Analysis

  • max time kernel
    144s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
  • submitted
    21-07-2024 23:41

General

  • Target

    61e6f38067875e1f33a0de5d254fe760_JaffaCakes118.docm

  • Size

    26KB

  • MD5

    61e6f38067875e1f33a0de5d254fe760

  • SHA1

    d120eca6ea1d747eb3d47b002e79da6cc5e8e75e

  • SHA256

    cd6e4e4e97397afabb09c2a3c68596f677a79c01a3f253e4e4e1b6df7e877cf4

  • SHA512

    9848d7440018afc85836969f15702edbf6d14634d3d5d150c7b8a062aece48df51eee42dece28111d66281a2a85f61bc0373bc9db99acb0d662271be8a28c5ff

  • SSDEEP

    384:S9kyibqUyTMfXUP4U5qLtmscc5Lkds9x/fDC788N8Hiz7X13CpB25GrbdfU3fCkO:oT5iTkds9hfs8zH+7X13CFfUKkO

Score
4/10

Malware Config

Signatures

  • Drops file in Windows directory 1 IoCs
  • Office loads VBA resources, possible macro or embedded object present
  • NTFS ADS 1 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\61e6f38067875e1f33a0de5d254fe760_JaffaCakes118.docm"
    1⤵
    • Drops file in Windows directory
    • NTFS ADS
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2120
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      2⤵
        PID:2740

Network

MITRE ATT&CK Matrix

Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{C49C13E8-CEE3-4D8A-96F7-24FB7F2D4D75}.FSD

      Filesize

      128KB

      MD5

      b828329ea4d3a0ef1c85f0def202b162

      SHA1

      ee42d0f6cd05b5eed81d4130e5aabef6cec6d46d

      SHA256

      10f52e1fbf53166ff2fa879894ad1b4b6a3bba39788992992f0a427aedb3557b

      SHA512

      3ee04e494885b2177b9f0fef4721f83a897bc081371d05b7d43ef7b70d089eec2f5fdd288992f24e88b001a4cc93bbb30bda8ae47aa56ea36fb53edea49ff925

    • C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD

      Filesize

      128KB

      MD5

      4e322f0b25520194939546564760db47

      SHA1

      cc504e76c79540ed857eacbe66090b928a843bf4

      SHA256

      e8306695416b3b817721c7bf32c0897caa477c3c7bf7223766dfe15c10ce009f

      SHA512

      a00255612a86b37f5ed691a4cba417897fb6128411c2ecad8e9e4afb1184e5a5597eb2fb8682586d85d7f73058404e6b8bfa102ce6250a8602280d37590226d7

    • C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD

      Filesize

      128KB

      MD5

      836a5845d0cd9f2ed15dbc8368e3ed63

      SHA1

      5a352865e418052c644bac611f9c43cc81c6dc58

      SHA256

      1f17ca0f856c5b770b0ed0d5edefa00ccd78a374a9d3dd7c026a8d4278cf4d1e

      SHA512

      8d2f3c90cc85af71d335a0f4e653ef2839ec5f49603d830eacbfa07111d27e6b792be6c108466ff4ee68d3e7d302b7f3b64eb51398902aadade69d62594ab492

    • C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{4A8CB67B-869B-46A7-9CED-A40F0F9604D5}.FSD

      Filesize

      128KB

      MD5

      0cde3d36e61eeab63ed79e8c27448d15

      SHA1

      45bedac99c8c630d53b6dca8d9f66519f9a86513

      SHA256

      b676267fdd14f140667a9a52bd8b2638019b451d7b024aee4d1cdd5d47348fca

      SHA512

      0f03f2366a480d781ca3c451b0ff41378bdea14e9d7cfda1497f6c67694724ccfeb1109d15e45143f5acf74990a6a000d511f9fc87901ace6d248df67ceaca5f

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\2LF9I1AK\2lording[1].htm

      Filesize

      5KB

      MD5

      70332dd29d38db5ea36163ce9052b5c7

      SHA1

      edb694b558edbaafafc0f83dc8ec0f44ca834ae1

      SHA256

      dbb43e7ee60b955ebb162ec6e0988d95a915cf917233df4e3801e55a275c00b7

      SHA512

      5af05e19a722273eee9922dd528714f6e34e6d368349f15751b177cc5b171ebc031f0e8ad33a7ad5ae87b7993486b8fe0bda6fd788011cb4de260a940cc467a9

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\DB416F9B.emf

      Filesize

      40KB

      MD5

      802331c694264c39a2dfbc01198660c6

      SHA1

      1ac9666f59771d35ba57b18c04d8cc9a9c0b45f1

      SHA256

      4be8acc2702368bce2114132570119de36effc55f937e53b4d04598d609174bc

      SHA512

      2327341454f22b7157480ed0b40123e998048317a634fe326734b4634c4a87493c060c7d6b478719b817712be65a4e5f7fa8c860da7a3125e08fd7098a2a1f38

    • C:\Users\Admin\AppData\Local\Temp\{EF0CF927-537C-412A-AEE5-8A52C47BF5D1}

      Filesize

      128KB

      MD5

      5da0e69019f74dbe9a66e6e1e305e708

      SHA1

      0f4423b419a74ec09a6ca3f6aba72c6683e1c205

      SHA256

      f83470181ca6169d02a9ea3186781ff9d1304295ff73809562ce912c5eb86091

      SHA512

      a23549d91556110bade0cf4bbe5987f9f507682b0a05fd10fcec45a4ad3bf4ce85fd119f340a279a86fb5364ee9233656394911b87f91103e3d393e90fc46a2f

    • memory/2120-0-0x000000002FCD1000-0x000000002FCD2000-memory.dmp

      Filesize

      4KB

    • memory/2120-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB

    • memory/2120-2-0x000000007172D000-0x0000000071738000-memory.dmp

      Filesize

      44KB

    • memory/2120-102-0x000000007172D000-0x0000000071738000-memory.dmp

      Filesize

      44KB