Analysis

  • max time kernel
    118s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240419-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240419-en, locale:en-us, os:windows7-x64, system
  • submitted
    19-05-2024 08:47

General

  • Target

    598bff4e2b5c5576a7f89b2afddebd5b_JaffaCakes118.doc

  • Size

    200KB

  • MD5

    598bff4e2b5c5576a7f89b2afddebd5b

  • SHA1

    521de6d4c71a3112acadff900541ca4a49ce0454

  • SHA256

    18046a720cd23c57981fdfed59e3df775476b0f189b7f52e2fe5f50e1e6003e7

  • SHA512

    3908d100fbdea23e247d343bdddbe1e57c561f2d7fa268930ecc03cec6aeac07c0a2ef5824b26e960a449bf0d836577dd4ed4c1c36a7451ff5eda9e9e06377c5

  • SSDEEP

    3072:1eYfHU0QcO9XPh6I1VeQ5bohA5YvjGb/9P6vo1QsQc:FfvQc0/hLVe0ohyZb9/L

Score
10/10

Malware Config

Signatures

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Windows directory 1 IoCs
  • Program crash 1 IoCs
  • Office loads VBA resources, possible macro or embedded object present
  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\598bff4e2b5c5576a7f89b2afddebd5b_JaffaCakes118.doc"
    1⤵
    • Suspicious use of SetThreadContext
    • Drops file in Windows directory
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3012
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      2⤵
        PID:2244
      • C:\Windows\SysWOW64\svchost.exe
        "C:\Windows\SysWOW64\svchost.exe"
        2⤵
        • Process spawned unexpected child process
        • Suspicious use of WriteProcessMemory
        PID:2524
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 2524 -s 52
          3⤵
          • Program crash
          PID:2068
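
The process tree above carries two relationships a detection engineer would want to encode: an Office host (WINWORD.EXE) spawning a child that is not one of its usual helpers, and an svchost.exe whose parent is not services.exe and whose command line lacks the "-k <group>" argument every legitimately started service host has. The Python below is an added example, not part of the Triage report or its signature engine; the events are constructed from the tree above, and the parent PID of WINWORD.EXE (1000) is a placeholder because the report does not show its launcher. The allow-list of benign Office children is an assumption to adapt per environment; splwow64.exe is included because it is the 32-bit print-driver thunking host that 32-bit Office routinely starts on x64 Windows, and the sandbox did not flag it either.

```python
"""Flag anomalous parent/child relationships in a process tree.

Added example; not part of the sandbox report or the Triage product.
EVENTS is constructed from the process tree in the report (PID, image path,
command line), with parent PIDs taken from the tree nesting.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


# Office hosts whose children deserve scrutiny.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}

# Children an Office process legitimately spawns (assumption; tune per
# environment). splwow64.exe is the 32-bit print-driver thunking host and
# WerFault.exe is the crash reporter.
OFFICE_BENIGN_CHILDREN = {"splwow64.exe", "werfault.exe"}

# Legitimate svchost.exe instances are started by services.exe and carry a
# "-k <group>" argument; anything else is a strong injection/hollowing signal.
SVCHOST_PARENTS = {"services.exe"}


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path, tolerating forward slashes."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def find_anomalies(events: List[ProcEvent]) -> List[Tuple[int, str]]:
    """Return (pid, rule_name) for every event that trips a rule."""
    by_pid: Dict[int, ProcEvent] = {e.pid: e for e in events}
    findings: List[Tuple[int, str]] = []
    for e in events:
        child = basename(e.image)
        parent = by_pid.get(e.ppid)
        parent_img = basename(parent.image) if parent else ""
        if parent_img in OFFICE_APPS and child not in OFFICE_BENIGN_CHILDREN:
            findings.append((e.pid, "office_spawned_unexpected_child"))
        if child == "svchost.exe":
            if parent_img not in SVCHOST_PARENTS:
                findings.append((e.pid, "svchost_parent_not_services"))
            if "-k" not in e.cmdline.lower().split():
                findings.append((e.pid, "svchost_missing_k_group"))
    return findings


# Constructed from the report's process tree; ppid 1000 for WINWORD.EXE is a
# placeholder, the report does not show its launcher.
EVENTS = [
    ProcEvent(3012, 1000,
              r"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE",
              r'"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n '
              r'"C:\Users\Admin\AppData\Local\Temp\598bff4e2b5c5576a7f89b2afddebd5b_JaffaCakes118.doc"'),
    ProcEvent(2244, 3012, r"C:\Windows\splwow64.exe", r"C:\Windows\splwow64.exe 12288"),
    ProcEvent(2524, 3012, r"C:\Windows\SysWOW64\svchost.exe", r'"C:\Windows\SysWOW64\svchost.exe"'),
    ProcEvent(2068, 2524, r"C:\Windows\SysWOW64\WerFault.exe",
              r"C:\Windows\SysWOW64\WerFault.exe -u -p 2524 -s 52"),
]

if __name__ == "__main__":
    for pid, rule in find_anomalies(EVENTS):
        print(pid, rule)
```

Run against the constructed events, only PID 2524 trips rules, and it trips all three; the print-spooler helper and the crash reporter stay quiet. In telemetry such as Sysmon event 1 the same three checks map directly onto ParentImage, Image and CommandLine.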

Network

MITRE ATT&CK Enterprise v15

Downloads

    • C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

      Filesize

      20KB

      MD5

      36f4be6b331baa77d539011df91a14e0

      SHA1

      7f7afe544a89133ac4757f33adcc3eea79212dac

      SHA256

      d6cce6f98fdba7c762ff69b5f34a0074f07f275a285400a280999375946dbe84

      SHA512

      6289d056526925692e758d2e653869dbb952bd7012f3a9327197cbf6c19eb52ed05410bf1faa37aef85cff0438fc16882f0660e072ba82271164ca9dde6a9ef0

    • memory/2524-65-0x0000000000400000-0x0000000000408000-memory.dmp

      Filesize

      32KB

    • memory/2524-58-0x0000000000400000-0x0000000000408000-memory.dmp

      Filesize

      32KB

    • memory/2524-61-0x0000000000400000-0x0000000000408000-memory.dmp

      Filesize

      32KB

    • memory/2524-62-0x0000000000400000-0x0000000000408000-memory.dmp

      Filesize

      32KB

    • memory/2524-63-0x0000000000400000-0x0000000000408000-memory.dmp

      Filesize

      32KB

    • memory/2524-64-0x0000000000400000-0x0000000000408000-memory.dmp

      Filesize

      32KB

    • memory/3012-27-0x0000000000510000-0x0000000000610000-memory.dmp

      Filesize

      1024KB

    • memory/3012-24-0x0000000000510000-0x0000000000610000-memory.dmp

      Filesize

      1024KB

    • memory/3012-56-0x0000000000510000-0x0000000000610000-memory.dmp

      Filesize

      1024KB

    • memory/3012-68-0x0000000006C50000-0x0000000006C53000-memory.dmp

      Filesize

      12KB

    • memory/3012-67-0x0000000000510000-0x0000000000610000-memory.dmp

      Filesize

      1024KB

    • memory/3012-51-0x0000000000510000-0x0000000000610000-memory.dmp

      Filesize

      1024KB

    • memory/3012-50-0x0000000000510000-0x0000000000610000-memory.dmp

      Filesize

      1024KB

    • memory/3012-45-0x0000000000510000-0x0000000000610000-memory.dmp

      Filesize

      1024KB

    • memory/3012-44-0x0000000000510000-0x0000000000610000-memory.dmp

      Filesize

      1024KB

    • memory/3012-41-0x0000000000510000-0x0000000000610000-memory.dmp

      Filesize

      1024KB

    • memory/3012-38-0x0000000000510000-0x0000000000610000-memory.dmp

      Filesize

      1024KB

    • memory/3012-33-0x0000000000510000-0x0000000000610000-memory.dmp

      Filesize

      1024KB

    • memory/3012-28-0x0000000000510000-0x0000000000610000-memory.dmp

      Filesize

      1024KB

    • memory/3012-0-0x000000002F961000-0x000000002F962000-memory.dmp

      Filesize

      4KB

    • memory/3012-25-0x0000000000510000-0x0000000000610000-memory.dmp

      Filesize

      1024KB

    • memory/3012-66-0x0000000000510000-0x0000000000610000-memory.dmp

      Filesize

      1024KB

    • memory/3012-15-0x0000000000510000-0x0000000000610000-memory.dmp

      Filesize

      1024KB

    • memory/3012-26-0x0000000000510000-0x0000000000610000-memory.dmp

      Filesize

      1024KB

    • memory/3012-9-0x0000000000510000-0x0000000000610000-memory.dmp

      Filesize

      1024KB

    • memory/3012-10-0x0000000000510000-0x0000000000610000-memory.dmp

      Filesize

      1024KB

    • memory/3012-8-0x0000000000510000-0x0000000000610000-memory.dmp

      Filesize

      1024KB

    • memory/3012-7-0x0000000000510000-0x0000000000610000-memory.dmp

      Filesize

      1024KB

    • memory/3012-18-0x0000000000510000-0x0000000000610000-memory.dmp

      Filesize

      1024KB

    • memory/3012-16-0x0000000000510000-0x0000000000610000-memory.dmp

      Filesize

      1024KB

    • memory/3012-14-0x0000000000510000-0x0000000000610000-memory.dmp

      Filesize

      1024KB

    • memory/3012-13-0x0000000000510000-0x0000000000610000-memory.dmp

      Filesize

      1024KB

    • memory/3012-60-0x0000000000510000-0x0000000000610000-memory.dmp

      Filesize

      1024KB

    • memory/3012-2-0x0000000070B7D000-0x0000000070B88000-memory.dmp

      Filesize

      44KB

    • memory/3012-17-0x0000000000510000-0x0000000000610000-memory.dmp

      Filesize

      1024KB

    • memory/3012-12-0x0000000000510000-0x0000000000610000-memory.dmp

      Filesize

      1024KB

    • memory/3012-11-0x0000000000510000-0x0000000000610000-memory.dmp

      Filesize

      1024KB

    • memory/3012-73-0x0000000070B7D000-0x0000000070B88000-memory.dmp

      Filesize

      44KB

    • memory/3012-74-0x0000000000510000-0x0000000000610000-memory.dmp

      Filesize

      1024KB

    • memory/3012-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB

    • memory/3012-93-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB

    • memory/3012-94-0x0000000070B7D000-0x0000000070B88000-memory.dmp

      Filesize

      44KB
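
The dump listing above repeats a handful of regions many times, once per snapshot the sandbox took; what a triager wants is the distinct regions per PID, how often each was captured, and which one to carve first. The Python below is an added example, not part of the report: it reads the file-name scheme memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp off the entries above, collapses a constructed subset of them, and singles out regions that start at 0x400000, the linker default image base for 32-bit executables. In the svchost.exe process (PID 2524), which the report also flags for SetThreadContext and WriteProcessMemory from its parent, a 32KB region at that address captured six times before the crash is the natural candidate for a hollowed or manually mapped payload.

```python
"""Collapse a sandbox memory-dump listing into distinct regions per PID.

Added example, not part of the report. The naming scheme
memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp is read off the report's
Downloads entries; DUMP_NAMES is a constructed subset of them.
"""
import re
from collections import defaultdict
from typing import Dict, List, Tuple

DUMP_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
    r"-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)

# Linker default image base for 32-bit PE executables.
DEFAULT_IMAGE_BASE = 0x400000

Region = Tuple[int, int, int, int]  # (start, end, size_bytes, snapshots)


def parse_dump_name(name: str) -> Tuple[int, int, int, int]:
    """Return (pid, seq, start, end) for one dump file name."""
    m = DUMP_RE.match(name)
    if not m:
        raise ValueError(f"unrecognised dump name: {name}")
    return (int(m["pid"]), int(m["seq"]), int(m["start"], 16), int(m["end"], 16))


def summarise(names: List[str]) -> Dict[int, List[Region]]:
    """Map pid -> regions sorted by start, with the snapshot count per region."""
    counts: Dict[Tuple[int, int, int], int] = defaultdict(int)
    for name in names:
        pid, _seq, start, end = parse_dump_name(name)
        counts[(pid, start, end)] += 1
    out: Dict[int, List[Region]] = defaultdict(list)
    for (pid, start, end), n in sorted(counts.items()):
        out[pid].append((start, end, end - start, n))
    return dict(out)


def regions_at_default_image_base(summary: Dict[int, List[Region]]) -> List[int]:
    """PIDs holding a dumped region that starts at 0x400000.

    A small region at the default image base inside a process that was also
    written to by its parent is the usual footprint of a hollowed or manually
    mapped payload; carve it as a PE before anything else.
    """
    return [pid for pid, regions in summary.items()
            if any(start == DEFAULT_IMAGE_BASE for start, _e, _s, _n in regions)]


def kb(size: int) -> str:
    """Whole-kilobyte rendering matching the report's Filesize lines."""
    return f"{size // 1024}KB"


# Constructed subset of the Downloads entries above.
DUMP_NAMES = [
    "memory/2524-65-0x0000000000400000-0x0000000000408000-memory.dmp",
    "memory/2524-58-0x0000000000400000-0x0000000000408000-memory.dmp",
    "memory/2524-61-0x0000000000400000-0x0000000000408000-memory.dmp",
    "memory/2524-62-0x0000000000400000-0x0000000000408000-memory.dmp",
    "memory/2524-63-0x0000000000400000-0x0000000000408000-memory.dmp",
    "memory/2524-64-0x0000000000400000-0x0000000000408000-memory.dmp",
    "memory/3012-27-0x0000000000510000-0x0000000000610000-memory.dmp",
    "memory/3012-24-0x0000000000510000-0x0000000000610000-memory.dmp",
    "memory/3012-68-0x0000000006C50000-0x0000000006C53000-memory.dmp",
    "memory/3012-0-0x000000002F961000-0x000000002F962000-memory.dmp",
    "memory/3012-2-0x0000000070B7D000-0x0000000070B88000-memory.dmp",
    "memory/3012-1-0x000000005FFF0000-0x0000000060000000-memory.dmp",
    "memory/3012-93-0x000000005FFF0000-0x0000000060000000-memory.dmp",
]

if __name__ == "__main__":
    summary = summarise(DUMP_NAMES)
    for pid, regions in summary.items():
        for start, end, size, n in regions:
            print(f"pid {pid}: 0x{start:08X}-0x{end:08X} {kb(size):>7} x{n}")
    print("regions at default image base in PIDs:", regions_at_default_image_base(summary))
```

The computed sizes reproduce the report's Filesize values (0x8000 is 32KB, 0xB000 is 44KB, 0x100000 is 1024KB), which is a cheap consistency check when a listing has been copied or truncated. Feed the full Downloads list to the same functions and the 1MB region at 0x510000 in WINWORD.EXE shows up as the most frequently snapshotted one, the parent's working buffer rather than the payload.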