Analysis

  • max time kernel
    130s
  • max time network
    130s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags

    arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
  • submitted
    27-06-2024 15:55

General

  • Target

    169b39fccbbc5cfa145e0c430f455609_JaffaCakes118.doc

  • Size

    204KB

  • MD5

    169b39fccbbc5cfa145e0c430f455609

  • SHA1

    2e99f48e1d5d375c824daede50b1c4b993f5a5fb

  • SHA256

    955b510462e4733b2edb7ccb6ad15fb8e2f5590dcd9e691a519631b63b5fe48c

  • SHA512

    a5101d7c4632a6e9a967bd32c5d7339a1cfdda8ae6d5165f1d2aa38ad34ed5b2701605074459bee44f2d288aef85fd470a737ddc6b226e787b9eb8fd361602a5

  • SSDEEP

    1536:gxK/jtPrT8wrLT0NeXxz1DwerHrTPXyZ5J8br1cgSe02gNt2r2XwvkwpYu:v2w3keXxz1DffYwcgjrvP

Score
7/10

Signatures

  • Abuses OpenXML format to download file from external location (3 IoCs)
  • Drops file in Windows directory (1 IoC)
  • Office loads VBA resources, possible macro or embedded object present
  • Enumerates system info in registry (2 TTPs, 3 IoCs)
  • Modifies Internet Explorer settings (1 TTP, 31 IoCs)
  • Modifies registry class (64 IoCs)
  • Suspicious behavior: AddClipboardFormatListener (2 IoCs)
  • Suspicious use of AdjustPrivilegeToken (2 IoCs)
  • Suspicious use of SetWindowsHookEx (11 IoCs)
  • Suspicious use of WriteProcessMemory (4 IoCs)

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\169b39fccbbc5cfa145e0c430f455609_JaffaCakes118.doc"
    PID:2244
    • Abuses OpenXML format to download file from external location
    • Drops file in Windows directory
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    • C:\Windows\splwow64.exe (child of PID 2244)
      C:\Windows\splwow64.exe 12288
      PID:2688
  • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
    PID:1696
    • Abuses OpenXML format to download file from external location
    • Enumerates system info in registry
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
  • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding
    PID:1716
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
  • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
    PID:2512
    • Enumerates system info in registry
    • Suspicious use of SetWindowsHookEx
  • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
    PID:684
    • Abuses OpenXML format to download file from external location
    • Enumerates system info in registry
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-CNRY.FSD

      Filesize

      128KB

      MD5

      69d6aa4d391b9c8db29d150becb29422

      SHA1

      c3de9f8fc793b26e4ca914d191738325628cdded

      SHA256

      090c9797755b93e751397b227fa0b9a39ec90bfad31314e72b01f8c9202c50ba

      SHA512

      aa5b25afe3279b0a2e48250670e27e27479a6aa9d95ddfc95afb3a26daa8c6e69d23c64bf18fc1eb34fc14b2ce0d08b7cfefcd86b5627798b7f08baabf0a992b

    • C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{C984DAAB-2E9A-4A0D-82A5-C916EE0736BC}.FSD

      Filesize

      128KB

      MD5

      52602208b869957c24f8623ae7fe5769

      SHA1

      fde8a2f6d7dbaf6cd7c88913b7103c0fadb5395c

      SHA256

      b218e6be2a7636ea6424b0f3e8fa08d494c007871c444ec1f6844fe287cadaf3

      SHA512

      626c8aa2a65d9d54c97b85cfa9e0f1101faeb84acdf4a5de55052f9c39c1d3a58c5d8ade25dd2971059837c4cd169f3409217b7acaf65edb93d985f292f051cb

    • C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{C984DAAB-2E9A-4A0D-82A5-C916EE0736BC}.FSD

      Filesize

      128KB

      MD5

      81a2a0063c90cd1ca9e1276bc301c78f

      SHA1

      b6b83e40d3e1b5552e487e6de038483ddc35019d

      SHA256

      dc9c42d77dba6e9cc3413cc347795d2c5b1f4593b1487595a421d6b806271bcd

      SHA512

      ddf811076a9e062893f8d131f7a4488597cb95440469bbc6880a0ca1ad9ba8e06a4cde2225bb86fd5ca466f232513fdcc887c70ed57ff3b85ff0d974e2fb4232

    • C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSF-CTBL.FSF

      Filesize

      114B

      MD5

      4a0ba36438ecb944d6878912b875dafb

      SHA1

      8118de98d6634f8a350d9ea2927d60228d78b500

      SHA256

      87226d6483251667ce8301f3879b9abbfacdd3317e646866e94b7449adbdc7dc

      SHA512

      7a0bb286f76f54d7d0e42226c62cdcb9ac5dcda5257ff981aac1344d2f423daafde0a04657a7d839f5b34079f3e47c0ef3fbfc492fc32066d4d4c973126eee61

    • C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD

      Filesize

      128KB

      MD5

      2ae723f9aa63ed7529a2130784eab28c

      SHA1

      c84d8034bbd7e99a368e351b80f8e2c66776a664

      SHA256

      86efa0659c2e6d1d836c863b598192317bf69d0d17b2e32b1f093170dfb27c9b

      SHA512

      596578baac57e4684e49e117af928386a5069cf72bc52a34d864179612a228d9dfd0544ff28fd538b681f33ecaafb865f982166b915d38296e58b7e8135442d9

    • C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD

      Filesize

      128KB

      MD5

      ab0b36e1ea93c2e1fbdb5097b0eb0989

      SHA1

      499ca4857c86c79913a1db7f3ad8d3db91e07a4f

      SHA256

      6fc393d332bdd428e7d81eaa6ce8dcbdf2149c7beb3d6b06085ac1eb2e906d00

      SHA512

      a588464442ed13cfafe2392849b33f6466e1323fbabc787420d9d0c7c88aadec500368eec5db33222c78dbf78230e5435db45e5ce46a84c95afaa798ed60265b

    • C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{9B8A38E3-41E2-4E00-9301-7C6C5D5677C8}.FSD

      Filesize

      128KB

      MD5

      2f9097171b30a8b5ff5aa5762240e94d

      SHA1

      0dbf0ef18d8786c04cd8343eb8383fa9507175c6

      SHA256

      0d0c4f7ecff95b3052274a0bc4ca49388db8a38a422a59657c461feda7bd025d

      SHA512

      b1bfe7a28145d27a18fa6aabedc4f449d1f25b58d60e6f1c962e8748367515aaeb09228d17d3936bf2a552ecae049a0f5ed39ab9fb9404e92c5944910328681c

    • C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{9B8A38E3-41E2-4E00-9301-7C6C5D5677C8}.FSD

      Filesize

      128KB

      MD5

      bb5bd0b3fc24adeea1e84c2506f3e6b0

      SHA1

      c8b7d70acdf97b4570799768fa8172909fff2455

      SHA256

      2fe66ccac3209b23d8d3ceffd331bb99c0409f30279908f9e1545311241f33a1

      SHA512

      0fbc23c873d4d7a7ec68841b30c1fb699c9d6a51c9668349075d8ef23d3de6d06503ca948a32b5383ff3133a4b2356ee26d8d41c22ad6d8764e44a53d5ba54fa

    • C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSF-{0E1EEE64-E8C6-4E2A-9759-63CF07FD8988}.FSF

      Filesize

      114B

      MD5

      32bec273a140315fff0d38ba2c726556

      SHA1

      bf36554b7a53f76849ed3baf622e0c5d6cbb5997

      SHA256

      939324caf6185fc919a06342f9d92aea8e5a44a44b2807ebce6b8a546ebe453a

      SHA512

      f46d593e5b50eacade5f095d85bbf7ff2ae35dc8e0b449ee14a98aad7d9682af8e0ae2761c2e4e8b4a5e24735c4b48fd0efb03e30fbbbce69acfbaf56d6ffd70

    • C:\Users\Admin\AppData\Local\Temp\VBE\MSForms.exd

      Filesize

      143KB

      MD5

      c076078327530b924707a70fdb1266f6

      SHA1

      fadbd12050c725a803452c5359d9983eae008cbb

      SHA256

      28a6517d7357fa37e8d427c710b063b110386e98cb76bb0350b2ed64a3d36b14

      SHA512

      833217ae051b21decaab99242674f325753ef36ffb71934c4fbc5289f2a2676db6f47700f6637a033295614105d5731dda1c81f6892cb93459bbdf72ff8f2fdf

    • C:\Users\Admin\AppData\Local\Temp\{A2C5AED5-40C8-41B1-A192-7B29582CD0A4}

      Filesize

      128KB

      MD5

      88697f65777b1b619b8bc22eb3ea42c4

      SHA1

      984156a8bca223b36c1b4739147be8c6289d4eb1

      SHA256

      9358dbf2dc56593116caae69c31244357d788409b3db649eb1a737762ee2dd78

      SHA512

      226487e3fa9d1e19837683b7bf75562b47b1e4730ebad9aa8a2faecba67111eace3410451515d90f68f30d075f8ff478ce96f6135982961617ffa87fc4321fd9

    • C:\Users\Admin\AppData\Roaming\Microsoft\Office\MSO1033.acl

      Filesize

      36KB

      MD5

      f9d8534fa390422e517b2d4eb5cf3d4b

      SHA1

      d4d45974ad59c17370e4eaa3cdc976b913cc9400

      SHA256

      dc0d49ecc67666ca1602cbdb213e2e57c6f0c80608f488ab50a12fe298121817

      SHA512

      9268cfe6e115027fae4a6629948df10b329f399411f94d7a694c09a461faf143c1b330f0da9159fe37095c34fe15e0a9918e9e70eaae152ff2cfe6e5c9e43e88

    • C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

      Filesize

      55B

      MD5

      b04fd3884038b13390e7a065db5af8e8

      SHA1

      77766abc66b4466c2bbbf7c95ffce8e88888cb2a

      SHA256

      dbfc917519388f434307e61f1e03c6d76817d90ff746217f0f9c06858c3c3650

      SHA512

      a1739f2774f4bb11335eaec921a76736a0f5ec3a98c04fbf0777e902c07c640bc90f4806710d12e34f9f51d855044f007a1519f779eaf1754e533134b2a0e8e4

    • C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

      Filesize

      20KB

      MD5

      1c3db50e22d52e779d29471443cd267c

      SHA1

      18e77b8a5ef418df83d4bfe6e1a9018171cb7809

      SHA256

      fbc879525ca308c96dc1f6681c13d7cb5a97ccde4567ece839cffc902dbe6564

      SHA512

      9559e0b5d11500667b3f677dc1a19fcc3b093e5b14bceea27e89d10f27c5747fa63d0fea165d96c84fd8516a4039f8b2f1371fdef1b2986980771e5f2fdb9ff7

    • C:\Users\Admin\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC

      Filesize

      2B

      MD5

      f3b25701fe362ec84616a93a45ce9998

      SHA1

      d62636d8caec13f04e28442a0a6fa1afeb024bbb

      SHA256

      b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

      SHA512

      98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84
