Analysis

  • max time kernel
    148s
  • max time network
    141s
  • platform
    windows7_x64
  • resource
    win7-20240611-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240611-en, locale:en-us, os:windows7-x64, system
  • submitted
    26-06-2024 23:08

General

  • Target
    13d329065149845e3706de293c4a183a_JaffaCakes118.doc
  • Size
    242KB
  • MD5
    13d329065149845e3706de293c4a183a
  • SHA1
    8177857ff56b180159ff3a2083f6541a84d0ed33
  • SHA256
    ad11eefe614775a7e5473a13cb875d527a669771dd977f015ee1cfb5cdcd2d42
  • SHA512
    aaa2bbf24422216e7b5ffa991764d88c84b2be4bc5b4a493501fd10fa25e03f32784c3f1c6e1836bfd615633fde3bbb78a9e5610a1b09f78c824dbce6a0fdab0
  • SSDEEP
    1536:8terTkw9HnXPJguq73/IKB5Kby0gPFHrTPDyqK/dRYvb+/O7IS+TN0QV2y+N7yzK:8vw9HXPJguq73/IKBWyDydSD+A+Zwr

Score
7/10

Malware Config

Signatures

  • Abuses OpenXML format to download file from external location 2 IoCs
  • Drops file in Windows directory 1 IoCs
  • Office loads VBA resources, possible macro or embedded object present
  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious use of SetWindowsHookEx 10 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\13d329065149845e3706de293c4a183a_JaffaCakes118.doc"
    1⤵
    • Abuses OpenXML format to download file from external location
    • Drops file in Windows directory
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2868
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      2⤵
        PID:2716
    • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
      "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
      1⤵
      • Abuses OpenXML format to download file from external location
      • Enumerates system info in registry
      • Suspicious use of SetWindowsHookEx
      PID:1936

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{8BAB0681-06BD-460A-B771-6B3179A02CA7}.FSD
    Filesize: 128KB
    MD5: 0429b1f56b347affb81138d62d84e335
    SHA1: 092755f3ad9480cb167ec6da1ddcb1cfc26a2d2a
    SHA256: 5d394f3bff8ec45b6cd680be893bbcfb52a531dad9bcc6ccd18be31ffbdcf54a
    SHA512: e12f9dcc92f689d765d08805d907e5ec5f74babe1b43aa83c00a9dc7d2b9abcda1f390fe7fcb97361850eb282db583acecf77858b6ac792f320de29e0d1ae23e
  • C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD
    Filesize: 128KB
    MD5: 46305a8409d6d6e387e808b72e1a42c0
    SHA1: 3573ff31a99369cd4d4a64b213321cf8a9444a48
    SHA256: ed2085f6d32e81d0e9bf4406db92c9436a3fd52bf744bb377a58832fd1886b37
    SHA512: 15a662de9a7a56cc04976253bc094cc5bffaf8e6a2cee0ea1677a47a67de21c53859b28b2e75ab2fca1d87a4b7d7b56899c89feee0846a32dd271666aff4d436
  • C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{656BDB60-948F-4727-B091-B78AD092207A}.FSD
    Filesize: 128KB
    MD5: 9a3b4d7a5daeb458433076063d6a3b90
    SHA1: 217994af9e8290a4aa99615d1ff5af2a580c939c
    SHA256: 06036151d2358a669b2b24191721d8cda39d97ada335729f67c7060548d39bdf
    SHA512: 27e33c3847fb04e4d5742ffaf5858c916dc0127082668c371530de2285e1857373aadce8a81d331823dfae37c05bdc5f27007b8953fab2dbaec121d1619a9fd9
  • C:\Users\Admin\AppData\Local\Temp\{97DDE542-4871-4605-A6AF-711BFD2FB4DA}
    Filesize: 128KB
    MD5: 17f5a4f512137791530d29566f6aeea6
    SHA1: 69993fafa7ec78888619e63c188e7a9bb5912f08
    SHA256: c3f2517050edad302e357a07de53525b6da0c1c4dd7632d7cc9ca7cd97f303fa
    SHA512: b62e0cdeabb0e088febd33097f276222fb75599019142ec97348c0508aba78c2d1c3fe73acc0a15fbd2a0ba986ee59615b7575238011ca428edb474f0719c6c6
  • memory/2868-0-0x000000002F521000-0x000000002F522000-memory.dmp
    Filesize: 4KB
  • memory/2868-1-0x000000005FFF0000-0x0000000060000000-memory.dmp
    Filesize: 64KB
  • memory/2868-2-0x00000000711CD000-0x00000000711D8000-memory.dmp
    Filesize: 44KB
  • memory/2868-11-0x00000000711CD000-0x00000000711D8000-memory.dmp
    Filesize: 44KB
  • memory/2868-61-0x0000000000690000-0x0000000000790000-memory.dmp
    Filesize: 1024KB
  • memory/2868-516-0x0000000000690000-0x0000000000790000-memory.dmp
    Filesize: 1024KB
  • memory/2868-517-0x000000000F920000-0x000000000FA20000-memory.dmp
    Filesize: 1024KB