Malware Analysis Report

2025-01-22 19:14

Sample ID 240720-g7rzxstepd
Target 5f5fe3a1c2678668baafb3807897de7d_JaffaCakes118
SHA256 f65eec3ce3d94a54021e254ad1bfe573887cbba43f338b5862d97af0e98b6bc0
Tags
macro macro_on_action
score
8/10


Analysis Overview

score
8/10

SHA256

f65eec3ce3d94a54021e254ad1bfe573887cbba43f338b5862d97af0e98b6bc0

Threat Level: Likely malicious

The file 5f5fe3a1c2678668baafb3807897de7d_JaffaCakes118 was found to be: Likely malicious.

Malicious Activity Summary

macro macro_on_action

Office macro that triggers on suspicious action

Deletes itself

Drops file in Windows directory

Office loads VBA resources, possible macro or embedded object present

Suspicious behavior: AddClipboardFormatListener

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Checks processor information in registry

Enumerates system info in registry

NTFS ADS

Suspicious behavior: RenamesItself

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-07-20 06:27

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-20 06:27

Reported

2024-07-20 06:29

Platform

win7-20240708-en

Max time kernel

121s

Max time network

122s

Command Line

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\5f5fe3a1c2678668baafb3807897de7d_JaffaCakes118.doc"

Signatures

Office macro that triggers on suspicious action

macro macro_on_action
Description Indicator Process Target
N/A N/A N/A N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Debug\WIA\wiatrace.log C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Office loads VBA resources, possible macro or embedded object present

NTFS ADS

Description Indicator Process Target
File created C:\Users\Admin\AppData\Local\Temp\~WRD0001.tmp\:Zone.Identifier:$DATA C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious behavior: RenamesItself

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Processes

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\5f5fe3a1c2678668baafb3807897de7d_JaffaCakes118.doc"

C:\Windows\splwow64.exe

C:\Windows\splwow64.exe 12288

Network

N/A

Files

C:\temp.tmp

MD5 ddf48901366b88d3e1230abafe3accae
SHA1 187f1f955cc505d151e22c329bf58592c41b83e5
SHA256 30bdd8fe0ffdd79dc36186ac25d720179a3aa7967a0a0d8474a880df46555111
SHA512 b0fb733c338aa67701997f20c6ca516faee2c237870e15d723884f2d7b712c7eaa8cd6fb47e76f0b6693cc94ecea2cc2051971cf061f24070cfcdc797d188519

C:\temp.tmp

MD5 519755378e58a854e2bd4652f7195193
SHA1 eca94844a06772a58cafa8bb4fccb054cdb450c0
SHA256 b5aa96f3f7930aced20f57e7f4fe5957e37be0f504fb2f49606f80b19e79bf20
SHA512 b1e3a0dc5562e558bb8542c4f9288ce4493ddc9c5c533fff9a07e008a6acef0fbacfc03d867d5ff54fb602e9f3148fa073bb93a1ca386ea42f88b063f0726d52

C:\Users\Admin\AppData\Local\Temp\5f5fe3a1c2678668baafb3807897de7d_JaffaCakes118.doc

MD5 a6e17d6ed34b28140a97a6bddbcbd043
SHA1 3c61bf0a39e6ba87bb85a983724829fec8a654fe
SHA256 990127b9efd5e25383f494579f7cb3c7c13dd3cef1bac4946f0bccbe897966e8
SHA512 c706d589cc0befa376082d5ba1b71609fd741b6a618f1ab6a84362351251a315817c5bca07121dd1acc60400db5dcd9aa3a218ebe32f2a22025e3d0485da842e

C:\VB376D.tmp

MD5 810799095dacc650c6fa34cc30130776
SHA1 1969cec418ee4adda272c6c721b401e99af542ec
SHA256 af5cb6f0dec03e0389de2c1d1bd78f36db7bb627635cb9ac96250c92026c7eea
SHA512 b4566530b65d406dcefb217df6e69fb82ca76a8c795e23b4bd35a006ffe118d7cd79415fd01f7262a5974171e358ccc6d92a6e18343220d1d8b057c6d181fc3e

C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

MD5 e4ebc0fc637a7d1ee5e3ef67ee33a88f
SHA1 42b23d927750b73d0e06ecb862490a0ce2b9a4cf
SHA256 712d52b5344b46e36a285bbc5843ff1cc2f2245d2c95816ecc725743fbbd340f
SHA512 f733ab57ff157ecd0b1a420d8ce0c59182c76f50b1d17db30d50f56f8984a5064afebeba42957a4007d351afec0f58a23c0c213ea9a549c52fa418b711030879

C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

MD5 9199dc449bd4c5f87dd661f469e5256c
SHA1 86a40d0d81febc632f851037ea10acf948385e6e
SHA256 805a9027cadb4a019c642bfef9a2de380ab7957707f5c5e283fd0829c43e6d13
SHA512 3401945376903561a3319f43973ad79909744d1f55f662a5f93a8946a41a31da278729506859b82113343e8267cc866cec9149b5ae2267d1693a1aaf227946ca

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-20 06:27

Reported

2024-07-20 06:29

Platform

win10v2004-20240709-en

Max time kernel

150s

Max time network

149s

Command Line

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\5f5fe3a1c2678668baafb3807897de7d_JaffaCakes118.doc" /o ""

Signatures

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Processes

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\5f5fe3a1c2678668baafb3807897de7d_JaffaCakes118.doc" /o ""

Network

Country Destination Domain Proto
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 roaming.officeapps.live.com udp
GB 52.109.28.47:443 roaming.officeapps.live.com tcp
US 8.8.8.8:53 47.28.109.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 134.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 153.141.79.40.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 metadata.templates.cdn.office.net udp
GB 92.123.26.202:443 metadata.templates.cdn.office.net tcp
US 8.8.8.8:53 binaries.templates.cdn.office.net udp
GB 173.222.211.57:443 binaries.templates.cdn.office.net tcp
US 8.8.8.8:53 202.26.123.92.in-addr.arpa udp
US 8.8.8.8:53 57.211.222.173.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 udp

Files

C:\temp.tmp

MD5 ddf48901366b88d3e1230abafe3accae
SHA1 187f1f955cc505d151e22c329bf58592c41b83e5
SHA256 30bdd8fe0ffdd79dc36186ac25d720179a3aa7967a0a0d8474a880df46555111
SHA512 b0fb733c338aa67701997f20c6ca516faee2c237870e15d723884f2d7b712c7eaa8cd6fb47e76f0b6693cc94ecea2cc2051971cf061f24070cfcdc797d188519

C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

MD5 7c6d6d41e86c256c8c32e3492ccdc27b
SHA1 fe380bfec8920b858f1cfe7c39e7b4ce183cf265
SHA256 d27257a82c6aa68570d20489ecd1f2bc9ec751a55a4573717a26403d73c3f1e3
SHA512 f2245635e0451bb2e17b9f321e00730d61e46b195b7b6b3e5a4a35921dc7dea609eda9bcf981e9d4bdd20028837bddc252f2cf808ab4cdee99b3526de6da8935

C:\temp.tmp

MD5 519755378e58a854e2bd4652f7195193
SHA1 eca94844a06772a58cafa8bb4fccb054cdb450c0
SHA256 b5aa96f3f7930aced20f57e7f4fe5957e37be0f504fb2f49606f80b19e79bf20
SHA512 b1e3a0dc5562e558bb8542c4f9288ce4493ddc9c5c533fff9a07e008a6acef0fbacfc03d867d5ff54fb602e9f3148fa073bb93a1ca386ea42f88b063f0726d52

C:\Users\Admin\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC

MD5 d29962abc88624befc0135579ae485ec
SHA1 e40a6458296ec6a2427bcb280572d023a9862b31
SHA256 a91a702aab9b8dd722843d3d208a21bcfa6556dfc64e2ded63975de4511eb866
SHA512 4311e87d8d5559248d4174908817a4ddc917bf7378114435cf12da8ccb7a1542c851812afbaf7dc106771bdb2e2d05f52e7d0c50d110fc7fffe4395592492c2f

C:\Users\Admin\AppData\Local\Temp\TCDCC2A.tmp\gb.xsl

MD5 51d32ee5bc7ab811041f799652d26e04
SHA1 412193006aa3ef19e0a57e16acf86b830993024a
SHA256 6230814bf5b2d554397580613e20681752240ab87fd354ececf188c1eabe0e97
SHA512 5fc5d889b0c8e5ef464b76f0c4c9e61bda59b2d1205ac9417cc74d6e9f989fb73d78b4eb3044a1a1e1f2c00ce1ca1bd6d4d07eeadc4108c7b124867711c31810

C:\VB951.tmp

MD5 810799095dacc650c6fa34cc30130776
SHA1 1969cec418ee4adda272c6c721b401e99af542ec
SHA256 af5cb6f0dec03e0389de2c1d1bd78f36db7bb627635cb9ac96250c92026c7eea
SHA512 b4566530b65d406dcefb217df6e69fb82ca76a8c795e23b4bd35a006ffe118d7cd79415fd01f7262a5974171e358ccc6d92a6e18343220d1d8b057c6d181fc3e

C:\Users\Admin\AppData\Roaming\Microsoft\Templates\~WRD0001.tmp

MD5 80d172c1e3cc666f4cd052fc32be4d95
SHA1 4bd85f2ba7f51fcead1ca24dbbb4c7c6a685e1e7
SHA256 ff1eb81f1d615ceebd1a374ff6cb5e8b38dce623fed2a01f794971ba5cd148d0
SHA512 67e6c260ec5c245f05d42705b3b9c1545e2cf24ad86669560894f7269f4c725a40377a223b74b9a8c85e7272db2f6837cf56991009acc7fccb9a74bf963af309

C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

MD5 b6d58f6848e884a1837fc7ba10ba2bb5
SHA1 cf847e2250b877d665a22e4375fec7f8a6254ee5
SHA256 dbbabc1153d1f89c98fa04b810bb5ed9635e6e10341412460d7d0f8d96247aa8
SHA512 07e33be18281daf62589ddd5a72bf15138b684fa5643d7a6f047f389e555d39574617465f703857203971db5c2941f0a99494ccc53a688d72e92a48837212e54
