Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    26-06-2024 18:00

General

  • Target

    12e470cf2ab1d4b29fd6ffbdbb77a2b3_JaffaCakes118.doc

  • Size

    238KB

  • MD5

    12e470cf2ab1d4b29fd6ffbdbb77a2b3

  • SHA1

    d8b50f5e29aa03e86f4ea379603bbdaf3100f56d

  • SHA256

    9c7c3e7884ef015412487f4715467908ac7a53b9d757ad7f059b8b9c9bf2d3fe

  • SHA512

    51057c30d58e98316bcb54b5ecd8f8fa41281365ffae39375eb53b00a9418eff36f0a73c8241648f3e2e1101a36febb827792bc08da4574089922b3e8ff34fb0

  • SSDEEP

    1536:YterT1w1vN8M/EfOgnPJceKBCwbacKHrTPKyzK/dRYwT5mlG6JZbCAPonGy4msV:YAw1vPEfOgnPJceKBDa1wdSAmlHbCMV

Score
7/10

Malware Config

Signatures

  • Abuses OpenXML format to download file from external location 5 IoCs
  • Drops file in Windows directory 1 IoCs
  • Office loads VBA resources, possible macro or embedded object present
  • Enumerates system info in registry 2 TTPs 4 IoCs
  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of SetWindowsHookEx 14 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\12e470cf2ab1d4b29fd6ffbdbb77a2b3_JaffaCakes118.doc"
    1⤵
    • Abuses OpenXML format to download file from external location
    • Drops file in Windows directory
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2864
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      2⤵
        PID:2636
    • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
      "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
      1⤵
      • Abuses OpenXML format to download file from external location
      • Enumerates system info in registry
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:2808
    • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
      "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding
      1⤵
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      PID:1264
    • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
      "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
      1⤵
      • Abuses OpenXML format to download file from external location
      • Enumerates system info in registry
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:472
    • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
      "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
      1⤵
      • Abuses OpenXML format to download file from external location
      • Enumerates system info in registry
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:1544
    • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
      "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
      1⤵
      • Abuses OpenXML format to download file from external location
      • Enumerates system info in registry
      • Suspicious use of SetWindowsHookEx
      PID:1440

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-CNRY.FSD

      Filesize

      128KB

      MD5

      662f5c3d7f371eb9aecb20fe8371a49c

      SHA1

      63c9c2f03cdd7adbfddf7543ef40645aad555c88

      SHA256

      9e0fc9fda7d1764d590f920f84086e772eef716f8223abbc41c6699286f340f2

      SHA512

      13e66fab093dcd0f79d3e833abb4ab96cfb7acde04aaac41131c93e497179df72e37cc4f1e852814e470c8034eae52363e5cdaa697abbfd2d6e108e4d1c62eac

    • C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{734C1BDC-4891-4BB8-AC41-E2FEC5E86DF7}.FSD

      Filesize

      128KB

      MD5

      da031888f7eb366ac1bb3332d389469a

      SHA1

      b9d00782e64ada4c28b686ccb1b147ecc640253c

      SHA256

      992245f6f0484b7cfa29670506eb7454ca6130aef9a2d5e4dd8e7e72c393e0bb

      SHA512

      35d4f3799bba974eebbd07e709b8f17c61e7c8b6a01572e44833f8908ea024c5c4ab4253e6db18773f4ae726998a2233b4b5dfffec21b5955e40600a15492e88

    • C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{734C1BDC-4891-4BB8-AC41-E2FEC5E86DF7}.FSD

      Filesize

      128KB

      MD5

      06ee387fe972805c622ac3db735c524c

      SHA1

      f47ae5f4b08afa489a083a9ec464140d093a6176

      SHA256

      d258b5d0690f6f623160ef0f76543820daf34e90371e9faeb399122f179d0491

      SHA512

      17da544418553b093feebbc286019dd4c565c196ec2c66d998fea661341a865669608094128393b783b477cb4e21d07152d18301b36fca552d0fbb987e9d364b

    • C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSF-CTBL.FSF

      Filesize

      114B

      MD5

      08664bb8dbd9344cdcd1ec9909646730

      SHA1

      1e765baf6a51f865a296065e3329321fb3ee07de

      SHA256

      c2e47c35e0eaf762115ad08ddbb0c48117ab9618f82e74b589f675f7caa43ca9

      SHA512

      8b579d69a87fb7776cc05945c4246a021a2cd026dda2d4a2bd9780b1c0c8e4a2f0211eecf9b674d4e6431ac0a6c7267dcd582ae2ada3ccc83798351fa0015205

    • C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD

      Filesize

      128KB

      MD5

      43d10d66e005786ef1eadff84bd12b0e

      SHA1

      065a78d6fcef3aac2319fbd3f1b65f160431db6a

      SHA256

      36d1d80101b5664998a672c485f42e79e751733a33c6006e4cd670b26bbc08db

      SHA512

      10b75ba29a7256ae980363967a715cdf5bcde5e8ef0d438248b8771cc6c922c498e3904404ebee8f7b5017d9b9cfcb9bb5b4b799ef1a698f4377a252efd946fd

    • C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD

      Filesize

      128KB

      MD5

      19e51af02f9bf1f59bb29716812f3d7c

      SHA1

      d8959c4f0c76fe77bddafc802f3f7d6034415532

      SHA256

      2cbcc29b0b6614ec69598e053bbd208a4323f659f306fd32b33b055c244c9f02

      SHA512

      6515fb6453db90c7fe60bfb2fcd66d575b6223bbdd2fef981733ae28102b985c5e6ef2a309c023626e3012ce2c2a3c5d6799873fc448874fb958ff85f2b3c218

    • C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{F386B4AC-5074-46C2-A6BE-3F1D71D2FC5D}.FSD

      Filesize

      128KB

      MD5

      2a04f105b4630d3f705228b040d4e5c0

      SHA1

      7e5993ed9bd7c63a1e4f1b5d7e29974ef0d524e0

      SHA256

      94a1dd00ef388545883e88a1845569bffd2321562f788669eefe9476c2a6f946

      SHA512

      f5daca9c4d133d0eb184dfdfc7d21a3d92a406e5be1bb997272b0697423ef8d6856b6ccef12b13ef8e19ff5924d6eb4c5c2101e6bfeea50fbc95445eb5e2fece

    • C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{F386B4AC-5074-46C2-A6BE-3F1D71D2FC5D}.FSD

      Filesize

      128KB

      MD5

      dfef2753e1c4a6172c76ee5dbf3b5369

      SHA1

      b5b3827033058932931803faab8594f2d2d37f76

      SHA256

      bab1bd483054d08ba469c1430f5166e28900bb164fb607cae60a036ef7d8fb41

      SHA512

      08a95a9ae21723a5e01eda72b61219b7560dc5ffd82aca0829d38e59cedd4109c2effad41098e7a73629006be094c1f683b6a642a61e26ae95f5b4adc6ebe01b

    • C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSF-{0E1EEE64-E8C6-4E2A-9759-63CF07FD8988}.FSF

      Filesize

      114B

      MD5

      9dd5c5e5bd7a031599507e179c52738b

      SHA1

      64dbb3a2117e12fba06e83acd15c2e8cb16edd70

      SHA256

      602550d31080c69d779257299a46308c95053e3fd786b14761ba8461b16ba408

      SHA512

      ecdefc828e5ee67dbeda3bab2fb417c26c9a87f8fc7c758cf8b51d32fc18428faa0f8b13db95b9a2709ecfb3149dd399b2dd92def2df11419298bb6bb926d464

    • C:\Users\Admin\AppData\Local\Temp\VBE\MSForms.exd

      Filesize

      143KB

      MD5

      445a31ad906635beb41a17f6ef1f1485

      SHA1

      910d3b19eb6b018ba97b76c32efe0124106359aa

      SHA256

      03ca906cbdc9bcd391a62f6fceab5a9ccb252330198b87e4874e8223d0af0507

      SHA512

      5446f1558457efd65ce2bf5587c55dcd46de04a43536458815a2ebb302713c259f93543d26185332809b0d1fa126586728f2384b5361c618929e1eb881825a48

    • C:\Users\Admin\AppData\Local\Temp\{C3C763C5-0EFA-40CC-8F9D-533C976CD8A6}

      Filesize

      128KB

      MD5

      e5cd8c6a8442506d666f4a8e1e25d7b0

      SHA1

      9ea935ea71ab99d12b09086a0626e448ecb0cd05

      SHA256

      7800d190f0c4bb0c0e5049f8df49f28f501c1d9c736eaa3cbbb154fde8620416

      SHA512

      dd40e57db66eb41df7bea63e93b7fb94e0569bd9fbe471f07cbeb2dfc5722daabd41c231f85da92240adc72c8dd6cc2d05261072be9eb6a467c455cac6005a11

    • C:\Users\Admin\AppData\Roaming\Microsoft\Office\MSO1033.acl

      Filesize

      36KB

      MD5

      59c5549d9ca27f7a86ef45b21bb904d0

      SHA1

      fd5e9cae9088306c78595889f0b95403da1a366c

      SHA256

      12f089168ed38da440450b59598a5618c97393ca2ab92d118381c52ac7eb8698

      SHA512

      eded8b78ab6cf34cbdc98518540a9bd0739e376d76e27d97a4f93003cce2761447b0b942f289bf2e248973782d8a9bdf96186e1409d2cc6993045efaa397b43a

    • C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

      Filesize

      20KB

      MD5

      461e8a1d95e5de6b764d5b213fe4f05c

      SHA1

      f7769d8722d920e8228befd1d890256af5aec049

      SHA256

      f50e7f6387361b644d27676793fa4c1124a8f887f2d614a8dacbd811876b97f0

      SHA512

      4105a19bdf72cd8f505b9c5173fe98e52494e9a6af3acfabff38434ffa9651cb726b7727fe5cff0cf63207402a41bb081fc0397e669390546dbefe398baa8c01

    • C:\Users\Admin\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC

      Filesize

      2B

      MD5

      f3b25701fe362ec84616a93a45ce9998

      SHA1

      d62636d8caec13f04e28442a0a6fa1afeb024bbb

      SHA256

      b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

      SHA512

      98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

    • memory/2808-1015-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB

    • memory/2864-0-0x000000002FAB1000-0x000000002FAB2000-memory.dmp

      Filesize

      4KB

    • memory/2864-61-0x0000000000430000-0x0000000000530000-memory.dmp

      Filesize

      1024KB

    • memory/2864-11-0x00000000713FD000-0x0000000071408000-memory.dmp

      Filesize

      44KB

    • memory/2864-2-0x00000000713FD000-0x0000000071408000-memory.dmp

      Filesize

      44KB

    • memory/2864-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB