Analysis
-
max time kernel
117s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64 arch:x86 image:win7-20240221-en locale:en-us os:windows7-x64 system -
submitted
13-06-2024 02:39
Static task
static1
Behavioral task
behavioral1
Sample
a38fca264995aa49505ba8885d82df91_JaffaCakes118.rtf
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
a38fca264995aa49505ba8885d82df91_JaffaCakes118.rtf
Resource
win10v2004-20240508-en
General
-
Target
a38fca264995aa49505ba8885d82df91_JaffaCakes118.rtf
-
Size
385KB
-
MD5
a38fca264995aa49505ba8885d82df91
-
SHA1
a221e6de39137ea0fa0fc63dc29ea45d9402b407
-
SHA256
1825130b7f20a9b1b7c0ea8fcb5f5427d041c45a046bbfa1dbf1c0c19a4f7ef5
-
SHA512
ae5bc7a5c0b91e8b0629610e1f2534ffe515dcb6242b30917a2f9fa782e5322fd4bfbc5df0bea2069825dda7ca0a6697d61e51510e9e23503c8f5269d65cf337
-
SSDEEP
12288:QRoZ+Z/ideuN59QhVtn+IbcNypK+Gnu85iXOEuW:SFideur9Q1nZbc8pRt85G
Malware Config
Signatures
-
Process spawned unexpected child process 2 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
description | pid | pid_target | Process | procid_target
Parent C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process | 2724 | 1688 | cmd.exe | 27
Parent C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process | 2476 | 1688 | cmd.exe | 27
-
Executes dropped EXE 1 IoCs
pid | Process
1060 | saVer.scr
-
Loads dropped DLL 3 IoCs
pid | Process
2668 | cmd.exe
1060 | saVer.scr
1060 | saVer.scr
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Office loads VBA resources, possible macro or embedded object present
-
Delays execution with timeout.exe 1 IoCs
pid | Process
2664 | timeout.exe
-
Kills process with taskkill 1 IoCs
pid | Process
2564 | taskkill.exe
-
Modifies Internet Explorer settings
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote | WINWORD.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" | WINWORD.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" | WINWORD.EXE
Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Toolbar | WINWORD.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" | WINWORD.EXE
Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\MenuExt | WINWORD.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" | WINWORD.EXE
Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel | WINWORD.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" | WINWORD.EXE
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid | Process
1688 | WINWORD.EXE
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
description | pid | Process
Token: SeDebugPrivilege | 2564 | taskkill.exe
-
Suspicious use of SetWindowsHookEx 3 IoCs
pid | Process
1688 | WINWORD.EXE
1688 | WINWORD.EXE
1688 | WINWORD.EXE
-
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 1688 wrote to memory of 2724 | 1688 | WINWORD.EXE | 28
PID 1688 wrote to memory of 2724 | 1688 | WINWORD.EXE | 28
PID 1688 wrote to memory of 2724 | 1688 | WINWORD.EXE | 28
PID 1688 wrote to memory of 2724 | 1688 | WINWORD.EXE | 28
PID 2724 wrote to memory of 2648 | 2724 | cmd.exe | 30
PID 2724 wrote to memory of 2648 | 2724 | cmd.exe | 30
PID 2724 wrote to memory of 2648 | 2724 | cmd.exe | 30
PID 2724 wrote to memory of 2648 | 2724 | cmd.exe | 30
PID 2648 wrote to memory of 2668 | 2648 | cmd.exe | 31
PID 2648 wrote to memory of 2668 | 2648 | cmd.exe | 31
PID 2648 wrote to memory of 2668 | 2648 | cmd.exe | 31
PID 2648 wrote to memory of 2668 | 2648 | cmd.exe | 31
PID 1688 wrote to memory of 2476 | 1688 | WINWORD.EXE | 32
PID 1688 wrote to memory of 2476 | 1688 | WINWORD.EXE | 32
PID 1688 wrote to memory of 2476 | 1688 | WINWORD.EXE | 32
PID 1688 wrote to memory of 2476 | 1688 | WINWORD.EXE | 32
PID 2668 wrote to memory of 2664 | 2668 | cmd.exe | 34
PID 2668 wrote to memory of 2664 | 2668 | cmd.exe | 34
PID 2668 wrote to memory of 2664 | 2668 | cmd.exe | 34
PID 2668 wrote to memory of 2664 | 2668 | cmd.exe | 34
PID 2476 wrote to memory of 2624 | 2476 | cmd.exe | 35
PID 2476 wrote to memory of 2624 | 2476 | cmd.exe | 35
PID 2476 wrote to memory of 2624 | 2476 | cmd.exe | 35
PID 2476 wrote to memory of 2624 | 2476 | cmd.exe | 35
PID 2668 wrote to memory of 2564 | 2668 | cmd.exe | 36
PID 2668 wrote to memory of 2564 | 2668 | cmd.exe | 36
PID 2668 wrote to memory of 2564 | 2668 | cmd.exe | 36
PID 2668 wrote to memory of 2564 | 2668 | cmd.exe | 36
PID 2668 wrote to memory of 2864 | 2668 | cmd.exe | 38
PID 2668 wrote to memory of 2864 | 2668 | cmd.exe | 38
PID 2668 wrote to memory of 2864 | 2668 | cmd.exe | 38
PID 2668 wrote to memory of 2864 | 2668 | cmd.exe | 38
PID 2668 wrote to memory of 2912 | 2668 | cmd.exe | 39
PID 2668 wrote to memory of 2912 | 2668 | cmd.exe | 39
PID 2668 wrote to memory of 2912 | 2668 | cmd.exe | 39
PID 2668 wrote to memory of 2912 | 2668 | cmd.exe | 39
PID 2912 wrote to memory of 1880 | 2912 | cmd.exe | 40
PID 2912 wrote to memory of 1880 | 2912 | cmd.exe | 40
PID 2912 wrote to memory of 1880 | 2912 | cmd.exe | 40
PID 2912 wrote to memory of 1880 | 2912 | cmd.exe | 40
PID 2668 wrote to memory of 2176 | 2668 | cmd.exe | 41
PID 2668 wrote to memory of 2176 | 2668 | cmd.exe | 41
PID 2668 wrote to memory of 2176 | 2668 | cmd.exe | 41
PID 2668 wrote to memory of 2176 | 2668 | cmd.exe | 41
PID 2668 wrote to memory of 2876 | 2668 | cmd.exe | 42
PID 2668 wrote to memory of 2876 | 2668 | cmd.exe | 42
PID 2668 wrote to memory of 2876 | 2668 | cmd.exe | 42
PID 2668 wrote to memory of 2876 | 2668 | cmd.exe | 42
PID 2876 wrote to memory of 1728 | 2876 | cmd.exe | 43
PID 2876 wrote to memory of 1728 | 2876 | cmd.exe | 43
PID 2876 wrote to memory of 1728 | 2876 | cmd.exe | 43
PID 2876 wrote to memory of 1728 | 2876 | cmd.exe | 43
PID 2668 wrote to memory of 2240 | 2668 | cmd.exe | 44
PID 2668 wrote to memory of 2240 | 2668 | cmd.exe | 44
PID 2668 wrote to memory of 2240 | 2668 | cmd.exe | 44
PID 2668 wrote to memory of 2240 | 2668 | cmd.exe | 44
PID 2668 wrote to memory of 2420 | 2668 | cmd.exe | 45
PID 2668 wrote to memory of 2420 | 2668 | cmd.exe | 45
PID 2668 wrote to memory of 2420 | 2668 | cmd.exe | 45
PID 2668 wrote to memory of 2420 | 2668 | cmd.exe | 45
PID 2420 wrote to memory of 1848 | 2420 | cmd.exe | 46
PID 2420 wrote to memory of 1848 | 2420 | cmd.exe | 46
PID 2420 wrote to memory of 1848 | 2420 | cmd.exe | 46
PID 2420 wrote to memory of 1848 | 2420 | cmd.exe | 46
Processes
-
Process tree (the bracketed number and the indentation give the depth; each entry lists the image path, the command line, the signatures it triggered and its PID):

[1] C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    Command line: "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\a38fca264995aa49505ba8885d82df91_JaffaCakes118.rtf"
    - Modifies Internet Explorer settings
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID: 1688

  [2] C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /C CmD < "C:\Users\Admin\AppData\Local\Temp\ufFm.cMD"
      - Process spawned unexpected child process
      - Suspicious use of WriteProcessMemory
      PID: 2724

    [3] C:\Windows\SysWOW64\cmd.exe
        Command line: CmD
        - Suspicious use of WriteProcessMemory
        PID: 2648

      [4] C:\Windows\SysWOW64\cmd.exe
          Command line: C:\Windows\system32\cmd.exe /K i1mzn.cmd
          - Loads dropped DLL
          - Suspicious use of WriteProcessMemory
          PID: 2668

        [5] C:\Windows\SysWOW64\timeout.exe
            Command line: TIMEOUT /T 1
            - Delays execution with timeout.exe
            PID: 2664

        [5] C:\Windows\SysWOW64\taskkill.exe
            Command line: TASkKILL /F /IM winword.exe
            - Kills process with taskkill
            - Suspicious use of AdjustPrivilegeToken
            PID: 2564

        [5] C:\Windows\SysWOW64\reg.exe
            Command line: reg delete HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\11.0\Word\Resiliency /f
            PID: 2864

        [5] C:\Windows\SysWOW64\cmd.exe
            Command line: C:\Windows\system32\cmd.exe /c REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\11.0\Word\File MRU" /v "Item 1"
            - Suspicious use of WriteProcessMemory
            PID: 2912

          [6] C:\Windows\SysWOW64\reg.exe
              Command line: REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\11.0\Word\File MRU" /v "Item 1"
              PID: 1880

        [5] C:\Windows\SysWOW64\reg.exe
            Command line: reg delete HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\12.0\Word\Resiliency /f
            PID: 2176

        [5] C:\Windows\SysWOW64\cmd.exe
            Command line: C:\Windows\system32\cmd.exe /c REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\12.0\Word\File MRU" /v "Item 1"
            - Suspicious use of WriteProcessMemory
            PID: 2876

          [6] C:\Windows\SysWOW64\reg.exe
              Command line: REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\12.0\Word\File MRU" /v "Item 1"
              PID: 1728

        [5] C:\Windows\SysWOW64\reg.exe
            Command line: reg delete HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\13.0\Word\Resiliency /f
            PID: 2240

        [5] C:\Windows\SysWOW64\cmd.exe
            Command line: C:\Windows\system32\cmd.exe /c REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\13.0\Word\File MRU" /v "Item 1"
            - Suspicious use of WriteProcessMemory
            PID: 2420

          [6] C:\Windows\SysWOW64\reg.exe
              Command line: REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\13.0\Word\File MRU" /v "Item 1"
              PID: 1848

        [5] C:\Windows\SysWOW64\reg.exe
            Command line: reg delete HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\14.0\Word\Resiliency /f
            PID: 1536

        [5] C:\Windows\SysWOW64\cmd.exe
            Command line: C:\Windows\system32\cmd.exe /c REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\14.0\Word\File MRU" /v "Item 1"
            PID: 1612

          [6] C:\Windows\SysWOW64\reg.exe
              Command line: REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\14.0\Word\File MRU" /v "Item 1"
              PID: 812

        [5] C:\Windows\SysWOW64\reg.exe
            Command line: reg delete HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Word\Resiliency /f
            PID: 624

        [5] C:\Windows\SysWOW64\cmd.exe
            Command line: C:\Windows\system32\cmd.exe /c REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Word\File MRU" /v "Item 1"
            PID: 1656

          [6] C:\Windows\SysWOW64\reg.exe
              Command line: REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Word\File MRU" /v "Item 1"
              PID: 1900

        [5] C:\Windows\SysWOW64\reg.exe
            Command line: reg delete HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Word\Resiliency /f
            PID: 2000

        [5] C:\Windows\SysWOW64\cmd.exe
            Command line: C:\Windows\system32\cmd.exe /c REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Word\File MRU" /v "Item 1"
            PID: 2248

          [6] C:\Windows\SysWOW64\reg.exe
              Command line: REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Word\File MRU" /v "Item 1"
              PID: 1572

        [5] C:\Users\Admin\AppData\Local\Temp\saVer.scr
            Command line: "C:\Users\Admin\AppData\Local\Temp\saver.scr"
            - Executes dropped EXE
            - Loads dropped DLL
            PID: 1060

  [2] C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /C CmD < "C:\Users\Admin\AppData\Local\Temp\ufFm.cMD"
      - Process spawned unexpected child process
      - Suspicious use of WriteProcessMemory
      PID: 2476

    [3] C:\Windows\SysWOW64\cmd.exe
        Command line: CmD
        PID: 2624
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
1B
MD5
69691c7bdcc3ce6d5d8a1361f22d04ac
SHA1
c63ae6dd4fc9f9dda66970e827d13f7c73fe841c
SHA256
08f271887ce94707da822d5263bae19d5519cb3614e0daedc4c7ce5dab7473f1
SHA512
253405e03b91441a6dd354a9b72e040068b1bfe10e83eb1a64a086c05525d8ccae2bf09130c624af50d55c3522a4fbb7c18cfc8dd843e5f4801d9ad2b5164b12
-
Filesize
179KB
MD5
e126db86905556df3cdad9fcab6f9130
SHA1
ad170e77e638ac2226e32d0297cbe94dc99f9ce0
SHA256
4c2a000ad20f7528045ba87aa980c8a3a0163af02ae59c49fe98e1d4bf2cca5b
SHA512
47bd1d18329626c2f21066d30a236b7974080d4e7c2bf58faff790ed54dcd636874fbaa006b368ee841751de6d97b3cbfba6d4c2079117e2cfe975e99a24cc4c
-
Filesize
709B
MD5
3f6c055f08307544f6fe6ac19a03b181
SHA1
4ea11b83b86134a7d32b7930ed76e6a8a6914975
SHA256
eb9cc5ee32cd67cacf113b343e89d5daeab0cb007fa6904fcfa1fcab9c1d6816
SHA512
780384f4a9985232766153b6fbadba18e74867fcdfac35d7dbd856cf612d5b2e32e12e2e8e040116240a827cf8e74fbe99063fd18423cb65b6ad590ec40aea64
-
Filesize
814B
MD5
8d8871b5077b8d24496b975a2f82719e
SHA1
f9e34d642cb2c81e2ee8a5a68a5398729932b013
SHA256
2aaddaaab59be3fc98cc976f878e92d9080c502d612cc42608697240044f3dc0
SHA512
9e62b2413113344cf3b9bf65a6175ee8767fc7fe61265f700ad11344700f4fad623ee2b55144df5db333b12ebeedebdd01e62281b1130a869b48cf92346c4ff5
-
Filesize
185B
MD5
7b79ef1ecd4962abf5654e45c6008d5f
SHA1
db6f36000caa7e8853490551a071b3ad28e07108
SHA256
2e4d750174a9f30bb6cf2a1c3df497368d1f9c4537e96293c3a53d07b4d12c93
SHA512
d2f6b1a262bac40c8ed5e324b014862db4dd603d4a51242c87f9e7889935b21555f9cffddf05d19514fb8c79a99dcc04ee8bd299298c5c75469be4088adf1260
-
Filesize
408B
MD5
b3129b6a95db680cf911660ab17d7a13
SHA1
3c1a4fa57b8eb5d7655f6674718b331d1178ebce
SHA256
56232b5be28b819dc07af5450612928f51fe29cfaa6bfe86a3dfdbfc3c5ee3b2
SHA512
9d41200000dc3fc9f5aa0f9e7090ff8ad56befd9a06fec202eff9b3d2a48404b65e41bdf6d568633a05c33552c40c15defa286bfac70eff5ff622a5b7bcb3114
-
Filesize
11KB
MD5
75ed96254fbf894e42058062b4b4f0d1
SHA1
996503f1383b49021eb3427bc28d13b5bbd11977
SHA256
a632d74332b3f08f834c732a103dafeb09a540823a2217ca7f49159755e8f1d7
SHA512
58174896db81d481947b8745dafe3a02c150f3938bb4543256e8cce1145154e016d481df9fe68dac6d48407c62cbe20753320ebd5fe5e84806d07ce78e0eb0c4
-
Filesize
56KB
MD5
852ec2df4ae0bcc4d915956e9f811eb4
SHA1
f5d76bca6c260f7f461d089f2ecdef1c3b358122
SHA256
e113671c7db918867e70572e775ad5b753836b604d5e2501c00e3e5055a3dabe
SHA512
a365bf63605e445ba9ab2bdbcfbb98b18c3f72ee852d7b9fd49e21e07bc6c42d0315d5235e979071e6793a7348ce78adc91c601667545f092bc90c5218941899
-
Filesize
179KB
MD5
924f5405bafeff937920173811dec467
SHA1
5ae0cdd62bf15121de3da44fc2b950ab9c212335
SHA256
aa76ba33203d6cbd9796df14208fb74b85863816a380009b3dce8f2ffa9417e0
SHA512
b5e548679e07b9ce5e074b1ee56da499d98c084d7de05bc89c6c78ba4293b83da10bb4a2bd22af8a9e5dfddc88abc883c07efb37d1f4f273772d3242c7ba3465