70d44165f308acccfa77bfb60a7592fdd38c03e2a403745effec31e3fffdc3e4

Analysis

max time kernel
117s
max time network
121s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
18-05-2024 21:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

56cbbea8535c0e8ae967fcdec17db491_JaffaCakes118.doc
Size

6.4MB
MD5

56cbbea8535c0e8ae967fcdec17db491
SHA1

2829de0b258610b9e3279343661700ca16694a45
SHA256

70d44165f308acccfa77bfb60a7592fdd38c03e2a403745effec31e3fffdc3e4
SHA512

ed21ed9c5bb9db184a11167bf4452e63e434076d34522f36a2fc251805fae288aa3a25e515adef630636ab12bd865d110f9c60d08b09cc104aae65a84e9be7bd
SSDEEP

24576:nJBLCi8+IgnJMjDH9ZwiLC4JgGrM7vqNYeYwIstYXTLgQQ5MDcLQUrO/Z1WQ0mtD:JBLCph6rRDp72DwnH

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

WINWORD.EXE

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\conhostdwm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\memdefrag.exe"	WINWORD.EXE

Office loads VBA resources, possible macro or embedded object present

Modifies Internet Explorer settings 1 TTPs 9 IoCs

adware spyware

Modify Registry

T1112

Processes:

WINWORD.EXE

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

WINWORD.EXE

pid process

1728 WINWORD.EXE
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

WINWORD.EXE

pid process

1728 WINWORD.EXE
1728 WINWORD.EXE

pid	process
1728	WINWORD.EXE

pid	process
1728	WINWORD.EXE
1728	WINWORD.EXE

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

WINWORD.EXE

description	pid	process	target process
PID 1728 wrote to memory of 2552	1728	WINWORD.EXE	splwow64.exe
PID 1728 wrote to memory of 2552	1728	WINWORD.EXE	splwow64.exe
PID 1728 wrote to memory of 2552	1728	WINWORD.EXE	splwow64.exe
PID 1728 wrote to memory of 2552	1728	WINWORD.EXE	splwow64.exe

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\56cbbea8535c0e8ae967fcdec17db491_JaffaCakes118.doc"
1⤵
- Adds Run key to start application
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1728

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
2⤵
PID:2552

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1728-0-0x000000002F7A1000-0x000000002F7A2000-memory.dmp

Filesize
4KB

Download
memory/1728-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1728-2-0x00000000714AD000-0x00000000714B8000-memory.dmp

Filesize
44KB

Download
memory/1728-6-0x0000000000710000-0x0000000000810000-memory.dmp

Filesize
1024KB

Download
memory/1728-7-0x0000000000710000-0x0000000000810000-memory.dmp

Filesize
1024KB

Download
memory/1728-8-0x0000000000710000-0x0000000000810000-memory.dmp

Filesize
1024KB

Download
memory/1728-14-0x0000000000710000-0x0000000000810000-memory.dmp

Filesize
1024KB

Download
memory/1728-55-0x0000000000710000-0x0000000000810000-memory.dmp

Filesize
1024KB

Download
memory/1728-68-0x0000000000710000-0x0000000000810000-memory.dmp

Filesize
1024KB

Download
memory/1728-217-0x0000000000710000-0x0000000000810000-memory.dmp

Filesize
1024KB

Download
memory/1728-67-0x0000000000710000-0x0000000000810000-memory.dmp

Filesize
1024KB

Download
memory/1728-66-0x0000000000710000-0x0000000000810000-memory.dmp

Filesize
1024KB

Download
memory/1728-65-0x0000000000710000-0x0000000000810000-memory.dmp

Filesize
1024KB

Download
memory/1728-64-0x0000000000710000-0x0000000000810000-memory.dmp

Filesize
1024KB

Download
memory/1728-63-0x0000000000710000-0x0000000000810000-memory.dmp

Filesize
1024KB

Download
memory/1728-62-0x0000000000710000-0x0000000000810000-memory.dmp

Filesize
1024KB

Download
memory/1728-60-0x0000000000710000-0x0000000000810000-memory.dmp

Filesize
1024KB

Download
memory/1728-59-0x0000000000710000-0x0000000000810000-memory.dmp

Filesize
1024KB

Download
memory/1728-221-0x0000000000710000-0x0000000000810000-memory.dmp

Filesize
1024KB

Download
memory/1728-429-0x0000000000710000-0x0000000000810000-memory.dmp

Filesize
1024KB

Download
memory/1728-277-0x0000000000710000-0x0000000000810000-memory.dmp

Filesize
1024KB

Download
memory/1728-276-0x0000000000710000-0x0000000000810000-memory.dmp

Filesize
1024KB

Download
memory/1728-275-0x0000000000710000-0x0000000000810000-memory.dmp

Filesize
1024KB

Download
memory/1728-274-0x0000000000710000-0x0000000000810000-memory.dmp

Filesize
1024KB

Download
memory/1728-273-0x0000000000710000-0x0000000000810000-memory.dmp

Filesize
1024KB

Download
memory/1728-272-0x0000000000710000-0x0000000000810000-memory.dmp

Filesize
1024KB

Download
memory/1728-270-0x0000000000710000-0x0000000000810000-memory.dmp

Filesize
1024KB

Download
memory/1728-268-0x0000000000710000-0x0000000000810000-memory.dmp

Filesize
1024KB

Download
memory/1728-267-0x0000000000710000-0x0000000000810000-memory.dmp

Filesize
1024KB

Download
memory/1728-266-0x0000000000710000-0x0000000000810000-memory.dmp

Filesize
1024KB

Download
memory/1728-265-0x0000000000710000-0x0000000000810000-memory.dmp

Filesize
1024KB

Download
memory/1728-264-0x0000000000710000-0x0000000000810000-memory.dmp

Filesize
1024KB

Download
memory/1728-263-0x0000000000710000-0x0000000000810000-memory.dmp

Filesize
1024KB

Download
memory/1728-262-0x0000000000710000-0x0000000000810000-memory.dmp

Filesize
1024KB

Download
memory/1728-229-0x0000000000710000-0x0000000000810000-memory.dmp

Filesize
1024KB

Download
memory/1728-228-0x0000000000710000-0x0000000000810000-memory.dmp

Filesize
1024KB

Download
memory/1728-227-0x0000000000710000-0x0000000000810000-memory.dmp

Filesize
1024KB

Download
memory/1728-226-0x0000000000710000-0x0000000000810000-memory.dmp

Filesize
1024KB

Download
memory/1728-225-0x0000000000710000-0x0000000000810000-memory.dmp

Filesize
1024KB

Download
memory/1728-224-0x0000000000710000-0x0000000000810000-memory.dmp

Filesize
1024KB

Download
memory/1728-223-0x0000000000710000-0x0000000000810000-memory.dmp

Filesize
1024KB

Download
memory/1728-222-0x0000000000710000-0x0000000000810000-memory.dmp

Filesize
1024KB

Download
memory/1728-220-0x0000000000710000-0x0000000000810000-memory.dmp

Filesize
1024KB

Download
memory/1728-219-0x0000000000710000-0x0000000000810000-memory.dmp

Filesize
1024KB

Download
memory/1728-218-0x0000000000710000-0x0000000000810000-memory.dmp

Filesize
1024KB

Download
memory/1728-271-0x0000000000710000-0x0000000000810000-memory.dmp

Filesize
1024KB

Download
memory/1728-269-0x0000000000710000-0x0000000000810000-memory.dmp

Filesize
1024KB

Download
memory/1728-57-0x0000000000710000-0x0000000000810000-memory.dmp

Filesize
1024KB

Download
memory/1728-56-0x0000000000710000-0x0000000000810000-memory.dmp

Filesize
1024KB

Download
memory/1728-54-0x0000000000710000-0x0000000000810000-memory.dmp

Filesize
1024KB

Download
memory/1728-53-0x0000000000710000-0x0000000000810000-memory.dmp

Filesize
1024KB

Download
memory/1728-20-0x0000000000710000-0x0000000000810000-memory.dmp

Filesize
1024KB

Download
memory/1728-19-0x0000000000710000-0x0000000000810000-memory.dmp

Filesize
1024KB

Download
memory/1728-18-0x0000000000710000-0x0000000000810000-memory.dmp

Filesize
1024KB

Download
memory/1728-17-0x0000000000710000-0x0000000000810000-memory.dmp

Filesize
1024KB

Download
memory/1728-16-0x0000000000710000-0x0000000000810000-memory.dmp

Filesize
1024KB

Download
memory/1728-15-0x0000000000710000-0x0000000000810000-memory.dmp

Filesize
1024KB

Download
memory/1728-13-0x0000000000710000-0x0000000000810000-memory.dmp

Filesize
1024KB

Download
memory/1728-61-0x0000000000710000-0x0000000000810000-memory.dmp

Filesize
1024KB

Download
memory/1728-58-0x0000000000710000-0x0000000000810000-memory.dmp

Filesize
1024KB

Download
memory/1728-12-0x0000000000710000-0x0000000000810000-memory.dmp

Filesize
1024KB

Download
memory/1728-11-0x0000000000710000-0x0000000000810000-memory.dmp

Filesize
1024KB

Download
memory/1728-10-0x0000000000710000-0x0000000000810000-memory.dmp

Filesize
1024KB

Download
memory/1728-9-0x0000000000710000-0x0000000000810000-memory.dmp

Filesize
1024KB

Download
memory/1728-435-0x0000000000710000-0x0000000000810000-memory.dmp

Filesize
1024KB

Download
memory/1728-434-0x0000000000710000-0x0000000000810000-memory.dmp

Filesize
1024KB

Download
memory/1728-433-0x0000000000710000-0x0000000000810000-memory.dmp

Filesize
1024KB

Download
memory/1728-432-0x0000000000710000-0x0000000000810000-memory.dmp

Filesize
1024KB

Download
memory/1728-43496-0x00000000714AD000-0x00000000714B8000-memory.dmp

Filesize
44KB

Download
memory/1728-43497-0x0000000000710000-0x0000000000810000-memory.dmp

Filesize
1024KB

Download
memory/1728-43498-0x0000000000710000-0x0000000000810000-memory.dmp

Filesize
1024KB

Download
memory/1728-43499-0x0000000000710000-0x0000000000810000-memory.dmp

Filesize
1024KB

Download