Analysis

  • max time kernel
    149s
  • max time network
    141s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
  • submitted
    27-06-2024 01:44

General

  • Target

    143cb1d36f1f16b09762b6847822d06f_JaffaCakes118.doc

  • Size

    205KB

  • MD5

    143cb1d36f1f16b09762b6847822d06f

  • SHA1

    726d6ab9d90892b7edf1d060af79b95bb124e277

  • SHA256

    e1c6a68a2ed3a1047ea46c2653c60bb1c111c7af5aebb0a67799b0e8b691fc56

  • SHA512

    8881939d0d50d1de73467e2202f819569e5830cc0277748eaac7a76e90c7f7657e335ceb6fa2733d3b99fa4d855a5dbbaebebd1314651aa82e02de32dbb1e689

  • SSDEEP

    1536:NtPrT8wrLT0NeXxz1DwetHrTPByf5J8bzj+dD1d38pkFiowm8MbIcd1k:N2w3keXxz1DfNYkoDz8pkTd8Mo

Score
7/10

Malware Config

Signatures

  • Abuses OpenXML format to download file from external location 4 IoCs
  • Drops file in Windows directory 1 IoCs
  • Office loads VBA resources, possible macro or embedded object present
  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 13 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\143cb1d36f1f16b09762b6847822d06f_JaffaCakes118.doc"
    1⤵
    • Abuses OpenXML format to download file from external location
    • Drops file in Windows directory
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2348
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      2⤵
        PID:3040
    • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
      "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
      1⤵
      • Abuses OpenXML format to download file from external location
      • Enumerates system info in registry
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:2324
    • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
      "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding
      1⤵
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      PID:2596
    • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
      "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
      1⤵
      • Abuses OpenXML format to download file from external location
      • Enumerates system info in registry
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:1784
    • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
      "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
      1⤵
      • Abuses OpenXML format to download file from external location
      • Enumerates system info in registry
      • Suspicious use of SetWindowsHookEx
      PID:2396
    • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
      "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
      1⤵
        PID:3024

      Network

      MITRE ATT&CK Enterprise v15


      Downloads

      • C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-CNRY.FSD

        Filesize

        128KB


      • C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{5DBF7A74-4ABC-4452-BA75-60F9EFC7CEF4}.FSD

        Filesize

        128KB


      • C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{5DBF7A74-4ABC-4452-BA75-60F9EFC7CEF4}.FSD

        Filesize

        128KB


      • C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSF-CTBL.FSF

        Filesize

        114B


      • C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD

        Filesize

        128KB


      • C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD

        Filesize

        128KB


      • C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{0FD29B94-A4B4-4A66-ADFF-5ABB35E423FE}.FSD

        Filesize

        128KB


      • C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{0FD29B94-A4B4-4A66-ADFF-5ABB35E423FE}.FSD

        Filesize

        128KB


      • C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSF-{0E1EEE64-E8C6-4E2A-9759-63CF07FD8988}.FSF

        Filesize

        114B


      • C:\Users\Admin\AppData\Local\Temp\VBE\MSForms.exd

        Filesize

        143KB


      • C:\Users\Admin\AppData\Local\Temp\{E128520A-CCA1-4DBB-88E1-BDF55C0A3138}

        Filesize

        128KB


      • C:\Users\Admin\AppData\Roaming\Microsoft\Office\MSO1033.acl

        Filesize

        36KB


      • C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

        Filesize

        20KB


      • C:\Users\Admin\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC

        Filesize

        2B

