Malware Analysis Report

2024-10-16 02:52

Sample ID 240624-w9cqcazejq
Target 0a2ca4dfeb6fb200fdb264593ebb3add_JaffaCakes118
SHA256 1cf48d24a4f484c485f7160ee6717280ca8ae1d3daf01226c40bbde2ae715c0e
Tags
macro macro_on_action
score
8/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
8/10

SHA256

1cf48d24a4f484c485f7160ee6717280ca8ae1d3daf01226c40bbde2ae715c0e

Threat Level: Likely malicious

The file 0a2ca4dfeb6fb200fdb264593ebb3add_JaffaCakes118 was found to be: Likely malicious.

Malicious Activity Summary

macro macro_on_action

Office macro that triggers on suspicious action

Suspicious Office macro

Abuses OpenXML format to download file from external location

Drops file in Windows directory

Office loads VBA resources, possible macro or embedded object present

Modifies Internet Explorer settings

Modifies registry class

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Checks processor information in registry

Enumerates system info in registry

Suspicious behavior: AddClipboardFormatListener

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-24 18:36

Signatures

Office macro that triggers on suspicious action

macro macro_on_action
Description Indicator Process Target
N/A N/A N/A N/A

Suspicious Office macro

macro
Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-24 18:36

Reported

2024-06-24 18:39

Platform

win7-20240508-en

Max time kernel

147s

Max time network

146s

Command Line

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\0a2ca4dfeb6fb200fdb264593ebb3add_JaffaCakes118.doc"

Signatures

Abuses OpenXML format to download file from external location

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Office\Common\Offline\Files\https://intellimagi.com/lli.php?Vgr1Tjy3LJRCqiPWfIuKWbXliWFaC0be:Gf719055 C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key opened \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Office\Common\Offline\Files\https://intellimagi.com/lli.php?Vgr1Tjy3LJRCqiPWfIuKWbXliWFaC0be:Gf719055 C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key opened \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Office\14.0\Common C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Debug\WIA\wiatrace.log C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Office loads VBA resources, possible macro or embedded object present

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\MenuExt C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Modifies registry class

Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Wow6432Node\Interface\{04598FC6-866C-11CF-AB7C-00AA00C08FCF} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Wow6432Node\Interface\{79176FB2-B7F2-11CE-97EF-00AA006D2776}\ = "SpinbuttonEvents" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E3D8A62F-DE28-465B-A8E2-FCC28C36B823}\2.0 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Interface\{04598FC7-866C-11CF-AB7C-00AA00C08FCF} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Wow6432Node\Interface\{47FF8FE8-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents9" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E3D8A62F-DE28-465B-A8E2-FCC28C36B823}\2.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\VBE\\MSForms.exd" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Wow6432Node\Interface\{8BD21D12-EC42-11CE-9E0D-00AA006002F3}\ = "MdcTextEvents" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Interface\{8BD21D22-EC42-11CE-9E0D-00AA006002F3} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Interface\{47FF8FE6-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents7" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\TypeLib\{E3D8A62F-DE28-465B-A8E2-FCC28C36B823}\2.0\FLAGS C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Interface\{BEF6E003-A874-101A-8BBA-00AA00300CAB} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Wow6432Node\Interface\{EC72F590-F375-11CE-B9E8-00AA006B1A69} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Interface\{04598FC4-866C-11CF-AB7C-00AA00C08FCF}\ = "ICommandButton" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Wow6432Node\Interface\{8BD21D32-EC42-11CE-9E0D-00AA006002F3} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E3D8A62F-DE28-465B-A8E2-FCC28C36B823} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Interface\{8BD21D62-EC42-11CE-9E0D-00AA006002F3}\ = "MdcToggleButtonEvents" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Interface\{04598FC1-866C-11CF-AB7C-00AA00C08FCF}\ = "ILabelControl" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Interface\{04598FC9-866C-11CF-AB7C-00AA00C08FCF} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Wow6432Node\Interface\{04598FC7-866C-11CF-AB7C-00AA00C08FCF}\ = "Controls" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Interface\{5512D11B-5CC6-11CF-8D67-00AA00BDCE1D} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Interface\{8BD21D22-EC42-11CE-9E0D-00AA006002F3}\ = "MdcListEvents" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Interface\{CF3F94A0-F546-11CE-9BCE-00AA00608E01} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Interface\{47FF8FE8-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents9" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E3D8A62F-DE28-465B-A8E2-FCC28C36B823}\2.0\ = "Microsoft Forms 2.0 Object Library" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Interface\{5512D119-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLOption" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Interface\{7B020EC2-AF6C-11CE-9F46-00AA00574A4F}\ = "ScrollbarEvents" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E3D8A62F-DE28-465B-A8E2-FCC28C36B823}\2.0\0\win32 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Wow6432Node\Interface\{A38BFFC3-A5A0-11CE-8107-00AA00611080}\ = "Tab" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Wow6432Node\Interface\{978C9E22-D4B0-11CE-BF2D-00AA003F40D0} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Interface\{8BD21D12-EC42-11CE-9E0D-00AA006002F3}\ = "MdcTextEvents" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Interface\{79176FB3-B7F2-11CE-97EF-00AA006D2776}\ = "ISpinbutton" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Interface\{79176FB2-B7F2-11CE-97EF-00AA006D2776} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Interface\{EC72F590-F375-11CE-B9E8-00AA006B1A69} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Wow6432Node\Interface\{5512D11F-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLPassword" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Interface\{796ED650-5FE9-11CF-8D68-00AA00BDCE1D} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\TypeLib\{E3D8A62F-DE28-465B-A8E2-FCC28C36B823}\2.0\0\win32 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Interface\{8BD21D63-EC42-11CE-9E0D-00AA006002F3}\ = "IMdcToggleButton" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Interface\{7B020EC1-AF6C-11CE-9F46-00AA00574A4F}\ = "CommandButtonEvents" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\ShellEx C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon\ = "\"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Wow6432Node\Interface\{EC72F590-F375-11CE-B9E8-00AA006B1A69}\ = "IDataAutoWrapper" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Wow6432Node\Interface\{5512D115-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLReset" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Interface\{7B020EC8-AF6C-11CE-9F46-00AA00574A4F}\ = "MultiPageEvents" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E3D8A62F-DE28-465B-A8E2-FCC28C36B823}\2.0\HELPDIR C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Interface\{82B02371-B5BC-11CF-810F-00A0C9030074}\ = "IReturnBoolean" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Wow6432Node\Interface\{BEF6E003-A874-101A-8BBA-00AA00300CAB} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A

Processes

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\0a2ca4dfeb6fb200fdb264593ebb3add_JaffaCakes118.doc"

C:\Windows\splwow64.exe

C:\Windows\splwow64.exe 12288

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 intellimagi.com udp
US 8.8.8.8:53 intellimagi.com udp
US 8.8.8.8:53 intellimagi.com udp

Files

memory/2896-0-0x000000002FA41000-0x000000002FA42000-memory.dmp

memory/2896-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

memory/2896-2-0x0000000070FDD000-0x0000000070FE8000-memory.dmp

memory/2896-11-0x0000000070FDD000-0x0000000070FE8000-memory.dmp

memory/2896-61-0x0000000004DB0000-0x0000000004EB0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\{61CEB773-D649-4494-B618-2D7F707058B1}

MD5 2f1bbe579069f6fde21a093a4c1b7e0b
SHA1 411f8af0eb1527e42a4f1af64a5924f0b789a1d1
SHA256 fa976cff2583e5d71489cbaa2bd7090f90657fd0310a51f6f889a4ffb3053da8
SHA512 4e47f77d62b5157b02c7dff11c966686fcbd869b6acf188162bc3e5001531c67dc26eecf3789bb81ca72a6a9702cb4b63ab4477fb3e187de67e19db34254d3bc

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{B2DBC54F-F0A5-4A45-B597-1F89EF9CDA24}.FSD

MD5 87b4dfe0d1b9ca35b99c59546736952c
SHA1 df9f67d2bcef7a43ec3d476dd1f893009d5c3ac4
SHA256 cd9478cea9e2d256b5922c4867610d105111f7eeec88d768d77743ff231bff4f
SHA512 cfeb64d2174c4ac7d97aedc6e756b4c504f1adc9146d98c5f5883adf2efe8a9cee89ebd0695179cf3434da27fdcaf4ff3045aafa7f38859ba64d7399f4d1d66b

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD

MD5 b3344d5604bf1519b2dbce5d679308ff
SHA1 cc3f8296e912bcf06ea0caf18cb5d3dfe773e3ac
SHA256 2e27ae29181ccf7438e15d4b8afe98b516263e12b76be4c900f30bf32d651c36
SHA512 cc1d39922b59d8057b5f874c02d0ca7eae275f3022a740eb735c3c153e985db259f90ee279e6c40b79b15d41d7643c015edf2f9fface8e26e0a7ed63b4966b0b

memory/2896-573-0x0000000004DB0000-0x0000000004EB0000-memory.dmp

memory/2896-574-0x000000000F350000-0x000000000F450000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Office\MSO1033.acl

MD5 69c266548d1b30386a8cb3627e2d4dab
SHA1 daa86bcd73d5a4a494a4a122452ce03652ecd44e
SHA256 b2ab6a748cbb6dd2801d3a47631dd149ce490f74604b8ab54aad29c989da7dc2
SHA512 fc8cc252375b7b66bece26d5ab881a5a77e51bac6bde6bc5d68d9598db3a460e1d8f7c4342d725b62a249a6d83612dcf56ec27b49d512813304eb5f16ed1d0be

memory/316-1017-0x000000005FFF0000-0x0000000060000000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

MD5 24a7b2778728d8709ef207ac5199bdc7
SHA1 16a5854c798803a3cb24c4d728df62093d1c43ea
SHA256 1510d5bdf826efa1d59e3186c26e4c3cd878a82ea9d2f6a6be3bb3ab955fab17
SHA512 531f911054111466d8c8af7e6f2078a8969e7e36188b4affe1004a5354d2481b4f2667e745a1abe6dc5f67973a4f13023e2801154b0eb4fb4c0d5c5a0ff50906

C:\Users\Admin\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC

MD5 f3b25701fe362ec84616a93a45ce9998
SHA1 d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256 b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA512 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

C:\Users\Admin\AppData\Local\Temp\VBE\MSForms.exd

MD5 089239942684c2174caecc1854936ce2
SHA1 51b49806880d7c42a7471aa99b6f54cc138d58f9
SHA256 de01f47953600828db74c21d5ea657488a2714d51ef49f838cd53d43c437debb
SHA512 cdeacd7d71f69919043c75a9c856340dd04b6816de2ebb8862ddb55b43d8dc428150b7b0eea51b32a4a27618d8fe0f17ca839baa2953a260b6acb707c67c6e32

memory/2952-1042-0x0000000000640000-0x0000000000740000-memory.dmp

memory/2952-1041-0x0000000000640000-0x0000000000740000-memory.dmp

memory/2952-1040-0x0000000000640000-0x0000000000740000-memory.dmp

memory/2952-1039-0x0000000000640000-0x0000000000740000-memory.dmp

memory/2952-1038-0x0000000000640000-0x0000000000740000-memory.dmp

memory/2952-1037-0x0000000000640000-0x0000000000740000-memory.dmp

memory/2952-1036-0x0000000000640000-0x0000000000740000-memory.dmp

memory/2952-1035-0x0000000000640000-0x0000000000740000-memory.dmp

memory/2952-1034-0x0000000000640000-0x0000000000740000-memory.dmp

memory/2952-1033-0x0000000000640000-0x0000000000740000-memory.dmp

memory/2952-1081-0x0000000000640000-0x0000000000740000-memory.dmp

memory/2952-1150-0x0000000000640000-0x0000000000740000-memory.dmp

memory/2952-1104-0x0000000000640000-0x0000000000740000-memory.dmp

memory/2952-1056-0x0000000000640000-0x0000000000740000-memory.dmp

memory/2952-1055-0x0000000000640000-0x0000000000740000-memory.dmp

memory/2952-1054-0x0000000000640000-0x0000000000740000-memory.dmp

memory/2952-1053-0x0000000000640000-0x0000000000740000-memory.dmp

memory/2952-1052-0x0000000000640000-0x0000000000740000-memory.dmp

memory/2952-1051-0x0000000000640000-0x0000000000740000-memory.dmp

memory/2952-1050-0x0000000000640000-0x0000000000740000-memory.dmp

memory/2952-1049-0x0000000000640000-0x0000000000740000-memory.dmp

memory/2952-1048-0x0000000000640000-0x0000000000740000-memory.dmp

memory/2952-1047-0x0000000000640000-0x0000000000740000-memory.dmp

memory/2952-1046-0x0000000000640000-0x0000000000740000-memory.dmp

memory/2952-1045-0x0000000000640000-0x0000000000740000-memory.dmp

memory/2952-1044-0x0000000000640000-0x0000000000740000-memory.dmp

memory/2952-1043-0x0000000000640000-0x0000000000740000-memory.dmp

memory/2952-1095-0x0000000000640000-0x0000000000740000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{F95257E1-D2D3-46CE-888D-87ECA2DE168C}.FSD

MD5 c668cac175c60917e0699dc118e7edcf
SHA1 b4c100b50bd9a41a15b171c562d1aab33abcddda
SHA256 ce61fdd80a9b3c7a931d341cc220787aed40c34acdd62fc0dda770d407d2db82
SHA512 098e756080d068d6f34a78c0003aa9ef93658868ae39e6d5bfd7ac6069161e27a79284db4b593f6a735871dab86fa80e80f38568ffd8370e1a52c2e4b1fd669c

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSF-{0E1EEE64-E8C6-4E2A-9759-63CF07FD8988}.FSF

MD5 d6f0ac0fd1c45b08c9be7ff4be3e1cd1
SHA1 ecdec2d07983326dc818306075b4074ecf478fec
SHA256 01d9cf34adce775d74fb4f8859a25493cb57e6da06634260fae9309428d33c86
SHA512 b3ca157c720b982dcc4a8ccb2ae6d93885513089fbf35b9a08214a78e63d9841987b29ef1c2abc3d0b573925a8f2df0d9a6318e885dda51a5b7b40b22e3ff610

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD

MD5 b2191f329a60c05427c29cc79764e928
SHA1 15cade5b915487cacb1edc488521f2be0074257c
SHA256 9c98f4790ee7f8826f38be6a280f4f1274838f739fd79249ae793814a359ba7c
SHA512 aa4d2e00f38991e5d311e7791f44bf2b784858dfb29dad29a3014c6a8343184680956378238b3f5706812dddc4cae65ed976efba581d4c8404b1f602c42a2efb

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{B2DBC54F-F0A5-4A45-B597-1F89EF9CDA24}.FSD

MD5 e0924a8bdc929cc5a04088de6d0de06c
SHA1 cf2c27dfcbac9302580ffe2d87ade189aa8d321d
SHA256 d93ac54e8f5e2ede795e1dc081f5ead155281f2e7b73c0928c65d94377c8f452
SHA512 251f7afd873d5e4d153fe2a638ac292a305b33a54ae1103d411c5a3485817ae6ddda7debcb6506353fcdb2f1c7e307b5ab55f02a3af41087ad046fca01a2cadd

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSF-CTBL.FSF

MD5 cad50a39c2f48d4b2d96d9434462f4f6
SHA1 08ec42d0fe868d78727f58277eb61d9693066b52
SHA256 d97427088874da8b45c0214f5b98f09c71354858aa1c78bb9fbb3acce8ff244f
SHA512 7b2b374c8a67c4e7a44b41b840d416c27c63627833f8b01275f47b68c2ae3c4a7e5ed5b25af682150eafe23e64956e97b0ecf5707afd156200ae5ebbfc39527f

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-CNRY.FSD

MD5 0263b709b3d06e1b103554aa92c87930
SHA1 f9538a3c21b46739481bdbe05fb15e31c91c04f3
SHA256 0d8c0f5c2c8b56a00edeae9ceadb9ad301b873ea25da12db4149959440adec0f
SHA512 c3688077fc09b40ff7436c648acfe601d0dfc1b93bc661a963cbfddce619b4296e21fe6927ded0ca0b417819e73dc373278b4149d6d40a9c6136d5846cc6ce12

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-24 18:36

Reported

2024-06-24 18:39

Platform

win10v2004-20240611-en

Max time kernel

148s

Max time network

151s

Command Line

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\0a2ca4dfeb6fb200fdb264593ebb3add_JaffaCakes118.doc" /o ""

Signatures

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeAuditPrivilege N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Token: SeAuditPrivilege N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Token: SeAuditPrivilege N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Processes

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\0a2ca4dfeb6fb200fdb264593ebb3add_JaffaCakes118.doc" /o ""

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /Automation -Embedding

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 roaming.officeapps.live.com udp
IE 52.109.76.243:443 roaming.officeapps.live.com tcp
US 8.8.8.8:53 97.32.109.52.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 243.76.109.52.in-addr.arpa udp
US 8.8.8.8:53 97.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 134.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 97.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 28.73.42.20.in-addr.arpa udp
US 8.8.8.8:53 metadata.templates.cdn.office.net udp
NL 23.62.61.162:443 metadata.templates.cdn.office.net tcp
US 8.8.8.8:53 binaries.templates.cdn.office.net udp
US 2.17.251.17:443 binaries.templates.cdn.office.net tcp
US 2.17.251.17:443 binaries.templates.cdn.office.net tcp
US 2.17.251.17:443 binaries.templates.cdn.office.net tcp
US 2.17.251.17:443 binaries.templates.cdn.office.net tcp
US 2.17.251.17:443 binaries.templates.cdn.office.net tcp
US 2.17.251.17:443 binaries.templates.cdn.office.net tcp
US 2.17.251.17:443 binaries.templates.cdn.office.net tcp
US 2.17.251.17:443 binaries.templates.cdn.office.net tcp
US 2.17.251.17:443 binaries.templates.cdn.office.net tcp
US 2.17.251.17:443 binaries.templates.cdn.office.net tcp
US 2.17.251.17:443 binaries.templates.cdn.office.net tcp
US 2.17.251.17:443 binaries.templates.cdn.office.net tcp
US 2.17.251.17:443 binaries.templates.cdn.office.net tcp
US 2.17.251.17:443 binaries.templates.cdn.office.net tcp
US 2.17.251.17:443 binaries.templates.cdn.office.net tcp
US 2.17.251.17:443 binaries.templates.cdn.office.net tcp
US 2.17.251.17:443 binaries.templates.cdn.office.net tcp
US 2.17.251.17:443 binaries.templates.cdn.office.net tcp
US 2.17.251.17:443 binaries.templates.cdn.office.net tcp
US 2.17.251.17:443 binaries.templates.cdn.office.net tcp
US 2.17.251.17:443 binaries.templates.cdn.office.net tcp
US 2.17.251.17:443 binaries.templates.cdn.office.net tcp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 2.17.251.17:443 binaries.templates.cdn.office.net tcp
US 2.17.251.17:443 binaries.templates.cdn.office.net tcp
US 2.17.251.17:443 binaries.templates.cdn.office.net tcp
US 2.17.251.17:443 binaries.templates.cdn.office.net tcp
US 2.17.251.17:443 binaries.templates.cdn.office.net tcp
US 2.17.251.17:443 binaries.templates.cdn.office.net tcp
US 2.17.251.17:443 binaries.templates.cdn.office.net tcp
US 2.17.251.17:443 binaries.templates.cdn.office.net tcp
US 2.17.251.17:443 binaries.templates.cdn.office.net tcp
US 2.17.251.17:443 binaries.templates.cdn.office.net tcp
US 2.17.251.17:443 binaries.templates.cdn.office.net tcp
US 2.17.251.17:443 binaries.templates.cdn.office.net tcp
US 2.17.251.17:443 binaries.templates.cdn.office.net tcp
US 2.17.251.17:443 binaries.templates.cdn.office.net tcp
US 2.17.251.17:443 binaries.templates.cdn.office.net tcp
US 2.17.251.17:443 binaries.templates.cdn.office.net tcp
US 2.17.251.17:443 binaries.templates.cdn.office.net tcp
US 2.17.251.17:443 binaries.templates.cdn.office.net tcp
US 2.17.251.17:443 binaries.templates.cdn.office.net tcp
US 8.8.8.8:53 162.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 17.251.17.2.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 101.58.20.217.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 intellimagi.com udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp
US 8.8.8.8:53 25.173.189.20.in-addr.arpa udp
US 8.8.8.8:53 intellimagi.com udp

Files

memory/732-1-0x00007FFCC9890000-0x00007FFCC98A0000-memory.dmp

memory/732-0-0x00007FFCC9890000-0x00007FFCC98A0000-memory.dmp

memory/732-3-0x00007FFCC9890000-0x00007FFCC98A0000-memory.dmp

memory/732-2-0x00007FFCC9890000-0x00007FFCC98A0000-memory.dmp

memory/732-5-0x00007FFD098AD000-0x00007FFD098AE000-memory.dmp

memory/732-4-0x00007FFCC9890000-0x00007FFCC98A0000-memory.dmp

memory/732-6-0x00007FFD09810000-0x00007FFD09A05000-memory.dmp

memory/732-7-0x00007FFD09810000-0x00007FFD09A05000-memory.dmp

memory/732-9-0x00007FFD09810000-0x00007FFD09A05000-memory.dmp

memory/732-8-0x00007FFD09810000-0x00007FFD09A05000-memory.dmp

memory/732-12-0x00007FFD09810000-0x00007FFD09A05000-memory.dmp

memory/732-15-0x00007FFD09810000-0x00007FFD09A05000-memory.dmp

memory/732-14-0x00007FFD09810000-0x00007FFD09A05000-memory.dmp

memory/732-16-0x00007FFCC7540000-0x00007FFCC7550000-memory.dmp

memory/732-13-0x00007FFD09810000-0x00007FFD09A05000-memory.dmp

memory/732-11-0x00007FFD09810000-0x00007FFD09A05000-memory.dmp

memory/732-17-0x00007FFD09810000-0x00007FFD09A05000-memory.dmp

memory/732-10-0x00007FFD09810000-0x00007FFD09A05000-memory.dmp

memory/732-18-0x00007FFCC7540000-0x00007FFCC7550000-memory.dmp

memory/732-19-0x00007FFD09810000-0x00007FFD09A05000-memory.dmp

memory/732-21-0x00007FFD09810000-0x00007FFD09A05000-memory.dmp

memory/732-20-0x00007FFD09810000-0x00007FFD09A05000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Bibliography Styles\TM02851223[[fn=iso690]].xsl

MD5 ff0e07eff1333cdf9fc2523d323dd654
SHA1 77a1ae0dd8dbc3fee65dd6266f31e2a564d088a4
SHA256 3f925e0cc1542f09de1f99060899eafb0042bb9682507c907173c392115a44b5
SHA512 b4615f995fab87661c2dbe46625aa982215d7bde27cafae221dca76087fe76da4b4a381943436fcac1577cb3d260d0050b32b7b93e3eb07912494429f126bb3d

memory/732-517-0x00007FFD09810000-0x00007FFD09A05000-memory.dmp

memory/732-572-0x00007FFD09810000-0x00007FFD09A05000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\81D5CCC4-C177-4662-B22C-649E56FE3813

MD5 30f3e9268d2e31ec0655f1db843b7ac9
SHA1 dd2b7d358011a25b5078e01a8b5c7b41aa02dde9
SHA256 ea43d70b61ecc21a82c1801e23a095a070630634821e7f74c742c40df4044bd4
SHA512 d14ccf95add2422e3523e116b06561a5725c35bfe0f85389fe7ea2d06ff25449406676d022827dbb76cea1f39e8eb33452b0fab09877bc11a382d72a6e671f40

C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\49dbe2955480c7f6ef8cec9c4320c9868d9293fd.tbres

MD5 424109e3d7b0aca8c97058d2dd77ec73
SHA1 b2a24fd5c68f900d2fd8eaf92603eba5a1478fd5
SHA256 0e01c8ff37cb54ad414eb15b0a3979e33eea9bc998be1e9dcc2fbed6b76d1eaf
SHA512 8501459de38998122d743d94da3cf3c499269e1a4e9cdffe1204fe08dde34b65485a214c82a6a2ebb5d9bcfcc097ae2d20d306ace2d0b410303babc63df491e3

C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres

MD5 5cf25909d999692d89282d869371e066
SHA1 d89e6e281a617aa4184e422727b751b2ea426a02
SHA256 4f2ed7b26ff08c7b011d49127d33273ed19571ef195b6f6ee951a62faf2a952e
SHA512 280d44d28b20d0d91c772192c6424a2f4c7cb602c264d1550de664790d08681989a38b61f1e38ba701cded66c65664ddaf875c94c5a5b87afa8316b77f6b1b41

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\winword.exe_Rules.xml

MD5 874e05073239ce46fb73138f72a0b502
SHA1 6c5cfb40cc141c26048fd1c06986983e21db47b0
SHA256 18200fdb493faadfd4016b59a77bd873212d3a12f6b01d01087c59e78b3ce0ed
SHA512 4650990457be788c226295023f4778a119777ee9716556a09f48f63238dcac72f9501776432cdb94f81de766414252f53c3006aae258e97199577baedbe68a58

C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\winword.exe.db-wal

MD5 09456d1fec7839aedbdf74fc1bd948af
SHA1 12aabc516520ab958e227edc1378a1fbdc1b6a43
SHA256 7a87f4720f0853953248aba0c9830666d4264d8ca95e8e250d5811cfbd94ce28
SHA512 943ec070d1db21372d106487bd9f6155a2e03cb5f24ee97a6436c7905d86a99c9106db613831fcd48326b46f5490cf3fb273dc12fb119440096cf32ff0772426

C:\Users\Admin\AppData\Local\Microsoft\Office\DLP\mip\logs\mip_sdk.miplog

MD5 b548e4bfacfff0dcf76375220a7b4505
SHA1 9f4d8c6b4b58917f67e3b9d62d08a7ce9a04671f
SHA256 bdaf6dbcd07c985592d698403cdf46b31b2bbcfa2055d3b92c5771d779b3194b
SHA512 c899e560ffa4f327379b6fd8be98c4dab9a1adbfd77ca6797e9bd9e246664d8e344dbccda661160aa242b9e0c24749089c408c2a8486de51b8e816e25c1db62c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04

MD5 71c4c773a6c963539a6d59f44e582f27
SHA1 3cffad44912876cba516596a91b0f0a829738c67
SHA256 c68d8b4e2d585e4c9adf3c35eba0745d74a7f689f9cffb5057d61b742d61251f
SHA512 eb2db1ff2c899c7d430620829a525e3a6e0e64d530a90664f69ac9beaaabe4af0d108f0a035966c3a662bb7c9f575fab16446ff98c317c4d07ac4530695b9018

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04

MD5 c456860a2f449d4ae4da35b50d026859
SHA1 099fcabe24502f07a5b27df363ecea7d038f247a
SHA256 f8ce4ba7123143cdb4b4e2be7054b64e36178c8c9902213fd4bea20595795ee6
SHA512 e0f5d7b4b915694ad6758dc401a4b705aa27fa8ea1409d8f55496d1942e3ee7f7a8dff7e90b3f1cc84f9584f896e0424323c054b577499d0d487481ef343d3e8

memory/4212-1554-0x00007FFCC9890000-0x00007FFCC98A0000-memory.dmp

memory/4212-1557-0x00007FFCC9890000-0x00007FFCC98A0000-memory.dmp

memory/4212-1556-0x00007FFCC9890000-0x00007FFCC98A0000-memory.dmp

memory/4212-1555-0x00007FFCC9890000-0x00007FFCC98A0000-memory.dmp

memory/732-1564-0x00007FFD09810000-0x00007FFD09A05000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\VBE\MSForms.exd

MD5 ee37b6c5fbd4e3e706689de84d7c15c4
SHA1 07a7c4720b3489843908e659f1043e7bf1f3d947
SHA256 90c7f0b0ee9cee5a1594d9dcdc5b5955b1f0351a9e39ae8e28169e10722e775a
SHA512 e2e59bb5bfe20ef8d83b53e3c5070284c1c485a8cc980cef4d8df93a1c0829b6c61d78071aa3ac2e55cfcc3a73c9b7426816622be961ce5b1f144113fe7eac12

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml

MD5 134b5d4a84513e5eeb66a38d4d3f82a9
SHA1 2ec0f004224095eaf70c72840c6355b518ec4f63
SHA256 f955542de1f4e77a0035c3d55f923ea3005c677f968b93268c4387aa9f5a38bb
SHA512 b47f7e97b53dfe56852d0889dc0f18542f47f69b1009b78d69ab8c512b79ec25b01fd01cdd22279c2ec54267156bb99417b3bb2a26bed0b4935260a625d8aabb

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\OfficeFileCache\CentralTable.accdb

MD5 b80f492d62f3ac26027702ff69065936
SHA1 19e46656ae6748a2845067c6b668a2280c79b100
SHA256 e7bff3dc6b89833084361d6fd2a8960f3815f604ca5d475703cf441112c44323
SHA512 287fc3ffdc796b478cbe6432f6e6dac8fb24ba74ac388fdc80bf2d219554a7b653f4571706f69bbdfefc4707bc23c206572378d21f0671ecac769e031bea5d32

C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\excel.exe.db

MD5 8665de22b67e46648a5a147c1ed296ca
SHA1 b289a96fee9fa77dd8e045ae8fd161debd376f48
SHA256 b5cbae5c48721295a51896f05abd4c9566be7941cda7b8c2aecb762e6e94425f
SHA512 bb03ea9347d302abf3b6fece055cdae0ad2d7c074e8517f230a90233f628e5803928b9ba7ba79c343e58dacb3e7a6fc16b94690a5ab0c71303959654a18bb5da

C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\excel.exe.db-wal

MD5 28d4bee52c4dbbc21379b55e0473a315
SHA1 157c14fc59e2a2e37541ff2568f4d2f25a5f0d16
SHA256 73aed759db9aeadb6bbaf429e3bd6a8ff41b0dd3ec136c6430ebe3c225f84764
SHA512 21dfea03d784bde642ae6960fb246fa19f19dbe05a787c1938171030d494198c93100eb5dfc39d1f89910d0f04445d1456e12e28fb41798bdf05d9b45b801a55

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.GovernedChannelStates.json

MD5 c56ff60fbd601e84edd5a0ff1010d584
SHA1 342abb130dabeacde1d8ced806d67a3aef00a749
SHA256 200e8cc8dd12e22c9720be73092eafb620435d4569dbdcdba9404ace2aa4343c
SHA512 acd2054fddb33b55b58b870edd4eb6a3cdd3131dfe6139cb3d27054ac2b2a460694c9be9c2a1da0f85606e95e7f393cf16868b6c654e78a664799bc3418da86e

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.SurveyHistoryStats.json

MD5 6ca4960355e4951c72aa5f6364e459d5
SHA1 2fd90b4ec32804dff7a41b6e63c8b0a40b592113
SHA256 88301f0b7e96132a2699a8bce47d120855c7f0a37054540019e3204d6bcbaba3
SHA512 8544cd778717788b7484faf2001f463320a357db63cb72715c1395ef19d32eec4278bab07f15de3f4fed6af7e4f96c41908a0c45be94d5cdd8121877eccf310d

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.CampaignStates.json

MD5 f1b59332b953b3c99b3c95a44249c0d2
SHA1 1b16a2ca32bf8481e18ff8b7365229b598908991
SHA256 138e49660d259061d8152137abd8829acdfb78b69179890beb489fe3ffe23e0c
SHA512 3c1f99ecc394df3741be875fbe8d95e249d1d9ac220805794a22caf81620d5fdd3cce19260d94c0829b3160b28a2b4042e46b56398e60f72134e49254e9679a4

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.Settings.json

MD5 e4e83f8123e9740b8aa3c3dfa77c1c04
SHA1 5281eae96efde7b0e16a1d977f005f0d3bd7aad0
SHA256 6034f27b0823b2a6a76fe296e851939fd05324d0af9d55f249c79af118b0eb31
SHA512 bd6b33fd2bbce4a46991bc0d877695d16f7e60b1959a0defc79b627e569e5c6cac7b4ad4e3e1d8389a08584602a51cf84d44cf247f03beb95f7d307fbba12bb9