Analysis

  • max time kernel
    144s
  • max time network
    142s
  • platform
    windows7_x64
  • resource
    win7-20240419-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240419-en, locale:en-us, os:windows7-x64, system
  • submitted
    03-07-2024 18:11

General

  • Target
    234bcef84d766cb8bf8c6d78e013fc6f_JaffaCakes118.doc
  • Size
    242KB
  • MD5
    234bcef84d766cb8bf8c6d78e013fc6f
  • SHA1
    05843a0d9a6a6a01ced6f06e97ce7c69bb6bde3a
  • SHA256
    602ddd6d104ab13eceae1f1459862094c8740308bf08f060d51fece37b63612e
  • SHA512
    b214aed42a46d1e5b5fc7af4a952b281f9820dd858639340e74c17e3fc4d40c886d385f3cb9e53e2b50c12077110543a82d684aa92522d88ad5bbc6457739dd2
  • SSDEEP
    3072:rvw9HXPJguq73/IKBWydAdS1zzKpiyclq:rvKHXPJi73wAcU1K8nlq

Score
7/10

Malware Config

Signatures

  • Abuses OpenXML format to download file from external location 2 IoCs
  • Drops file in Windows directory 1 IoCs
  • Office loads VBA resources, possible macro or embedded object present
  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious use of SetWindowsHookEx 9 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\234bcef84d766cb8bf8c6d78e013fc6f_JaffaCakes118.doc"
    1⤵
    • Abuses OpenXML format to download file from external location
    • Drops file in Windows directory
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1148
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      2⤵
        PID:2676
    • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
      "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
      1⤵
      • Abuses OpenXML format to download file from external location
      • Enumerates system info in registry
      • Suspicious use of SetWindowsHookEx
      PID:772

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{8FE84BF4-F890-4F7A-9E4C-8552A0C2EA1B}.FSD
    Filesize
    128KB
    MD5
    5b98c0eede6dc14a3b751aee4231a6b0
    SHA1
    5169db782b8e5e8820c8b640a4aa02e989c2109c
    SHA256
    0c902c0f9915d7f9162466ff7df29f7b4d9895a9902dde71615dd96542e7722c
    SHA512
    f9bf278c70ffd0a4caf194bce3f28e8f3a02f668a4281c4ec4f38cfa63427e42a1f69b18acaf5f5e6b41955a1efb2862b6a1be7d92d842de19a3d45aa4329f4f
  • C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD
    Filesize
    128KB
    MD5
    250c8851d0450fb2465af5a116c50994
    SHA1
    8f8dafd18d95a4dc5a531f00c5a77d77122e6d51
    SHA256
    eea86809b07185274e4d23e0a7f4f41f4f767f8fd25399792932c0c0df35a22e
    SHA512
    8c61495f3f51ffc6ed9ce80302cdb07adb12d086b855a16220bf0ec0c08ad839eb7d96d213df25531f29e0019487abbdedca72ab5412ebb9574515852d1e990a
  • C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD
    Filesize
    128KB
    MD5
    0b9e2feb72367542a277aaa7a26ae686
    SHA1
    9f3c22d5da0bf30196db78baca0778b2b9e85833
    SHA256
    24d483a616b2d33247669cad478986d2ec275f9b29866169fcc5a381316f086b
    SHA512
    d88151844249bd62c61082053037b7d4c746701d9040492d5ade31f9dcdccf1f481c2699219d54157bbbec227166f080c3ada3c930d2241f90ce5b16a85d3e85
  • C:\Users\Admin\AppData\Local\Temp\{A3E9D2FF-43A2-4FE3-905C-74D3C15A075A}
    Filesize
    128KB
    MD5
    2478db9a8bd5b5a5a1dafafd9e2a250d
    SHA1
    a3b8c598fb35d37711c51ab1606d215ea617c1dd
    SHA256
    248fa103935a27e42d14e5cb708fd3b870feb7b3dfb2b1e9df3d8ba5f232a8c7
    SHA512
    0868ed2d3a2e5e854db9030ae81641cc92768446712fa07513fb4a8660c0337e68793e04d96fa697323d7feb74f1873eb055ff75c68ef96eda8b8981182a4f4b
  • memory/1148-0-0x000000002FB61000-0x000000002FB62000-memory.dmp
    Filesize
    4KB
  • memory/1148-1-0x000000005FFF0000-0x0000000060000000-memory.dmp
    Filesize
    64KB
  • memory/1148-2-0x000000007191D000-0x0000000071928000-memory.dmp
    Filesize
    44KB
  • memory/1148-11-0x000000007191D000-0x0000000071928000-memory.dmp
    Filesize
    44KB
  • memory/1148-61-0x00000000006A0000-0x00000000007A0000-memory.dmp
    Filesize
    1024KB
  • memory/1148-62-0x000000000F870000-0x000000000F970000-memory.dmp
    Filesize
    1024KB
  • memory/1148-517-0x00000000006A0000-0x00000000007A0000-memory.dmp
    Filesize
    1024KB