Malware Analysis Report

2024-10-16 02:53

Sample ID 240627-tc9byaydqb
Target 169b39fccbbc5cfa145e0c430f455609_JaffaCakes118
SHA256 955b510462e4733b2edb7ccb6ad15fb8e2f5590dcd9e691a519631b63b5fe48c
Tags: macro, macro_on_action
Score: 8/10

Table of Contents

Analysis Overview
MITRE ATT&CK (Enterprise Matrix V15)
Analysis: static1 (Detonation Overview, Signatures)
Analysis: behavioral1 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral2 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)

Analysis Overview

Score: 8/10

SHA256: 955b510462e4733b2edb7ccb6ad15fb8e2f5590dcd9e691a519631b63b5fe48c

Threat Level: Likely malicious

The file 169b39fccbbc5cfa145e0c430f455609_JaffaCakes118 was found to be: Likely malicious.

Malicious Activity Summary

Tags: macro, macro_on_action

Office macro that triggers on suspicious action
Suspicious Office macro
    Static verdicts on the embedded VBA project. Their detail tables in the static1 section carry no indicator, so the triggering event (document event or form control) is not identified in this export.

Abuses OpenXML format to download file from external location
    The one indicator that points off-host: in behavioral1, EXCEL.EXE (started through COM automation, "/automation -Embedding") opens an Office Offline\Files cache key for https://khalilmouna.com/docs/count.xls?KsOf_6O255664.169b39fccbbc5cfa145e0c430f455609_JaffaCakes118.doc. Treat that URL and the host khalilmouna.com as the IOCs of this sample.

Drops file in Windows directory
    C:\Windows\Debug\WIA\wiatrace.log, the Windows Image Acquisition trace log that Office processes routinely write. Not a dropped payload.

Office loads VBA resources, possible macro or embedded object present
    Corroborated by the MSForms.exd control cache written under Temp\VBE and by the MSForms interface registrations listed under "Modifies registry class": a VBA UserForm was loaded.

Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
    Listed by the sandbox, but no detail rows for either appear in the sections reproduced here.

Checks processor information in registry
Enumerates system info in registry
    Reads of CentralProcessor\0 and FloatingPointProcessor by WINWORD.EXE and EXCEL.EXE; standard Office start-up, not evidence of sandbox evasion on its own.

Suspicious behavior: AddClipboardFormatListener
    WINWORD.EXE registering for clipboard notifications; normal for Word.

Modifies Internet Explorer settings
    Tagged adware/spyware by the sandbox, but every value written is Office's own HTML/MHTML editor and context-menu registration, each pointing at an Office14 binary. Self-registration on first run, not adware.

Suspicious use of AdjustPrivilegeToken
    EXCEL.EXE enabling SeShutdownPrivilege; routine.

Modifies registry class
    Interface and TypeLib entries for MSForms controls (_UserForm, ICommandButton, ITabStrip and others) plus the .htm/.mht OpenWithList handlers; written by the VBA runtime and Office self-registration, see the note on VBA resources above.

MITRE ATT&CK

Enterprise Matrix V15 (no technique mappings are present in this export)

Analysis: static1

Detonation Overview

Reported: 2024-06-27 15:55

Signatures

Office macro that triggers on suspicious action

macro macro_on_action
Description Indicator Process Target
N/A N/A N/A N/A

Suspicious Office macro

macro
Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-27 15:55
Reported: 2024-06-27 15:58
Platform: win7-20231129-en
Max time kernel: 130s
Max time network: 130s

Command Line

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\169b39fccbbc5cfa145e0c430f455609_JaffaCakes118.doc"

Signatures

Abuses OpenXML format to download file from external location

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Office\14.0\Common C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key opened \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Office\Common\Offline\Files\https://khalilmouna.com/docs/count.xls?KsOf_6O255664.169b39fccbbc5cfa145e0c430f455609_JaffaCakes118.doc C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key opened \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Office\Common\Offline\Files\https://khalilmouna.com/docs/count.xls?KsOf_6O255664.169b39fccbbc5cfa145e0c430f455609_JaffaCakes118.doc C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Debug\WIA\wiatrace.log C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Office loads VBA resources, possible macro or embedded object present

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\MenuExt C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
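The two "Set value (data)" rows above write the same REG_BINARY blob to the HTML and MHTML editor "command" values. It is UTF-16LE text, and decoding it shows a Windows Installer (Darwin) descriptor for the WORDFiles feature carrying the same /n "%1" arguments as the string value set beside it, which is how Office registers verbs so the installer can repair the feature on demand. The following is an added example, not part of the sandbox report: the hex is copied from the row, while reading the decoded text as a Darwin descriptor with fixed 20-character compressed-GUID fields is this example's interpretation.

```python
"""Decode the REG_BINARY data the sandbox logged for
...\\Default HTML Editor\\shell\\edit\\command\\command (and the identical MHTML value).

Added example, not part of the sandbox report. The hex blob is copied from the
report; treating the result as a Windows Installer (Darwin) descriptor is this
example's interpretation of the decoded text.
"""
import binascii

# Copied verbatim from the report's "Set value (data)" row.
REG_BINARY_HEX = (
    "7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000"
)

DESCRIPTOR_ID_LEN = 20  # compressed-GUID length used in Darwin descriptors (assumed format)


def decode_reg_binary_utf16(hex_data: str) -> str:
    """Registry data that decodes as UTF-16LE with trailing NULs is a string
    stored as REG_BINARY; strip the terminator(s) and return the text."""
    raw = binascii.unhexlify(hex_data)
    if len(raw) % 2:
        raise ValueError("odd-length data cannot be UTF-16")
    return raw.decode("utf-16-le").rstrip("\x00")


def parse_darwin_descriptor(text: str) -> dict:
    """Split '<product(20)><feature>><component(20)><optional args>'.

    The descriptor is resolved by msi.dll to the feature's installed binary;
    it is not itself a command line. Raises ValueError when the shape does
    not match, so a real command string stored here would not be mistaken
    for a descriptor.
    """
    head, sep, tail = text.partition(">")
    if not sep or len(head) <= DESCRIPTOR_ID_LEN or len(tail) < DESCRIPTOR_ID_LEN:
        raise ValueError("not a Darwin descriptor")
    return {
        "product": head[:DESCRIPTOR_ID_LEN],
        "feature": head[DESCRIPTOR_ID_LEN:],
        "component": tail[:DESCRIPTOR_ID_LEN],
        "args": tail[DESCRIPTOR_ID_LEN:].strip(),
    }


def explain(hex_data: str) -> dict:
    """Decode the blob and return its descriptor fields plus the raw text."""
    decoded = decode_reg_binary_utf16(hex_data)
    info = parse_darwin_descriptor(decoded)
    info["decoded"] = decoded
    return info


if __name__ == "__main__":
    for key, value in explain(REG_BINARY_HEX).items():
        print(f"{key:>10}: {value}")
```

The feature name and the trailing /n "%1" are the parts worth checking by eye; a value here that decodes to a path outside the Office directory, or to a command with extra arguments, would be the thing to escalate.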

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\Interface\{92E11A03-7358-11CE-80CB-00AA00611080}\ = "Pages" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\Wow6432Node\Interface\{8BD21D13-EC42-11CE-9E0D-00AA006002F3} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\Wow6432Node\Interface\{A38BFFC3-A5A0-11CE-8107-00AA00611080} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{5BB53B17-73D5-4882-A1D4-E017DF3856D2} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\Wow6432Node\Interface\{04598FC2-866C-11CF-AB7C-00AA00C08FCF} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\Interface\{04598FC2-866C-11CF-AB7C-00AA00C08FCF}\ = "ITabStrip" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\Wow6432Node\Interface\{9A4BBF53-4E46-101B-8BBD-00AA003E3B29} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\Interface\{5512D125-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLTextArea" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\Wow6432Node\Interface\{978C9E22-D4B0-11CE-BF2D-00AA003F40D0} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\Interface\{4C599243-6926-101B-9992-00000B65C6F9} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\Wow6432Node\Interface\{79176FB2-B7F2-11CE-97EF-00AA006D2776} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\Interface\{7B020EC8-AF6C-11CE-9F46-00AA00574A4F} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\Interface\{8BD21D23-EC42-11CE-9E0D-00AA006002F3} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\Wow6432Node\Interface\{04598FC6-866C-11CF-AB7C-00AA00C08FCF}\ = "IControl" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\Wow6432Node\Interface\{5512D111-5CC6-11CF-8D67-00AA00BDCE1D} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\Wow6432Node\Interface\{8BD21D63-EC42-11CE-9E0D-00AA006002F3} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\Interface\{47FF8FE5-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents6" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\Wow6432Node\Interface\{8BD21D23-EC42-11CE-9E0D-00AA006002F3}\ = "IMdcList" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\Interface\{7B020EC7-AF6C-11CE-9F46-00AA00574A4F} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\Wow6432Node\Interface\{04598FC8-866C-11CF-AB7C-00AA00C08FCF}\ = "_UserForm" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\Interface\{8BD21D52-EC42-11CE-9E0D-00AA006002F3}\ = "MdcOptionButtonEvents" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\Wow6432Node\Interface\{47FF8FE5-6198-11CF-8CE8-00AA006CB389} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\Wow6432Node\Interface\{5512D11B-5CC6-11CF-8D67-00AA00BDCE1D} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\Interface\{5CEF5613-713D-11CE-80C9-00AA00611080}\ = "IPage" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\Wow6432Node\Interface C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\Interface C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\Interface\{04598FC8-866C-11CF-AB7C-00AA00C08FCF}\ = "_UserForm" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\Interface\{04598FC4-866C-11CF-AB7C-00AA00C08FCF}\ = "ICommandButton" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\Interface\{8BD21D53-EC42-11CE-9E0D-00AA006002F3}\ = "IMdcOptionButton" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\Wow6432Node\Interface\{5512D117-5CC6-11CF-8D67-00AA00BDCE1D} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\Wow6432Node\Interface\{978C9E22-D4B0-11CE-BF2D-00AA003F40D0}\ = "LabelControlEvents" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\Wow6432Node\Interface\{47FF8FE3-6198-11CF-8CE8-00AA006CB389} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\Interface\{04598FC3-866C-11CF-AB7C-00AA00C08FCF}\ = "IScrollbar" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\Interface\{5512D11F-5CC6-11CF-8D67-00AA00BDCE1D} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\Wow6432Node\Interface\{79176FB2-B7F2-11CE-97EF-00AA006D2776}\ = "SpinbuttonEvents" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\mhtmlfile C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\TypeLib\{5BB53B17-73D5-4882-A1D4-E017DF3856D2}\2.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\VBE\\MSForms.exd" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\Interface\{BEF6E003-A874-101A-8BBA-00AA00300CAB} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\Interface\{8BD21D22-EC42-11CE-9E0D-00AA006002F3} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\Wow6432Node\Interface\{8BD21D62-EC42-11CE-9E0D-00AA006002F3}\ = "MdcToggleButtonEvents" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\Wow6432Node\Interface\{47FF8FE6-6198-11CF-8CE8-00AA006CB389} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohevi.dll" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\Wow6432Node\Interface\{7B020EC2-AF6C-11CE-9F46-00AA00574A4F}\ = "ScrollbarEvents" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\Interface\{7B020EC7-AF6C-11CE-9F46-00AA00574A4F}\ = "TabStripEvents" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Token: SeShutdownPrivilege N/A C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
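The signature rows in this section are flattened to one line each, with the process path and an always-empty Target column appended to the indicator. The following added example (not part of the report) parses rows of that shape, pulls the remote URL and host out of the Offline\Files indicator, and labels the remaining rows as Office self-registration, VBA UserForm control caching, hardware enumeration or other Office noise. The sample rows are copied from this report's signature tables; the classification patterns are this example's own heuristics for Office first-run behaviour and are assumptions, not the sandbox's logic.

```python
"""Triage flattened sandbox signature rows: extract the remote-resource IOC
and label Office's own registration noise.

Added example, not part of the sandbox report. Rows below are copied from the
report; the classification rules are this example's assumptions about what
Office writes on first run, not the sandbox's own logic.
"""
import re
from collections import Counter
from urllib.parse import urlsplit

# Rows copied verbatim from the report's signature tables
# (Description, Indicator, Process, Target), one per line.
SAMPLE_ROWS = r'''
Key opened \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Office\14.0\Common C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key opened \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Office\Common\Offline\Files\https://khalilmouna.com/docs/count.xls?KsOf_6O255664.169b39fccbbc5cfa145e0c430f455609_JaffaCakes118.doc C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
File opened for modification C:\Windows\Debug\WIA\wiatrace.log C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\Interface\{92E11A03-7358-11CE-80CB-00AA00611080}\ = "Pages" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\TypeLib\{5BB53B17-73D5-4882-A1D4-E017DF3856D2}\2.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\VBE\\MSForms.exd" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
'''.strip().splitlines()

# Operation names as the report prints them (Description column).
OPS = ("Key opened", "Key created", "Key deleted", "Key value queried",
       "Set value (str)", "Set value (int)", "Set value (data)",
       "File opened for modification")

# Ordered heuristics (assumptions): first match wins, so the specific
# remote-resource and MSForms.exd rules come before the broad noise rules.
RULES = (
    ("remote-resource", re.compile(r"\\Offline\\Files\\https?://", re.I)),
    ("vba-userform-cache", re.compile(r"VBE\\+MSForms\.exd", re.I)),
    ("office-self-registration", re.compile(
        r"\\Internet Explorer\\(MenuExt|Default M?HTML Editor|Toolbar)\b"
        r"|_CLASSES\\(Wow6432Node\\)?Interface\\\{"
        r"|\\Classes\\(\.htm|\.mht|htmlfile|mhtmlfile|TypeLib|Wow6432Node\\CLSID)\b", re.I)),
    ("hardware-enumeration", re.compile(r"\\Hardware\\Description\\System\\", re.I)),
    ("office-noise", re.compile(
        r"\\Windows\\Debug\\WIA\\wiatrace\.log$|\\Software\\Microsoft\\Office\\14\.0\\", re.I)),
)


def parse_row(row: str) -> dict:
    """Split one flattened row into op / indicator / process / target.

    Indicators may contain spaces and quoted paths, so the process path is
    taken as the last ' C:\\' run before the trailing Target column.
    """
    op = next((o for o in OPS if row.startswith(o + " ")), None)
    if op is None:
        raise ValueError(f"unknown operation in row: {row[:40]!r}")
    body, _, target = row[len(op) + 1:].rpartition(" ")
    cut = body.rfind(" C:\\")
    if cut < 0:
        raise ValueError("no process path in row")
    return {"op": op, "indicator": body[:cut], "process": body[cut + 1:], "target": target}


def classify(indicator: str) -> str:
    for label, pattern in RULES:
        if pattern.search(indicator):
            return label
    return "unclassified"


def triage(rows) -> dict:
    """Return the remote-resource IOCs, a per-class count, and whatever no rule explains."""
    events = [parse_row(r) for r in rows if r.strip()]
    iocs = []
    for ev in events:
        ev["class"] = classify(ev["indicator"])
        if ev["class"] == "remote-resource":
            url = re.search(r"https?://\S+", ev["indicator"]).group(0)
            iocs.append({"url": url, "host": urlsplit(url).hostname,
                         "process": ev["process"].rsplit("\\", 1)[-1]})
    return {"iocs": iocs,
            "by_class": Counter(ev["class"] for ev in events),
            "unclassified": [ev["indicator"] for ev in events if ev["class"] == "unclassified"]}


if __name__ == "__main__":
    result = triage(SAMPLE_ROWS)
    for ioc in result["iocs"]:
        print(f"IOC {ioc['host']}  {ioc['url']}  (by {ioc['process']})")
    for label, count in sorted(result["by_class"].items()):
        print(f"{count:3d}  {label}")
    for left in result["unclassified"]:
        print("REVIEW", left)
```

Anything that lands in "unclassified" is what deserves an analyst's eye; on this report the only row that is neither noise nor UserForm caching is the EXCEL.EXE access to the khalilmouna.com URL.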

Processes

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\169b39fccbbc5cfa145e0c430f455609_JaffaCakes118.doc"

C:\Windows\splwow64.exe

C:\Windows\splwow64.exe 12288

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 khalilmouna.com udp

Only the DNS resolution of khalilmouna.com (queried via 8.8.8.8) is recorded; no connection to the resolved host and no HTTP transfer appear in this run, so whether count.xls was actually retrieved is not confirmed by the capture.

Files

memory/2244-0-0x000000002FE21000-0x000000002FE22000-memory.dmp

memory/2244-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

memory/2244-2-0x0000000070C6D000-0x0000000070C78000-memory.dmp

memory/2244-11-0x0000000070C6D000-0x0000000070C78000-memory.dmp

memory/2244-61-0x00000000003D0000-0x00000000004D0000-memory.dmp

memory/2244-62-0x000000000DBE0000-0x000000000DCE0000-memory.dmp

memory/2244-63-0x00000000003D0000-0x00000000004D0000-memory.dmp

memory/2244-102-0x00000000003D0000-0x00000000004D0000-memory.dmp

memory/2244-128-0x00000000003D0000-0x00000000004D0000-memory.dmp

memory/2244-114-0x00000000003D0000-0x00000000004D0000-memory.dmp

memory/2244-110-0x00000000003D0000-0x00000000004D0000-memory.dmp

memory/2244-109-0x00000000003D0000-0x00000000004D0000-memory.dmp

memory/2244-108-0x00000000003D0000-0x00000000004D0000-memory.dmp

memory/2244-107-0x00000000003D0000-0x00000000004D0000-memory.dmp

memory/2244-106-0x00000000003D0000-0x00000000004D0000-memory.dmp

memory/2244-105-0x00000000003D0000-0x00000000004D0000-memory.dmp

memory/2244-104-0x00000000003D0000-0x00000000004D0000-memory.dmp

memory/2244-103-0x00000000003D0000-0x00000000004D0000-memory.dmp

memory/2244-101-0x00000000003D0000-0x00000000004D0000-memory.dmp

memory/2244-100-0x00000000003D0000-0x00000000004D0000-memory.dmp

memory/2244-99-0x00000000003D0000-0x00000000004D0000-memory.dmp

memory/2244-98-0x00000000003D0000-0x00000000004D0000-memory.dmp

memory/2244-97-0x00000000003D0000-0x00000000004D0000-memory.dmp

memory/2244-96-0x00000000003D0000-0x00000000004D0000-memory.dmp

memory/2244-95-0x00000000003D0000-0x00000000004D0000-memory.dmp

memory/2244-86-0x00000000003D0000-0x00000000004D0000-memory.dmp

memory/2244-77-0x00000000003D0000-0x00000000004D0000-memory.dmp

memory/2244-94-0x00000000003D0000-0x00000000004D0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\{A2C5AED5-40C8-41B1-A192-7B29582CD0A4}

MD5 88697f65777b1b619b8bc22eb3ea42c4
SHA1 984156a8bca223b36c1b4739147be8c6289d4eb1
SHA256 9358dbf2dc56593116caae69c31244357d788409b3db649eb1a737762ee2dd78
SHA512 226487e3fa9d1e19837683b7bf75562b47b1e4730ebad9aa8a2faecba67111eace3410451515d90f68f30d075f8ff478ce96f6135982961617ffa87fc4321fd9

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{C984DAAB-2E9A-4A0D-82A5-C916EE0736BC}.FSD

MD5 81a2a0063c90cd1ca9e1276bc301c78f
SHA1 b6b83e40d3e1b5552e487e6de038483ddc35019d
SHA256 dc9c42d77dba6e9cc3413cc347795d2c5b1f4593b1487595a421d6b806271bcd
SHA512 ddf811076a9e062893f8d131f7a4488597cb95440469bbc6880a0ca1ad9ba8e06a4cde2225bb86fd5ca466f232513fdcc887c70ed57ff3b85ff0d974e2fb4232

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD

MD5 ab0b36e1ea93c2e1fbdb5097b0eb0989
SHA1 499ca4857c86c79913a1db7f3ad8d3db91e07a4f
SHA256 6fc393d332bdd428e7d81eaa6ce8dcbdf2149c7beb3d6b06085ac1eb2e906d00
SHA512 a588464442ed13cfafe2392849b33f6466e1323fbabc787420d9d0c7c88aadec500368eec5db33222c78dbf78230e5435db45e5ce46a84c95afaa798ed60265b

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{9B8A38E3-41E2-4E00-9301-7C6C5D5677C8}.FSD

MD5 bb5bd0b3fc24adeea1e84c2506f3e6b0
SHA1 c8b7d70acdf97b4570799768fa8172909fff2455
SHA256 2fe66ccac3209b23d8d3ceffd331bb99c0409f30279908f9e1545311241f33a1
SHA512 0fbc23c873d4d7a7ec68841b30c1fb699c9d6a51c9668349075d8ef23d3de6d06503ca948a32b5383ff3133a4b2356ee26d8d41c22ad6d8764e44a53d5ba54fa

C:\Users\Admin\AppData\Roaming\Microsoft\Office\MSO1033.acl

MD5 f9d8534fa390422e517b2d4eb5cf3d4b
SHA1 d4d45974ad59c17370e4eaa3cdc976b913cc9400
SHA256 dc0d49ecc67666ca1602cbdb213e2e57c6f0c80608f488ab50a12fe298121817
SHA512 9268cfe6e115027fae4a6629948df10b329f399411f94d7a694c09a461faf143c1b330f0da9159fe37095c34fe15e0a9918e9e70eaae152ff2cfe6e5c9e43e88

C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

MD5 1c3db50e22d52e779d29471443cd267c
SHA1 18e77b8a5ef418df83d4bfe6e1a9018171cb7809
SHA256 fbc879525ca308c96dc1f6681c13d7cb5a97ccde4567ece839cffc902dbe6564
SHA512 9559e0b5d11500667b3f677dc1a19fcc3b093e5b14bceea27e89d10f27c5747fa63d0fea165d96c84fd8516a4039f8b2f1371fdef1b2986980771e5f2fdb9ff7

memory/2244-1036-0x00000000003D0000-0x00000000004D0000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC

MD5 f3b25701fe362ec84616a93a45ce9998
SHA1 d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256 b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA512 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

C:\Users\Admin\AppData\Local\Temp\VBE\MSForms.exd

MD5 c076078327530b924707a70fdb1266f6
SHA1 fadbd12050c725a803452c5359d9983eae008cbb
SHA256 28a6517d7357fa37e8d427c710b063b110386e98cb76bb0350b2ed64a3d36b14
SHA512 833217ae051b21decaab99242674f325753ef36ffb71934c4fbc5289f2a2676db6f47700f6637a033295614105d5731dda1c81f6892cb93459bbdf72ff8f2fdf

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{9B8A38E3-41E2-4E00-9301-7C6C5D5677C8}.FSD

MD5 2f9097171b30a8b5ff5aa5762240e94d
SHA1 0dbf0ef18d8786c04cd8343eb8383fa9507175c6
SHA256 0d0c4f7ecff95b3052274a0bc4ca49388db8a38a422a59657c461feda7bd025d
SHA512 b1bfe7a28145d27a18fa6aabedc4f449d1f25b58d60e6f1c962e8748367515aaeb09228d17d3936bf2a552ecae049a0f5ed39ab9fb9404e92c5944910328681c

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSF-{0E1EEE64-E8C6-4E2A-9759-63CF07FD8988}.FSF

MD5 32bec273a140315fff0d38ba2c726556
SHA1 bf36554b7a53f76849ed3baf622e0c5d6cbb5997
SHA256 939324caf6185fc919a06342f9d92aea8e5a44a44b2807ebce6b8a546ebe453a
SHA512 f46d593e5b50eacade5f095d85bbf7ff2ae35dc8e0b449ee14a98aad7d9682af8e0ae2761c2e4e8b4a5e24735c4b48fd0efb03e30fbbbce69acfbaf56d6ffd70

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD

MD5 2ae723f9aa63ed7529a2130784eab28c
SHA1 c84d8034bbd7e99a368e351b80f8e2c66776a664
SHA256 86efa0659c2e6d1d836c863b598192317bf69d0d17b2e32b1f093170dfb27c9b
SHA512 596578baac57e4684e49e117af928386a5069cf72bc52a34d864179612a228d9dfd0544ff28fd538b681f33ecaafb865f982166b915d38296e58b7e8135442d9

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{C984DAAB-2E9A-4A0D-82A5-C916EE0736BC}.FSD

MD5 52602208b869957c24f8623ae7fe5769
SHA1 fde8a2f6d7dbaf6cd7c88913b7103c0fadb5395c
SHA256 b218e6be2a7636ea6424b0f3e8fa08d494c007871c444ec1f6844fe287cadaf3
SHA512 626c8aa2a65d9d54c97b85cfa9e0f1101faeb84acdf4a5de55052f9c39c1d3a58c5d8ade25dd2971059837c4cd169f3409217b7acaf65edb93d985f292f051cb

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSF-CTBL.FSF

MD5 4a0ba36438ecb944d6878912b875dafb
SHA1 8118de98d6634f8a350d9ea2927d60228d78b500
SHA256 87226d6483251667ce8301f3879b9abbfacdd3317e646866e94b7449adbdc7dc
SHA512 7a0bb286f76f54d7d0e42226c62cdcb9ac5dcda5257ff981aac1344d2f423daafde0a04657a7d839f5b34079f3e47c0ef3fbfc492fc32066d4d4c973126eee61

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-CNRY.FSD

MD5 69d6aa4d391b9c8db29d150becb29422
SHA1 c3de9f8fc793b26e4ca914d191738325628cdded
SHA256 090c9797755b93e751397b227fa0b9a39ec90bfad31314e72b01f8c9202c50ba
SHA512 aa5b25afe3279b0a2e48250670e27e27479a6aa9d95ddfc95afb3a26daa8c6e69d23c64bf18fc1eb34fc14b2ce0d08b7cfefcd86b5627798b7f08baabf0a992b

C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-27 15:55

Reported

2024-06-27 15:58

Platform

win10v2004-20240611-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\169b39fccbbc5cfa145e0c430f455609_JaffaCakes118.doc" /o ""

Signatures

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeAuditPrivilege N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Processes

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\169b39fccbbc5cfa145e0c430f455609_JaffaCakes118.doc" /o ""

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /Automation -Embedding

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 roaming.officeapps.live.com udp
NL 52.109.89.19:443 roaming.officeapps.live.com tcp
US 8.8.8.8:53 46.28.109.52.in-addr.arpa udp
US 8.8.8.8:53 19.89.109.52.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 131.109.69.13.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 metadata.templates.cdn.office.net udp
NL 23.62.61.184:443 metadata.templates.cdn.office.net tcp
US 8.8.8.8:53 binaries.templates.cdn.office.net udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 2.19.252.143:443 binaries.templates.cdn.office.net tcp
US 8.8.8.8:53 184.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 143.252.19.2.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 khalilmouna.com udp
US 8.8.8.8:53 45.19.74.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp
US 8.8.8.8:53 195.201.50.20.in-addr.arpa udp
US 8.8.8.8:53 24.173.189.20.in-addr.arpa udp
US 8.8.8.8:53 17.173.189.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\TCDD05C.tmp\iso690.xsl

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\F91C6146-67C1-4B9A-BBCD-4A53001D5071

C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\49dbe2955480c7f6ef8cec9c4320c9868d9293fd.tbres

C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\winword.exe_Rules.xml

C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\winword.exe.db-wal

C:\Users\Admin\AppData\Local\Microsoft\Office\DLP\mip\logs\mip_sdk.miplog

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9

C:\Users\Admin\AppData\Local\Temp\VBE\MSForms.exd

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\OfficeFileCache\CentralTable.accdb

C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\excel.exe.db

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.Settings.json

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.GovernedChannelStates.json

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.SurveyHistoryStats.json

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.CampaignStates.json

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A
