Analysis
-
max time kernel
145s -
max time network
149s -
platform
windows7_x64 -
resource
win7-20240508-en -
resource tags
arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system -
submitted
27-06-2024 03:47
Behavioral task
behavioral1
Sample
1491c287740240a8f4c6c717f9a319bb_JaffaCakes118.doc
Resource
win7-20240508-en
Behavioral task
behavioral2
Sample
1491c287740240a8f4c6c717f9a319bb_JaffaCakes118.doc
Resource
win10v2004-20240611-en
General
-
Target
1491c287740240a8f4c6c717f9a319bb_JaffaCakes118.doc
-
Size
241KB
-
MD5
1491c287740240a8f4c6c717f9a319bb
-
SHA1
2fed98cdbebd6e633294eab55cad490b8bf61576
-
SHA256
19705f9fc9d4926d05ae5d51e9b92701224de3c8aa0613658e2b2e110ca275d1
-
SHA512
e0262611b67e03f92be519f63748fef3c823e901952ef5020a9efaa780ee033ee0ad85429fe7b0c7c8ac7fcdb47fd1d9c46ab5c858e15e331e8fb70a09f63f64
-
SSDEEP
1536:RterTkw9HnXPJguq73/IKB5Kby0g5hHrTPzyaK/dRYdP+C14BqGxIX9Dc9n:Rvw9HXPJguq73/IKBWyFidSIC1U3WRcN
Malware Config
Signatures
-
Abuses OpenXML format to download file from external location 3 IoCs
Processes:
WINWORD.EXEEXCEL.EXEEXCEL.EXEdescription ioc process Key opened \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Office\14.0\Common WINWORD.EXE Key opened \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Office\Common\Offline\Files\https://dailyemploy.com/day.php?Gvzxn7WzykhD5cZnXilGVHv7ohdAuSAO:kB456088 EXCEL.EXE Key opened \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Office\Common\Offline\Files\https://dailyemploy.com/day.php?Gvzxn7WzykhD5cZnXilGVHv7ohdAuSAO:kB456088 EXCEL.EXE -
Drops file in Windows directory 1 IoCs
Processes:
WINWORD.EXEdescription ioc process File opened for modification C:\Windows\Debug\WIA\wiatrace.log WINWORD.EXE -
Office loads VBA resources, possible macro or embedded object present
-
Enumerates system info in registry 2 TTPs 2 IoCs
Processes:
EXCEL.EXEEXCEL.EXEdescription ioc process Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor EXCEL.EXE Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor EXCEL.EXE -
Processes:
WINWORD.EXEdescription ioc process Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel WINWORD.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Toolbar WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\MenuExt WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit WINWORD.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit" WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor WINWORD.EXE -
Modifies registry class 64 IoCs
Processes:
WINWORD.EXEdescription ioc process Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Interface\{04598FC7-866C-11CF-AB7C-00AA00C08FCF} WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Wow6432Node\Interface\{47FF8FE8-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents9" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Interface\{04598FC9-866C-11CF-AB7C-00AA00C08FCF} WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\TypeLib\{80C36BF0-A11C-4F3E-9A15-58A264AA140C}\2.0\ = "Microsoft Forms 2.0 Object Library" WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Interface\{A38BFFC3-A5A0-11CE-8107-00AA00611080}\ = "Tab" WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Interface\{8BD21D63-EC42-11CE-9E0D-00AA006002F3}\ = "IMdcToggleButton" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Interface\{82B02372-B5BC-11CF-810F-00A0C9030074} WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}" WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Wow6432Node\Interface\{04598FC2-866C-11CF-AB7C-00AA00C08FCF}\ = "ITabStrip" WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Wow6432Node\Interface\{5512D119-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLOption" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Wow6432Node\Interface\{47FF8FE2-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents3" WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Wow6432Node\Interface\{5CEF5613-713D-11CE-80C9-00AA00611080}\ = "IPage" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Wow6432Node\Interface\{5512D113-5CC6-11CF-8D67-00AA00BDCE1D} WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Wow6432Node\Interface\{47FF8FE5-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents6" WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Wow6432Node\Interface\{8BD21D43-EC42-11CE-9E0D-00AA006002F3}\ = "IMdcCheckBox" WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Interface\{79176FB3-B7F2-11CE-97EF-00AA006D2776}\ = "ISpinbutton" WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Interface\{5512D11B-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLText" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Wow6432Node\Interface\{CF3F94A0-F546-11CE-9BCE-00AA00608E01} WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Interface\{8BD21D43-EC42-11CE-9E0D-00AA006002F3}\ = "IMdcCheckBox" WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Wow6432Node\Interface\{8BD21D32-EC42-11CE-9E0D-00AA006002F3}\ = "MdcComboEvents" WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Interface\{4C5992A5-6926-101B-9992-00000B65C6F9}\ = "ImageEvents" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Wow6432Node\Interface\{79176FB3-B7F2-11CE-97EF-00AA006D2776} WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Interface\{29B86A70-F52E-11CE-9BCE-00AA00608E01}\ = "IOptionFrame" WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Wow6432Node\Interface\{5B9D8FC8-4A71-101B-97A6-00000B65C08B}\ = "FormEvents" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Interface\{8BD21D43-EC42-11CE-9E0D-00AA006002F3} WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\htmlfile WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Interface\{04598FC7-866C-11CF-AB7C-00AA00C08FCF}\ = "Controls" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Wow6432Node\Interface\{5512D119-5CC6-11CF-8D67-00AA00BDCE1D} WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Interface\{8BD21D52-EC42-11CE-9E0D-00AA006002F3} WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon\ = "\"%1\"" WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Wow6432Node\Interface\{82B02370-B5BC-11CF-810F-00A0C9030074}\ = "IReturnInteger" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Wow6432Node\Interface\{8BD21D13-EC42-11CE-9E0D-00AA006002F3} WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Wow6432Node\Interface\{8BD21D52-EC42-11CE-9E0D-00AA006002F3}\ = "MdcOptionButtonEvents" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Wow6432Node\Interface\{4C5992A5-6926-101B-9992-00000B65C6F9} WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Wow6432Node\Interface\{47FF8FE9-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents10" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Interface\{7B020EC8-AF6C-11CE-9F46-00AA00574A4F} WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Interface\{7B020EC8-AF6C-11CE-9F46-00AA00574A4F}\ = "MultiPageEvents" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\ = "&Open" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Wow6432Node\Interface\{BEF6E003-A874-101A-8BBA-00AA00300CAB}\ = "Font" WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Wow6432Node\Interface\{796ED650-5FE9-11CF-8D68-00AA00BDCE1D}\ = "WHTMLControlEvents" WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Wow6432Node\Interface\{CF3F94A0-F546-11CE-9BCE-00AA00608E01}\ = "OptionFrameEvents" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Wow6432Node\Interface\{7B020EC1-AF6C-11CE-9F46-00AA00574A4F} WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Interface\{8BD21D52-EC42-11CE-9E0D-00AA006002F3}\ = "MdcOptionButtonEvents" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Interface\{7B020EC7-AF6C-11CE-9F46-00AA00574A4F} WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\ = "&Open" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{80C36BF0-A11C-4F3E-9A15-58A264AA140C}\2.0\0 WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Wow6432Node\Interface\{8A683C90-BA84-11CF-8110-00A0C9030074}\ = "IReturnSingle" WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Wow6432Node\Interface\{29B86A70-F52E-11CE-9BCE-00AA00608E01}\ = "IOptionFrame" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Interface\{978C9E22-D4B0-11CE-BF2D-00AA003F40D0} WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Wow6432Node\Interface\{04598FC6-866C-11CF-AB7C-00AA00C08FCF} WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Wow6432Node\Interface\{04598FC7-866C-11CF-AB7C-00AA00C08FCF} WINWORD.EXE -
Suspicious behavior: AddClipboardFormatListener 2 IoCs
Processes:
WINWORD.EXEWINWORD.EXEpid process 1640 WINWORD.EXE 636 WINWORD.EXE -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
EXCEL.EXEdescription pid process Token: SeShutdownPrivilege 1936 EXCEL.EXE -
Suspicious use of SetWindowsHookEx 10 IoCs
Processes:
WINWORD.EXEEXCEL.EXEWINWORD.EXEEXCEL.EXEpid process 1640 WINWORD.EXE 1640 WINWORD.EXE 1936 EXCEL.EXE 1936 EXCEL.EXE 1936 EXCEL.EXE 636 WINWORD.EXE 636 WINWORD.EXE 280 EXCEL.EXE 280 EXCEL.EXE 280 EXCEL.EXE -
Suspicious use of WriteProcessMemory 4 IoCs
Processes:
WINWORD.EXEdescription pid process target process PID 1640 wrote to memory of 2644 1640 WINWORD.EXE splwow64.exe PID 1640 wrote to memory of 2644 1640 WINWORD.EXE splwow64.exe PID 1640 wrote to memory of 2644 1640 WINWORD.EXE splwow64.exe PID 1640 wrote to memory of 2644 1640 WINWORD.EXE splwow64.exe
Processes
-
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\1491c287740240a8f4c6c717f9a319bb_JaffaCakes118.doc"1⤵
- Abuses OpenXML format to download file from external location
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1640 -
C:\Windows\splwow64.exeC:\Windows\splwow64.exe 122882⤵PID:2644
-
C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding1⤵
- Abuses OpenXML format to download file from external location
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1936
-
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:636
-
C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding1⤵
- Abuses OpenXML format to download file from external location
- Enumerates system info in registry
- Suspicious use of SetWindowsHookEx
PID:280
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
128KB
MD5b0c7a529acacc59aacdbc5fd5598834c
SHA1627931057293bc2be8f658bb45d6ed389dbbd784
SHA256a433a65bc4bbad814dae8478c81e16f2fdd4d9864fe396abc0fa802e6654c376
SHA5123a8c8f8898336792fe3ba6324da87476c95b7b6e6012f08c38a3ceda07b43fd7d6c3e37360eb5e061dd59fc72ebc3d8df8606522f34dafd5319958e854838dc1
-
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{17B00821-EC9E-41DF-870F-0F17BBFDD9B1}.FSD
Filesize128KB
MD5e6c38a1b39ac8d369ef6fbac71f6c8ef
SHA1ef7b642a79a1741170b3d95b1957bf3cf34c0cb9
SHA25604714f9b6d42e410d569d698f05631eaf7af019c20fb905aeae1a8f4b9d941f8
SHA5121ee5fd04adc2bb6ea6e7d57853af43dd13323e4eff2bf26e4cd51860e3e61201dd855c4aa5908401a5a9aecf9a8152a304a0a69150435e4a97bbe9e41df436bc
-
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{17B00821-EC9E-41DF-870F-0F17BBFDD9B1}.FSD
Filesize128KB
MD5fcf070e286c43041d517ac2f0b8f13b9
SHA15ad71a58f1ff0f2be5a689579d87322c73665633
SHA25600440bc8158b6d8dda0a2eaf1c72882e700e67c87fb24276e6d812549924c118
SHA5128c81c6fc4c5d15fd82b57abb9b0ee53925c84c340a466201b59d51521bc8d839d8f77c35b75db60b5f575e1a76230e604da2a4d87522cb4d6921928974123e15
-
Filesize
114B
MD5532331efd2263a4721837dde469c8ca3
SHA12401ad56a583a31bae9f0ea7618a3fd4bfa30af1
SHA2561f4f252267c99ea32903de2f8ac5a1445fc11fe1539561901f377557caafbe2a
SHA512420b3b1b586fe346f6d36db4d50cae99b75a1df3cbd74aa11fc3693e093671c1c4079fccc5fcb2426e1d649aecd76334e145c848f5f6417d864f0407a4f9ea17
-
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD
Filesize128KB
MD59de18d9d76e96a867fea52a95e8216cd
SHA1a185a4d9e2a626ea087c6a7d93405e8176c039ca
SHA256eb309399337e06071ccccc7e056933d62ad0932e0e2b9dc328a6a66011d53ccb
SHA5127796d4a533a78351af3f2bd042d7b396863783a0c9d15382c882d9a46ca5e172c8eb6cea106b403df974c65708e70f40380f68f86fe435cfa1a0675690ebac78
-
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD
Filesize128KB
MD53a178059a86f413186670b5c4b4f1dd5
SHA1b80de803d08f11381dbf6a5f57925f5dd8fb48d4
SHA256108463dbc0d2491c408011c6ddc3480afc879b59ce09351a1b1c89f0ed09abf0
SHA512dd2bf0e21240af168d38d8f1ccaa8c549e5771403cd400f0b57eb895aa961b11644d9edb7f3ea38b30052119dfb4028ead4d23a45c52f28b101d0f4864202a6a
-
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{E96DB038-497B-454D-BB09-CEB3945D9B5B}.FSD
Filesize128KB
MD5e09891b667bfa647fba3e0fed826e4b8
SHA1c4642bc0d483f0ca2d6a88c415f40efca339aabb
SHA25653c8fe0eb1a6baf548faed179e07643369553e2aa34e565fa40d1bc38854957d
SHA5126b5e8bd3b2921d5e5adc93948635de94397e21e6de5a5b3ecd3f5afe4cee0322ae59cbefe4aa4c874c907ba31d0950dc072dfbd124c013499662ac17ade5910d
-
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{E96DB038-497B-454D-BB09-CEB3945D9B5B}.FSD
Filesize128KB
MD5c249dc9e7dc686eb55f2928ddeb1a6aa
SHA15ba0ce2d6a44fa4083533ae4ae3fdad676a188e2
SHA256375c49800553d3163f3c9ce00dece0eda26c249189eef81866f338369553d50c
SHA5122f6855c6b266db483140a3d77a8ac46e616821dd81ef98f84628b47132758812b4533fa072b072a998e73d7847a37df8a4b8b0c2f2df9c027960cc57373674c9
-
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSF-{0E1EEE64-E8C6-4E2A-9759-63CF07FD8988}.FSF
Filesize114B
MD5e4b58a57f5f7ecf270bef74593165228
SHA14147a08ace3230924ecd82f001e6227046ddb110
SHA25620fcb03667d58a944b43657c8d1f4039f41e91801920b43081fa6a8f682e229c
SHA51212ef3160a59bac37d3545dd44194f28ed09fcb46fece0e529dcff6ccee16c31c1192a20c1ee3a539fcfde2706bb67957300e0d384f7b788912ab752fc99f9dad
-
Filesize
143KB
MD533c44159838af0fceda181c60d0ea70f
SHA1cdcd4bf4d2ea6cbbc21fd82873d91df5efb61e89
SHA25640d7de4b12241a1f8a833b01bcd0ca59f86b328b1b5149609a001d819c2f5b6e
SHA51227c30204887b567a8cfb878d135bc9999907e49b4984f76c390b94d7a63da5f6f7db7eae2d037bc064986875ff7506a60d1130096a70ad1a103bbe58bc256695
-
Filesize
128KB
MD589714c3b96b3ae2c295cbb2d79ff2e06
SHA1b7f0290d23f85d25638f1d57727e762e39ccf80a
SHA2563208371291124d57077ac32dcb753e757908d78c71d4ec9692afaa58878afaa5
SHA5125e9749793cdd2f091f4145481b96b7e083d83adec84c36447cde05fda6e56a270677ef0aff85673f722badb241ebdee4eecda38c88ca69c0d2dca72cb65284ef
-
Filesize
36KB
MD53b64fd8b245370a5561e13ad875b7f13
SHA11d70e5704b86b2e179cb4576b2972d3d08f4a027
SHA2567be467d3fc5dd7bb6967b730323ccaf90380ba57a76e7f7ed7986d2d8acaeaad
SHA512d7ca91372aec05d530f2fb6fc762de14354d1ba04003c6aa2422a705865aaea77a0770d1879ed81213d409d63d815ec19096536d22e91deb1d1beab4d2986faf
-
Filesize
20KB
MD54512afe06a89137f95a92182bf1be42d
SHA130c23e08bfde275368d283dd00a9d023a84b7eeb
SHA256aa4185364166fd4a04715f8b947fd0f59115de59fb49e3e24f5df4fb1c9f50ac
SHA512b3b5d5b2b19b12b0a8e3be8b152506db6fcbd7d3c067c55715c83d26335def4e9344b88e73f91d3afd547e3904e337de05f0d86d260f9fcb7d1a8ca4cd079776
-
Filesize
2B
MD5f3b25701fe362ec84616a93a45ce9998
SHA1d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA51298c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84