Overview

overview

7

Static

static

1

0b421158b4...8.docm

windows7-x64

7

0b421158b4...8.docm

windows10-2004-x64

1

Analysis

  • max time kernel
    121s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
  • submitted
    24/06/2024, 23:29

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    0b421158b4446e71a29bb984e676203b_JaffaCakes118.docm

  • Size

    166KB

  • MD5

    0b421158b4446e71a29bb984e676203b

  • SHA1

    85ed3ce00ae8451187af4cbdacd5d4cd8058ea53

  • SHA256

    cc08c6c000650dacf80deb89af139bc0cfdfef52abe8e67aba288ab2fa428f34

  • SHA512

    598c85cc7b5a39f138cd79587fcdfa99ffac7bfbfb974fdbda7af12c9b164942487052d58a8e1d6bfca383d6f013955e4a34b09641ab26f73538327a1c073f05

  • SSDEEP

    3072:UyvES1XRJHB2yrlqx1Jxh3Sc7g2QhxmKiIrUl9ugcnSE4BcyYbbSa5haqbk:UysmXReuGJ3ZsqK5UknSnbgho

Score
7/10

Malware Config

Signatures

  • Abuses OpenXML format to download file from external location 2 IoCs
  • Drops file in Windows directory 1 IoCs
  • Office loads VBA resources, possible macro or embedded object present
  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
    adwarespyware
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\0b421158b4446e71a29bb984e676203b_JaffaCakes118.docm"
    1⤵
    • Abuses OpenXML format to download file from external location
    • Drops file in Windows directory
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2916
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      2⤵
        PID:2924

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{BDB2EFE6-ED46-499C-AC41-D9AE81C2374D}.FSD
      Filesize

      128KB

      MD5

      4e094a9f74b9dd617a58d51b8dad7716

      SHA1

      bab739591f91d90c33a3c0161b0ad3d5ef375af4

      SHA256

      51d77c5161e0f9ba2cf25073fcc8e1463df99bcb5d23786b7af31c8a1277d64a

      SHA512

      0ce37367366fa9d06b093dc07fccf7bd4c01df1242ff9c47c523f53fd3fab06e8ec0df261922ad6ec46b61aefb7f950f9844eb6a9e929101d8180634543bf4e1

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD
      Filesize

      128KB

      MD5

      21e0a2de87ecb28d19a7df7282082f23

      SHA1

      5c7eb5f2cefd0cf5a3fcf357cb20b31d8c4a0adb

      SHA256

      352457098e1b4ce870b9799689d4bcc11d7bb7ed0c3763fd1c56ff93537ba113

      SHA512

      0f926d0fc861d1b5de761e98bc255c94c73faa65727ca0b1d5c83f4c3287838de3f27b7b8a8fdb297e86c34e3e7a2e66aca50d0873cddc9a12913238453fe46e

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{0195E376-6FCC-44C4-B660-1F55DBBBC6A0}.FSD
      Filesize

      128KB

      MD5

      ebf18266004e8908a0bde96bcb2a0f83

      SHA1

      bafebb31cd07a820f7a5a0f88c787f870395d4f6

      SHA256

      ad394fe1552d69c121d56a4fbbd5db202c12889be4a657103762f7379dae31c6

      SHA512

      a7d166b98b88ca2550d08c1ddf5038c9561d79f2e7e557d4ee18fe504882d96ad2d954e690b96777bf1be909dc8c191dd404508bcc5b759b2eae72df691040c3

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\{0CAC5074-AC55-4A6D-9A25-41387470BEF7}
      Filesize

      128KB

      MD5

      796d2a818a3db281f7fab16df3881abb

      SHA1

      671fcc269d9ab21e3f1e82a2442ba389d178ecbd

      SHA256

      f7130743ae6fe7fb44f8707090a488f0ff834c71883622ad09c46b2947567781

      SHA512

      9409595f797f456e413a3f644d1c26760f3106feb6c687225fd23cd23a6c0b8c8bbfa5184feb2976a198449e8264a56747f0c68265463fe471450120e2ff9c7c

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm
      Filesize

      20KB

      MD5

      caaede0803ebb2c16ce6c70b8e574f40

      SHA1

      2d2bb336d28d3a776b66247b2ecb04f0eab16713

      SHA256

      bdf7647b905cb9324da3fe5bdff680d576405aaca2607d95578ea1f9ea375076

      SHA512

      9c6c8ecd6ae5c5eed1f400db1e7630ff0a0ff256b8480f0a655882f147ae953ed49f970925d8b961aa997fb083e2c8c1cbf3432c67301d0964ce709d7dd4e14a

      Download Submit

    • memory/2916-0-0x000000002F1D1000-0x000000002F1D2000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2916-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2916-2-0x0000000070C3D000-0x0000000070C48000-memory.dmp

      Filesize

      44KB

      Download

    • memory/2916-62-0x0000000070C3D000-0x0000000070C48000-memory.dmp

      Filesize

      44KB

      Download

    • memory/2916-94-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2916-95-0x0000000070C3D000-0x0000000070C48000-memory.dmp

      Filesize

      44KB

      Download