Analysis

  • max time kernel
    150s
  • max time network
    135s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    27-06-2024 19:40

General

  • Target
    17482c53582c2093927395e6f61e41c3_JaffaCakes118.doc
  • Size
    205KB
  • MD5
    17482c53582c2093927395e6f61e41c3
  • SHA1
    7bade5fbc0e7306aff6824bea0cacbcc1c239f1a
  • SHA256
    4e2eda69d87762822766a967624828c70886cac260d62f9de34352347bbf15c1
  • SHA512
    3e925bd44cf7ee54fc2b37df7ad7cfab303975d7abc887fcd630aa63fb7cc68958e78e6e058da9cfd0905206a13d71d36dbf583d51a66f79bf7850e220c5a60b
  • SSDEEP
    1536:VtPrT8wrLT0NeXxz1DweVHrTPDyN5J8b29rSp1GZrcmO/FEE7Ax65+7Eyki:V2w3keXxz1Df1gJ88rcmOWm3503ki

Score
7/10

Malware Config

Signatures

  • Abuses OpenXML format to download file from external location 4 IoCs
  • Drops file in Windows directory 1 IoCs
  • Office loads VBA resources, possible macro or embedded object present
  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 13 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\17482c53582c2093927395e6f61e41c3_JaffaCakes118.doc"
    1⤵
    • Abuses OpenXML format to download file from external location
    • Drops file in Windows directory
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1728
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      2⤵
      PID:2620
  • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
    1⤵
    • Abuses OpenXML format to download file from external location
    • Enumerates system info in registry
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    PID:2560
  • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding
    1⤵
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    PID:500
  • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
    1⤵
    • Abuses OpenXML format to download file from external location
    • Enumerates system info in registry
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    PID:632
  • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
    1⤵
    • Abuses OpenXML format to download file from external location
    • Enumerates system info in registry
    • Suspicious use of SetWindowsHookEx
    PID:2684
  • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
    1⤵
    PID:2556

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-CNRY.FSD
    Filesize 128KB
    MD5 e246866f4de3bc8402d616f9d511cd49
    SHA1 04cefa21ebd9532c5f2d373177d6c759a1bb08b0
    SHA256 9c7730f3e88e82da18b64fb66fe8a876be67fa878a056a7c21dbb27167675540
    SHA512 5865f4401535e254050fe5ad95d178a9702ca11a690d1a7d0e03feb5856cb7d7115142ab73346251f9480d825567b1b45a4c2e32cb7fe1e6961507a34a872d77
  • C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{FECD92B3-CADD-4CC8-BA73-87EE28741F09}.FSD
    Filesize 128KB
    MD5 72701479460bbaa47ca2b8e257d8c8ab
    SHA1 77a1f61ffcae980209ac785e40899905c7cba29a
    SHA256 c3d85c0dbb6413cd8342470374d1b19639c7c8079597100e9cb1da247205e859
    SHA512 1cd3425c8bfb8669440343e9bb9ec9e6b2446663053d50dc9437c45ffbc149aed70dd49ce7dc4770118bcd9228e22cbdd02620724dbb15dc0a01cc5343d94f34
  • C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{FECD92B3-CADD-4CC8-BA73-87EE28741F09}.FSD
    Filesize 128KB
    MD5 b06355109795979eb3ef176cad4c825f
    SHA1 a5a31c1210ab3866cb6f39fb4f5aaf7451c5a9e2
    SHA256 a489ff6f273639346232167b9aa022ba5902ae30afbd9b231302139be8613e7c
    SHA512 bc6500399320a6554c0c01af46559ebc36cd79ea5c8d48d217788cb1c3e5786b30d13014d1c96bbd95579cba90120aac38c88f5eefde2d2d1ad5c656b0974b55
  • C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSF-CTBL.FSF
    Filesize 114B
    MD5 15579e6292f67195535a54f38f58fb69
    SHA1 6bee9796c8e83b58b3fe9ef8f2c6bbd075933e39
    SHA256 e0bbfe2e973790934ca5e4878035029d3e14c5ed426aa3dcd36d545196ec7f52
    SHA512 63c27d56e0e3120dd0f63ac90e54eeaef002f4a9576b21db441cb5086b28416a0805b9ef1055333008f6fa77f2cbc06b14045c740442142f7fde4d4005e2522e
  • C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD
    Filesize 128KB
    MD5 3c328d8786b957e843c90584bd79e951
    SHA1 8b3e4b609c406abeec81ea9ee22ee3cb0fdec3ad
    SHA256 ffd8b92c596e5114b8f1636ce45e796026bed5e8c15612f27bb232a7b36d6ba5
    SHA512 c959481b36baac92ad01996270aa2c43ae1ad34f97ef0a81212a8be5e24683cae75047b9298aa4d7e39ebcb349fe9fdcd9cef2a144f080bccd3f60796c57c253
  • C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{54AACF59-F3A9-46FF-A45E-175A49DE5F3E}.FSD
    Filesize 128KB
    MD5 b903a387c36a9bc60b0edb5171e640fa
    SHA1 3c857db7308d399bde76c95feb5eb97df2b12f76
    SHA256 f828fecfa41588bf07d5852cdf535d2e8156685a8666c4229c8c9752957628a1
    SHA512 c7bcf5b25863af2f446cc5b727ca9912ae402088b7cae98319e79512342996d75057d3afe0ece47e5eb0a4796e3d314cc28ac1d3c3241f68d1e49742300ef481
  • C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSF-{0E1EEE64-E8C6-4E2A-9759-63CF07FD8988}.FSF
    Filesize 114B
    MD5 15e9204afbcf0b052c7bfa951bc37f2d
    SHA1 ae914daf6809bc860341f216331de99df992cf8c
    SHA256 db8ff65d50836cc4e6a864497702f707af4ef659597d1c96a4d1272c31ee32a0
    SHA512 8995bb269dd453e2c933948540cd28eadfc79db1892cf0a2072922dbdb6b04959b1a4f25c7d04e8fc2a7d9966a32b63508d358cf440d2b5993bd691d3553b555
  • C:\Users\Admin\AppData\Local\Temp\VBE\MSForms.exd
    Filesize 143KB
    MD5 634bcc499a60dad4cdfb71565a8ebb24
    SHA1 1db10acabcb194f5f25eef8f08308f7dd9f561e6
    SHA256 4c4a86b43b5fd5962668bef131a22768158eefec6bab107190511a0f82e78ec9
    SHA512 a3096f8bfab147adf92ad6cd2c81ed6035bf70e7a73d27ae5f88acb2bb690aa955e56b07c95c06bcf1758c15ff12242157664618f8ad8bcbcceb265ff4708bd3
  • C:\Users\Admin\AppData\Local\Temp\{90E3953A-48F2-486D-B96B-1EFE666F3A82}
    Filesize 128KB
    MD5 366b07d35a6b62e2423405e7844348c5
    SHA1 33e09fb2a76b1020172af1200456e3702cd8abc6
    SHA256 f044d5250e34238130d1ab8f9b9a461394c3c94f23d0a02aa02c42d58b945d59
    SHA512 59e0a94e406b3ec7c7bebae1c4e30c31beaf52d8ada8c0f5d1dce466eaf292681ebfcb5810fb14582df3acc5c7d6d77991861b8be71ae7824e5062e5b035f19a
  • C:\Users\Admin\AppData\Roaming\Microsoft\Office\MSO1033.acl
    Filesize 36KB
    MD5 36472b58f16909edf3570bc0606c7777
    SHA1 1f12a7b5b24fc2ce2c853691b1ef980f1e5cd9b6
    SHA256 d37e71723981e9607daffe7bf7ddda3794c24db69c5c0a47d63aaf1bd3ff010d
    SHA512 3f96943c1752075d54a709cd3cdf8d966a4cee7e910cfd1f2f413ffb84adc7283d97b9ea358b2eb1fa3d537f21d47654ec568d91b4fc560ce88d0fe7a0532cac
  • C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm
    Filesize 20KB
    MD5 48eb278cc6350f7f0c2522e2d724126b
    SHA1 cabdd912aad5914026d33a540a792a255b1d5d29
    SHA256 ca29498e86d3856745e22501d0526c0a406031aba3730da7eafe5ee27bb367f7
    SHA512 90fcd7dd86dc6ebcbbb090a283113505d625ef429d96547e4f05e23e0b15bb5a23c18df4aa3becb7ea619ad1d1ce2245e972d671e35b807a14c663bbddc1dd5f
  • C:\Users\Admin\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC
    Filesize 2B
    MD5 f3b25701fe362ec84616a93a45ce9998
    SHA1 d62636d8caec13f04e28442a0a6fa1afeb024bbb
    SHA256 b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
    SHA512 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

  • memory/1728-123-0x0000000000410000-0x0000000000510000-memory.dmp (Filesize 1024KB)
  • memory/1728-228-0x0000000000410000-0x0000000000510000-memory.dmp (Filesize 1024KB)
  • memory/1728-373-0x0000000000410000-0x0000000000510000-memory.dmp (Filesize 1024KB)
  • memory/1728-471-0x0000000000410000-0x0000000000510000-memory.dmp (Filesize 1024KB)
  • memory/1728-325-0x0000000000410000-0x0000000000510000-memory.dmp (Filesize 1024KB)
  • memory/1728-180-0x0000000000410000-0x0000000000510000-memory.dmp (Filesize 1024KB)
  • memory/1728-276-0x0000000000410000-0x0000000000510000-memory.dmp (Filesize 1024KB)
  • memory/1728-580-0x0000000000410000-0x0000000000510000-memory.dmp (Filesize 1024KB)
  • memory/1728-628-0x0000000000410000-0x0000000000510000-memory.dmp (Filesize 1024KB)
  • memory/1728-423-0x0000000000410000-0x0000000000510000-memory.dmp (Filesize 1024KB)
  • memory/1728-0-0x000000002F051000-0x000000002F052000-memory.dmp (Filesize 4KB)
  • memory/1728-63-0x0000000000410000-0x0000000000510000-memory.dmp (Filesize 1024KB)
  • memory/1728-62-0x000000000DC00000-0x000000000DD00000-memory.dmp (Filesize 1024KB)
  • memory/1728-61-0x0000000004570000-0x0000000004670000-memory.dmp (Filesize 1024KB)
  • memory/1728-11-0x0000000070F2D000-0x0000000070F38000-memory.dmp (Filesize 44KB)
  • memory/1728-2-0x0000000070F2D000-0x0000000070F38000-memory.dmp (Filesize 44KB)
  • memory/1728-1-0x000000005FFF0000-0x0000000060000000-memory.dmp (Filesize 64KB)