Analysis

  • max time kernel
    145s
  • max time network
    149s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
  • submitted
    27-06-2024 03:47

General

  • Target

    1491c287740240a8f4c6c717f9a319bb_JaffaCakes118.doc

  • Size

    241KB

  • MD5

    1491c287740240a8f4c6c717f9a319bb

  • SHA1

    2fed98cdbebd6e633294eab55cad490b8bf61576

  • SHA256

    19705f9fc9d4926d05ae5d51e9b92701224de3c8aa0613658e2b2e110ca275d1

  • SHA512

    e0262611b67e03f92be519f63748fef3c823e901952ef5020a9efaa780ee033ee0ad85429fe7b0c7c8ac7fcdb47fd1d9c46ab5c858e15e331e8fb70a09f63f64

  • SSDEEP

    1536:RterTkw9HnXPJguq73/IKB5Kby0g5hHrTPzyaK/dRYdP+C14BqGxIX9Dc9n:Rvw9HXPJguq73/IKBWyFidSIC1U3WRcN

Score
7/10

Malware Config

Signatures

  • Abuses OpenXML format to download file from external location (3 IoCs)
  • Drops file in Windows directory (1 IoC)
  • Office loads VBA resources, possible macro or embedded object present
  • Enumerates system info in registry (2 TTPs, 2 IoCs)
  • Modifies Internet Explorer settings (1 TTP, 31 IoCs)
  • Modifies registry class (64 IoCs)
  • Suspicious behavior: AddClipboardFormatListener (2 IoCs)
  • Suspicious use of AdjustPrivilegeToken (1 IoC)
  • Suspicious use of SetWindowsHookEx (10 IoCs)
  • Suspicious use of WriteProcessMemory (4 IoCs)
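The first signature, "Abuses OpenXML format to download file from external location", fires on a relationship whose TargetMode is "External" in one of the container's .rels parts: Office resolves such a target (an oleObject, attachedTemplate or frame source) when the document is opened or its links are updated, with no macro required. Note that the target here is named .doc while the signature refers to the OpenXML (zip) container, so classify by magic bytes rather than extension. The Python below is an added example, not part of this report or of the sandbox's tooling; it builds a constructed .docx in memory (the example.invalid targets are placeholders, and triage, scan_ooxml, container_type and build_sample are names chosen for this example) and scans every .rels part for external targets and embedded OLE parts.

```python
"""Static triage of an Office document container: flag external relationships and embedded objects.

Added example, not part of the sandbox report or its tooling. build_sample() constructs a
minimal .docx in memory for illustration; the example.invalid targets are placeholders.
"""
import io
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
ZIP_MAGIC = b"PK\x03\x04"                            # OOXML container (.docx/.xlsx), whatever the extension says
OLE_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"     # legacy CFB/OLE2 container (.doc/.xls)
BENIGN_EXTERNAL_TYPES = {"hyperlink"}               # needs a click; other external types resolve on open


def container_type(data: bytes) -> str:
    """Classify by magic bytes, never by extension: a file named .doc may be a zip and vice versa."""
    if data.startswith(ZIP_MAGIC):
        return "ooxml"
    if data.startswith(OLE_MAGIC):
        return "ole2"
    return "unknown"


def scan_ooxml(data: bytes) -> dict:
    """Walk every .rels part and collect external relationships plus embedded object parts."""
    findings = {"external": [], "embedded": []}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if "/embeddings/" in name:
                findings["embedded"].append(name)
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                if rel.get("TargetMode", "Internal").lower() != "external":
                    continue
                findings["external"].append({
                    "rels_part": name,
                    "id": rel.get("Id"),
                    "type": rel.get("Type", "").rsplit("/", 1)[-1],   # e.g. oleObject, attachedTemplate
                    "target": rel.get("Target"),
                })
    return findings


def triage(data: bytes) -> dict:
    """Combine container detection and the relationship scan into one verdict."""
    kind = container_type(data)
    result = {"container": kind, "external": [], "embedded": [], "verdict": "not an Office container"}
    if kind == "ole2":
        result["verdict"] = "ole2: no .rels parts to scan, use an OLE2 parser such as oletools"
        return result
    if kind != "ooxml":
        return result
    result.update(scan_ooxml(data))
    auto_resolved = [r for r in result["external"] if r["type"] not in BENIGN_EXTERNAL_TYPES]
    if auto_resolved:
        result["verdict"] = "suspicious"
    elif result["embedded"]:
        result["verdict"] = "review embedded objects"
    else:
        result["verdict"] = "clean"
    return result


def build_sample() -> bytes:
    """Constructed minimal .docx: one internal image, one embedded OLE part, three external targets."""
    doc_rels = f"""<?xml version="1.0" encoding="UTF-8"?>
<Relationships xmlns="{REL_NS}">
  <Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/image" Target="media/image1.png"/>
  <Relationship Id="rId2" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject" Target="embeddings/oleObject1.bin"/>
  <Relationship Id="rId3" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject" Target="http://example.invalid/book1.xlsx" TargetMode="External"/>
  <Relationship Id="rId4" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/hyperlink" Target="https://example.invalid/" TargetMode="External"/>
</Relationships>"""
    settings_rels = f"""<?xml version="1.0" encoding="UTF-8"?>
<Relationships xmlns="{REL_NS}">
  <Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate" Target="http://example.invalid/normal.dotm" TargetMode="External"/>
</Relationships>"""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", '<?xml version="1.0"?><Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        zf.writestr("_rels/.rels", f'<?xml version="1.0"?><Relationships xmlns="{REL_NS}"><Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/officeDocument" Target="word/document.xml"/></Relationships>')
        zf.writestr("word/document.xml", '<?xml version="1.0"?><w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"/>')
        zf.writestr("word/_rels/document.xml.rels", doc_rels)
        zf.writestr("word/settings.xml", '<?xml version="1.0"?><w:settings xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"/>')
        zf.writestr("word/_rels/settings.xml.rels", settings_rels)
        zf.writestr("word/embeddings/oleObject1.bin", OLE_MAGIC + b"\x00" * 8)
    return buf.getvalue()


if __name__ == "__main__":
    import json
    print(json.dumps(triage(build_sample()), indent=2))
```

Hyperlinks are the one external relationship type treated as benign here, since they require a click; an external oleObject or attachedTemplate is resolved by Office itself and is what this signature is about. A sample that classifies as ole2 has no .rels parts at all and needs an OLE2 parser instead.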

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE (depth 1, PID 1640)
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\1491c287740240a8f4c6c717f9a319bb_JaffaCakes118.doc"
    • Abuses OpenXML format to download file from external location
    • Drops file in Windows directory
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    • C:\Windows\splwow64.exe (depth 2, child of PID 1640, PID 2644)
      C:\Windows\splwow64.exe 12288
  • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE (depth 1, PID 1936)
    "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
    • Abuses OpenXML format to download file from external location
    • Enumerates system info in registry
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
  • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE (depth 1, PID 636)
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
  • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE (depth 1, PID 280)
    "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
    • Abuses OpenXML format to download file from external location
    • Enumerates system info in registry
    • Suspicious use of SetWindowsHookEx
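Three of the four Office processes in this tree were started with the /automation -Embedding switches and sit at depth 1, that is, not as children of the WINWORD.EXE that opened the document: -Embedding is the switch COM passes to a local server it activates for an embedded or linked object, so a parent-child rule on the first WINWORD.EXE sees only splwow64.exe. The Python below is an added example, not the sandbox's own detection logic; it correlates constructed process-creation records (the command lines are the ones shown above, while timestamps and parent PIDs are made up for illustration, with ppid 600 standing in for the COM activation host) and alerts when an Office server is activated with -Embedding within two minutes of an Office process opening a document from a user-writable path. The function and constant names are chosen for this example.

```python
"""Detection rule: COM-activated Office server following a document open from a user-writable path.

Added example, not the sandbox's own logic. SAMPLE_EVENTS is constructed: the command lines are the
ones in the report's process tree, while timestamps and parent PIDs are made up for illustration.
"""
import re
from datetime import datetime, timedelta

OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe"}
EXPECTED_OFFICE_CHILDREN = {"splwow64.exe"}   # 32-bit print driver host, seen under WINWORD.EXE in the report
USER_WRITABLE = re.compile(r"\\(AppData\\Local\\Temp|Downloads|INetCache)\\", re.I)
EMBEDDING = re.compile(r"(^|\s)[-/]Embedding(\s|$)", re.I)   # switch COM passes to a local server it activates

OFFICE14 = r"C:\Program Files (x86)\Microsoft Office\Office14"
SAMPLE_EVENTS = [  # shaped like Sysmon Event ID 1 fields; ppid 600 stands in for the COM activation host (constructed)
    {"ts": "2024-06-27T03:48:01", "pid": 1640, "ppid": 1200, "image": OFFICE14 + r"\WINWORD.EXE",
     "cmdline": '"' + OFFICE14 + r'\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\1491c287740240a8f4c6c717f9a319bb_JaffaCakes118.doc"'},
    {"ts": "2024-06-27T03:48:03", "pid": 2644, "ppid": 1640, "image": r"C:\Windows\splwow64.exe",
     "cmdline": r"C:\Windows\splwow64.exe 12288"},
    {"ts": "2024-06-27T03:48:05", "pid": 1936, "ppid": 600, "image": OFFICE14 + r"\EXCEL.EXE",
     "cmdline": '"' + OFFICE14 + r'\EXCEL.EXE" /automation -Embedding'},
    {"ts": "2024-06-27T03:48:09", "pid": 636, "ppid": 600, "image": OFFICE14 + r"\WINWORD.EXE",
     "cmdline": '"' + OFFICE14 + r'\WINWORD.EXE" /Automation -Embedding'},
    {"ts": "2024-06-27T03:48:14", "pid": 280, "ppid": 600, "image": OFFICE14 + r"\EXCEL.EXE",
     "cmdline": '"' + OFFICE14 + r'\EXCEL.EXE" /automation -Embedding'},
    # Constructed control case: an Excel server activated long after the document open, no trigger in the window.
    {"ts": "2024-06-27T04:10:00", "pid": 3012, "ppid": 600, "image": OFFICE14 + r"\EXCEL.EXE",
     "cmdline": '"' + OFFICE14 + r'\EXCEL.EXE" /automation -Embedding'},
]


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def embedding_after_doc_open(events, window_seconds=120):
    """Alert when an Office server starts with -Embedding within window_seconds of an Office process
    opening a document from a user-writable path. Keyed on the command line, not the parent PID,
    because COM activation does not make the server a child of the document's process."""
    window = timedelta(seconds=window_seconds)
    opens = []    # (timestamp, pid) of Office processes that opened a document from a user-writable path
    alerts = []
    for e in sorted(events, key=lambda ev: ev["ts"]):
        if basename(e["image"]) not in OFFICE:
            continue
        t = datetime.fromisoformat(e["ts"])
        if EMBEDDING.search(e["cmdline"]):
            triggers = [pid for ts, pid in opens if timedelta(0) <= t - ts <= window]
            if triggers:
                alerts.append({"pid": e["pid"], "image": basename(e["image"]), "triggered_by": triggers[-1]})
        elif USER_WRITABLE.search(e["cmdline"]):
            opens.append((t, e["pid"]))
    return alerts


def unexpected_office_children(events):
    """Classic parent-child rule for comparison: an Office process spawning something other than
    another Office binary or a known helper. On this tree it finds nothing."""
    by_pid = {e["pid"]: e for e in events}
    allowed = OFFICE | EXPECTED_OFFICE_CHILDREN
    hits = []
    for e in events:
        parent = by_pid.get(e["ppid"])
        if parent and basename(parent["image"]) in OFFICE and basename(e["image"]) not in allowed:
            hits.append({"pid": e["pid"], "image": basename(e["image"]), "parent_pid": parent["pid"]})
    return hits


if __name__ == "__main__":
    for a in embedding_after_doc_open(SAMPLE_EVENTS):
        print(f"ALERT: {a['image']} pid {a['pid']} activated with -Embedding after pid {a['triggered_by']} opened a Temp document")
    print("parent-child rule hits:", unexpected_office_children(SAMPLE_EVENTS))
```

On the constructed records the parent-child rule returns nothing, while the command-line rule flags PIDs 1936, 636 and 280 against the WINWORD.EXE that opened the document from Temp; the control record at 04:10 falls outside the window and is not flagged. The window is a tuning knob: on a busy host, a user legitimately inserting an Excel object into a downloaded document produces the same pattern, so the rule is a triage lead rather than a verdict.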

    Network

    MITRE ATT&CK Enterprise v15


    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-CNRY.FSD

      Filesize

      128KB

      MD5

      b0c7a529acacc59aacdbc5fd5598834c

      SHA1

      627931057293bc2be8f658bb45d6ed389dbbd784

      SHA256

      a433a65bc4bbad814dae8478c81e16f2fdd4d9864fe396abc0fa802e6654c376

      SHA512

      3a8c8f8898336792fe3ba6324da87476c95b7b6e6012f08c38a3ceda07b43fd7d6c3e37360eb5e061dd59fc72ebc3d8df8606522f34dafd5319958e854838dc1

    • C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{17B00821-EC9E-41DF-870F-0F17BBFDD9B1}.FSD

      Filesize

      128KB

      MD5

      e6c38a1b39ac8d369ef6fbac71f6c8ef

      SHA1

      ef7b642a79a1741170b3d95b1957bf3cf34c0cb9

      SHA256

      04714f9b6d42e410d569d698f05631eaf7af019c20fb905aeae1a8f4b9d941f8

      SHA512

      1ee5fd04adc2bb6ea6e7d57853af43dd13323e4eff2bf26e4cd51860e3e61201dd855c4aa5908401a5a9aecf9a8152a304a0a69150435e4a97bbe9e41df436bc

    • C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{17B00821-EC9E-41DF-870F-0F17BBFDD9B1}.FSD

      Filesize

      128KB

      MD5

      fcf070e286c43041d517ac2f0b8f13b9

      SHA1

      5ad71a58f1ff0f2be5a689579d87322c73665633

      SHA256

      00440bc8158b6d8dda0a2eaf1c72882e700e67c87fb24276e6d812549924c118

      SHA512

      8c81c6fc4c5d15fd82b57abb9b0ee53925c84c340a466201b59d51521bc8d839d8f77c35b75db60b5f575e1a76230e604da2a4d87522cb4d6921928974123e15

    • C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSF-CTBL.FSF

      Filesize

      114B

      MD5

      532331efd2263a4721837dde469c8ca3

      SHA1

      2401ad56a583a31bae9f0ea7618a3fd4bfa30af1

      SHA256

      1f4f252267c99ea32903de2f8ac5a1445fc11fe1539561901f377557caafbe2a

      SHA512

      420b3b1b586fe346f6d36db4d50cae99b75a1df3cbd74aa11fc3693e093671c1c4079fccc5fcb2426e1d649aecd76334e145c848f5f6417d864f0407a4f9ea17

    • C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD

      Filesize

      128KB

      MD5

      9de18d9d76e96a867fea52a95e8216cd

      SHA1

      a185a4d9e2a626ea087c6a7d93405e8176c039ca

      SHA256

      eb309399337e06071ccccc7e056933d62ad0932e0e2b9dc328a6a66011d53ccb

      SHA512

      7796d4a533a78351af3f2bd042d7b396863783a0c9d15382c882d9a46ca5e172c8eb6cea106b403df974c65708e70f40380f68f86fe435cfa1a0675690ebac78

    • C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD

      Filesize

      128KB

      MD5

      3a178059a86f413186670b5c4b4f1dd5

      SHA1

      b80de803d08f11381dbf6a5f57925f5dd8fb48d4

      SHA256

      108463dbc0d2491c408011c6ddc3480afc879b59ce09351a1b1c89f0ed09abf0

      SHA512

      dd2bf0e21240af168d38d8f1ccaa8c549e5771403cd400f0b57eb895aa961b11644d9edb7f3ea38b30052119dfb4028ead4d23a45c52f28b101d0f4864202a6a

    • C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{E96DB038-497B-454D-BB09-CEB3945D9B5B}.FSD

      Filesize

      128KB

      MD5

      e09891b667bfa647fba3e0fed826e4b8

      SHA1

      c4642bc0d483f0ca2d6a88c415f40efca339aabb

      SHA256

      53c8fe0eb1a6baf548faed179e07643369553e2aa34e565fa40d1bc38854957d

      SHA512

      6b5e8bd3b2921d5e5adc93948635de94397e21e6de5a5b3ecd3f5afe4cee0322ae59cbefe4aa4c874c907ba31d0950dc072dfbd124c013499662ac17ade5910d

    • C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{E96DB038-497B-454D-BB09-CEB3945D9B5B}.FSD

      Filesize

      128KB

      MD5

      c249dc9e7dc686eb55f2928ddeb1a6aa

      SHA1

      5ba0ce2d6a44fa4083533ae4ae3fdad676a188e2

      SHA256

      375c49800553d3163f3c9ce00dece0eda26c249189eef81866f338369553d50c

      SHA512

      2f6855c6b266db483140a3d77a8ac46e616821dd81ef98f84628b47132758812b4533fa072b072a998e73d7847a37df8a4b8b0c2f2df9c027960cc57373674c9

    • C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSF-{0E1EEE64-E8C6-4E2A-9759-63CF07FD8988}.FSF

      Filesize

      114B

      MD5

      e4b58a57f5f7ecf270bef74593165228

      SHA1

      4147a08ace3230924ecd82f001e6227046ddb110

      SHA256

      20fcb03667d58a944b43657c8d1f4039f41e91801920b43081fa6a8f682e229c

      SHA512

      12ef3160a59bac37d3545dd44194f28ed09fcb46fece0e529dcff6ccee16c31c1192a20c1ee3a539fcfde2706bb67957300e0d384f7b788912ab752fc99f9dad

    • C:\Users\Admin\AppData\Local\Temp\VBE\MSForms.exd

      Filesize

      143KB

      MD5

      33c44159838af0fceda181c60d0ea70f

      SHA1

      cdcd4bf4d2ea6cbbc21fd82873d91df5efb61e89

      SHA256

      40d7de4b12241a1f8a833b01bcd0ca59f86b328b1b5149609a001d819c2f5b6e

      SHA512

      27c30204887b567a8cfb878d135bc9999907e49b4984f76c390b94d7a63da5f6f7db7eae2d037bc064986875ff7506a60d1130096a70ad1a103bbe58bc256695

    • C:\Users\Admin\AppData\Local\Temp\{ED161B93-E504-4437-A940-AF9952110E1F}

      Filesize

      128KB

      MD5

      89714c3b96b3ae2c295cbb2d79ff2e06

      SHA1

      b7f0290d23f85d25638f1d57727e762e39ccf80a

      SHA256

      3208371291124d57077ac32dcb753e757908d78c71d4ec9692afaa58878afaa5

      SHA512

      5e9749793cdd2f091f4145481b96b7e083d83adec84c36447cde05fda6e56a270677ef0aff85673f722badb241ebdee4eecda38c88ca69c0d2dca72cb65284ef

    • C:\Users\Admin\AppData\Roaming\Microsoft\Office\MSO1033.acl

      Filesize

      36KB

      MD5

      3b64fd8b245370a5561e13ad875b7f13

      SHA1

      1d70e5704b86b2e179cb4576b2972d3d08f4a027

      SHA256

      7be467d3fc5dd7bb6967b730323ccaf90380ba57a76e7f7ed7986d2d8acaeaad

      SHA512

      d7ca91372aec05d530f2fb6fc762de14354d1ba04003c6aa2422a705865aaea77a0770d1879ed81213d409d63d815ec19096536d22e91deb1d1beab4d2986faf

    • C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

      Filesize

      20KB

      MD5

      4512afe06a89137f95a92182bf1be42d

      SHA1

      30c23e08bfde275368d283dd00a9d023a84b7eeb

      SHA256

      aa4185364166fd4a04715f8b947fd0f59115de59fb49e3e24f5df4fb1c9f50ac

      SHA512

      b3b5d5b2b19b12b0a8e3be8b152506db6fcbd7d3c067c55715c83d26335def4e9344b88e73f91d3afd547e3904e337de05f0d86d260f9fcb7d1a8ca4cd079776

    • C:\Users\Admin\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC

      Filesize

      2B

      MD5

      f3b25701fe362ec84616a93a45ce9998

      SHA1

      d62636d8caec13f04e28442a0a6fa1afeb024bbb

      SHA256

      b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

      SHA512

      98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

    • memory/1640-574-0x000000000F9A0000-0x000000000FAA0000-memory.dmp

      Filesize

      1024KB

    • memory/1640-573-0x00000000004B0000-0x00000000005B0000-memory.dmp

      Filesize

      1024KB

    • memory/1640-0-0x000000002F551000-0x000000002F552000-memory.dmp

      Filesize

      4KB

    • memory/1640-61-0x00000000004B0000-0x00000000005B0000-memory.dmp

      Filesize

      1024KB

    • memory/1640-11-0x00000000711AD000-0x00000000711B8000-memory.dmp

      Filesize

      44KB

    • memory/1640-2-0x00000000711AD000-0x00000000711B8000-memory.dmp

      Filesize

      44KB

    • memory/1640-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB

    • memory/1936-1017-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB