Analysis

  • max time kernel
    149s
  • max time network
    152s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags

    arch:x64 arch:x86 image:win7-20231129-en locale:en-us os:windows7-x64 system
  • submitted
    27-06-2024 21:03

General

  • Target

    1784ba1e021937eaee4666d9d93cc8f1_JaffaCakes118.doc

  • Size

    235KB

  • MD5

    1784ba1e021937eaee4666d9d93cc8f1

  • SHA1

    3441dbf00c543055596b857baf7ad3f00f99d6e1

  • SHA256

    0fa4e5bb42cb1e3153a997f8f097aa4154fbb0113d3ec08764a62cf059778fb7

  • SHA512

    5019ca8a498e10750d7c444a67d5c1f225675b601535fab0e00a052a581c2b17197e9cdcd2a21d9d41de68ed91b9e3f04a846327719518dceec3a1e9257fd76f

  • SSDEEP

    1536:7terihwjEu5s1mermyzrKXhbsjHrTPxysK/dRYmKOBC/6BpBBtr0VufRKb:7/wjd5s1mermyHKxcudSLs28fRM

Score
7/10

Malware Config

Signatures

  • Abuses OpenXML format to download file from external location 4 IoCs
  • Drops file in Windows directory 1 IoCs
  • Office loads VBA resources, possible macro or embedded object present
  • Enumerates system info in registry 2 TTPs 4 IoCs
  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of SetWindowsHookEx 14 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\1784ba1e021937eaee4666d9d93cc8f1_JaffaCakes118.doc"
    1⤵
    • Abuses OpenXML format to download file from external location
    • Drops file in Windows directory
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1704
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      2⤵
        PID:2684
    • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
      "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
      1⤵
      • Abuses OpenXML format to download file from external location
      • Enumerates system info in registry
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:1912
    • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
      "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding
      1⤵
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      PID:2016
    • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
      "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
      1⤵
      • Abuses OpenXML format to download file from external location
      • Enumerates system info in registry
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:2460
    • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
      "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
      1⤵
      • Enumerates system info in registry
      • Suspicious use of SetWindowsHookEx
      PID:2436
    • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
      "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
      1⤵
      • Abuses OpenXML format to download file from external location
      • Enumerates system info in registry
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:2160

Network

MITRE ATT&CK Enterprise v15

Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-CNRY.FSD

      Filesize

      128KB

      MD5

      86e4305c2ae0007692c0aa447e1511e1

      SHA1

      f83086ae16a76d97e65626ed0adbf3f1b3f5f4f8

      SHA256

      16cf32649b4a9a82c1f59e734a56043a2fa7fde0263eaab143ea47fcd288239d

      SHA512

      4da8b2137e97f7832a769ce96e643963926debaade450dc13564508c8eecf7f84721285ec29711cb7f50f902ccd135ac3f54e96dfb1795d1c65424cf16e739b7

    • C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{F82DF70B-3168-47FA-B5E2-0584D8A26DC1}.FSD

      Filesize

      128KB

      MD5

      9632953254e7a3357d7439ca9b412a60

      SHA1

      27184d757a3b9473c5159973350cdbfa4b21f25f

      SHA256

      40a46236ecc91ffb4bcb052bda5e3c6bf9bf138116b1fa67a5de57d1ff879ea5

      SHA512

      6cc82ac3ba2f9d75299db64c86db8b8030ce49fedd22b48448ca7a8bc5838c88c0738c7b2f2f8adbfd300b50a5b532b7d5c41088e832029ded15c0af70ac3d33

    • C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSF-CTBL.FSF

      Filesize

      114B

      MD5

      f2a20ea47b716b9eccba40e77e9e74eb

      SHA1

      e82af81385c4d4e113d21d59e41e8c5cc729f0c3

      SHA256

      cd3c90aa3194c67ee304b63e6f3f60fe6b5d04d4d7380de2d568258fd6f0b586

      SHA512

      6bd9693b20a3994ab08bae1b8922620033c99a66f07dd3a253714e5e9a417636d9ee620398d35d65701afb4d6900a608c4500d7d292b0e7287255c4c7b053600

    • C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD

      Filesize

      128KB

      MD5

      94531af624fe9d3033f05e39124118d7

      SHA1

      69c97d86d7cec0479733c3eeddd7366647e4dbaf

      SHA256

      31e41e2c5f6ab92963d98d9a691de9af92754a9336886a98ca05cd147a2d45dc

      SHA512

      191097a5fdabb33847d563a538cac83233a8e6f3d3005ceeeb593d1197e63346b5d54926f9dc8efd2cab01ce197776e54547d6806adcbc381cdaf104be5504eb

    • C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD

      Filesize

      128KB

      MD5

      da9b1180a6b1cb4be6d227284032168f

      SHA1

      2ddabea423c48e9d1cc7845f695e90bc7d6a21ac

      SHA256

      a6b35f1fb93bf839de2e35df5c1e64dd5eaf8106d9eb95dddefd5373508c0983

      SHA512

      13981159718594b10865a66883f29cc92101f48cdd2e79519eb4cd4c79de9d5dd97b4b8e2bb0aa28fd6f150c31a9d86675c90714c4f47a3aa87a3029e939ea78

    • C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{8105F005-B921-4002-BAC4-29F66A4824AE}.FSD

      Filesize

      128KB

      MD5

      cf6509544ace073b3f95009745af0b99

      SHA1

      c2fb242a770116a6a33c5f4d4cddcca2ce5f576d

      SHA256

      a59811a695acd231656ebb69cb26fb214483b9c51c7218752a0570685ebe5781

      SHA512

      747e9ee92f30ae4aed241ee0f8d52def74bde779cd399a7e74133d243396b85980f8d29b445f7b6d31915cfd029b1b52d6e00a5e57759fda75d089c4089d5750

    • C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{8105F005-B921-4002-BAC4-29F66A4824AE}.FSD

      Filesize

      128KB

      MD5

      2509ef220e153ded86f13a5feb7ca5cc

      SHA1

      611ca5962ea4c0ad994fb8b08c444d2ca4332e06

      SHA256

      4c113069f3bff44fa88ad01479f6aa0f600a7f594dca74d5292fea139b5c60cf

      SHA512

      8a67f71b53050c80e69bb17f25f4da76fe00c7cd8bb83088f1fdd177e28c5412de223d33cd7385c7e951115721a794ac994a44e5e2adb4dafb17ec8784ab021b

    • C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSF-{0E1EEE64-E8C6-4E2A-9759-63CF07FD8988}.FSF

      Filesize

      114B

      MD5

      89878a5aee3db74308c96949773b5dbd

      SHA1

      60f1d8a8bd00687b25ce11b613bc29c92786185d

      SHA256

      4d8cce5aba8f1be2d1675edd3048d0ca041c6f2db740b3884f23adcc0948264c

      SHA512

      025467e5a9fa0935e67b9ae6c328ba79169374729bd8bed3d68907960c2e51b49260ac300262a8f5b9e29acebb7ea96909dcaa09a4d1e4d61a08250c95f6d53f

    • C:\Users\Admin\AppData\Local\Temp\VBE\MSForms.exd

      Filesize

      143KB

      MD5

      2fd3d9bf8ff7991013954da38f9daaec

      SHA1

      bf52d39e39cbdbf10ba4da8b7fa35b1b1bc868a5

      SHA256

      f3cc9a69cdb0c1ea147840a4994dbe50441bba29a14761a684491ed3dd734ae9

      SHA512

      f84fa71fc8d0fbb7fdf4c82bb4cfcfc72f5dd45fd081f34deeec5288ffab7ff4f998a7f954c544e72ce45cc52d7014ceead0f45a90119fa09bea41750255f3ec

    • C:\Users\Admin\AppData\Local\Temp\{1FEBBF93-CF6C-4FE8-8E14-98EB15D08995}

      Filesize

      128KB

      MD5

      3b433f201ef1634c63a99c9e3e0e3456

      SHA1

      d31962f6d87313a1452ebe4332e3667a8a1a8bc8

      SHA256

      c4506bfd251eca92451bbc7a255cbdbbce10aa6f3b18ef28e29d8fe97f17a9b8

      SHA512

      ca977fae08c3e3ae9c0433ea8a2e71b0e3f556f8b3a8d44c14ca252d6ef5168cb37ded69f64b3f9eb3ce6b3a0541f2a0009dfa7f571a048cabe2df46c04d406b

    • C:\Users\Admin\AppData\Roaming\Microsoft\Office\MSO1033.acl

      Filesize

      36KB

      MD5

      509bc92e1ffb6a991bfb69f06ea2d88c

      SHA1

      5903a197c70a4f71fca543a9d0f2886fd09a0fbb

      SHA256

      79569dcff36bb12807b015358e5363bdd5b56e06a3d933ce41fc6e8e5363b3f4

      SHA512

      5e601137d73c3e6fdb3274f5b420cab2764b9b091e5d5cac4d31f66bcb95916bcede765cb7471807c62d659cd3191aabb00f8ccab1872694532f9dcb3d678551

    • C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

      Filesize

      55B

      MD5

      b04fd3884038b13390e7a065db5af8e8

      SHA1

      77766abc66b4466c2bbbf7c95ffce8e88888cb2a

      SHA256

      dbfc917519388f434307e61f1e03c6d76817d90ff746217f0f9c06858c3c3650

      SHA512

      a1739f2774f4bb11335eaec921a76736a0f5ec3a98c04fbf0777e902c07c640bc90f4806710d12e34f9f51d855044f007a1519f779eaf1754e533134b2a0e8e4

    • C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

      Filesize

      20KB

      MD5

      bfa36f4aceadcd4e0c201b1c94d941f0

      SHA1

      a7cfad004a9ff5bce6caffec3398625904041233

      SHA256

      62a8573e35668c5141af90edc9b420c3620fdb71b83b5bd52b6975469e81c39d

      SHA512

      70202a462c96480bcb9064e60df260215eb67472bcbe150893c9f63aabb2458f1e19b3812aacaae8a6b900816bf62b4a4407898166b34bcfc7779301fbe4692d

    • C:\Users\Admin\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex

      Filesize

      2B

      MD5

      f3b25701fe362ec84616a93a45ce9998

      SHA1

      d62636d8caec13f04e28442a0a6fa1afeb024bbb

      SHA256

      b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

      SHA512

      98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

    • memory/1704-45-0x00000000003E0000-0x00000000004E0000-memory.dmp

      Filesize

      1024KB

    • memory/1704-38-0x00000000003E0000-0x00000000004E0000-memory.dmp

      Filesize

      1024KB

    • memory/1704-67-0x00000000003E0000-0x00000000004E0000-memory.dmp

      Filesize

      1024KB

    • memory/1704-66-0x00000000003E0000-0x00000000004E0000-memory.dmp

      Filesize

      1024KB

    • memory/1704-65-0x00000000003E0000-0x00000000004E0000-memory.dmp

      Filesize

      1024KB

    • memory/1704-64-0x00000000003E0000-0x00000000004E0000-memory.dmp

      Filesize

      1024KB

    • memory/1704-62-0x00000000003E0000-0x00000000004E0000-memory.dmp

      Filesize

      1024KB

    • memory/1704-61-0x00000000003E0000-0x00000000004E0000-memory.dmp

      Filesize

      1024KB

    • memory/1704-60-0x00000000003E0000-0x00000000004E0000-memory.dmp

      Filesize

      1024KB

    • memory/1704-59-0x00000000003E0000-0x00000000004E0000-memory.dmp

      Filesize

      1024KB

    • memory/1704-58-0x00000000003E0000-0x00000000004E0000-memory.dmp

      Filesize

      1024KB

    • memory/1704-57-0x00000000003E0000-0x00000000004E0000-memory.dmp

      Filesize

      1024KB

    • memory/1704-56-0x00000000003E0000-0x00000000004E0000-memory.dmp

      Filesize

      1024KB

    • memory/1704-54-0x00000000003E0000-0x00000000004E0000-memory.dmp

      Filesize

      1024KB

    • memory/1704-53-0x00000000003E0000-0x00000000004E0000-memory.dmp

      Filesize

      1024KB

    • memory/1704-51-0x00000000003E0000-0x00000000004E0000-memory.dmp

      Filesize

      1024KB

    • memory/1704-50-0x00000000003E0000-0x00000000004E0000-memory.dmp

      Filesize

      1024KB

    • memory/1704-49-0x00000000003E0000-0x00000000004E0000-memory.dmp

      Filesize

      1024KB

    • memory/1704-48-0x00000000003E0000-0x00000000004E0000-memory.dmp

      Filesize

      1024KB

    • memory/1704-47-0x00000000003E0000-0x00000000004E0000-memory.dmp

      Filesize

      1024KB

    • memory/1704-72-0x00000000003E0000-0x00000000004E0000-memory.dmp

      Filesize

      1024KB

    • memory/1704-44-0x00000000003E0000-0x00000000004E0000-memory.dmp

      Filesize

      1024KB

    • memory/1704-43-0x00000000003E0000-0x00000000004E0000-memory.dmp

      Filesize

      1024KB

    • memory/1704-42-0x00000000003E0000-0x00000000004E0000-memory.dmp

      Filesize

      1024KB

    • memory/1704-41-0x00000000003E0000-0x00000000004E0000-memory.dmp

      Filesize

      1024KB

    • memory/1704-40-0x00000000003E0000-0x00000000004E0000-memory.dmp

      Filesize

      1024KB

    • memory/1704-39-0x00000000003E0000-0x00000000004E0000-memory.dmp

      Filesize

      1024KB

    • memory/1704-68-0x00000000003E0000-0x00000000004E0000-memory.dmp

      Filesize

      1024KB

    • memory/1704-37-0x00000000003E0000-0x00000000004E0000-memory.dmp

      Filesize

      1024KB

    • memory/1704-36-0x00000000003E0000-0x00000000004E0000-memory.dmp

      Filesize

      1024KB

    • memory/1704-35-0x00000000003E0000-0x00000000004E0000-memory.dmp

      Filesize

      1024KB

    • memory/1704-34-0x00000000003E0000-0x00000000004E0000-memory.dmp

      Filesize

      1024KB

    • memory/1704-33-0x00000000003E0000-0x00000000004E0000-memory.dmp

      Filesize

      1024KB

    • memory/1704-32-0x00000000003E0000-0x00000000004E0000-memory.dmp

      Filesize

      1024KB

    • memory/1704-30-0x00000000003E0000-0x00000000004E0000-memory.dmp

      Filesize

      1024KB

    • memory/1704-29-0x00000000003E0000-0x00000000004E0000-memory.dmp

      Filesize

      1024KB

    • memory/1704-63-0x00000000003E0000-0x00000000004E0000-memory.dmp

      Filesize

      1024KB

    • memory/1704-28-0x00000000003E0000-0x00000000004E0000-memory.dmp

      Filesize

      1024KB

    • memory/1704-55-0x00000000003E0000-0x00000000004E0000-memory.dmp

      Filesize

      1024KB

    • memory/1704-46-0x00000000003E0000-0x00000000004E0000-memory.dmp

      Filesize

      1024KB

    • memory/1704-26-0x00000000003E0000-0x00000000004E0000-memory.dmp

      Filesize

      1024KB

    • memory/1704-25-0x00000000003E0000-0x00000000004E0000-memory.dmp

      Filesize

      1024KB

    • memory/1704-69-0x00000000003E0000-0x00000000004E0000-memory.dmp

      Filesize

      1024KB

    • memory/1704-70-0x00000000003E0000-0x00000000004E0000-memory.dmp

      Filesize

      1024KB

    • memory/1704-71-0x0000000010710000-0x0000000010810000-memory.dmp

      Filesize

      1024KB

    • memory/1704-52-0x00000000003E0000-0x00000000004E0000-memory.dmp

      Filesize

      1024KB

    • memory/1704-27-0x00000000003E0000-0x00000000004E0000-memory.dmp

      Filesize

      1024KB

    • memory/1704-20-0x0000000070C6D000-0x0000000070C78000-memory.dmp

      Filesize

      44KB

    • memory/1704-2-0x0000000070C6D000-0x0000000070C78000-memory.dmp

      Filesize

      44KB

    • memory/1704-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB

    • memory/1704-0-0x000000002F2D1000-0x000000002F2D2000-memory.dmp

      Filesize

      4KB

    • memory/1704-24-0x00000000003E0000-0x00000000004E0000-memory.dmp

      Filesize

      1024KB

    • memory/1704-31-0x00000000003E0000-0x00000000004E0000-memory.dmp

      Filesize

      1024KB

    • memory/1704-23-0x00000000003E0000-0x00000000004E0000-memory.dmp

      Filesize

      1024KB

    • memory/1704-22-0x00000000003E0000-0x00000000004E0000-memory.dmp

      Filesize

      1024KB