Analysis

  • max time kernel
    149s
  • max time network
    154s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
  • submitted
    27-06-2024 01:06

General

  • Target

    1420ec37efaf76efa52ef5c6e34ebcf7_JaffaCakes118.doc

  • Size

    205KB

  • MD5

    1420ec37efaf76efa52ef5c6e34ebcf7

  • SHA1

    93ecc157cc3d9bb74f0a7b8ddf549ffbb8ec71d7

  • SHA256

    7dcb09c89a02bd8fa61973e60b74d9b3a6e694ea50701efaccc379e7ebd6e21a

  • SHA512

    6b72662d8f6d8433402ab1f942e32900c22140d5ef6fdf5cef1be4bec37d19f291b6096bc89aa29ca4d929b2178446c6c1144fae0563848e603463c5b1c24313

  • SSDEEP

    1536:3tPrT8wrLT0NeXxz1DweYHrTP3yZ5J8bzlKLDGUtI5lvCOxempK+C960WRW:32w3keXxz1Df0wWsxmlvfxvpCRF

Score
7/10

Malware Config

Signatures

  • Abuses OpenXML format to download file from external location 5 IoCs
  • Drops file in Windows directory 1 IoCs
  • Office loads VBA resources, possible macro or embedded object present
  • Enumerates system info in registry 2 TTPs 4 IoCs
  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of SetWindowsHookEx 14 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\1420ec37efaf76efa52ef5c6e34ebcf7_JaffaCakes118.doc"
    • Abuses OpenXML format to download file from external location
    • Drops file in Windows directory
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2236
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      PID:2368
  • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
    • Abuses OpenXML format to download file from external location
    • Enumerates system info in registry
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    PID:2004
  • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    PID:332
  • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
    • Abuses OpenXML format to download file from external location
    • Enumerates system info in registry
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    PID:1920
  • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
    • Abuses OpenXML format to download file from external location
    • Enumerates system info in registry
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    PID:1608
  • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
    • Abuses OpenXML format to download file from external location
    • Enumerates system info in registry
    • Suspicious use of SetWindowsHookEx
    PID:3068

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-CNRY.FSD

      Filesize

      128KB

      MD5

      d55d93d74093c31f3bdf9b7917a8f631

      SHA1

      5cdefe184cd10ddec59bff45172001c875b66d0c

      SHA256

      761112680a6cf55a9cabff1e015550889a6362152ceea5d25115685b0e6286c6

      SHA512

      7a735e00477de3f763b2ddbf87933e3a48ff7681375fe06c1177e71ee1187499a03466db87feb5db06231ef7c240ad0a79d7bd25fbe309f4977b69655f2f2ca0

    • C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{E8A75746-A33E-4450-9176-59A2AA608008}.FSD

      Filesize

      128KB

      MD5

      237c02d42844cc04a425d628d23cdcf1

      SHA1

      67118a0f06089d03d28dba3769eeeeeb61ece430

      SHA256

      1bee92499507574cb4ab25051a1360ba8d465d2bcb1caf16966a4b4ed4b1614a

      SHA512

      718ff4cbd27f9e1bbae0953f63b45b5118c05e9678023e4b8605f66ff0e569eca20394a7d10099adb2ab6e79b0a031c1c46dc7af63fa0b25acf8ba2c190239c8

    • C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{E8A75746-A33E-4450-9176-59A2AA608008}.FSD

      Filesize

      128KB

      MD5

      5b5f097771e933533f108b4546babf3f

      SHA1

      71cf76f990bc3a92f2526439e82ffb9a8ffda363

      SHA256

      639ecb3e53c9065961d9d63df88c963bb80630dbe91484dbba99a5d9b29227a4

      SHA512

      7ac2bd6adcb9a44094ce0a10b867782eee36c74fb56016436342ad5590758e198655947b50a39e6f8f072587858341cb7af8a69c80d67fd35ed1eb1bfe5907f6

    • C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSF-CTBL.FSF

      Filesize

      114B

      MD5

      e9b36451b936d027cd29951b629d0ccd

      SHA1

      826a009cc7b51d6c92d1f25507a2c8aff4cd3f83

      SHA256

      eaac0e960c65c216c4caf12c1596a283dfc31b0532e04e40fdbb75ee1d03cc91

      SHA512

      3ff0f977bea6255d2f654ca0fe4cf5a7d2202578d378b9675663c62ee0b1294e63cd0499d0a4b4781b7506d043c9eb1569606942669d11e42a57f40b9d7f1cf3

    • C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD

      Filesize

      128KB

      MD5

      7d948402879142a35ac57c95b73de2c5

      SHA1

      0374cf91d453e6a4c380a826564888cb7fd43b35

      SHA256

      770bdec56e81f447713c7d861a20b8f1be5b4a55171ff7529d5823da73eb492e

      SHA512

      4b3ddad17166e8954a63dd13d69046234671a70c95fbb40b7f31e9d3dada5dc7b3ce1fd212a323e4b6fa0f715a5c9044973fb3283561502dab13514460d52452

    • C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{426DDA6F-DBE4-4A13-B1C8-2DD163F7637F}.FSD

      Filesize

      128KB

      MD5

      9ca1f6c57c1738e0e6ddaa5ad95d3870

      SHA1

      86d6f94c7b4cc0f71fbd820d4bf1e96f8b25c02d

      SHA256

      d0527b0bbfde77ebf8e0486f9198596984627330036fbdf344dfd1d83d77ecc3

      SHA512

      95cd0e4a7cefad24ff7735d3fa5ff94d7c6c8de3c3a8676df507e94b22bb8709826cbd7a9a120abefae808fba61fc776742f82c7d94e5efe49e17a936645f2a2

    • C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSF-{0E1EEE64-E8C6-4E2A-9759-63CF07FD8988}.FSF

      Filesize

      114B

      MD5

      78833e8bd150c472431cba29da2a2f11

      SHA1

      35df07b1cdca4a18cc45d5c7dbb3f08a0bdf5fd3

      SHA256

      b683ae60de15fb1a6f253e9606d97406507f125df7968246f6ddb03c09abc46b

      SHA512

      3b389febe1edccaab54d8252e1d6a19923139128f9437ffd462f0e3b2245e1cf94e663a5ef4b0fbcd18af6780b32755447c1c3c608dc34a499b365050c5a4469

    • C:\Users\Admin\AppData\Local\Temp\VBE\MSForms.exd

      Filesize

      143KB

      MD5

      2e7fa647fab8c7239c2e1d03f79e0484

      SHA1

      848234b4e2f214d9040bc9fdd3edfc70d4ab02ae

      SHA256

      e39677048781e2f9b097dec2ee3de5e935d8f6832e5768956c762e2651bc61f3

      SHA512

      12237b17fa9ecaf3297e271453435161e00f6f13abc16a6ed5d3f85e6b6433a8978672842c035043e8166003848b72a51f6778f61639417df0c527a7b6c8df7e

    • C:\Users\Admin\AppData\Local\Temp\{CA9B2E01-B571-475A-8B1B-EEE10A6E1057}

      Filesize

      128KB

      MD5

      d4bf7fd436ff87a5dd20303cfcf92fe7

      SHA1

      823e845b79dff8aa42fe1f52639469b6f88e9034

      SHA256

      1aa5f25d237f7b56419e4dbc6b25fa5ba139ee523ccc61c7c72df2871a7f6627

      SHA512

      3c684fc8924d47d6da21b966e014e4f46ad4f5ee847ea951b5c472fff58ed18991ae1585fd1f06daa467de1356c835f0fa37f7e68a307d646a7101577fe408e8

    • C:\Users\Admin\AppData\Roaming\Microsoft\Office\MSO1033.acl

      Filesize

      36KB

      MD5

      9fc0af7c0c808ccf8cd4bc7741b7bb15

      SHA1

      1e8182269b5d1f5dd7e3a5c13bbbd1ae9da9e15b

      SHA256

      0ce448fc761fb3edc462e017250303549c56707d81f47b248e0e9b00114e39b2

      SHA512

      9dd7f299115c73bc55a0f8668dcf93e549407ee3d39417b90c575574ebfb391ee6bddecd4db17bbf354d0304e0c77dacdf17795eeb09c7ff25827faed7725983

    • C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

      Filesize

      20KB

      MD5

      a6ef33ffb2ed19e7e72b1be00a2a642c

      SHA1

      9775176140e7a16a7b28bdb9f1d071257a278c23

      SHA256

      4b8e26c281dd1d0aaf2af78720498ef6cd78e50b03f4b1cc8f6298ab05e4ff91

      SHA512

      4d1390f52d781516d3c2809ea15bafb9861bb0ce336617ad9b83bfc89489e46651aa565269949b5007474cbaf5294aad5a0c6a7c81a8b13d6567a8119989708c

    • C:\Users\Admin\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC

      Filesize

      2B

      MD5

      f3b25701fe362ec84616a93a45ce9998

      SHA1

      d62636d8caec13f04e28442a0a6fa1afeb024bbb

      SHA256

      b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

      SHA512

      98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

    • memory/2236-14-0x00000000005F0000-0x00000000006F0000-memory.dmp

      Filesize

      1024KB

    • memory/2236-62-0x000000000DBE0000-0x000000000DCE0000-memory.dmp

      Filesize

      1024KB

    • memory/2236-276-0x00000000005F0000-0x00000000006F0000-memory.dmp

      Filesize

      1024KB

    • memory/2236-114-0x00000000005F0000-0x00000000006F0000-memory.dmp

      Filesize

      1024KB

    • memory/2236-63-0x00000000005F0000-0x00000000006F0000-memory.dmp

      Filesize

      1024KB

    • memory/2236-325-0x00000000005F0000-0x00000000006F0000-memory.dmp

      Filesize

      1024KB

    • memory/2236-373-0x00000000005F0000-0x00000000006F0000-memory.dmp

      Filesize

      1024KB

    • memory/2236-471-0x00000000005F0000-0x00000000006F0000-memory.dmp

      Filesize

      1024KB

    • memory/2236-423-0x00000000005F0000-0x00000000006F0000-memory.dmp

      Filesize

      1024KB

    • memory/2236-181-0x00000000005F0000-0x00000000006F0000-memory.dmp

      Filesize

      1024KB

    • memory/2236-61-0x00000000059F0000-0x0000000005BF0000-memory.dmp

      Filesize

      2.0MB

    • memory/2236-228-0x00000000005F0000-0x00000000006F0000-memory.dmp

      Filesize

      1024KB

    • memory/2236-16-0x00000000005F0000-0x00000000006F0000-memory.dmp

      Filesize

      1024KB

    • memory/2236-580-0x00000000005F0000-0x00000000006F0000-memory.dmp

      Filesize

      1024KB

    • memory/2236-0-0x000000002FF71000-0x000000002FF72000-memory.dmp

      Filesize

      4KB

    • memory/2236-15-0x00000000005F0000-0x00000000006F0000-memory.dmp

      Filesize

      1024KB

    • memory/2236-17-0x00000000005F0000-0x00000000006F0000-memory.dmp

      Filesize

      1024KB

    • memory/2236-18-0x00000000005F0000-0x00000000006F0000-memory.dmp

      Filesize

      1024KB

    • memory/2236-13-0x00000000005F0000-0x00000000006F0000-memory.dmp

      Filesize

      1024KB

    • memory/2236-11-0x00000000716ED000-0x00000000716F8000-memory.dmp

      Filesize

      44KB

    • memory/2236-2-0x00000000716ED000-0x00000000716F8000-memory.dmp

      Filesize

      44KB

    • memory/2236-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB