Analysis
-
max time kernel
150s -
max time network
136s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
27-06-2024 20:46
Behavioral task
behavioral1
Sample
17767305c2c5405843391c90c8165baf_JaffaCakes118.doc
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
17767305c2c5405843391c90c8165baf_JaffaCakes118.doc
Resource
win10v2004-20240508-en
General
-
Target
17767305c2c5405843391c90c8165baf_JaffaCakes118.doc
-
Size
235KB
-
MD5
17767305c2c5405843391c90c8165baf
-
SHA1
b054020587cd294da3995c7b834788bd0b31064e
-
SHA256
72dce1f47edcaa64212929c42533b306435b0e2b8fd4a496e92b1808617d7507
-
SHA512
569535c50c50597191251471d4e34caee6aed62604d4e66986e35e5c0812835fe01f53e6041fded521e2683d2b5ac6c2adbfe939f70fe47d00b2765e0fc86815
-
SSDEEP
1536:eterThwxEM5OsmqrmrAK9hbQ+HrTPGynK/dRYgjQVgs+07kVY/uocJanITRN8C:eUwxv5OsmqrmrAKHREdSgjQist4VaiaK
Malware Config
Signatures
-
Abuses OpenXML format to download file from external location 4 IoCs
Processes:
WINWORD.EXEEXCEL.EXEEXCEL.EXEEXCEL.EXEdescription ioc process Key opened \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Office\14.0\Common WINWORD.EXE Key opened \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Office\Common\Offline\Files\https://intellimagi.com/lli.php?v3YhUgPTDwsFY5s898pEvqj05sla3IVg:Kh171601 EXCEL.EXE Key opened \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Office\Common\Offline\Files\https://intellimagi.com/lli.php?v3YhUgPTDwsFY5s898pEvqj05sla3IVg:Kh171601 EXCEL.EXE Key opened \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Office\Common\Offline\Files\https://intellimagi.com/lli.php?v3YhUgPTDwsFY5s898pEvqj05sla3IVg:Kh171601 EXCEL.EXE -
Drops file in Windows directory 1 IoCs
Processes:
WINWORD.EXEdescription ioc process File opened for modification C:\Windows\Debug\WIA\wiatrace.log WINWORD.EXE -
Office loads VBA resources, possible macro or embedded object present
-
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
EXCEL.EXEEXCEL.EXEEXCEL.EXEdescription ioc process Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor EXCEL.EXE Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor EXCEL.EXE Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor EXCEL.EXE -
Processes:
WINWORD.EXEdescription ioc process Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\MenuExt WINWORD.EXE Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Toolbar WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" WINWORD.EXE Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit" WINWORD.EXE -
Modifies registry class 64 IoCs
Processes:
WINWORD.EXEdescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D5F10357-82A6-41B9-BEA6-5B6059014C6F}\2.0\0\win32 WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Interface\{92E11A03-7358-11CE-80CB-00AA00611080} WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ = "&Open" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Wow6432Node\Interface\{5B9D8FC8-4A71-101B-97A6-00000B65C08B}\ = "FormEvents" WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Interface\{7B020EC7-AF6C-11CE-9F46-00AA00574A4F}\ = "TabStripEvents" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Interface\{29B86A70-F52E-11CE-9BCE-00AA00608E01} WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1" WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Interface\{944ACF93-A1E6-11CE-8104-00AA00611080} WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Wow6432Node\Interface\{7B020EC1-AF6C-11CE-9F46-00AA00574A4F}\ = "CommandButtonEvents" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\ = "&Open" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Wow6432Node\Interface\{8BD21D23-EC42-11CE-9E0D-00AA006002F3} WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Wow6432Node\Interface\{5512D111-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLSubmitButton" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Wow6432Node\Interface\{5512D11B-5CC6-11CF-8D67-00AA00BDCE1D} WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14 WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon\ = "\"%1\"" WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Interface\{82B02370-B5BC-11CF-810F-00A0C9030074}\ = "IReturnInteger" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Interface\{7B020EC1-AF6C-11CE-9F46-00AA00574A4F} WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Wow6432Node\Interface\{5CEF5613-713D-11CE-80C9-00AA00611080}\ = "IPage" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\ = "&Edit" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Interface\{8A683C90-BA84-11CF-8110-00A0C9030074} WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Interface\{8BD21D63-EC42-11CE-9E0D-00AA006002F3} WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Interface\{8BD21D52-EC42-11CE-9E0D-00AA006002F3}\ = "MdcOptionButtonEvents" WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Interface\{4C5992A5-6926-101B-9992-00000B65C6F9}\ = "ImageEvents" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Wow6432Node\Interface\{47FF8FE1-6198-11CF-8CE8-00AA006CB389} WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Interface\{5CEF5613-713D-11CE-80C9-00AA00611080} WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Wow6432Node\Interface\{EC72F590-F375-11CE-B9E8-00AA006B1A69}\ = "IDataAutoWrapper" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Interface\{82B02370-B5BC-11CF-810F-00A0C9030074} WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Interface\{8BD21D42-EC42-11CE-9E0D-00AA006002F3} WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Interface\{47FF8FE1-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents2" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Wow6432Node\Interface\{8BD21D23-EC42-11CE-9E0D-00AA006002F3}\ = "IMdcList" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Wow6432Node\Interface\{5512D111-5CC6-11CF-8D67-00AA00BDCE1D} WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Wow6432Node\Interface\{7B020EC2-AF6C-11CE-9F46-00AA00574A4F}\ = "ScrollbarEvents" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Interface\{CF3F94A0-F546-11CE-9BCE-00AA00608E01} WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Wow6432Node\Interface\{5512D125-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLTextArea" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Wow6432Node\Interface\{978C9E22-D4B0-11CE-BF2D-00AA003F40D0} WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Interface\{7B020EC2-AF6C-11CE-9F46-00AA00574A4F} WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Wow6432Node\Interface\{47FF8FE6-6198-11CF-8CE8-00AA006CB389} WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D5F10357-82A6-41B9-BEA6-5B6059014C6F}\2.0\FLAGS WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Interface\{82B02371-B5BC-11CF-810F-00A0C9030074} WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Wow6432Node\Interface\{79176FB3-B7F2-11CE-97EF-00AA006D2776} WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Interface\{79176FB3-B7F2-11CE-97EF-00AA006D2776}\ = "ISpinbutton" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Wow6432Node\Interface\{04598FC9-866C-11CF-AB7C-00AA00C08FCF} WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\htmlfile WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Interface\{04598FC8-866C-11CF-AB7C-00AA00C08FCF} WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Interface\{9A4BBF53-4E46-101B-8BBD-00AA003E3B29}\ = "ControlEvents" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Wow6432Node\Interface\{8BD21D43-EC42-11CE-9E0D-00AA006002F3} WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Interface\{5512D11D-5CC6-11CF-8D67-00AA00BDCE1D} WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Interface\{8BD21D22-EC42-11CE-9E0D-00AA006002F3} WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Interface\{79176FB2-B7F2-11CE-97EF-00AA006D2776}\ = "SpinbuttonEvents" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Interface\{47FF8FE4-6198-11CF-8CE8-00AA006CB389} WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Wow6432Node\Interface\{79176FB3-B7F2-11CE-97EF-00AA006D2776}\ = "ISpinbutton" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Wow6432Node\Interface\{5512D113-5CC6-11CF-8D67-00AA00BDCE1D} WINWORD.EXE -
Suspicious behavior: AddClipboardFormatListener 2 IoCs
Processes:
WINWORD.EXEWINWORD.EXEpid process 2204 WINWORD.EXE 2272 WINWORD.EXE -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
EXCEL.EXEEXCEL.EXEdescription pid process Token: SeShutdownPrivilege 2964 EXCEL.EXE Token: SeShutdownPrivilege 632 EXCEL.EXE -
Suspicious use of SetWindowsHookEx 13 IoCs
Processes:
WINWORD.EXEEXCEL.EXEWINWORD.EXEEXCEL.EXEEXCEL.EXEpid process 2204 WINWORD.EXE 2204 WINWORD.EXE 2964 EXCEL.EXE 2964 EXCEL.EXE 2964 EXCEL.EXE 2272 WINWORD.EXE 2272 WINWORD.EXE 632 EXCEL.EXE 632 EXCEL.EXE 632 EXCEL.EXE 2480 EXCEL.EXE 2480 EXCEL.EXE 2480 EXCEL.EXE -
Suspicious use of WriteProcessMemory 4 IoCs
Processes:
WINWORD.EXEdescription pid process target process PID 2204 wrote to memory of 2668 2204 WINWORD.EXE splwow64.exe PID 2204 wrote to memory of 2668 2204 WINWORD.EXE splwow64.exe PID 2204 wrote to memory of 2668 2204 WINWORD.EXE splwow64.exe PID 2204 wrote to memory of 2668 2204 WINWORD.EXE splwow64.exe
Processes
-
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\17767305c2c5405843391c90c8165baf_JaffaCakes118.doc"1⤵
- Abuses OpenXML format to download file from external location
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2204 -
C:\Windows\splwow64.exeC:\Windows\splwow64.exe 122882⤵PID:2668
-
C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding1⤵
- Abuses OpenXML format to download file from external location
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2964
-
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2272
-
C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding1⤵
- Abuses OpenXML format to download file from external location
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:632
-
C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding1⤵
- Abuses OpenXML format to download file from external location
- Enumerates system info in registry
- Suspicious use of SetWindowsHookEx
PID:2480
-
C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding1⤵PID:2676
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
128KB
MD588ccbc8cbd1fdef46f8e278420281e6e
SHA178bb12d171266ed099e951796ae5269f1a04092a
SHA256e65acef4d32e9cfcb9c8d78a2ef5e87a7815d0af5187bac85a8a05f96ce64eef
SHA512e678fb4bf536f2396a80025c91b158561a221dae579e546e9362753f52afd16a15b51e23d0ad810ba5d12e228ce07f596531d79be0c74bb0d26b3d4bd4ddf408
-
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{E64F4D88-ECE2-4002-ADBA-03538AC3E976}.FSD
Filesize128KB
MD54f694468669df83d47767c827374d482
SHA16919eec81539fd79f0ed891ec51f281c74893eb9
SHA256b147cb08f12587024c3cccb2f0ba6169b5b28e6baba9141778ce9755030d8ad1
SHA5126e2d377165b99a125031d69f948753d8dd78ebd9d8a05a5980369e91a4fe9e59bef77c368239c5e82fbfd5b5c6f81d583ca4296927a915883e371e6a7a3431e7
-
Filesize
114B
MD515ed048f44e023f1a6820f094e286a7a
SHA1bbe3b02e4c8fa20c36398cbf0ec275c49cbecec4
SHA256f5db6faaaae42f04504b1ea49065c731edd4ee8c1382842747b4c80dbb83f749
SHA51280cf53fc3e8a5599eb4c49184473a2040d43632bcb7578499f8504b08e4b149e2acf2d2883a2130cb7afacca63468514c3dc7a2fee51270abe0d3d84b4f2737a
-
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD
Filesize128KB
MD5e7cfdf557f4a9d4f8ea5519cd8f62695
SHA1f17579f2b0906e16ead8ddf44a4e498ddc063fd8
SHA2566589a258829e82f6c5f89f4fea3f23e9378d2d01cf975647bdf52209ea7b9857
SHA51273c5b76a843d1e5776a6bec52df9d1a64ee89ceede57d675e0fc9e7d0eec8936193b0b68d7f24f9b88e3fae39d0b15cb2d894c27958e41f4b2c355c375ac7e6e
-
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD
Filesize128KB
MD5b0c97b75f5d890eee68e92efe99544e5
SHA1e19cf08a9079ccc5db30b792ef5fe420f2f95d4f
SHA256c377642a20ede5238fe4095612171cd5e95d58557d67a983a798153b33eeb422
SHA512c93a033dfcfc614d6246d53a3e488a02ebe7fcf2a1d4e9503fa49081359fb57ad67f4cd8ca375bd7eb10c7dce278607d8a15fe94fe62c6b23c220ed6f1106a2f
-
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{39C49F59-BEEE-432E-94FD-FD76ECE326D6}.FSD
Filesize128KB
MD53e4f548b17c29796ef0c19d3f74974e6
SHA1f7ca1d384d1121b426ab2743f6ce8fee953d6fca
SHA25693d12fbd474db1fb8608cb504140d8bf3ca10a43db87b698f0a4fa337fe95636
SHA5127eab68c82ba7d6b3220a9c8c7e75f5c1e8ba2080b30310d4eee17ad0f0685fb21f8eabc214756e1f09da1af2e53e72f294cd639bfbcec5a4a6412b7ec7de4add
-
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{39C49F59-BEEE-432E-94FD-FD76ECE326D6}.FSD
Filesize128KB
MD5a4b38cffa42b5840481c259aeb2e0131
SHA159695ee59a239b34f81f08df41074ffdb162f253
SHA2566c170da018a0d93652dd9f22f0978b5ab20ac02146a4d761401e96b58e05c84b
SHA51247eea88a09bd895459632e23636ee2858c9f130e229946ef8626d91eccccd54d9b01985ab541ec61a398753731bb18034c4dd12b3582e6b5dbbe70c47ae5481a
-
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSF-{0E1EEE64-E8C6-4E2A-9759-63CF07FD8988}.FSF
Filesize114B
MD5d11a05a1d2346111d8dbad448ef4d9c1
SHA19f11c2af92197fd1ff7c46c66ffd2f49af5ef1e2
SHA25650fe5f8252e4e929520c66f9c5285b9d56ce45adc034aca969df832aa6550937
SHA5127337a18e88d93037f03a5aa95658db30692391147320298db4889b0cc6869761a5f810ad6315388770196e6434394a0db2923e069a2bf0093ae2507bc39f7365
-
Filesize
143KB
MD58155f3f49d43b8a1fb926677d11b5811
SHA10a612324e216f0d3fb5fc3267006aec3ca6a314d
SHA2562f0ffe3372abf6d585ff188dd9cd8361a9d114e45af4dbe7874ba8ad2b072d70
SHA51254a60cede5e6f8707ed8fcdddd7ec4f762253f4707c4aca9325a25047a983bc36fce61fef1fa19f472ef1d27d1888cfcd684e36457a4a11cbc5a7e4be3201747
-
Filesize
128KB
MD5a448363a5d14a0a934f8e09cec51d45f
SHA13bf5e84712eb6a6d48ab3feba3f31b47d102d623
SHA2569067370e931d7b8d694b8c34cbf294a376e62e8f12feec7e89ee3f7994a0cd71
SHA51239811df98c97f836f606f8766c9db18f884173157e094e04f74502778f0b06fcd3d181ebd07c5d84f687b14775a55f7395a26f4063e4995e79f7d19ce1968ef0
-
Filesize
36KB
MD5953d9b9092dd18dfd78602b336efe373
SHA12c055e04ad6a1f67c93196f32db8e7f0655e21be
SHA2561a93766e97b510129d57c9955774fef4ddffe6d8688b068c40b60a2035b1fa01
SHA5127583445363c6954608a15ad125a2e4a0b7c0bc9afdf24fd35042dddd7c73d3d9a2037e5d4699aa254081cdb6c6c1e08cadea25f8e3abbdc155240d70ba419287
-
Filesize
20KB
MD52b90f38bb8430f229c1dd4af5363cac0
SHA176ff6efae08421bdc554820d552a6be093fabd2c
SHA2561dbd7b37bfbf537878832fa2d9b9680403d0ca5021df9dc59000ba4d0221708d
SHA512aa6ebf26cab0c216a69a31c6795842073a4978f560feec89e35e251a5273c1c03d378b8a6085b12b029da9e0d759ba48fa0b418879cf9aaa490eaefdb86c531a
-
Filesize
2B
MD5f3b25701fe362ec84616a93a45ce9998
SHA1d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA51298c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84