Analysis

  • max time kernel
    148s
  • max time network
    153s
  • platform
    windows7_x64
  • resource
    win7-20240611-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240611-en, locale:en-us, os:windows7-x64, system
  • submitted
    26-06-2024 21:59

General

  • Target

    139c97de52e861794cafdc86d34f9b7d_JaffaCakes118.doc

  • Size

    243KB

  • MD5

    139c97de52e861794cafdc86d34f9b7d

  • SHA1

    8a69051ad621132516402232c5e6594128e5d40a

  • SHA256

    7463acf559948ee3f801df867cf2d77197ca16928ada5527fa26ea5210cd1809

  • SHA512

    4be2fe3c42a9436a27095b1787eb97054847acbcae771f94db17a5ccf82a73102d708c6c8b301eec64acb52727130eeec37f50b1a9178e6150ba2720bb8826ae

  • SSDEEP

    3072:GOw0pklIiuq73/IKBds5OdSwdXFG07tG3cY:GO5pklIo73wABUoXF1ZGMY

Score
7/10

Malware Config

Signatures

  • Abuses OpenXML format to download file from external location 2 IoCs
  • Drops file in Windows directory 1 IoCs
  • Office loads VBA resources, possible macro or embedded object present
  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious use of SetWindowsHookEx 10 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\139c97de52e861794cafdc86d34f9b7d_JaffaCakes118.doc"
    1⤵
    • Abuses OpenXML format to download file from external location
    • Drops file in Windows directory
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2176
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      2⤵
        PID:2748
    • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
      "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
      1⤵
      • Abuses OpenXML format to download file from external location
      • Enumerates system info in registry
      • Suspicious use of SetWindowsHookEx
      PID:2428

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD

      Filesize

      128KB

      MD5

      52e5a9ee170cee6b964fcdbf40576dfa

      SHA1

      56c22241fbbe7996ff71fe18d3764227ae539843

      SHA256

      d4359be5bbb8e3c211b2f0d8932154ae454f25ddb6a4a55d7f6a2db7426a4d0f

      SHA512

      bfb612afcc3d760553dff7532df75b3f40f7ce0f9d7cab4ac8278d378e23b351b5e4eab10beebcf13023fd3a821236eff7557a2f60b5510baea159e242497bf5

    • C:\Users\Admin\AppData\Local\Temp\{97334EA7-2626-4068-BA27-487A48ADFE4E}

      Filesize

      128KB

      MD5

      57bd154a402a10479a8fe60107cb215a

      SHA1

      bb28607b468aa4f63d99e0c5c0b79aa49fe608e9

      SHA256

      c3b8a51ca741c15f9863e4f9a71daa1680e6ac62bf6ec5826d4e6c265d9d06c0

      SHA512

      0a770fa1c2cc32c33df479dc6611b278d9d491f02b928bf9e56d0ce728bd30deb50064ed9634d09617adb5d7add9e627305cf150bc839e46e74600084443cfad

    • C:\Users\Admin\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex

      Filesize

      2B

      MD5

      f3b25701fe362ec84616a93a45ce9998

      SHA1

      d62636d8caec13f04e28442a0a6fa1afeb024bbb

      SHA256

      b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

      SHA512

      98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

    • memory/2176-0-0x000000002FE91000-0x000000002FE92000-memory.dmp

      Filesize

      4KB

    • memory/2176-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB

    • memory/2176-2-0x00000000712FD000-0x0000000071308000-memory.dmp

      Filesize

      44KB

    • memory/2176-20-0x00000000712FD000-0x0000000071308000-memory.dmp

      Filesize

      44KB

    • memory/2176-70-0x0000000000520000-0x0000000000620000-memory.dmp

      Filesize

      1024KB

    • memory/2176-525-0x0000000000520000-0x0000000000620000-memory.dmp

      Filesize

      1024KB

    • memory/2176-526-0x000000000FDB0000-0x000000000FEB0000-memory.dmp

      Filesize

      1024KB