Analysis

  • max time kernel
    150s
  • max time network
    135s
  • platform
    windows7_x64
  • resource
    win7-20240220-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
  • submitted
    27-06-2024 22:01

General

  • Target

    17af5fd0abdcf35f5755cb8c78080a60_JaffaCakes118.doc

  • Size

    205KB

  • MD5

    17af5fd0abdcf35f5755cb8c78080a60

  • SHA1

    48e2b3435afe4d7c8de78c16ede4823558f6ebf4

  • SHA256

    0b2ddd1c2bd35706570539de72475504fec9d4f2545bc59eeec4aabb8fb6532b

  • SHA512

    7420a2678a63d568da3416e1f639ce5f826acf159529c14194dc17303df63cd211726bd49f5c841565fef4e55a6f0ebdd4c08d2fcb23c13270c206ccd7554fe0

  • SSDEEP

    3072:o2w3keXxz1Df4q/Ozmma/yeJ3eatnxsVkd7q6:o2kkeXr7sBJgnRd77

Score
7/10

Malware Config

Signatures

  • Abuses OpenXML format to download file from external location 4 IoCs
  • Drops file in Windows directory 1 IoCs
  • Office loads VBA resources, possible macro or embedded object present
  • Enumerates system info in registry 2 TTPs 4 IoCs
  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 14 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\17af5fd0abdcf35f5755cb8c78080a60_JaffaCakes118.doc"
    1⤵
    • Abuses OpenXML format to download file from external location
    • Drops file in Windows directory
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2860
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      2⤵
      PID:2692
  • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
    1⤵
    • Abuses OpenXML format to download file from external location
    • Enumerates system info in registry
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    PID:1584
  • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding
    1⤵
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    PID:2292
  • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
    1⤵
    • Abuses OpenXML format to download file from external location
    • Enumerates system info in registry
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    PID:1744
  • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
    1⤵
    • Abuses OpenXML format to download file from external location
    • Enumerates system info in registry
    • Suspicious use of SetWindowsHookEx
    PID:1700
  • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
    1⤵
    • Enumerates system info in registry
    • Suspicious use of SetWindowsHookEx
    PID:2436

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-CNRY.FSD

    Filesize

    128KB

  • C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{D2E590D3-41F5-48FB-8279-C7C02EA8B5D1}.FSD

    Filesize

    128KB

  • C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{D2E590D3-41F5-48FB-8279-C7C02EA8B5D1}.FSD

    Filesize

    128KB

  • C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSF-CTBL.FSF

    Filesize

    114B

  • C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD

    Filesize

    128KB

  • C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD

    Filesize

    128KB

  • C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{914FCAB2-8D8B-4AC7-A76D-9B0F48384FCC}.FSD

    Filesize

    128KB

  • C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{914FCAB2-8D8B-4AC7-A76D-9B0F48384FCC}.FSD

    Filesize

    128KB

  • C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSF-{0E1EEE64-E8C6-4E2A-9759-63CF07FD8988}.FSF

    Filesize

    114B

  • C:\Users\Admin\AppData\Local\Temp\VBE\MSForms.exd

    Filesize

    143KB

  • C:\Users\Admin\AppData\Local\Temp\{97FC1902-EA14-4FC5-81E7-C7BC7937F25A}

    Filesize

    128KB

  • C:\Users\Admin\AppData\Roaming\Microsoft\Office\MSO1033.acl

    Filesize

    36KB

  • C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

    Filesize

    20KB

  • C:\Users\Admin\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC

    Filesize

    2B

  • memory/1584-1021-0x000000005FFF0000-0x0000000060000000-memory.dmp

    Filesize

    64KB

  • memory/2860-0-0x000000002FA01000-0x000000002FA02000-memory.dmp

    Filesize

    4KB

  • memory/2860-61-0x0000000004560000-0x0000000004660000-memory.dmp

    Filesize

    1024KB

  • memory/2860-11-0x0000000070C2D000-0x0000000070C38000-memory.dmp

    Filesize

    44KB

  • memory/2860-2-0x0000000070C2D000-0x0000000070C38000-memory.dmp

    Filesize

    44KB

  • memory/2860-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

    Filesize

    64KB