Analysis

  • max time kernel
    121s
  • max time network
    125s
  • platform
    windows7_x64
  • resource
    win7-20240419-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240419-en, locale:en-us, os:windows7-x64, system
  • submitted
    25-06-2024 09:34

General

  • Target

    0d90edfcbb8f4af95278cbbfa66b9dba_JaffaCakes118.doc

  • Size

    38KB

  • MD5

    0d90edfcbb8f4af95278cbbfa66b9dba

  • SHA1

    5285aedae727b78325c822f0d1c85dacfb4add15

  • SHA256

    992c4c8dd25f82f419a7bf1d937e4d9bc2ef477f151a0df1759fe1a9d53f3ed6

  • SHA512

    9b871b70f235747560937a4ad16c279fa91552b0d2e2135672d62f20f3f559d47a940ec8e76276f3df3251b8ac0dbd5ad57944ad5f23c6b5dadbfbecc5e7439c

  • SSDEEP

    384:3cOmrM/EFk8+h43eLSUTxwFxxOub3nEGV5HJR:MOmmh4fFOubb1

Score
7/10

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Drops file in Windows directory 1 IoCs
  • Office loads VBA resources, possible macro or embedded object present
  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
  • Modifies registry class 64 IoCs
  • NTFS ADS 1 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\0d90edfcbb8f4af95278cbbfa66b9dba_JaffaCakes118.doc"
    1⤵
    • Deletes itself
    • Drops file in Windows directory
    • Modifies Internet Explorer settings
    • Modifies registry class
    • NTFS ADS
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious behavior: RenamesItself
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2116
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      2⤵
        PID:2692

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\0d90edfcbb8f4af95278cbbfa66b9dba_JaffaCakes118.doc

    Filesize

    47KB

    MD5

    88835acb280f29b76daea5f26e06d0ea

    SHA1

    c559ae89c9df087aed281971dfe6c8d9ebff3fb2

    SHA256

    6893d70d5212dfa7a89da9aa383a93cfd795350482275016963257b1dada7cb4

    SHA512

    2f3c0ffb79e1226eb05e6d9f87679f31320f6eb7ac0eb101c0942dc1e70e18ef1902bc69d7d96c398a10e8a24473d372234927154ab50da6819e1bf3582f71f2

  • C:\Users\Admin\AppData\Local\Temp\VB20CB.tmp

    Filesize

    304B

    MD5

    15fe7318201665e352a6662aa7b79bdd

    SHA1

    35f8a1a6f4b89ab5aa48490f27f3c9ba8491a61d

    SHA256

    0f0b99a939926dd1da16875bb2fa91fbbecc18452ade71631bc221d674f5e29d

    SHA512

    d27c0af75ef93b6a3ac00e9cb0fad2fa0f0e4387c7db54cfd54889fbe9b778437d85402a8601a0df5ca769925cf127ee8a48fccd3473390303777ae289567f9a

  • C:\Users\Admin\AppData\Local\Temp\VB20DD.tmp

    Filesize

    566B

    MD5

    2cd47dbda7ff0bf79ce558adc8f5c99f

    SHA1

    2d909d82b9440d81ddd0eff1e5ab19e5d1cbfb47

    SHA256

    760b7a5cb7b22c4c258db29fa6e0a7e5f2607f9a1bcd456d3f2128f38c73a292

    SHA512

    5a8d04bc9a30f24635628cf0b39e26a5539cba0f464977b7bb2be93a1b7bd01cb6e450088335a1931942192812dedaefc480531fa715c64c55ee1fe1c7169bcd

  • C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

    Filesize

    24KB

    MD5

    c29d0b60b0a402f37029a4c7c38947a0

    SHA1

    cd6baf4d002490f3644b23f0e1ccdfc2fd80582f

    SHA256

    5cc290c67d181451976acc6dbf8ab4565e6771ceed8862a0f8abc8a7dfb100ef

    SHA512

    4b6ef758373ad61a73a207eaf2ce7073d4e9de66022ea20255d74c4a016b5323cf44a7dbc0b5c4e7d175470f4f3ec55ca1aa38bb440a16af28d786eae345f05f

  • memory/2116-0-0x000000002F261000-0x000000002F262000-memory.dmp

    Filesize

    4KB

  • memory/2116-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

    Filesize

    64KB

  • memory/2116-2-0x0000000070C8D000-0x0000000070C98000-memory.dmp

    Filesize

    44KB

  • memory/2116-8-0x0000000000690000-0x0000000000790000-memory.dmp

    Filesize

    1024KB

  • memory/2116-29-0x0000000070C8D000-0x0000000070C98000-memory.dmp

    Filesize

    44KB

  • memory/2116-30-0x0000000000690000-0x0000000000790000-memory.dmp

    Filesize

    1024KB

  • memory/2116-33-0x00000000059C0000-0x0000000005AC0000-memory.dmp

    Filesize

    1024KB

  • memory/2116-60-0x000000005FFF0000-0x0000000060000000-memory.dmp

    Filesize

    64KB