a3930a84abb7345b53130ebf9d06c2bb41bc01f39a365b8cc7e3b69f7ca4bc86

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
13/07/2024, 16:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4261ec0a9edda9561c4dda5d8da7f98d_JaffaCakes118.rtf
Size

12KB
MD5

4261ec0a9edda9561c4dda5d8da7f98d
SHA1

c750e02de96c5ea52887dad328728deafdeb8e79
SHA256

a3930a84abb7345b53130ebf9d06c2bb41bc01f39a365b8cc7e3b69f7ca4bc86
SHA512

17c3875ccf4ac0e92eba8dc4ba549994208b19cf170f81a9e5ac8adc7fada94b4d45501c678655149fbbf75abdac8dbde69822b2d32aac9f2bed495c36bf339e
SSDEEP

384:AQtLs99/0jRGe7kQkjz4OjdjD499ZVONR4LmjB:AQtLscYeIQkjk+d/C9ZVS4LqB

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 2 IoCs

flow	pid	Process
3	2564	EQNEDT32.EXE
7	2564	EQNEDT32.EXE

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

Office loads VBA resources, possible macro or embedded object present

Launches Equation Editor 1 TTPs 1 IoCs

Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.

exploit

Exploitation for Client Execution

T1203

pid	Process
2564	EQNEDT32.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
3004	WINWORD.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
3004	WINWORD.EXE
3004	WINWORD.EXE

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3004	WINWORD.EXE
3004	WINWORD.EXE

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3004 wrote to memory of 2812	3004	WINWORD.EXE	33
PID 3004 wrote to memory of 2812	3004	WINWORD.EXE	33
PID 3004 wrote to memory of 2812	3004	WINWORD.EXE	33
PID 3004 wrote to memory of 2812	3004	WINWORD.EXE	33

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\4261ec0a9edda9561c4dda5d8da7f98d_JaffaCakes118.rtf"
1⤵
- Drops file in Windows directory
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3004
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:2812

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
1⤵
- Blocklisted process makes network request
- Launches Equation Editor
PID:2564

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Exploitation for Client Execution

T1203

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

Filesize
19KB

MD5
2b0423142c30df9c5aaba00ccd657e80

SHA1
873398b471d89e458a51456c5fe39a87ea59a95c

SHA256
442498519004ea1d102f8900ff8884c02d92043411f95e841f1523ac90d4aacb

SHA512
bce11e9a80007668d6948abd665874e682062c11833094bd2eabad025f9b9cb68e54a670208c9608de96922e5b7756a5f5ac03702015c924a66e36bcfc248da0

Download Submit
memory/2564-5-0x0000000002F70000-0x0000000002F71000-memory.dmp

Filesize
4KB

Download
memory/3004-0-0x000000002F2B1000-0x000000002F2B2000-memory.dmp

Filesize
4KB

Download
memory/3004-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/3004-2-0x00000000715BD000-0x00000000715C8000-memory.dmp

Filesize
44KB

Download
memory/3004-4-0x00000000715BD000-0x00000000715C8000-memory.dmp

Filesize
44KB

Download
memory/3004-24-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/3004-25-0x00000000715BD000-0x00000000715C8000-memory.dmp

Filesize
44KB

Download