Analysis

  • max time kernel
    117s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    13-06-2024 02:39

General

  • Target

    a38fca264995aa49505ba8885d82df91_JaffaCakes118.rtf

  • Size

    385KB

  • MD5

    a38fca264995aa49505ba8885d82df91

  • SHA1

    a221e6de39137ea0fa0fc63dc29ea45d9402b407

  • SHA256

    1825130b7f20a9b1b7c0ea8fcb5f5427d041c45a046bbfa1dbf1c0c19a4f7ef5

  • SHA512

    ae5bc7a5c0b91e8b0629610e1f2534ffe515dcb6242b30917a2f9fa782e5322fd4bfbc5df0bea2069825dda7ca0a6697d61e51510e9e23503c8f5269d65cf337

  • SSDEEP

    12288:QRoZ+Z/ideuN59QhVtn+IbcNypK+Gnu85iXOEuW:SFideur9Q1nZbc8pRt85G

Score
10/10

Signatures

  • Process spawned unexpected child process 2 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Office loads VBA resources, possible macro or embedded object present
  • Delays execution with timeout.exe 1 IoCs
  • Kills process with taskkill 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 9 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\a38fca264995aa49505ba8885d82df91_JaffaCakes118.rtf"
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1688
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C CmD < "C:\Users\Admin\AppData\Local\Temp\ufFm.cMD"
      2⤵
      • Process spawned unexpected child process
      • Suspicious use of WriteProcessMemory
      PID:2724
      • C:\Windows\SysWOW64\cmd.exe
        CmD
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2648
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /K i1mzn.cmd
          4⤵
          • Loads dropped DLL
          • Suspicious use of WriteProcessMemory
          PID:2668
          • C:\Windows\SysWOW64\timeout.exe
            TIMEOUT /T 1
            5⤵
            • Delays execution with timeout.exe
            PID:2664
          • C:\Windows\SysWOW64\taskkill.exe
            TASkKILL /F /IM winword.exe
            5⤵
            • Kills process with taskkill
            • Suspicious use of AdjustPrivilegeToken
            PID:2564
          • C:\Windows\SysWOW64\reg.exe
            reg delete HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\11.0\Word\Resiliency /f
            5⤵
            PID:2864
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\11.0\Word\File MRU" /v "Item 1"
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:2912
            • C:\Windows\SysWOW64\reg.exe
              REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\11.0\Word\File MRU" /v "Item 1"
              6⤵
              PID:1880
          • C:\Windows\SysWOW64\reg.exe
            reg delete HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\12.0\Word\Resiliency /f
            5⤵
            PID:2176
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\12.0\Word\File MRU" /v "Item 1"
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:2876
            • C:\Windows\SysWOW64\reg.exe
              REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\12.0\Word\File MRU" /v "Item 1"
              6⤵
              PID:1728
          • C:\Windows\SysWOW64\reg.exe
            reg delete HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\13.0\Word\Resiliency /f
            5⤵
            PID:2240
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\13.0\Word\File MRU" /v "Item 1"
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:2420
            • C:\Windows\SysWOW64\reg.exe
              REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\13.0\Word\File MRU" /v "Item 1"
              6⤵
              PID:1848
          • C:\Windows\SysWOW64\reg.exe
            reg delete HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\14.0\Word\Resiliency /f
            5⤵
            PID:1536
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\14.0\Word\File MRU" /v "Item 1"
            5⤵
            PID:1612
            • C:\Windows\SysWOW64\reg.exe
              REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\14.0\Word\File MRU" /v "Item 1"
              6⤵
              PID:812
          • C:\Windows\SysWOW64\reg.exe
            reg delete HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Word\Resiliency /f
            5⤵
            PID:624
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Word\File MRU" /v "Item 1"
            5⤵
            PID:1656
            • C:\Windows\SysWOW64\reg.exe
              REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Word\File MRU" /v "Item 1"
              6⤵
              PID:1900
          • C:\Windows\SysWOW64\reg.exe
            reg delete HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Word\Resiliency /f
            5⤵
            PID:2000
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Word\File MRU" /v "Item 1"
            5⤵
            PID:2248
            • C:\Windows\SysWOW64\reg.exe
              REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Word\File MRU" /v "Item 1"
              6⤵
              PID:1572
          • C:\Users\Admin\AppData\Local\Temp\saVer.scr
            "C:\Users\Admin\AppData\Local\Temp\saver.scr"
            5⤵
            • Executes dropped EXE
            • Loads dropped DLL
            PID:1060
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C CmD < "C:\Users\Admin\AppData\Local\Temp\ufFm.cMD"
      2⤵
      • Process spawned unexpected child process
      • Suspicious use of WriteProcessMemory
      PID:2476
      • C:\Windows\SysWOW64\cmd.exe
        CmD
        3⤵
        PID:2624

Downloads

  • C:\Users\Admin\AppData\Local\Temp\ParT1.BiN
    Filesize: 1B
    MD5: 69691c7bdcc3ce6d5d8a1361f22d04ac
    SHA1: c63ae6dd4fc9f9dda66970e827d13f7c73fe841c
    SHA256: 08f271887ce94707da822d5263bae19d5519cb3614e0daedc4c7ce5dab7473f1
    SHA512: 253405e03b91441a6dd354a9b72e040068b1bfe10e83eb1a64a086c05525d8ccae2bf09130c624af50d55c3522a4fbb7c18cfc8dd843e5f4801d9ad2b5164b12

  • C:\Users\Admin\AppData\Local\Temp\ParT2.BiN
    Filesize: 179KB
    MD5: e126db86905556df3cdad9fcab6f9130
    SHA1: ad170e77e638ac2226e32d0297cbe94dc99f9ce0
    SHA256: 4c2a000ad20f7528045ba87aa980c8a3a0163af02ae59c49fe98e1d4bf2cca5b
    SHA512: 47bd1d18329626c2f21066d30a236b7974080d4e7c2bf58faff790ed54dcd636874fbaa006b368ee841751de6d97b3cbfba6d4c2079117e2cfe975e99a24cc4c

  • C:\Users\Admin\AppData\Local\Temp\i1mzn.cmd
    Filesize: 709B
    MD5: 3f6c055f08307544f6fe6ac19a03b181
    SHA1: 4ea11b83b86134a7d32b7930ed76e6a8a6914975
    SHA256: eb9cc5ee32cd67cacf113b343e89d5daeab0cb007fa6904fcfa1fcab9c1d6816
    SHA512: 780384f4a9985232766153b6fbadba18e74867fcdfac35d7dbd856cf612d5b2e32e12e2e8e040116240a827cf8e74fbe99063fd18423cb65b6ad590ec40aea64

  • C:\Users\Admin\AppData\Local\Temp\trbatehtqevyay.ScT
    Filesize: 814B
    MD5: 8d8871b5077b8d24496b975a2f82719e
    SHA1: f9e34d642cb2c81e2ee8a5a68a5398729932b013
    SHA256: 2aaddaaab59be3fc98cc976f878e92d9080c502d612cc42608697240044f3dc0
    SHA512: 9e62b2413113344cf3b9bf65a6175ee8767fc7fe61265f700ad11344700f4fad623ee2b55144df5db333b12ebeedebdd01e62281b1130a869b48cf92346c4ff5

  • C:\Users\Admin\AppData\Local\Temp\ufFm.cMD
    Filesize: 185B
    MD5: 7b79ef1ecd4962abf5654e45c6008d5f
    SHA1: db6f36000caa7e8853490551a071b3ad28e07108
    SHA256: 2e4d750174a9f30bb6cf2a1c3df497368d1f9c4537e96293c3a53d07b4d12c93
    SHA512: d2f6b1a262bac40c8ed5e324b014862db4dd603d4a51242c87f9e7889935b21555f9cffddf05d19514fb8c79a99dcc04ee8bd299298c5c75469be4088adf1260

  • C:\Users\Admin\appData\loCal\TeMp\gondi.doc
    Filesize: 408B
    MD5: b3129b6a95db680cf911660ab17d7a13
    SHA1: 3c1a4fa57b8eb5d7655f6674718b331d1178ebce
    SHA256: 56232b5be28b819dc07af5450612928f51fe29cfaa6bfe86a3dfdbfc3c5ee3b2
    SHA512: 9d41200000dc3fc9f5aa0f9e7090ff8ad56befd9a06fec202eff9b3d2a48404b65e41bdf6d568633a05c33552c40c15defa286bfac70eff5ff622a5b7bcb3114

  • \Users\Admin\AppData\Local\Temp\nsi30D1.tmp\System.dll
    Filesize: 11KB
    MD5: 75ed96254fbf894e42058062b4b4f0d1
    SHA1: 996503f1383b49021eb3427bc28d13b5bbd11977
    SHA256: a632d74332b3f08f834c732a103dafeb09a540823a2217ca7f49159755e8f1d7
    SHA512: 58174896db81d481947b8745dafe3a02c150f3938bb4543256e8cce1145154e016d481df9fe68dac6d48407c62cbe20753320ebd5fe5e84806d07ce78e0eb0c4

  • \Users\Admin\AppData\Local\Temp\palindromist.dll
    Filesize: 56KB
    MD5: 852ec2df4ae0bcc4d915956e9f811eb4
    SHA1: f5d76bca6c260f7f461d089f2ecdef1c3b358122
    SHA256: e113671c7db918867e70572e775ad5b753836b604d5e2501c00e3e5055a3dabe
    SHA512: a365bf63605e445ba9ab2bdbcfbb98b18c3f72ee852d7b9fd49e21e07bc6c42d0315d5235e979071e6793a7348ce78adc91c601667545f092bc90c5218941899

  • \Users\Admin\AppData\Local\Temp\saVer.scr
    Filesize: 179KB
    MD5: 924f5405bafeff937920173811dec467
    SHA1: 5ae0cdd62bf15121de3da44fc2b950ab9c212335
    SHA256: aa76ba33203d6cbd9796df14208fb74b85863816a380009b3dce8f2ffa9417e0
    SHA512: b5e548679e07b9ce5e074b1ee56da499d98c084d7de05bc89c6c78ba4293b83da10bb4a2bd22af8a9e5dfddc88abc883c07efb37d1f4f273772d3242c7ba3465

  • memory/1688-0-0x000000002F191000-0x000000002F192000-memory.dmp
    Filesize: 4KB

  • memory/1688-37-0x0000000070C6D000-0x0000000070C78000-memory.dmp
    Filesize: 44KB

  • memory/1688-2-0x0000000070C6D000-0x0000000070C78000-memory.dmp
    Filesize: 44KB

  • memory/1688-1-0x000000005FFF0000-0x0000000060000000-memory.dmp
    Filesize: 64KB