Analysis Overview
SHA256
0f4398e0650408b59d516bef26254464e99dc0ba48b10607ebe76f3957f7bb89
Threat Level: Known bad
The file 7ef121597ba88b20dab4c8216e3368d0_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
Process spawned unexpected child process
Suspicious Office macro
Office loads VBA resources, possible macro or embedded object present
Modifies registry class
Suspicious behavior: AddClipboardFormatListener
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Checks processor information in registry
Enumerates system info in registry
Modifies Internet Explorer settings
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-05-29 00:32
Signatures
Suspicious Office macro
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-29 00:32
Reported
2024-05-29 00:35
Platform
win7-20240215-en
Max time kernel
118s
Max time network
119s
Command Line
Signatures
Process spawned unexpected child process
| Description | Indicator | Process | Target |
| Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process | N/A | C:\Windows\SysWOW64\regsvr32.exe | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE |
Office loads VBA resources, possible macro or embedded object present
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\MenuExt | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{02287391-E9CA-4CCC-ADB7-DBBEEAC6C77F}\2.0 | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\Interface\{7B020EC1-AF6C-11CE-9F46-00AA00574A4F} | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\Wow6432Node\Interface\{EC72F590-F375-11CE-B9E8-00AA006B1A69}\ = "IDataAutoWrapper" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\Interface\{04598FC4-866C-11CF-AB7C-00AA00C08FCF}\ = "ICommandButton" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\Interface\{04598FC3-866C-11CF-AB7C-00AA00C08FCF} | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\Interface\{5512D11B-5CC6-11CF-8D67-00AA00BDCE1D} | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\Interface\{5512D125-5CC6-11CF-8D67-00AA00BDCE1D} | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\Wow6432Node\Interface\{47FF8FE6-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents7" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\Wow6432Node\Interface\{04598FC6-866C-11CF-AB7C-00AA00C08FCF}\ = "IControl" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\Wow6432Node\Interface\{5512D117-5CC6-11CF-8D67-00AA00BDCE1D} | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\Wow6432Node\Interface\{47FF8FE8-6198-11CF-8CE8-00AA006CB389} | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\Wow6432Node\Interface\{82B02370-B5BC-11CF-810F-00A0C9030074}\ = "IReturnInteger" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\Wow6432Node\Interface\{8BD21D42-EC42-11CE-9E0D-00AA006002F3} | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\Wow6432Node\Interface\{47FF8FE3-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents4" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\Interface\{04598FC9-866C-11CF-AB7C-00AA00C08FCF}\ = "IMultiPage" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\Wow6432Node\Interface\{47FF8FE0-6198-11CF-8CE8-00AA006CB389} | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\Interface\{47FF8FE0-6198-11CF-8CE8-00AA006CB389} | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\Wow6432Node\Interface\{47FF8FE1-6198-11CF-8CE8-00AA006CB389} | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\Wow6432Node\Interface\{8BD21D33-EC42-11CE-9E0D-00AA006002F3} | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\Interface\{8BD21D63-EC42-11CE-9E0D-00AA006002F3}\ = "IMdcToggleButton" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\Interface\{47FF8FE9-6198-11CF-8CE8-00AA006CB389} | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\Interface\{5B9D8FC8-4A71-101B-97A6-00000B65C08B}\ = "FormEvents" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\Interface\{CF3F94A0-F546-11CE-9BCE-00AA00608E01}\ = "OptionFrameEvents" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohevi.dll" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\Interface\{82B02370-B5BC-11CF-810F-00A0C9030074}\ = "IReturnInteger" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\Interface\{8BD21D33-EC42-11CE-9E0D-00AA006002F3}\ = "IMdcCombo" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\Interface\{5512D117-5CC6-11CF-8D67-00AA00BDCE1D} | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\Wow6432Node\Interface\{8BD21D12-EC42-11CE-9E0D-00AA006002F3}\ = "MdcTextEvents" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\Interface\{9A4BBF53-4E46-101B-8BBD-00AA003E3B29}\ = "ControlEvents" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\Wow6432Node\Interface\{04598FC8-866C-11CF-AB7C-00AA00C08FCF} | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\Interface\{8BD21D22-EC42-11CE-9E0D-00AA006002F3}\ = "MdcListEvents" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\Wow6432Node\Interface\{8BD21D63-EC42-11CE-9E0D-00AA006002F3}\ = "IMdcToggleButton" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\Interface\{79176FB3-B7F2-11CE-97EF-00AA006D2776}\ = "ISpinbutton" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\Wow6432Node\Interface\{8BD21D23-EC42-11CE-9E0D-00AA006002F3}\ = "IMdcList" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\ = "&Open" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{02287391-E9CA-4CCC-ADB7-DBBEEAC6C77F}\2.0\FLAGS\ = "6" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\TypeLib\{02287391-E9CA-4CCC-ADB7-DBBEEAC6C77F}\2.0 | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\Interface\{82B02371-B5BC-11CF-810F-00A0C9030074}\ = "IReturnBoolean" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\Wow6432Node\Interface\{04598FC8-866C-11CF-AB7C-00AA00C08FCF}\ = "_UserForm" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\Interface\{04598FC7-866C-11CF-AB7C-00AA00C08FCF}\ = "Controls" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\Interface\{8BD21D13-EC42-11CE-9E0D-00AA006002F3} | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\Interface\{79176FB2-B7F2-11CE-97EF-00AA006D2776}\ = "SpinbuttonEvents" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\ = "&Open" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\TypeLib\{02287391-E9CA-4CCC-ADB7-DBBEEAC6C77F}\2.0\HELPDIR | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\Interface\{82B02370-B5BC-11CF-810F-00A0C9030074} | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\Interface\{04598FC3-866C-11CF-AB7C-00AA00C08FCF}\ = "IScrollbar" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\Interface\{7B020EC1-AF6C-11CE-9F46-00AA00574A4F}\ = "CommandButtonEvents" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3032 wrote to memory of 1624 | N/A | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | C:\Windows\SysWOW64\regsvr32.exe |
| PID 3032 wrote to memory of 1624 | N/A | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | C:\Windows\SysWOW64\regsvr32.exe |
| PID 3032 wrote to memory of 1624 | N/A | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | C:\Windows\SysWOW64\regsvr32.exe |
| PID 3032 wrote to memory of 1624 | N/A | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | C:\Windows\SysWOW64\regsvr32.exe |
| PID 3032 wrote to memory of 1624 | N/A | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | C:\Windows\SysWOW64\regsvr32.exe |
| PID 3032 wrote to memory of 1624 | N/A | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | C:\Windows\SysWOW64\regsvr32.exe |
| PID 3032 wrote to memory of 1624 | N/A | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | C:\Windows\SysWOW64\regsvr32.exe |
Processes
C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\7ef121597ba88b20dab4c8216e3368d0_JaffaCakes118.xls
C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\System32\regsvr32.exe" -s C:\XTrdWkza\ER7IrMs\uUpkAa9B.
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | mail.premiumclube.org.br | udp |
Files
memory/3032-0-0x000000005FFF0000-0x0000000060000000-memory.dmp
memory/3032-1-0x00000000727AD000-0x00000000727B8000-memory.dmp
memory/3032-7-0x0000000007320000-0x0000000007420000-memory.dmp
memory/3032-4-0x00000000007A0000-0x00000000008A0000-memory.dmp
memory/3032-13-0x00000000007A0000-0x00000000008A0000-memory.dmp
memory/3032-12-0x00000000007A0000-0x00000000008A0000-memory.dmp
memory/3032-11-0x00000000007A0000-0x00000000008A0000-memory.dmp
memory/3032-10-0x00000000007A0000-0x00000000008A0000-memory.dmp
memory/3032-9-0x00000000007A0000-0x00000000008A0000-memory.dmp
memory/3032-8-0x00000000007A0000-0x00000000008A0000-memory.dmp
memory/3032-6-0x00000000007A0000-0x00000000008A0000-memory.dmp
memory/3032-14-0x00000000007A0000-0x00000000008A0000-memory.dmp
memory/3032-5-0x00000000007A0000-0x00000000008A0000-memory.dmp
memory/3032-16-0x00000000007A0000-0x00000000008A0000-memory.dmp
memory/3032-15-0x00000000007A0000-0x00000000008A0000-memory.dmp
memory/3032-28-0x00000000007A0000-0x00000000008A0000-memory.dmp
memory/3032-26-0x00000000007A0000-0x00000000008A0000-memory.dmp
memory/3032-42-0x00000000007A0000-0x00000000008A0000-memory.dmp
memory/3032-44-0x00000000007A0000-0x00000000008A0000-memory.dmp
memory/3032-43-0x00000000007A0000-0x00000000008A0000-memory.dmp
memory/3032-41-0x00000000007A0000-0x00000000008A0000-memory.dmp
memory/3032-39-0x00000000007A0000-0x00000000008A0000-memory.dmp
memory/3032-40-0x00000000007A0000-0x00000000008A0000-memory.dmp
memory/3032-37-0x00000000007A0000-0x00000000008A0000-memory.dmp
memory/3032-38-0x00000000007A0000-0x00000000008A0000-memory.dmp
memory/3032-36-0x00000000007A0000-0x00000000008A0000-memory.dmp
memory/3032-35-0x00000000007A0000-0x00000000008A0000-memory.dmp
memory/3032-34-0x00000000007A0000-0x00000000008A0000-memory.dmp
memory/3032-33-0x00000000007A0000-0x00000000008A0000-memory.dmp
memory/3032-32-0x00000000007A0000-0x00000000008A0000-memory.dmp
memory/3032-31-0x00000000007A0000-0x00000000008A0000-memory.dmp
memory/3032-29-0x00000000007A0000-0x00000000008A0000-memory.dmp
memory/3032-30-0x00000000007A0000-0x00000000008A0000-memory.dmp
memory/3032-27-0x00000000007A0000-0x00000000008A0000-memory.dmp
memory/3032-25-0x00000000007A0000-0x00000000008A0000-memory.dmp
memory/3032-60-0x00000000007A0000-0x00000000008A0000-memory.dmp
memory/3032-69-0x00000000007A0000-0x00000000008A0000-memory.dmp
memory/3032-84-0x00000000007A0000-0x00000000008A0000-memory.dmp
memory/3032-83-0x00000000007A0000-0x00000000008A0000-memory.dmp
memory/3032-82-0x00000000007A0000-0x00000000008A0000-memory.dmp
memory/3032-73-0x00000000007A0000-0x00000000008A0000-memory.dmp
memory/3032-71-0x00000000007A0000-0x00000000008A0000-memory.dmp
memory/3032-70-0x00000000007A0000-0x00000000008A0000-memory.dmp
memory/3032-68-0x00000000007A0000-0x00000000008A0000-memory.dmp
memory/3032-67-0x00000000007A0000-0x00000000008A0000-memory.dmp
memory/3032-65-0x00000000007A0000-0x00000000008A0000-memory.dmp
memory/3032-63-0x00000000007A0000-0x00000000008A0000-memory.dmp
memory/3032-66-0x00000000007A0000-0x00000000008A0000-memory.dmp
memory/3032-64-0x00000000007A0000-0x00000000008A0000-memory.dmp
memory/3032-62-0x00000000007A0000-0x00000000008A0000-memory.dmp
memory/3032-61-0x00000000007A0000-0x00000000008A0000-memory.dmp
memory/3032-59-0x00000000007A0000-0x00000000008A0000-memory.dmp
memory/3032-57-0x00000000007A0000-0x00000000008A0000-memory.dmp
memory/3032-54-0x00000000007A0000-0x00000000008A0000-memory.dmp
memory/3032-58-0x00000000007A0000-0x00000000008A0000-memory.dmp
memory/3032-56-0x00000000007A0000-0x00000000008A0000-memory.dmp
memory/3032-55-0x00000000007A0000-0x00000000008A0000-memory.dmp
memory/3032-53-0x00000000007A0000-0x00000000008A0000-memory.dmp
memory/3032-52-0x00000000007A0000-0x00000000008A0000-memory.dmp
memory/3032-50-0x00000000007A0000-0x00000000008A0000-memory.dmp
memory/3032-48-0x00000000007A0000-0x00000000008A0000-memory.dmp
memory/3032-45-0x00000000007A0000-0x00000000008A0000-memory.dmp
memory/3032-51-0x00000000007A0000-0x00000000008A0000-memory.dmp
memory/3032-49-0x00000000007A0000-0x00000000008A0000-memory.dmp
memory/3032-47-0x00000000007A0000-0x00000000008A0000-memory.dmp
memory/3032-46-0x00000000007A0000-0x00000000008A0000-memory.dmp
memory/3032-24-0x00000000007A0000-0x00000000008A0000-memory.dmp
memory/3032-23-0x00000000007A0000-0x00000000008A0000-memory.dmp
memory/3032-21-0x00000000007A0000-0x00000000008A0000-memory.dmp
memory/3032-20-0x00000000007A0000-0x00000000008A0000-memory.dmp
memory/3032-19-0x00000000007A0000-0x00000000008A0000-memory.dmp
memory/3032-18-0x00000000007A0000-0x00000000008A0000-memory.dmp
memory/3032-17-0x00000000007A0000-0x00000000008A0000-memory.dmp
memory/3032-22-0x00000000007A0000-0x00000000008A0000-memory.dmp
memory/3032-87-0x00000000727AD000-0x00000000727B8000-memory.dmp
memory/3032-88-0x00000000007A0000-0x00000000008A0000-memory.dmp
memory/3032-89-0x00000000007A0000-0x00000000008A0000-memory.dmp
memory/3032-93-0x00000000727AD000-0x00000000727B8000-memory.dmp
memory/3032-94-0x00000000007A0000-0x00000000008A0000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-29 00:32
Reported
2024-05-29 00:35
Platform
win10v2004-20240508-en
Max time kernel
135s
Max time network
127s
Command Line
Signatures
Process spawned unexpected child process
| Description | Indicator | Process | Target |
| Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | N/A | C:\Windows\System32\regsvr32.exe | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1308 wrote to memory of 4392 | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | C:\Windows\System32\regsvr32.exe |
| PID 1308 wrote to memory of 4392 | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | C:\Windows\System32\regsvr32.exe |
Processes
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\7ef121597ba88b20dab4c8216e3368d0_JaffaCakes118.xls"
C:\Windows\System32\regsvr32.exe
"C:\Windows\System32\regsvr32.exe" -s C:\XYwiefeS\kbHaLR\dcZtpFfm.
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3756,i,9746875443948590908,1444894342962555245,262144 --variations-seed-version --mojo-platform-channel-handle=4500 /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.32.109.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | roaming.officeapps.live.com | udp |
| FR | 52.109.68.129:443 | roaming.officeapps.live.com | tcp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 129.68.109.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | pemuda.suraunurulihsan.com.my | udp |
| US | 8.8.8.8:53 | 20.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| NL | 23.62.61.194:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 194.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 210.143.182.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.99.105.20.in-addr.arpa | udp |
Files
memory/1308-0-0x00007FFB1EEF0000-0x00007FFB1EF00000-memory.dmp
memory/1308-2-0x00007FFB1EEF0000-0x00007FFB1EF00000-memory.dmp
memory/1308-1-0x00007FFB1EEF0000-0x00007FFB1EF00000-memory.dmp
memory/1308-4-0x00007FFB1EEF0000-0x00007FFB1EF00000-memory.dmp
memory/1308-3-0x00007FFB1EEF0000-0x00007FFB1EF00000-memory.dmp
memory/1308-5-0x00007FFB5EF0D000-0x00007FFB5EF0E000-memory.dmp
memory/1308-7-0x00007FFB5EE70000-0x00007FFB5F065000-memory.dmp
memory/1308-8-0x00007FFB5EE70000-0x00007FFB5F065000-memory.dmp
memory/1308-9-0x00007FFB1CE90000-0x00007FFB1CEA0000-memory.dmp
memory/1308-10-0x00007FFB5EE70000-0x00007FFB5F065000-memory.dmp
memory/1308-11-0x00007FFB5EE70000-0x00007FFB5F065000-memory.dmp
memory/1308-6-0x00007FFB5EE70000-0x00007FFB5F065000-memory.dmp
memory/1308-12-0x00007FFB5EE70000-0x00007FFB5F065000-memory.dmp
memory/1308-13-0x00007FFB1CE90000-0x00007FFB1CEA0000-memory.dmp
memory/1308-14-0x00007FFB5EE70000-0x00007FFB5F065000-memory.dmp
memory/1308-17-0x00007FFB5EE70000-0x00007FFB5F065000-memory.dmp
memory/1308-16-0x00007FFB5EE70000-0x00007FFB5F065000-memory.dmp
memory/1308-19-0x00007FFB5EE70000-0x00007FFB5F065000-memory.dmp
memory/1308-18-0x00007FFB5EE70000-0x00007FFB5F065000-memory.dmp
memory/1308-15-0x00007FFB5EE70000-0x00007FFB5F065000-memory.dmp
memory/1308-35-0x00007FFB5EE70000-0x00007FFB5F065000-memory.dmp
memory/1308-72-0x00007FFB5EE70000-0x00007FFB5F065000-memory.dmp
memory/1308-139-0x00007FFB5EE70000-0x00007FFB5F065000-memory.dmp
memory/1308-140-0x00007FFB5EE70000-0x00007FFB5F065000-memory.dmp
memory/1308-159-0x00007FFB1EEF0000-0x00007FFB1EF00000-memory.dmp
memory/1308-161-0x00007FFB1EEF0000-0x00007FFB1EF00000-memory.dmp
memory/1308-162-0x00007FFB1EEF0000-0x00007FFB1EF00000-memory.dmp
memory/1308-160-0x00007FFB1EEF0000-0x00007FFB1EF00000-memory.dmp
memory/1308-163-0x00007FFB5EE70000-0x00007FFB5F065000-memory.dmp