Analysis

  • max time kernel
    147s
  • max time network
    153s
  • platform
    windows7_x64
  • resource
    win7-20240611-en
  • resource tags

    arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
  • submitted
    27-06-2024 00:49

General

  • Target

    1414c7d6863ef79a8878e10827c160fd_JaffaCakes118.doc

  • Size

    241KB

  • MD5

    1414c7d6863ef79a8878e10827c160fd

  • SHA1

    fa5329e778b093e2fce434a3186206cdbf36a966

  • SHA256

    a2b7c46680fa78c6b81870b168e3bc384b7b88162825c89c6a83f83aff0dea8a

  • SHA512

    73c56958eaed34e107e4320d6656f6b90203284eadca29bf7d84fa97a563901db62438639799b79eafab49f5b0483e78cd9d41cfa6ccd0219b88f48df9f3483b

  • SSDEEP

    3072:7vw9HXPJguq73/IKBWy+QdSWn1duBJMhY:7vKHXPJi73wA1UWn1gJ5

Score
7/10

Malware Config

Signatures

  • Abuses OpenXML format to download file from external location 2 IoCs
  • Drops file in Windows directory 1 IoCs
  • Office loads VBA resources, possible macro or embedded object present
  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious use of SetWindowsHookEx 10 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\1414c7d6863ef79a8878e10827c160fd_JaffaCakes118.doc"
    1⤵
    • Abuses OpenXML format to download file from external location
    • Drops file in Windows directory
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2184
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      2⤵
        PID:2740
    • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
      "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
      1⤵
      • Abuses OpenXML format to download file from external location
      • Enumerates system info in registry
      • Suspicious use of SetWindowsHookEx
      PID:2440

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD

      Filesize

      128KB

      MD5

      d8a93dfb61e428bdeba399f34bd088b2

      SHA1

      3926cac3b22115e89123a69581463c031f5dcde2

      SHA256

      5d57ec59821a31c1cd53ba450556cfc5e7f3d050fd68fe4e0f655811c238d722

      SHA512

      f99144ac3e9b601742b09f641004a5f89313a09704de452f91fb2b7237e043aeac48b79e2218659a1c7cad4fff6b02a648fba46dc2e3462c5d9e8c2d28e593dd

    • C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD

      Filesize

      128KB

      MD5

      0c16fd322f1be4bfb575580878af842f

      SHA1

      c8b4ec13c577ecd4d5e58b48497b24bf9a9f4dad

      SHA256

      b7b835597cc65005f0e7c37d515c781928bf61c59f6416493afd4b00bcc4103a

      SHA512

      9788afee93fb263aa4e405b3456750dc1aa507d72ad2ff94a53ea17b5ff6b657e9de039734cde3f37616a9bf23f45336d2220da9dc4f8abdf93cfbbb8fc2f840

    • C:\Users\Admin\AppData\Local\Temp\{A97A032B-09A0-4A49-BAF5-92FCCF705B9A}

      Filesize

      128KB

      MD5

      285dd8ee8be205df989c57019fd1ee81

      SHA1

      c852893f437ecf125612935e4c65f3495b45d9fb

      SHA256

      74877baa957161be5af19c41d0d8dd54882b6cffe7aa8c965e19415b09d298de

      SHA512

      294c9620b8cc2ab3eae31c545e2f04448b05fb29a3ba8e745f50f4c68b81543115a800ea1db3455e35c9062e87a801089c00361e478d907d1423afae92152a7c

    • memory/2184-0-0x000000002F5D1000-0x000000002F5D2000-memory.dmp

      Filesize

      4KB

    • memory/2184-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB

    • memory/2184-2-0x00000000712FD000-0x0000000071308000-memory.dmp

      Filesize

      44KB

    • memory/2184-11-0x00000000712FD000-0x0000000071308000-memory.dmp

      Filesize

      44KB

    • memory/2184-61-0x00000000004B0000-0x00000000005B0000-memory.dmp

      Filesize

      1024KB

    • memory/2184-516-0x00000000004B0000-0x00000000005B0000-memory.dmp

      Filesize

      1024KB

    • memory/2184-517-0x000000000F370000-0x000000000F470000-memory.dmp

      Filesize

      1024KB