Malware Analysis Report

2024-10-16 02:53

Sample ID 240627-qcaltssfqa
Target 161c3c7e18e408720c114f8a876f35b0_JaffaCakes118
SHA256 d19079e9f888e919ad866cee089a400b123b995ac14a17c79d033365116bcff0
Tags
macro macro_on_action
score
8/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

score
8/10

SHA256

d19079e9f888e919ad866cee089a400b123b995ac14a17c79d033365116bcff0

Threat Level: Likely malicious

The file 161c3c7e18e408720c114f8a876f35b0_JaffaCakes118 was found to be: Likely malicious.

Malicious Activity Summary

macro macro_on_action

Suspicious Office macro

Office macro that triggers on suspicious action

Abuses OpenXML format to download file from external location

Drops file in Windows directory

Office loads VBA resources, possible macro or embedded object present

Checks processor information in registry

Suspicious behavior: AddClipboardFormatListener

Enumerates system info in registry

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Modifies Internet Explorer settings

Modifies registry class

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-27 13:06

Signatures

Office macro that triggers on suspicious action

macro macro_on_action
Description Indicator Process Target
N/A N/A N/A N/A

Suspicious Office macro

macro
Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-27 13:06

Reported

2024-06-27 13:08

Platform

win7-20240508-en

Max time kernel

146s

Max time network

146s

Command Line

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\161c3c7e18e408720c114f8a876f35b0_JaffaCakes118.doc"

Signatures

Abuses OpenXML format to download file from external location

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Office\14.0\Common C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key opened \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Office\Common\Offline\Files\https://khalilmouna.com/docs/count.xls?0TCS_2m925809.161c3c7e18e408720c114f8a876f35b0_JaffaCakes118.doc C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key opened \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Office\Common\Offline\Files\https://khalilmouna.com/docs/count.xls?0TCS_2m925809.161c3c7e18e408720c114f8a876f35b0_JaffaCakes118.doc C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
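The indicator that matters in this table is the URL embedded in the Office offline-files key: EXCEL.EXE, started by Word with /automation -Embedding (see Processes), opened https://khalilmouna.com/docs/count.xls?... as a linked object. The sample is named .doc, but an OpenXML signature fired, so the container should be classified by magic bytes rather than by extension, and the place to look for the link is the package's relationship parts: any relationship with TargetMode="External" names something Office will fetch from outside the file. The Network table for this run shows only DNS lookups of khalilmouna.com, so whether the fetch completed cannot be determined from this page. The following triage script is an added example written for this report, not code from the sandbox vendor or from the sample; because the sample itself is not available here, it builds a minimal Word package in memory with one external oleObject relationship shaped after the logged URL (the relationship type and part names are assumptions) and a stub vbaProject.bin, the package-level artefact behind the "Office loads VBA resources" signature.

```python
"""Triage an OOXML container for external relationship targets and a VBA project.
Added example for this report; the test document is constructed, not the real sample."""
import io
import zipfile
import xml.etree.ElementTree as ET

RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OFFDOC = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"

# Standard OOXML relationship types whose external targets Office follows.
# (Type URIs come from the OOXML spec, not from the sandbox report.)
FETCHED_TYPES = {
    OFFDOC + "oleObject": "oleObject",
    OFFDOC + "attachedTemplate": "attachedTemplate",
    OFFDOC + "frame": "frame",
    OFFDOC + "vbaProject": "vbaProject",
}

OOXML_MAGIC = b"PK\x03\x04"                      # ZIP local file header
CFB_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # OLE2 / legacy .doc .xls


def container_kind(data: bytes) -> str:
    """Classify by magic bytes: the extension (.doc here) must not be trusted."""
    if data.startswith(OOXML_MAGIC):
        return "ooxml"
    if data.startswith(CFB_MAGIC):
        return "cfb"      # legacy binary format; needs an OLE2 parser instead
    return "unknown"


def external_relationships(data: bytes):
    """Walk every *.rels part and return (rels part, type short name, target) for
    each relationship with TargetMode="External", plus whether vbaProject.bin exists."""
    findings = []
    has_vba = False
    with zipfile.ZipFile(io.BytesIO(data)) as pkg:
        for name in pkg.namelist():
            if name.lower().endswith("vbaproject.bin"):
                has_vba = True
            if not name.lower().endswith(".rels"):
                continue
            root = ET.fromstring(pkg.read(name))
            for rel in root.iter("{%s}Relationship" % RELS_NS):
                if rel.get("TargetMode", "Internal").lower() != "external":
                    continue
                rtype = rel.get("Type", "")
                short = FETCHED_TYPES.get(rtype, rtype.rsplit("/", 1)[-1])
                findings.append((name, short, rel.get("Target", "")))
    return findings, has_vba


def build_sample_docx() -> bytes:
    """Constructed stand-in for the sample: a minimal Word package whose document
    part links an OLE object to the URL recorded in the sandbox registry indicator
    and also carries a (stub) VBA project part."""
    url = ("https://khalilmouna.com/docs/count.xls"
           "?0TCS_2m925809.161c3c7e18e408720c114f8a876f35b0_JaffaCakes118.doc")
    rels = f'''<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Relationships xmlns="{RELS_NS}">
  <Relationship Id="rId1" Type="{OFFDOC}styles" Target="styles.xml"/>
  <Relationship Id="rId2" Type="{OFFDOC}oleObject" Target="{url}" TargetMode="External"/>
  <Relationship Id="rId3" Type="{OFFDOC}vbaProject" Target="vbaProject.bin"/>
</Relationships>'''
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as pkg:
        pkg.writestr("[Content_Types].xml", "<Types/>")
        pkg.writestr("word/document.xml", "<document/>")
        pkg.writestr("word/_rels/document.xml.rels", rels)
        pkg.writestr("word/vbaProject.bin", CFB_MAGIC + b"\x00" * 8)
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_docx()
    print("container:", container_kind(sample))
    links, vba = external_relationships(sample)
    print("vbaProject.bin present:", vba)
    for part, kind, target in links:
        print(f"{part}: {kind} -> {target}")
```

Run it against a real file by replacing build_sample_docx() with the file's bytes; a "cfb" result means the document is a legacy OLE2 container and the relationship walk does not apply. Every external target it prints is a network IoC worth correlating with the DNS and proxy logs, independent of whether the macro itself is readable.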

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Debug\WIA\wiatrace.log C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Office loads VBA resources, possible macro or embedded object present

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\MenuExt C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\TypeLib\{C6AE5C46-D4E6-4919-8AC4-04F2E141B3FB} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Wow6432Node\Interface\{8BD21D13-EC42-11CE-9E0D-00AA006002F3} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Wow6432Node\Interface\{8BD21D12-EC42-11CE-9E0D-00AA006002F3}\ = "MdcTextEvents" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C6AE5C46-D4E6-4919-8AC4-04F2E141B3FB}\2.0\0\win32 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Interface\{CF3F94A0-F546-11CE-9BCE-00AA00608E01}\ = "OptionFrameEvents" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Interface\{5512D117-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLCheckbox" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Wow6432Node\Interface\{5CEF5613-713D-11CE-80C9-00AA00611080}\ = "IPage" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Interface\{8BD21D63-EC42-11CE-9E0D-00AA006002F3} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Interface\{5512D115-5CC6-11CF-8D67-00AA00BDCE1D} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Wow6432Node\Interface\{8A683C90-BA84-11CF-8110-00A0C9030074} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C6AE5C46-D4E6-4919-8AC4-04F2E141B3FB}\2.0\FLAGS\ = "6" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\TypeLib\{C6AE5C46-D4E6-4919-8AC4-04F2E141B3FB}\2.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\VBE" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Interface\{8A683C90-BA84-11CF-8110-00A0C9030074}\ = "IReturnSingle" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Wow6432Node\Interface\{04598FC4-866C-11CF-AB7C-00AA00C08FCF}\ = "ICommandButton" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Interface\{7B020EC2-AF6C-11CE-9F46-00AA00574A4F}\ = "ScrollbarEvents" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Interface\{82B02371-B5BC-11CF-810F-00A0C9030074} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Wow6432Node\Interface\{8BD21D13-EC42-11CE-9E0D-00AA006002F3}\ = "IMdcText" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Wow6432Node\Interface\{944ACF93-A1E6-11CE-8104-00AA00611080}\ = "Tabs" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Wow6432Node\Interface\{5B9D8FC8-4A71-101B-97A6-00000B65C08B}\ = "FormEvents" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Interface\{8BD21D43-EC42-11CE-9E0D-00AA006002F3}\ = "IMdcCheckBox" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Wow6432Node\Interface\{5512D115-5CC6-11CF-8D67-00AA00BDCE1D} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Interface\{47FF8FE1-6198-11CF-8CE8-00AA006CB389} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Interface\{A38BFFC3-A5A0-11CE-8107-00AA00611080}\ = "Tab" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Interface\{4C599243-6926-101B-9992-00000B65C6F9}\ = "IImage" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Wow6432Node\Interface\{47FF8FE4-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents5" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Wow6432Node\Interface\{47FF8FE9-6198-11CF-8CE8-00AA006CB389} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Interface\{92E11A03-7358-11CE-80CB-00AA00611080} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Wow6432Node\Interface\{BEF6E003-A874-101A-8BBA-00AA00300CAB} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Wow6432Node\Interface\{5512D111-5CC6-11CF-8D67-00AA00BDCE1D} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Interface\{BEF6E003-A874-101A-8BBA-00AA00300CAB}\ = "Font" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Wow6432Node\Interface\{04598FC1-866C-11CF-AB7C-00AA00C08FCF}\ = "ILabelControl" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Interface\{8BD21D32-EC42-11CE-9E0D-00AA006002F3} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Wow6432Node\Interface\{7B020EC8-AF6C-11CE-9F46-00AA00574A4F} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Interface\{47FF8FE2-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents3" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Interface\{04598FC4-866C-11CF-AB7C-00AA00C08FCF}\ = "ICommandButton" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Interface\{5512D119-5CC6-11CF-8D67-00AA00BDCE1D} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Interface\{5512D119-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLOption" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Interface\{47FF8FE2-6198-11CF-8CE8-00AA006CB389} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Wow6432Node\Interface\{944ACF93-A1E6-11CE-8104-00AA00611080} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Interface\{EC72F590-F375-11CE-B9E8-00AA006B1A69} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Interface\{92E11A03-7358-11CE-80CB-00AA00611080}\ = "Pages" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Interface\{5B9D8FC8-4A71-101B-97A6-00000B65C08B} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Interface\{8BD21D13-EC42-11CE-9E0D-00AA006002F3}\ = "IMdcText" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Interface\{944ACF93-A1E6-11CE-8104-00AA00611080}\ = "Tabs" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Interface\{47FF8FE0-6198-11CF-8CE8-00AA006CB389} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Wow6432Node\Interface\{978C9E22-D4B0-11CE-BF2D-00AA003F40D0}\ = "LabelControlEvents" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A

Processes

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\161c3c7e18e408720c114f8a876f35b0_JaffaCakes118.doc"

C:\Windows\splwow64.exe

C:\Windows\splwow64.exe 12288

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 khalilmouna.com udp
US 8.8.8.8:53 khalilmouna.com udp
US 8.8.8.8:53 khalilmouna.com udp

Files

memory/1868-0-0x000000002F7C1000-0x000000002F7C2000-memory.dmp

memory/1868-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

memory/1868-2-0x000000007165D000-0x0000000071668000-memory.dmp

memory/1868-11-0x000000007165D000-0x0000000071668000-memory.dmp

memory/1868-25-0x00000000003E0000-0x00000000004E0000-memory.dmp

memory/1868-28-0x00000000003E0000-0x00000000004E0000-memory.dmp

memory/1868-61-0x00000000003E0000-0x00000000004E0000-memory.dmp

memory/1868-85-0x00000000003E0000-0x00000000004E0000-memory.dmp

memory/1868-114-0x000000000DC70000-0x000000000DD70000-memory.dmp

memory/1868-76-0x00000000003E0000-0x00000000004E0000-memory.dmp

memory/1868-68-0x00000000003E0000-0x00000000004E0000-memory.dmp

memory/1868-60-0x00000000003E0000-0x00000000004E0000-memory.dmp

memory/1868-59-0x00000000003E0000-0x00000000004E0000-memory.dmp

memory/1868-58-0x00000000003E0000-0x00000000004E0000-memory.dmp

memory/1868-57-0x00000000003E0000-0x00000000004E0000-memory.dmp

memory/1868-53-0x00000000003E0000-0x00000000004E0000-memory.dmp

memory/1868-56-0x00000000003E0000-0x00000000004E0000-memory.dmp

memory/1868-55-0x00000000003E0000-0x00000000004E0000-memory.dmp

memory/1868-54-0x00000000003E0000-0x00000000004E0000-memory.dmp

memory/1868-52-0x00000000003E0000-0x00000000004E0000-memory.dmp

memory/1868-51-0x00000000003E0000-0x00000000004E0000-memory.dmp

memory/1868-50-0x00000000003E0000-0x00000000004E0000-memory.dmp

memory/1868-49-0x00000000003E0000-0x00000000004E0000-memory.dmp

memory/1868-48-0x00000000003E0000-0x00000000004E0000-memory.dmp

memory/1868-47-0x00000000003E0000-0x00000000004E0000-memory.dmp

memory/1868-46-0x00000000003E0000-0x00000000004E0000-memory.dmp

memory/1868-45-0x00000000003E0000-0x00000000004E0000-memory.dmp

memory/1868-44-0x00000000003E0000-0x00000000004E0000-memory.dmp

memory/1868-43-0x00000000003E0000-0x00000000004E0000-memory.dmp

memory/1868-42-0x00000000003E0000-0x00000000004E0000-memory.dmp

memory/1868-41-0x00000000003E0000-0x00000000004E0000-memory.dmp

memory/1868-39-0x00000000003E0000-0x00000000004E0000-memory.dmp

memory/1868-38-0x00000000003E0000-0x00000000004E0000-memory.dmp

memory/1868-37-0x00000000003E0000-0x00000000004E0000-memory.dmp

memory/1868-35-0x00000000003E0000-0x00000000004E0000-memory.dmp

memory/1868-34-0x00000000003E0000-0x00000000004E0000-memory.dmp

memory/1868-33-0x00000000003E0000-0x00000000004E0000-memory.dmp

memory/1868-32-0x00000000003E0000-0x00000000004E0000-memory.dmp

memory/1868-31-0x00000000003E0000-0x00000000004E0000-memory.dmp

memory/1868-30-0x00000000003E0000-0x00000000004E0000-memory.dmp

memory/1868-29-0x00000000003E0000-0x00000000004E0000-memory.dmp

memory/1868-27-0x00000000003E0000-0x00000000004E0000-memory.dmp

memory/1868-26-0x00000000003E0000-0x00000000004E0000-memory.dmp

memory/1868-24-0x00000000003E0000-0x00000000004E0000-memory.dmp

memory/1868-23-0x00000000003E0000-0x00000000004E0000-memory.dmp

memory/1868-22-0x00000000003E0000-0x00000000004E0000-memory.dmp

memory/1868-21-0x00000000003E0000-0x00000000004E0000-memory.dmp

memory/1868-20-0x00000000003E0000-0x00000000004E0000-memory.dmp

memory/1868-40-0x00000000003E0000-0x00000000004E0000-memory.dmp

memory/1868-36-0x00000000003E0000-0x00000000004E0000-memory.dmp

memory/1868-19-0x00000000003E0000-0x00000000004E0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\{24427E82-643A-46B3-B6FD-2F56A5437800}

MD5 ba3e539c63a8b0a701ba1686014e6408
SHA1 a5578a17ed4c3959d7b83683375af3798b7c9bdb
SHA256 23af3c06959437167fc60ac1963806cf66339d6aa5fdaef57e812eedd1339644
SHA512 9f8b8dd6e5f5b51ff10cff84ca7676c3f769a78fcf64bac1da9fabd350d203d667f440c4fa3f5fb7168ca9dfccecb3a0f914f15bb93049640eaa720ed9ba8386

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{13A4E7E9-DDCB-4105-B037-9E49A2D134B3}.FSD

MD5 9537416ae9df256e693e2acab9f23870
SHA1 d44b163fe20daffbd16452d3d52fd78ebbed974f
SHA256 ed9025b7bbef59223bdda75f73c343b396fcdbdec6eb0ef85ce2990b80f8554c
SHA512 2f15d1c180ac3e130a27263fe8bae1232d63c20d0c046e7f306f508062686e61c6ab76dba1fc0d5c30e866051b40b8a34f37ae917e9ceceaaac2873b67ab56a6

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD

MD5 66cefa3c1baa7aa3a80fb60f9ff41598
SHA1 c03fe6e368009a3fe395a5632635ae9ed5683095
SHA256 3041419ab3e8a4294e1eeb27c2aa974da7b57acef2e259d1a0f447199d5a05ad
SHA512 2f351863d11be038746c867df943c21f8acccad4c554006c7a324f2749ec25ecdb08d55b70a6c42af83352e20f4073806cc63d65b983e177d96d3980f2ac3170

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{B3224AD0-0F9B-4F18-993C-09798545CA68}.FSD

MD5 b9d5fd77ae860ce58d6890698353a4b3
SHA1 deed6afe8439c73170845974649146ee7a53717e
SHA256 2978cb67115ed63ac15dcd3233bf08899b70dcad7db0070f6d2a8843d5fc6a59
SHA512 1020e2383113bf532cd68ea769826dce3d896dbbf7c6367a6fae4cd821be7c7ff9c9bd523cd78f307b7fceee01d678ad38cb8ce491e66f2d61cc499d5fb62b58

memory/1868-580-0x00000000003E0000-0x00000000004E0000-memory.dmp

memory/1868-581-0x000000000DC70000-0x000000000DD70000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Office\MSO1033.acl

MD5 8a32411ab347d02d79aae6f1eb6ca62d
SHA1 e3cb4d003ee98cb74ecb0c5e33491e120d1ffbac
SHA256 2b728726fcf76fcd9259179c11149a0e53b3a72d369203215b34c151212259d5
SHA512 973c010176efa5d9cab085923996b5086e3777493eee8ba8ac5ccca721d2e004503a66398d0b48873be3a79e32c8fa47a6bf94578d5c35562be08a126cc53509

C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

MD5 63245362dafdd1bca0071314a1ee8284
SHA1 afb3b4161c2c38982f327167ef8fb025c387ffc6
SHA256 d0cb9edebd90f11fe5491174e9cfb4d78f76ed57ae57e7eef3f3e056b3c5a5c7
SHA512 59ca99521e7abcdbf89bc5deb7cd072cc9faea52571b158903ccf86f6206dec55615648c0c27f8eff88d8248bbbfc5a8ed39cb7e19d35e35d699023c4af9d6ac

memory/1868-1038-0x00000000003E0000-0x00000000004E0000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC

MD5 f3b25701fe362ec84616a93a45ce9998
SHA1 d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256 b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA512 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

C:\Users\Admin\AppData\Local\Temp\VBE\MSForms.exd

MD5 4d58793f67321fa3d32570edf52e44eb
SHA1 3053085cfcb24055bfdf57532b6274dae2b2d995
SHA256 76235ba0daeec93414816cd35bb31e7e6eaceb00f97781408d49f4458afb926a
SHA512 3889f9e217419b081c0f08399049501c65ec6af4f8bd3c7ebd2bcbcb4fd1bd7f7676323415f2f07bfedfedd419ac6fb48d8e123b30ef95c2bd58bfbb42984b6b

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{13A4E7E9-DDCB-4105-B037-9E49A2D134B3}.FSD

MD5 34ab91dfc954753a4ce57e7fe516c7b6
SHA1 41e71881ede4732cbc4acc78ca736248878e3f63
SHA256 7f9b2cae72b0f8235b9f8cb5a2f1e721810978c969bf9a3c7d848e48818c0485
SHA512 0a7cb2cf16434fd60dd165800a6b6f1e24ac30a4808c501c400bf1808cf23de95736b772d4a7dac669177d301aa8c1e3798b3f00892730f6a7dea81e4447b552

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSF-CTBL.FSF

MD5 55e2d786c5691b9e6169c2963d14aec0
SHA1 4ccb6df758fdf024c9b5f9aac5a3fff2732e4964
SHA256 77f8bb1d91f8b9d18e29b8a81f288cf85a377df4bcf279ca1e9189f9eb096615
SHA512 0a108f34b424d8df7472d35bc49d466cf8ff3b66bbf8bac183bc16726cd0725a3284116977fdb45adce98f76fcb89c1348d4c72032968f0003d39d5e65740f36

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-CNRY.FSD

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSF-{0E1EEE64-E8C6-4E2A-9759-63CF07FD8988}.FSF

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{B3224AD0-0F9B-4F18-993C-09798545CA68}.FSD

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-27 13:06

Reported

2024-06-27 13:08

Platform

win10v2004-20240611-en

Max time kernel

148s

Max time network

150s

Command Line

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\161c3c7e18e408720c114f8a876f35b0_JaffaCakes118.doc" /o ""

Signatures

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeAuditPrivilege N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Processes

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\161c3c7e18e408720c114f8a876f35b0_JaffaCakes118.doc" /o ""

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /Automation -Embedding

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 roaming.officeapps.live.com udp
FR 52.109.68.129:443 roaming.officeapps.live.com tcp
US 8.8.8.8:53 97.32.109.52.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 129.68.109.52.in-addr.arpa udp
US 8.8.8.8:53 3.181.190.20.in-addr.arpa udp
US 8.8.8.8:53 104.193.132.51.in-addr.arpa udp
US 8.8.8.8:53 metadata.templates.cdn.office.net udp
NL 23.62.61.184:443 metadata.templates.cdn.office.net tcp
US 8.8.8.8:53 binaries.templates.cdn.office.net udp
SE 23.201.43.41:443 binaries.templates.cdn.office.net tcp
US 8.8.8.8:53 184.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 41.43.201.23.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 57.15.31.184.in-addr.arpa udp
US 8.8.8.8:53 249.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 khalilmouna.com udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp
US 8.8.8.8:53 26.173.189.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\TCD7FFA.tmp\gb.xsl

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\58978085-5D30-4BDD-8D18-9700F1D50030

C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\49dbe2955480c7f6ef8cec9c4320c9868d9293fd.tbres

C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\winword.exe_Rules.xml

C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\winword.exe.db-wal

C:\Users\Admin\AppData\Local\Microsoft\Office\DLP\mip\logs\mip_sdk.miplog

C:\Users\Admin\AppData\Local\Temp\VBE\MSForms.exd

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\OfficeFileCache\CentralTable.accdb

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.GovernedChannelStates.json

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.SurveyHistoryStats.json

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.CampaignStates.json

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.Settings.json

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A

C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\excel.exe.db
