Analysis

  • max time kernel
    124s
  • max time network
    124s
  • platform
    windows7_x64
  • resource
    win7-20240220-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
  • submitted
    26-06-2024 18:19

General

  • Target

    12f2ae873e891c0b2b43ffdac7f7d43e_JaffaCakes118.doc

  • Size

    238KB

  • MD5

    12f2ae873e891c0b2b43ffdac7f7d43e

  • SHA1

    d0f481f1a01470a68c0cb81ce3e491689c741dcd

  • SHA256

    330145ed03e314fa9939713c886f49ed7670ea82efd3de2c2263f1529736f469

  • SHA512

    f9d99d6039437715720d32dcc86eb99e3ce20cfcf0bd3fa6c34de0215c93bc64dd1e7000758cb8d67c0bf034a83e7076d3376617f2ae94b078e765e014c44a7a

  • SSDEEP

    3072:HAw1vPEfOgnPJceKBDaUGdSa9/LS1HPzVV:HAKvPEfrPJBAyU8mLL

Score
7/10

Signatures

  • Abuses OpenXML format to download file from external location 3 IoCs
  • Drops file in Windows directory 1 IoCs
  • Office loads VBA resources, possible macro or embedded object present
  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 11 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\12f2ae873e891c0b2b43ffdac7f7d43e_JaffaCakes118.doc"
    1⤵
    • Abuses OpenXML format to download file from external location
    • Drops file in Windows directory
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2432
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      2⤵
        PID:2536
    • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
      "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
      1⤵
      • Abuses OpenXML format to download file from external location
      • Enumerates system info in registry
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:1324
    • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
      "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding
      1⤵
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      PID:692
    • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
      "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
      1⤵
      • Enumerates system info in registry
      • Suspicious use of SetWindowsHookEx
      PID:2252
    • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
      "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
      1⤵
      • Abuses OpenXML format to download file from external location
      • Enumerates system info in registry
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:3832

    Downloads
