Analysis

  • max time kernel
    146s
  • max time network
    146s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
  • submitted
    27-06-2024 13:06

General

  • Target

    161c3c7e18e408720c114f8a876f35b0_JaffaCakes118.doc

  • Size

    204KB

  • MD5

    161c3c7e18e408720c114f8a876f35b0

  • SHA1

    f60f0bb2c7d54d1d224b4444386bdd1c88efc8be

  • SHA256

    d19079e9f888e919ad866cee089a400b123b995ac14a17c79d033365116bcff0

  • SHA512

    8a5e1ac7d137a2e836d44f59282d8b8d08667a3fc6aabf1bee21bf2753af8b60ccdb692b2add6f9d739fbf62fbb3bbe08b05a087754d010db7a4e3b12b399098

  • SSDEEP

    1536:wtPrT8wrLT0NeXxz1DweYHrTPqy45J8b1KzCy34yS5QqFf+lgvuNtymq:w2w3keXxz1Df0eGvKSeqxzCq

Score
7/10

Malware Config

Signatures

  • Abuses OpenXML format to download file from external location 3 IoCs
  • Drops file in Windows directory 1 IoCs
  • Office loads VBA resources, possible macro or embedded object present
  • Enumerates system info in registry 2 TTPs 2 IoCs
  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 10 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\161c3c7e18e408720c114f8a876f35b0_JaffaCakes118.doc"
    1⤵
    • Abuses OpenXML format to download file from external location
    • Drops file in Windows directory
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1868
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      2⤵
        PID:2696
    • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
      "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
      1⤵
      • Abuses OpenXML format to download file from external location
      • Enumerates system info in registry
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:756
    • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
      "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding
      1⤵
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      PID:2052
    • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
      "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
      1⤵
      • Abuses OpenXML format to download file from external location
      • Enumerates system info in registry
      • Suspicious use of SetWindowsHookEx
      PID:2148

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-CNRY.FSD

      Filesize

      128KB

      MD5

      bc52a5493e2f626756a74d1b817e41c9

      SHA1

      e7e82e031b352bbf06323f994ff3bb688789d0e2

      SHA256

      83eea02a4dcab5061e3f1c02031ba325a2b251ce10534ca1281da39a935a884a

      SHA512

      cfa34a56006f909c89b61a3ebeea02f2a120e440038478054e978e60225e07ca409b42c3ffb75c33e2d8aef815da51493240aadcabcdff605084b118559bdd1e

    • C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{13A4E7E9-DDCB-4105-B037-9E49A2D134B3}.FSD

      Filesize

      128KB

      MD5

      34ab91dfc954753a4ce57e7fe516c7b6

      SHA1

      41e71881ede4732cbc4acc78ca736248878e3f63

      SHA256

      7f9b2cae72b0f8235b9f8cb5a2f1e721810978c969bf9a3c7d848e48818c0485

      SHA512

      0a7cb2cf16434fd60dd165800a6b6f1e24ac30a4808c501c400bf1808cf23de95736b772d4a7dac669177d301aa8c1e3798b3f00892730f6a7dea81e4447b552

    • C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{13A4E7E9-DDCB-4105-B037-9E49A2D134B3}.FSD

      Filesize

      128KB

      MD5

      9537416ae9df256e693e2acab9f23870

      SHA1

      d44b163fe20daffbd16452d3d52fd78ebbed974f

      SHA256

      ed9025b7bbef59223bdda75f73c343b396fcdbdec6eb0ef85ce2990b80f8554c

      SHA512

      2f15d1c180ac3e130a27263fe8bae1232d63c20d0c046e7f306f508062686e61c6ab76dba1fc0d5c30e866051b40b8a34f37ae917e9ceceaaac2873b67ab56a6

    • C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSF-CTBL.FSF

      Filesize

      114B

      MD5

      55e2d786c5691b9e6169c2963d14aec0

      SHA1

      4ccb6df758fdf024c9b5f9aac5a3fff2732e4964

      SHA256

      77f8bb1d91f8b9d18e29b8a81f288cf85a377df4bcf279ca1e9189f9eb096615

      SHA512

      0a108f34b424d8df7472d35bc49d466cf8ff3b66bbf8bac183bc16726cd0725a3284116977fdb45adce98f76fcb89c1348d4c72032968f0003d39d5e65740f36

    • C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD

      Filesize

      128KB

      MD5

      1698c36d53042bbfef9feaf5392d91d6

      SHA1

      57ab556b0121efddf3146cff9ddfa91d6956fa08

      SHA256

      fd710814446faa59b072b23f301f62120dbd1dacd345eab49a13c72ba0559470

      SHA512

      f3a4c80ea0d8980f6b8230068560bff8546f4a46e613a3361d17259c3c79e25376f5859d7862dae147795ebac137f02aa8d2587c340cc24ebea1fe85bca46d10

    • C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD

      Filesize

      128KB

      MD5

      66cefa3c1baa7aa3a80fb60f9ff41598

      SHA1

      c03fe6e368009a3fe395a5632635ae9ed5683095

      SHA256

      3041419ab3e8a4294e1eeb27c2aa974da7b57acef2e259d1a0f447199d5a05ad

      SHA512

      2f351863d11be038746c867df943c21f8acccad4c554006c7a324f2749ec25ecdb08d55b70a6c42af83352e20f4073806cc63d65b983e177d96d3980f2ac3170

    • C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{B3224AD0-0F9B-4F18-993C-09798545CA68}.FSD

      Filesize

      128KB

      MD5

      59744f55140dcbc1ff7e8d62928a45a0

      SHA1

      131251089592fa533e6aa33301539f3749815812

      SHA256

      2e1ab18f4266e1470151aed8defcfa742c4eb3d66b4f597ae62ef3043cfb7374

      SHA512

      b6e4de1b1ec94d19fd0754552457157a8bc661ea77381a812e57412a8d849f99b666443a8f1ff6e4278382cd51ea5cea82efa242b97303fa1b0283cbb875fc79

    • C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{B3224AD0-0F9B-4F18-993C-09798545CA68}.FSD

      Filesize

      128KB

      MD5

      b9d5fd77ae860ce58d6890698353a4b3

      SHA1

      deed6afe8439c73170845974649146ee7a53717e

      SHA256

      2978cb67115ed63ac15dcd3233bf08899b70dcad7db0070f6d2a8843d5fc6a59

      SHA512

      1020e2383113bf532cd68ea769826dce3d896dbbf7c6367a6fae4cd821be7c7ff9c9bd523cd78f307b7fceee01d678ad38cb8ce491e66f2d61cc499d5fb62b58

    • C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSF-{0E1EEE64-E8C6-4E2A-9759-63CF07FD8988}.FSF

      Filesize

      114B

      MD5

      57491ab582082a9fdeab69d2413ebebd

      SHA1

      15d5f80be5b774a17b041c2a62e9dafccf697a1c

      SHA256

      baf56c54701550f8e129c8d07c9c3914571f595000f397c7c1dc36874d9dbc11

      SHA512

      e966c1de31a9bc5d7561f69ec4d278e3ec82f1e7ad47393b3bace01180d318ce3a3f9012b7b65207000ff61249af85f26c1ee3ac640d7c561296eaa377f19dff

    • C:\Users\Admin\AppData\Local\Temp\VBE\MSForms.exd

      Filesize

      143KB

      MD5

      4d58793f67321fa3d32570edf52e44eb

      SHA1

      3053085cfcb24055bfdf57532b6274dae2b2d995

      SHA256

      76235ba0daeec93414816cd35bb31e7e6eaceb00f97781408d49f4458afb926a

      SHA512

      3889f9e217419b081c0f08399049501c65ec6af4f8bd3c7ebd2bcbcb4fd1bd7f7676323415f2f07bfedfedd419ac6fb48d8e123b30ef95c2bd58bfbb42984b6b

    • C:\Users\Admin\AppData\Local\Temp\{24427E82-643A-46B3-B6FD-2F56A5437800}

      Filesize

      128KB

      MD5

      ba3e539c63a8b0a701ba1686014e6408

      SHA1

      a5578a17ed4c3959d7b83683375af3798b7c9bdb

      SHA256

      23af3c06959437167fc60ac1963806cf66339d6aa5fdaef57e812eedd1339644

      SHA512

      9f8b8dd6e5f5b51ff10cff84ca7676c3f769a78fcf64bac1da9fabd350d203d667f440c4fa3f5fb7168ca9dfccecb3a0f914f15bb93049640eaa720ed9ba8386

    • C:\Users\Admin\AppData\Roaming\Microsoft\Office\MSO1033.acl

      Filesize

      36KB

      MD5

      8a32411ab347d02d79aae6f1eb6ca62d

      SHA1

      e3cb4d003ee98cb74ecb0c5e33491e120d1ffbac

      SHA256

      2b728726fcf76fcd9259179c11149a0e53b3a72d369203215b34c151212259d5

      SHA512

      973c010176efa5d9cab085923996b5086e3777493eee8ba8ac5ccca721d2e004503a66398d0b48873be3a79e32c8fa47a6bf94578d5c35562be08a126cc53509

    • C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

      Filesize

      20KB

      MD5

      63245362dafdd1bca0071314a1ee8284

      SHA1

      afb3b4161c2c38982f327167ef8fb025c387ffc6

      SHA256

      d0cb9edebd90f11fe5491174e9cfb4d78f76ed57ae57e7eef3f3e056b3c5a5c7

      SHA512

      59ca99521e7abcdbf89bc5deb7cd072cc9faea52571b158903ccf86f6206dec55615648c0c27f8eff88d8248bbbfc5a8ed39cb7e19d35e35d699023c4af9d6ac

    • C:\Users\Admin\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC

      Filesize

      2B

      MD5

      f3b25701fe362ec84616a93a45ce9998

      SHA1

      d62636d8caec13f04e28442a0a6fa1afeb024bbb

      SHA256

      b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

      SHA512

      98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

    • memory/1868-55-0x00000000003E0000-0x00000000004E0000-memory.dmp

      Filesize

      1024KB

    • memory/1868-27-0x00000000003E0000-0x00000000004E0000-memory.dmp

      Filesize

      1024KB

    • memory/1868-56-0x00000000003E0000-0x00000000004E0000-memory.dmp

      Filesize

      1024KB

    • memory/1868-0-0x000000002F7C1000-0x000000002F7C2000-memory.dmp

      Filesize

      4KB

    • memory/1868-54-0x00000000003E0000-0x00000000004E0000-memory.dmp

      Filesize

      1024KB

    • memory/1868-52-0x00000000003E0000-0x00000000004E0000-memory.dmp

      Filesize

      1024KB

    • memory/1868-51-0x00000000003E0000-0x00000000004E0000-memory.dmp

      Filesize

      1024KB

    • memory/1868-50-0x00000000003E0000-0x00000000004E0000-memory.dmp

      Filesize

      1024KB

    • memory/1868-49-0x00000000003E0000-0x00000000004E0000-memory.dmp

      Filesize

      1024KB

    • memory/1868-48-0x00000000003E0000-0x00000000004E0000-memory.dmp

      Filesize

      1024KB

    • memory/1868-47-0x00000000003E0000-0x00000000004E0000-memory.dmp

      Filesize

      1024KB

    • memory/1868-46-0x00000000003E0000-0x00000000004E0000-memory.dmp

      Filesize

      1024KB

    • memory/1868-45-0x00000000003E0000-0x00000000004E0000-memory.dmp

      Filesize

      1024KB

    • memory/1868-44-0x00000000003E0000-0x00000000004E0000-memory.dmp

      Filesize

      1024KB

    • memory/1868-43-0x00000000003E0000-0x00000000004E0000-memory.dmp

      Filesize

      1024KB

    • memory/1868-42-0x00000000003E0000-0x00000000004E0000-memory.dmp

      Filesize

      1024KB

    • memory/1868-41-0x00000000003E0000-0x00000000004E0000-memory.dmp

      Filesize

      1024KB

    • memory/1868-39-0x00000000003E0000-0x00000000004E0000-memory.dmp

      Filesize

      1024KB

    • memory/1868-38-0x00000000003E0000-0x00000000004E0000-memory.dmp

      Filesize

      1024KB

    • memory/1868-37-0x00000000003E0000-0x00000000004E0000-memory.dmp

      Filesize

      1024KB

    • memory/1868-35-0x00000000003E0000-0x00000000004E0000-memory.dmp

      Filesize

      1024KB

    • memory/1868-34-0x00000000003E0000-0x00000000004E0000-memory.dmp

      Filesize

      1024KB

    • memory/1868-33-0x00000000003E0000-0x00000000004E0000-memory.dmp

      Filesize

      1024KB

    • memory/1868-32-0x00000000003E0000-0x00000000004E0000-memory.dmp

      Filesize

      1024KB

    • memory/1868-31-0x00000000003E0000-0x00000000004E0000-memory.dmp

      Filesize

      1024KB

    • memory/1868-30-0x00000000003E0000-0x00000000004E0000-memory.dmp

      Filesize

      1024KB

    • memory/1868-29-0x00000000003E0000-0x00000000004E0000-memory.dmp

      Filesize

      1024KB

    • memory/1868-53-0x00000000003E0000-0x00000000004E0000-memory.dmp

      Filesize

      1024KB

    • memory/1868-26-0x00000000003E0000-0x00000000004E0000-memory.dmp

      Filesize

      1024KB

    • memory/1868-24-0x00000000003E0000-0x00000000004E0000-memory.dmp

      Filesize

      1024KB

    • memory/1868-23-0x00000000003E0000-0x00000000004E0000-memory.dmp

      Filesize

      1024KB

    • memory/1868-22-0x00000000003E0000-0x00000000004E0000-memory.dmp

      Filesize

      1024KB

    • memory/1868-21-0x00000000003E0000-0x00000000004E0000-memory.dmp

      Filesize

      1024KB

    • memory/1868-20-0x00000000003E0000-0x00000000004E0000-memory.dmp

      Filesize

      1024KB

    • memory/1868-40-0x00000000003E0000-0x00000000004E0000-memory.dmp

      Filesize

      1024KB

    • memory/1868-36-0x00000000003E0000-0x00000000004E0000-memory.dmp

      Filesize

      1024KB

    • memory/1868-19-0x00000000003E0000-0x00000000004E0000-memory.dmp

      Filesize

      1024KB

    • memory/1868-57-0x00000000003E0000-0x00000000004E0000-memory.dmp

      Filesize

      1024KB

    • memory/1868-58-0x00000000003E0000-0x00000000004E0000-memory.dmp

      Filesize

      1024KB

    • memory/1868-59-0x00000000003E0000-0x00000000004E0000-memory.dmp

      Filesize

      1024KB

    • memory/1868-60-0x00000000003E0000-0x00000000004E0000-memory.dmp

      Filesize

      1024KB

    • memory/1868-580-0x00000000003E0000-0x00000000004E0000-memory.dmp

      Filesize

      1024KB

    • memory/1868-581-0x000000000DC70000-0x000000000DD70000-memory.dmp

      Filesize

      1024KB

    • memory/1868-68-0x00000000003E0000-0x00000000004E0000-memory.dmp

      Filesize

      1024KB

    • memory/1868-76-0x00000000003E0000-0x00000000004E0000-memory.dmp

      Filesize

      1024KB

    • memory/1868-1038-0x00000000003E0000-0x00000000004E0000-memory.dmp

      Filesize

      1024KB

    • memory/1868-114-0x000000000DC70000-0x000000000DD70000-memory.dmp

      Filesize

      1024KB

    • memory/1868-85-0x00000000003E0000-0x00000000004E0000-memory.dmp

      Filesize

      1024KB

    • memory/1868-61-0x00000000003E0000-0x00000000004E0000-memory.dmp

      Filesize

      1024KB

    • memory/1868-28-0x00000000003E0000-0x00000000004E0000-memory.dmp

      Filesize

      1024KB

    • memory/1868-25-0x00000000003E0000-0x00000000004E0000-memory.dmp

      Filesize

      1024KB

    • memory/1868-11-0x000000007165D000-0x0000000071668000-memory.dmp

      Filesize

      44KB

    • memory/1868-2-0x000000007165D000-0x0000000071668000-memory.dmp

      Filesize

      44KB

    • memory/1868-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB