Analysis

  • max time kernel
    149s
  • max time network
    136s
  • platform
    windows7_x64
  • resource
    win7-20240220-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
  • submitted
    03-07-2024 16:15

General

  • Target

    2300e5b5bd75b047713987a092e6aee0_JaffaCakes118.doc

  • Size

    204KB

  • MD5

    2300e5b5bd75b047713987a092e6aee0

  • SHA1

    e0f4267cff5103997c0820cf008ea4e2144f9ad4

  • SHA256

    e01ebfe3441e389dde40a398d65e9744543dfed9e4e52f54d1e3a8db69e4642f

  • SHA512

    d22915ba7e8bef9bcf94f0ba9e42cba44f3bc1df9333f8c7a7b4744eba11bd52a954e1a53d95b806febe92cc2bbf0378b4cca8d6094fed75252916ffce56da32

  • SSDEEP

    1536:ktPrT8wrLT0NeXxz1DweJHrTPUy25J8b/yy5z0g3iqyDbML17PguMrBfR:k2w3keXxz1DfJaxG0bAIhR

Score
7/10

Malware Config

Signatures

  • Abuses OpenXML format to download file from external location (4 IoCs)
  • Drops file in Windows directory (1 IoC)
  • Office loads VBA resources, possible macro or embedded object present
  • Enumerates system info in registry (2 TTPs, 3 IoCs)
  • Modifies Internet Explorer settings (1 TTP, 31 IoCs)
  • Modifies registry class (64 IoCs)
  • Suspicious behavior: AddClipboardFormatListener (2 IoCs)
  • Suspicious use of AdjustPrivilegeToken (2 IoCs)
  • Suspicious use of SetWindowsHookEx (13 IoCs)
  • Suspicious use of WriteProcessMemory (4 IoCs)

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\2300e5b5bd75b047713987a092e6aee0_JaffaCakes118.doc"
    PID:2860
    • Abuses OpenXML format to download file from external location
    • Drops file in Windows directory
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    • C:\Windows\splwow64.exe (child of PID 2860)
      C:\Windows\splwow64.exe 12288
      PID:2548
  • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
    PID:2640
    • Abuses OpenXML format to download file from external location
    • Enumerates system info in registry
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
  • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding
    PID:1000
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
  • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
    PID:2628
    • Abuses OpenXML format to download file from external location
    • Enumerates system info in registry
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
  • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
    PID:820
    • Abuses OpenXML format to download file from external location
    • Enumerates system info in registry
    • Suspicious use of SetWindowsHookEx
  • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
    PID:756

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-CNRY.FSD (128KB)
    MD5: 8fb2f4a07caceabef1d8fc269222311e
    SHA1: 8071724018b0333e3ca25a5485a5518da220f424
    SHA256: 67021542b14df94ddc08c939f4663e6fc7d4b3b42af8514e89172f85beea7ab4
    SHA512: b7fdb45f38ef78fa6a265999004d97a96b4b802a55596453cfe5966649f3d88c49b3de89a0a3643fdd04db82d4f9aef8ca7e4d942a175bafa5fbbc3c25800eec
  • C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{218A9561-5254-4D2F-B273-2BA7272EDACA}.FSD (128KB)
    MD5: 74250be9933c67e9a24369db0e0ff512
    SHA1: e030320ff6d6cdc013fcd2998d293d5073e659f8
    SHA256: 29056ea337fd01774674fe881e4075e22f5dffb2f4e74a4005183bcd74c2c1af
    SHA512: 46c831bf0116a569b3bb71e01f2bd37030c656d62965af8f81ca289ce73344fe25bbdf9dfc0ea37d78591bfcc5200c97fb6d7ed9b1649318b422ba59b513f196
  • C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSF-CTBL.FSF (114B)
    MD5: 214d0b473dadb17f03a02a07516d1acf
    SHA1: 9480128e63de0b576bca4c078fccc85473328e63
    SHA256: 9e6db779369380ef20edd87a6c1598ecb326cbad7d77b5fed06606b1a662b2a4
    SHA512: 036ea93d91db2bb516fb56a7b19d8c8e6313fd23d0f6417a4f4e6c4b73e3bb48b8b46059f97351369d96372ea52f73907ed7ee035ec3d941347b213f590c48f8
  • C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD (128KB)
    MD5: f3f5719ad83a65461424d067f69e9d16
    SHA1: 5ad829888ba7c670e46b868dd5c79f336270348f
    SHA256: 47c2afb6a775b4f6f2df478846f895f6cecee2ead9259d265851a3cf6b7d3ca8
    SHA512: 145c7e0d65cac13be29a01ccf9ca8d363a8afa41afc4911dd665019c2f6fdd9c1bbf5122e1977ee8761bc11da8ae7ef8a7a66a8f88db2108cc488e06a1041cff
  • C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD (128KB, second version)
    MD5: 475c5a6af5b16a77e14a9ee61ed5457f
    SHA1: 1bfa0431e08d31696c12e9547874d11d2f0355ea
    SHA256: 0ce848ed31277500b3455ad57fa1dc70ebdd3859c3e016ed9bc4e20b9ee07aca
    SHA512: 5cf865d12fe9249a9d775f298639c407b760b32a8610f761b857cd55eac8a1051397be21d74da05592f9b82c5a2c7d6d81d587bc270cc95401a9b90536d63f87
  • C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{88BD9968-6D03-4B73-8B42-C8AED79E4A12}.FSD (128KB)
    MD5: e2d372b70a2ec3a9f8d6f58c8b9e5db0
    SHA1: dc17d6792c41172a6cc9258e7d4adfca8995c41b
    SHA256: 805debea48429c5bb8b9995a6eb6cb8a099681a7eeb4e95cb5bdb504b357aefd
    SHA512: b2bf95b7f53a23295d3e05f6982897031636f7502b6de1d1053c2f4c73bab115f3a37c85dd56b6c4c63dab31edd363469ac51a0e873f3256c808c60cb02acb42
  • C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{88BD9968-6D03-4B73-8B42-C8AED79E4A12}.FSD (128KB, second version)
    MD5: 5bc1025fe7b7e3dab2b1b932a414e570
    SHA1: 8cb33a8fa8bd845cab51617107dca9d1b88bb5e2
    SHA256: 0cd56867076de7f6e24454b047602a062e8ce99024a8f23d3813c20cc2205cf2
    SHA512: 2df8ca149a7bd93badeedafc07836d3b59fac2c751eadb505f5a2338413496fbbe299ad93a8fb12e45a170c9ae5f897e0b80c47c79710f8eb9ae3709c7fc3e3d
  • C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSF-{0E1EEE64-E8C6-4E2A-9759-63CF07FD8988}.FSF (114B)
    MD5: 6f3d910ceb88a98f8c54306b5e9b5b7a
    SHA1: 9570cc35ca0463c0a15f91200b052b8ceb916b12
    SHA256: ad057507fc5578b99bccfa662b1fbc401b9e6a3b8dcbcd07372b63f20b1bdc8e
    SHA512: 592c0b653b308cc6b10e8cebd8da6aac9ca8a7671c9ccdd18a45edd457fca86e7bbafa6722866776f34269cfce94cca6c94be698aa9cb5a09cc307c98921dc34
  • C:\Users\Admin\AppData\Local\Temp\VBE\MSForms.exd (143KB)
    MD5: 4dd4d2c2471f40a16b9f4b2c23396f69
    SHA1: d795e590dc0ca4112edd64d2eae2ae4b8a628cf3
    SHA256: 29cfaa18c8f164bd24ab37283cf3095f0c51d1e4399db5c94eba20aee5d7bb56
    SHA512: 9df26e19c0316596e44547cef771b793968f03057a9d5f3079aebadea22eaf3af39ea4978fafde9fb5f9dba3cb3a4f50385750fa6125e51c2b389b64ecf41e35
  • C:\Users\Admin\AppData\Local\Temp\{89FCD4EA-3267-4ABD-AE10-43DFA8B94A4B} (128KB)
    MD5: 32ab79b59f22010fce688ca33a8be495
    SHA1: 581d499f9e1adaaba92b4eff8f58da3c550e5800
    SHA256: f999291546e2dfc0c7cfe2e8644dca3e3698b7d3f038d68a8f3c747e8204a5a5
    SHA512: e239be675599cb8ce079c03ac6ac9b0624ed7c4b126da753703558dc42111f08e6fdfbd6c84179a369bd6ad78c79b6116acde6563be9d2ecefd28271a81a0a2c
  • C:\Users\Admin\AppData\Roaming\Microsoft\Office\MSO1033.acl (36KB)
    MD5: 8d5e98a0cab5d2bae5c1a7e2fc15dd8f
    SHA1: 413cb6cb7c27d969dc60df996733e20a5ff2968e
    SHA256: eeee6bd253bcff5a99188669732650d9b672af9bf1dd760219ec5d304f5b10ee
    SHA512: 9166723f018a16649a9f337521013ab59b1836386588f560b3aaf24166d51b4296310f2e0bf5d630f0d4653e43b0862a105dd8c498be87ae554ff80ca93a4dc2
  • C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm (20KB)
    MD5: 5f4123e13c101d11ddd45a26c96c1b86
    SHA1: 74c95d7fb1f250a3f2f57f2ea11eedd9e7168bbf
    SHA256: dc47fefd48ee83249d858d0d5190b308bfdfb7433fe630aeb46ebbfe6f99db17
    SHA512: 9e7fcd816d25479c6bf0a0e68a83b76bb864d632e4d72d69cc0db2677c4531c454a05e31c5275a8935346805caa79f1037a25161611d7cf60156c601c722c2e4
  • C:\Users\Admin\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC (2B)
    MD5: f3b25701fe362ec84616a93a45ce9998
    SHA1: d62636d8caec13f04e28442a0a6fa1afeb024bbb
    SHA256: b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
    SHA512: 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

  • memory/2640-1021-0x000000005FFF0000-0x0000000060000000-memory.dmp (64KB)
  • memory/2860-121-0x0000000000680000-0x0000000000780000-memory.dmp (1024KB)
  • memory/2860-120-0x0000000000680000-0x0000000000780000-memory.dmp (1024KB)
  • memory/2860-110-0x0000000000680000-0x0000000000780000-memory.dmp (1024KB)
  • memory/2860-111-0x0000000000680000-0x0000000000780000-memory.dmp (1024KB)
  • memory/2860-114-0x0000000000680000-0x0000000000780000-memory.dmp (1024KB)
  • memory/2860-115-0x0000000000680000-0x0000000000780000-memory.dmp (1024KB)
  • memory/2860-116-0x0000000000680000-0x0000000000780000-memory.dmp (1024KB)
  • memory/2860-117-0x0000000000680000-0x0000000000780000-memory.dmp (1024KB)
  • memory/2860-119-0x0000000000680000-0x0000000000780000-memory.dmp (1024KB)
  • memory/2860-113-0x0000000000680000-0x0000000000780000-memory.dmp (1024KB)
  • memory/2860-0-0x000000002F921000-0x000000002F922000-memory.dmp (4KB)
  • memory/2860-118-0x0000000000680000-0x0000000000780000-memory.dmp (1024KB)
  • memory/2860-112-0x0000000000680000-0x0000000000780000-memory.dmp (1024KB)
  • memory/2860-61-0x0000000004FA0000-0x00000000050A0000-memory.dmp (1024KB)
  • memory/2860-11-0x00000000711ED000-0x00000000711F8000-memory.dmp (44KB)
  • memory/2860-2-0x00000000711ED000-0x00000000711F8000-memory.dmp (44KB)
  • memory/2860-1-0x000000005FFF0000-0x0000000060000000-memory.dmp (64KB)