Analysis

  • max time kernel
    121s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    26-06-2024 09:20

General

  • Target

    117f3a2a5e90cb3f3bccdd1128940acf_JaffaCakes118.doc

  • Size

    40KB

  • MD5

    117f3a2a5e90cb3f3bccdd1128940acf

  • SHA1

    f24c55abdf6f0fdfcc55fd2ebf27bc83a4d54285

  • SHA256

    650bcebc63f16b4f18822f432bd6ee93312ec39e673691794a4ad9b8ff1f842f

  • SHA512

    bf8cfdcb46bde5e9e2e296fc4054e0d17248cb9bef1ad10bf65daffe2ff938fb8344b83882b935ebdb9e3adbc1c4159da6bb9c84981545d55f6171d6963c12ef

  • SSDEEP

    192:8KfbTuJc6FHRBVySwLY/YRYwv1q7Ub1GwVzICmI4+HSKQgg7NbaUDA6B1GOn0DAE:8qy3Aqwo79+HSSg7Y6nZMAuPEldj

Malware Config

Signatures

  • Office macro that triggers on suspicious action 1 IoCs

    Office document macro which triggers in special circumstances - often malicious.

  • Deletes itself 1 IoCs
  • Drops file in Windows directory 1 IoCs
  • Office loads VBA resources, possible macro or embedded object present
  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
  • Modifies registry class 64 IoCs
  • NTFS ADS 1 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\117f3a2a5e90cb3f3bccdd1128940acf_JaffaCakes118.doc"
    1⤵
    • Deletes itself
    • Drops file in Windows directory
    • Modifies Internet Explorer settings
    • Modifies registry class
    • NTFS ADS
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious behavior: RenamesItself
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2676
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      2⤵
      PID:2036

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\117f3a2a5e90cb3f3bccdd1128940acf_JaffaCakes118.doc

      Filesize

      59KB

      MD5

      ee8be30c4081f52b4383ebd370962ef6

      SHA1

      95e4645eca2863d00c56136089a6136dd1ae327f

      SHA256

      20a98fd39411e5bcf4b58f56d1601e102e4f5ca9d74ba2fa5416a3efc3bc65ac

      SHA512

      64f49e39f4a3156f40c5e8922a2efb806de0bef48d369269a31fe3745e6775db8f79de69ba66e3d112863a0c2214e12266ae82c959e91707fe4943395e2975c6

    • C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

      Filesize

      25KB

      MD5

      f2c4f4a567caa7134d3991060ec057b2

      SHA1

      dfa35c7062eeed148cd4ed30b8a526ac393536af

      SHA256

      746f991bf8bb5de89fa3e198e910f015004f0111854bb43d388ea22f1d8401a6

      SHA512

      100573b7d70ec59d0400adac72e2f1a16931fe5bd15e33118320187042da774ecacbd6f40e7d4f34ee2a581a74d17dc2829c70b14aaa35c4e9511fe85a8eec02

    • C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

      Filesize

      25KB

      MD5

      60ad4777fa691108cb36121aed5cbe25

      SHA1

      01274618f3c18a05f0d0966b892dcdd0d97a5cbd

      SHA256

      3543fabb0c0d951c27ee1b1d3b1b6c56bd92d55445cc0280bee9bdc3e49e2c68

      SHA512

      0d98a851ab147194f8bd42d34696fbd2f8ee6e021f34fc849519d8b1b430297a6d29cffec346d65ef707b3f5d5679152c7957e5674df8c216494a13d7fa3c036

    • C:\temp.tmp

      Filesize

      2KB

      MD5

      96a161041509c6e2749b2f08b5b326d6

      SHA1

      213dfb516a2a27049f7d44b7fb572ec71d5262dc

      SHA256

      5d642219a79538a9b873c90c8c807b490d971d2bf9e3394454387fa519cbbbfe

      SHA512

      00280ef226fe1cd51d583b061bf37889bf6befbd9fc45d8f16011e8a89db2609c532033d6386a59b8e0c1f11ebba2f57195467c3bb79d81d23064d0c0f466873

    • C:\temp.tmp

      Filesize

      225B

      MD5

      519755378e58a854e2bd4652f7195193

      SHA1

      eca94844a06772a58cafa8bb4fccb054cdb450c0

      SHA256

      b5aa96f3f7930aced20f57e7f4fe5957e37be0f504fb2f49606f80b19e79bf20

      SHA512

      b1e3a0dc5562e558bb8542c4f9288ce4493ddc9c5c533fff9a07e008a6acef0fbacfc03d867d5ff54fb602e9f3148fa073bb93a1ca386ea42f88b063f0726d52

    • memory/2676-18-0x0000000005D20000-0x0000000005E20000-memory.dmp

      Filesize

      1024KB

    • memory/2676-17-0x0000000005D20000-0x0000000005E20000-memory.dmp

      Filesize

      1024KB

    • memory/2676-0-0x000000002F5E1000-0x000000002F5E2000-memory.dmp

      Filesize

      4KB

    • memory/2676-59-0x000000007155D000-0x0000000071568000-memory.dmp

      Filesize

      44KB

    • memory/2676-60-0x0000000005D20000-0x0000000005E20000-memory.dmp

      Filesize

      1024KB

    • memory/2676-2-0x000000007155D000-0x0000000071568000-memory.dmp

      Filesize

      44KB

    • memory/2676-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB

    • memory/2676-96-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB