Analysis
max time kernel: 144s
max time network: 123s
platform: windows7_x64
resource: win7-20240704-en
resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
submitted: 21-07-2024 23:41
Static task: static1
Behavioral task: behavioral1
  Sample: 61e6f38067875e1f33a0de5d254fe760_JaffaCakes118.docm
  Resource: win7-20240704-en
Behavioral task: behavioral2
  Sample: 61e6f38067875e1f33a0de5d254fe760_JaffaCakes118.docm
  Resource: win10v2004-20240709-en
General
Target: 61e6f38067875e1f33a0de5d254fe760_JaffaCakes118.docm
Size: 26KB
MD5: 61e6f38067875e1f33a0de5d254fe760
SHA1: d120eca6ea1d747eb3d47b002e79da6cc5e8e75e
SHA256: cd6e4e4e97397afabb09c2a3c68596f677a79c01a3f253e4e4e1b6df7e877cf4
SHA512: 9848d7440018afc85836969f15702edbf6d14634d3d5d150c7b8a062aece48df51eee42dece28111d66281a2a85f61bc0373bc9db99acb0d662271be8a28c5ff
SSDEEP: 384:S9kyibqUyTMfXUP4U5qLtmscc5Lkds9x/fDC788N8Hiz7X13CpB25GrbdfU3fCkO:oT5iTkds9hfs8zH+7X13CFfUKkO
Malware Config
Signatures
- Drops file in Windows directory (1 IoC)
  File opened for modification: C:\Windows\Debug\WIA\wiatrace.log (process: WINWORD.EXE)
- Office loads VBA resources, possible macro or embedded object present
- NTFS ADS (1 IoC)
  File opened for modification: C:\Users\Admin\AppData\Local\Temp\http:\bit.ly\2lording (process: WINWORD.EXE)
- Suspicious behavior: AddClipboardFormatListener (1 IoC)
  PID 2120, WINWORD.EXE
- Suspicious use of SetWindowsHookEx (3 IoCs)
  PID 2120, WINWORD.EXE (recorded 3 times)
- Suspicious use of WriteProcessMemory (4 IoCs)
  PID 2120 wrote to memory of 2740 (process: WINWORD.EXE, procid_target: 33; recorded 4 times)
Processes
1. C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE (PID 2120)
   Command line: "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\61e6f38067875e1f33a0de5d254fe760_JaffaCakes118.docm"
   - Drops file in Windows directory
   - NTFS ADS
   - Suspicious behavior: AddClipboardFormatListener
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\splwow64.exe (PID 2740, child of PID 2120)
      Command line: C:\Windows\splwow64.exe 12288
Network
MITRE ATT&CK Matrix
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{C49C13E8-CEE3-4D8A-96F7-24FB7F2D4D75}.FSD
  Filesize: 128KB
  MD5: b828329ea4d3a0ef1c85f0def202b162
  SHA1: ee42d0f6cd05b5eed81d4130e5aabef6cec6d46d
  SHA256: 10f52e1fbf53166ff2fa879894ad1b4b6a3bba39788992992f0a427aedb3557b
  SHA512: 3ee04e494885b2177b9f0fef4721f83a897bc081371d05b7d43ef7b70d089eec2f5fdd288992f24e88b001a4cc93bbb30bda8ae47aa56ea36fb53edea49ff925
- C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD
  Filesize: 128KB
  MD5: 4e322f0b25520194939546564760db47
  SHA1: cc504e76c79540ed857eacbe66090b928a843bf4
  SHA256: e8306695416b3b817721c7bf32c0897caa477c3c7bf7223766dfe15c10ce009f
  SHA512: a00255612a86b37f5ed691a4cba417897fb6128411c2ecad8e9e4afb1184e5a5597eb2fb8682586d85d7f73058404e6b8bfa102ce6250a8602280d37590226d7
- C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD
  Filesize: 128KB
  MD5: 836a5845d0cd9f2ed15dbc8368e3ed63
  SHA1: 5a352865e418052c644bac611f9c43cc81c6dc58
  SHA256: 1f17ca0f856c5b770b0ed0d5edefa00ccd78a374a9d3dd7c026a8d4278cf4d1e
  SHA512: 8d2f3c90cc85af71d335a0f4e653ef2839ec5f49603d830eacbfa07111d27e6b792be6c108466ff4ee68d3e7d302b7f3b64eb51398902aadade69d62594ab492
- C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{4A8CB67B-869B-46A7-9CED-A40F0F9604D5}.FSD
  Filesize: 128KB
  MD5: 0cde3d36e61eeab63ed79e8c27448d15
  SHA1: 45bedac99c8c630d53b6dca8d9f66519f9a86513
  SHA256: b676267fdd14f140667a9a52bd8b2638019b451d7b024aee4d1cdd5d47348fca
  SHA512: 0f03f2366a480d781ca3c451b0ff41378bdea14e9d7cfda1497f6c67694724ccfeb1109d15e45143f5acf74990a6a000d511f9fc87901ace6d248df67ceaca5f
- C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\2LF9I1AK\2lording[1].htm
  Filesize: 5KB
  MD5: 70332dd29d38db5ea36163ce9052b5c7
  SHA1: edb694b558edbaafafc0f83dc8ec0f44ca834ae1
  SHA256: dbb43e7ee60b955ebb162ec6e0988d95a915cf917233df4e3801e55a275c00b7
  SHA512: 5af05e19a722273eee9922dd528714f6e34e6d368349f15751b177cc5b171ebc031f0e8ad33a7ad5ae87b7993486b8fe0bda6fd788011cb4de260a940cc467a9
- (no path listed)
  Filesize: 40KB
  MD5: 802331c694264c39a2dfbc01198660c6
  SHA1: 1ac9666f59771d35ba57b18c04d8cc9a9c0b45f1
  SHA256: 4be8acc2702368bce2114132570119de36effc55f937e53b4d04598d609174bc
  SHA512: 2327341454f22b7157480ed0b40123e998048317a634fe326734b4634c4a87493c060c7d6b478719b817712be65a4e5f7fa8c860da7a3125e08fd7098a2a1f38
- (no path listed)
  Filesize: 128KB
  MD5: 5da0e69019f74dbe9a66e6e1e305e708
  SHA1: 0f4423b419a74ec09a6ca3f6aba72c6683e1c205
  SHA256: f83470181ca6169d02a9ea3186781ff9d1304295ff73809562ce912c5eb86091
  SHA512: a23549d91556110bade0cf4bbe5987f9f507682b0a05fd10fcec45a4ad3bf4ce85fd119f340a279a86fb5364ee9233656394911b87f91103e3d393e90fc46a2f