Analysis

  • max time kernel
    117s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags

    arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
  • submitted
    26-06-2024 01:47

General

  • Target

    105009eac4890719b2811e55feedd52d_JaffaCakes118.doc

  • Size

    132KB

  • MD5

    105009eac4890719b2811e55feedd52d

  • SHA1

    eb1b641c9ec0f4f0fe7e0abee59e5aa187123765

  • SHA256

    30f99223ffd816be005e624575e8b4c1e7cb58951de9eb165e554139fa00e092

  • SHA512

    35e0065dfc4fb856a49b1a019ac1e0d003220d6a74a66e679dab20b7fd994cb830cab73417e774d2cb5ca1b980eea329186c11ad9805346e05f9ba1a2555c007

  • SSDEEP

    768:X6WzhXbXI3Lyb3PodHPTT8By+BFOguu8z0AZxvm8j12ob:d5b6LyzgLTOOgH85vfhb

Malware Config

Signatures

  • Office macro that triggers on suspicious action 1 IoCs

    Office document macro which triggers in special circumstances - often malicious.

  • Deletes itself 1 IoCs
  • Drops file in Windows directory 1 IoCs
  • Office loads VBA resources, possible macro or embedded object present
  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
  • Modifies registry class 64 IoCs
  • NTFS ADS 1 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\105009eac4890719b2811e55feedd52d_JaffaCakes118.doc"
    1⤵
    • Deletes itself
    • Drops file in Windows directory
    • Modifies Internet Explorer settings
    • Modifies registry class
    • NTFS ADS
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious behavior: RenamesItself
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1044
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      2⤵
        PID:2492

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\105009eac4890719b2811e55feedd52d_JaffaCakes118.doc

      Filesize

      145KB

      MD5

      36bd90e75d42d5333319703c6959ba15

      SHA1

      12ee3b7460699e8b978f7952710bbcae40a7425a

      SHA256

      8ea2d35ea4289601aeb372e328e00d5b60c6e54367c191feb053453518867c9d

      SHA512

      7b60b5ad03df02688cbde94fede5df30b8024f44c011d5c3d62c76cab8d94d20a8e1d9a2aeeea19f73215cee0ce262849ce280e6d9d27fcca345cdee85643ffd

    • C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

      Filesize

      52KB

      MD5

      fb9f29887edd4fa3ca6f193604be703f

      SHA1

      ed7b22508a70e5df2f8cb6360546f39496554ab3

      SHA256

      b4986af59f81ff856657ca6946c92b8112d10452a1138288928979e6ae743bc5

      SHA512

      1d6fd56a5e2e028d9f758f0b9d9d6040442e18f6a74c469d69338ba8d6d40b26d38135970941bf35e1e92073fa2139ce9eec12fe5f84c09c722004f4f684671f

    • memory/1044-9-0x0000000000490000-0x0000000000590000-memory.dmp

      Filesize

      1024KB

    • memory/1044-20-0x0000000000490000-0x0000000000590000-memory.dmp

      Filesize

      1024KB

    • memory/1044-7-0x0000000000490000-0x0000000000590000-memory.dmp

      Filesize

      1024KB

    • memory/1044-11-0x0000000000490000-0x0000000000590000-memory.dmp

      Filesize

      1024KB

    • memory/1044-12-0x0000000000490000-0x0000000000590000-memory.dmp

      Filesize

      1024KB

    • memory/1044-10-0x0000000000490000-0x0000000000590000-memory.dmp

      Filesize

      1024KB

    • memory/1044-0-0x000000002FFB1000-0x000000002FFB2000-memory.dmp

      Filesize

      4KB

    • memory/1044-8-0x0000000000490000-0x0000000000590000-memory.dmp

      Filesize

      1024KB

    • memory/1044-19-0x00000000713CD000-0x00000000713D8000-memory.dmp

      Filesize

      44KB

    • memory/1044-6-0x0000000000490000-0x0000000000590000-memory.dmp

      Filesize

      1024KB

    • memory/1044-21-0x0000000000490000-0x0000000000590000-memory.dmp

      Filesize

      1024KB

    • memory/1044-23-0x0000000000490000-0x0000000000590000-memory.dmp

      Filesize

      1024KB

    • memory/1044-22-0x0000000000490000-0x0000000000590000-memory.dmp

      Filesize

      1024KB

    • memory/1044-24-0x0000000000490000-0x0000000000590000-memory.dmp

      Filesize

      1024KB

    • memory/1044-2-0x00000000713CD000-0x00000000713D8000-memory.dmp

      Filesize

      44KB

    • memory/1044-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB

    • memory/1044-47-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB