Analysis

  • max time kernel: 145s
  • max time network: 147s
  • platform: windows7_x64
  • resource: win7-20240221-en
  • resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted: 27-06-2024 04:40

General

  • Target: 14b6e358fa83990ded4e40dea72748ac_JaffaCakes118.doc
  • Size: 241KB
  • MD5: 14b6e358fa83990ded4e40dea72748ac
  • SHA1: 7279cc1d21130efd443a0b4e5b12f65b1ee3d69f
  • SHA256: 740e3991a1d9178a251a1f0fa3733182207382cc077818cfe1db2302849b9ff9
  • SHA512: 8cb5eeb514497a783d88c1d5bd011ece7e12073cebd8eaef7eeb35db96deedced08985e5e92fdd50c6fd06e7b5ecd33d5c16ecf248b338dbfd414052fb39f9e1
  • SSDEEP: 3072:Svw9HXPJguq73/IKBWySSdSAG4AaODz4wfyAVZ:SvKHXPJi73wAHUAG4if4KyAVZ

Score
7/10

Malware Config

Signatures

  • Abuses OpenXML format to download file from external location 2 IoCs
  • Drops file in Windows directory 1 IoCs
  • Office loads VBA resources, possible macro or embedded object present
  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious use of SetWindowsHookEx 9 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\14b6e358fa83990ded4e40dea72748ac_JaffaCakes118.doc"
    1⤵
    • Abuses OpenXML format to download file from external location
    • Drops file in Windows directory
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2120
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      2⤵
        PID:2700
    • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
      "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
      1⤵
      • Abuses OpenXML format to download file from external location
      • Enumerates system info in registry
      • Suspicious use of SetWindowsHookEx
      PID:2784

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{810692FE-CAD0-49A3-8DC2-3968AC4552B0}.FSD
    Filesize: 128KB
    MD5: 8c08c115893737552b7180488dc0c7df
    SHA1: fd7193d1384699dde1bb03f5ee805fdaae8a7c40
    SHA256: 6c1fce57ae79b4f7123f112b8a3d23a871c508d73699b8fb9b68d17da8fb2fdb
    SHA512: c87cefcbb3af63c3d310a08ff34bed74a542acab9cc6013c7bdb7f2ce70f9c3e12b0122ccb2bdf2da1650c429b230f38a5326b036f46e51399f6dff35a1d9513

  • C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD
    Filesize: 128KB
    MD5: 720fb7bd884f9c7082450cab024d4a7d
    SHA1: b2e91e8d7d9317d84334db4d2f3ef3af743c8c90
    SHA256: 1c6afac27b797199d4ce23c2f428d3897f17ad70c8bc1cad797a6bc1195f09a7
    SHA512: 43f5cd1e4189f03943ccd7b9c54d9cf8952bb85b48d0f9a2c6cc7c2b856a7d80cecd23dcee3824de7032195afcfee287e71c1b60aaf98ffed0b39ec37e396862

  • C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{B84EA413-89DA-4869-82A4-9884C1D829DC}.FSD
    Filesize: 128KB
    MD5: 79dc496b1e1e9bf0857b0c706c6e7280
    SHA1: 619644ea6c840b5695fa4b34bb2131e3dde96445
    SHA256: 23b7750b62212872b7d862851c3a5117be205a08fb441c6eb689db1ecd483a33
    SHA512: 5776e0c9760afd15859a1d65d6f5bcc30b1f0697e45aa046d9363f9f868a9ca883a442224de2f9bd0c0b74f80a3074f56fd4eab9c8be3a80a962ebff2f1bd1fd

  • C:\Users\Admin\AppData\Local\Temp\{C82927CF-DF57-4EE5-BCD9-CB98026B1DC3}
    Filesize: 128KB
    MD5: 3862d5c595c61bfca16aa410f4320cac
    SHA1: 15de2ea7c87eaa22251e4806bf1e3d657709259d
    SHA256: 5e48357281675cbba5f11b78cbe5f5d0d0a3c8264fa8ddc427b5dfbbd16891d2
    SHA512: 73e6dafa1fdc98956d62f8727fe54ce18a8999ce6e06c2cfa448ef51390996d67c2e52b7ce449bb5aec80a82800ac4129d1d46d6c0ed424c5017823ee74bf0d2

  • memory/2120-0-0x000000002FA21000-0x000000002FA22000-memory.dmp
    Filesize: 4KB

  • memory/2120-1-0x000000005FFF0000-0x0000000060000000-memory.dmp
    Filesize: 64KB

  • memory/2120-2-0x000000007141D000-0x0000000071428000-memory.dmp
    Filesize: 44KB

  • memory/2120-11-0x000000007141D000-0x0000000071428000-memory.dmp
    Filesize: 44KB

  • memory/2120-61-0x00000000004B0000-0x00000000005B0000-memory.dmp
    Filesize: 1024KB

  • memory/2120-516-0x00000000004B0000-0x00000000005B0000-memory.dmp
    Filesize: 1024KB

  • memory/2120-517-0x000000000FFA0000-0x00000000100A0000-memory.dmp
    Filesize: 1024KB