Analysis Overview
SHA256
8c5e85388c0223493a99740ef1c89b051f969bff20b51e25b7be4c92057c42bd
Threat Level: Likely malicious
The file 61e9024c8020e1d76b1d378b2c713f39_JaffaCakes118 was found to be: Likely malicious.
Malicious Activity Summary
Office macro that triggers on suspicious action
Suspicious Office macro
Office loads VBA resources, possible macro or embedded object present
Checks processor information in registry
Enumerates system info in registry
Suspicious behavior: AddClipboardFormatListener
Suspicious use of SetWindowsHookEx
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-07-21 23:44
Signatures
Office macro that triggers on suspicious action
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious Office macro
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-07-21 23:44
Reported
2024-07-21 23:46
Platform
win7-20240705-en
Max time kernel
144s
Max time network
121s
Command Line
Signatures
Office loads VBA resources, possible macro or embedded object present
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
Processes
C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\61e9024c8020e1d76b1d378b2c713f39_JaffaCakes118.xls
Network
Files
memory/2660-0-0x000000005FFF0000-0x0000000060000000-memory.dmp
memory/2660-1-0x000000007249D000-0x00000000724A8000-memory.dmp
memory/2660-10-0x0000000005DE0000-0x0000000005EE0000-memory.dmp
memory/2660-11-0x000000007249D000-0x00000000724A8000-memory.dmp
memory/2660-12-0x0000000005DE0000-0x0000000005EE0000-memory.dmp
memory/2660-17-0x0000000005DE0000-0x0000000005EE0000-memory.dmp
memory/2660-18-0x0000000005DE0000-0x0000000005EE0000-memory.dmp
memory/2660-19-0x0000000005DE0000-0x0000000005EE0000-memory.dmp
memory/2660-20-0x0000000005DE0000-0x0000000005EE0000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-07-21 23:44
Reported
2024-07-21 23:46
Platform
win10v2004-20240709-en
Max time kernel
116s
Max time network
132s
Command Line
Signatures
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Suspicious use of SetWindowsHookEx
Processes
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\61e9024c8020e1d76b1d378b2c713f39_JaffaCakes118.xls"
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | roaming.officeapps.live.com | udp |
| GB | 52.109.28.47:443 | roaming.officeapps.live.com | tcp |
| US | 8.8.8.8:53 | 240.143.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 47.28.109.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 3.173.189.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
Files
memory/856-0-0x00007FFBB18F0000-0x00007FFBB1900000-memory.dmp
memory/856-2-0x00007FFBB18F0000-0x00007FFBB1900000-memory.dmp
memory/856-1-0x00007FFBB18F0000-0x00007FFBB1900000-memory.dmp
memory/856-3-0x00007FFBF190D000-0x00007FFBF190E000-memory.dmp
memory/856-4-0x00007FFBB18F0000-0x00007FFBB1900000-memory.dmp
memory/856-5-0x00007FFBB18F0000-0x00007FFBB1900000-memory.dmp
memory/856-8-0x00007FFBF1870000-0x00007FFBF1A65000-memory.dmp
memory/856-10-0x00007FFBF1870000-0x00007FFBF1A65000-memory.dmp
memory/856-11-0x00007FFBF1870000-0x00007FFBF1A65000-memory.dmp
memory/856-9-0x00007FFBF1870000-0x00007FFBF1A65000-memory.dmp
memory/856-12-0x00007FFBAF230000-0x00007FFBAF240000-memory.dmp
memory/856-7-0x00007FFBF1870000-0x00007FFBF1A65000-memory.dmp
memory/856-6-0x00007FFBF1870000-0x00007FFBF1A65000-memory.dmp
memory/856-13-0x00007FFBAF230000-0x00007FFBAF240000-memory.dmp
memory/856-14-0x00007FFBF1870000-0x00007FFBF1A65000-memory.dmp
memory/856-16-0x00007FFBF1870000-0x00007FFBF1A65000-memory.dmp
memory/856-17-0x00007FFBF1870000-0x00007FFBF1A65000-memory.dmp
memory/856-15-0x00007FFBF1870000-0x00007FFBF1A65000-memory.dmp
memory/856-44-0x00007FFBF1870000-0x00007FFBF1A65000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms
| MD5 | 14a510213402e2f7e6f0e0ff54038aa3 |
| SHA1 | 759fd331dda1715ab55611b6761ab4743eca3b8d |
| SHA256 | 88b4257992c2b50939f0e830fd3fb6dfce5001d7ac27a421c1bdb67f87c05d2e |
| SHA512 | 10f8c927009f067e9d88929affe890e20aee3a914bfd4e8dff0d1cf6df7ea5151597a3bbf18749f48e5a0c872e9634f74246d59cb04fae290766dc8322543aec |
memory/856-56-0x00007FFBF1870000-0x00007FFBF1A65000-memory.dmp
memory/856-73-0x00007FFBF1870000-0x00007FFBF1A65000-memory.dmp
memory/856-83-0x00007FFBF1870000-0x00007FFBF1A65000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml
| MD5 | edc5bbd89d21bff468e2b1bc6a6cad11 |
| SHA1 | b5a3588cc1c3274357eefae826f9de1876e4def4 |
| SHA256 | 7c8ecd6695962fe29434fae9505f932f5f4b94196045cf6535566180ac50e0af |
| SHA512 | 57c5fb3a4bfbef6c6a9e2c1a8e3c00debec585c2e86857206c7f3ebd349b2436b9d9d6a6032ee0dc76cee44243766e4399cce9d0884abd2e47efb2b799d415f4 |
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\5C13CAC9-56B9-4C50-A91C-DD599925C15D
| MD5 | a04913eabf787bb12998da13056e522d |
| SHA1 | fe83d5244fb41103fc469e41ed28184fcb857484 |
| SHA256 | 647442a6946ee43a21f25c95fc5901bdd69173eadbbbff6d0542f588266126a7 |
| SHA512 | a8cc1ae6fec9018dfd27c5cd14baadb97f920af5f136470c0ba9c53f967f0762123584dd1ba3aeefb668a60f6e8816e393bc5e398eeaf5e3c298464fda42a3dd |
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\49dbe2955480c7f6ef8cec9c4320c9868d9293fd.tbres
| MD5 | 01e2da6e251f229896bcc51cb8039510 |
| SHA1 | f04e160b793784d2fff8f7b90562fcaf6cf19200 |
| SHA256 | d76f76c618b8bfdfa4d844b08cb1bc69d70e4b0c9238666bd71f15a9bb9ea0ee |
| SHA512 | 0382224692faf5fd4ab9faed7899c27daf31926995677f9bcc0b1ace2f0d85b0bb66dc6b7090e08810b6d66d4b1673603f2246a57c5efc55b04ad71775da03e9 |
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres
| MD5 | 7af03b98552668f9729929341f836b98 |
| SHA1 | c9385b1579802a5e2d12264ee9c98eb31c0d5f4d |
| SHA256 | ef3f6001754cf727bbecc4f1855b496cb7d04de9e30a5bacc6fbff5902021e19 |
| SHA512 | 4b9e0d16b0cd6a2fcae776928eb46d28cae1ed3d96ea75e724e49f771ea4790e25759bfa1ce6d15787889b59dbda9698bbb43df872bb6a7aa80d4addec6157b3 |
C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\excel.exe.db-wal
| MD5 | d2bfdd1833b9f6d5d200509296a936ad |
| SHA1 | 1b13f78b69a2fa7387a57ef0a6eedd9c95fc566a |
| SHA256 | 4fb81117fa02b817263e9830f50293669fa9ce269734cf2f4d632c9a3003737d |
| SHA512 | 4f39d0032a81762ddac10ae622ddc4e3310fb504228ba774b09dd99ad5d1542679c4bb1509151fd09466bfa38fc643eaf04f2eca309d68e1fa3d6d8f75bf2d7c |
C:\Users\Admin\AppData\Local\Microsoft\Office\DLP\mip\logs\mip_sdk.miplog
| MD5 | 3958cbe29bfb90e34e8e983fa4d2189a |
| SHA1 | 1dde06e4a63dba5b1ab53254829ce8bf2f34dc9b |
| SHA256 | a894c3e0206bd210985431f19a097541215b97f69f83704dde0f555b17f34d67 |
| SHA512 | e570a197ff3996e5e83d4832a202a74a035d9b0ac6cd84a49239e90c44a540af8c4f1d712492ebd0049a481b73131ddf9bdce388c9120ad733a187c488cf4e3b |
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat
| MD5 | 0ef85bfebd184e60c19d3b6ddf6f5fc1 |
| SHA1 | 686505a0c1177b5195dfb189a0cdf60ddbe18533 |
| SHA256 | 80bffaa7c30150dc54d9ded8128e59223ca1b1cfb2fef42f7206e47f533b858e |
| SHA512 | 306085b8c5a194a684a1a2867c11ebc04735b3b19b994acf60c1ae00e01cbb046f1272a0f018db274d3c27a419076a396a50b4d931d532cb67319fc93aaaefbf |
memory/2588-173-0x00007FFBB18F0000-0x00007FFBB1900000-memory.dmp
memory/2588-174-0x00007FFBB18F0000-0x00007FFBB1900000-memory.dmp
memory/2588-175-0x00007FFBB18F0000-0x00007FFBB1900000-memory.dmp
memory/2588-172-0x00007FFBB18F0000-0x00007FFBB1900000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\excel.exe.db-wal
| MD5 | 1d1442c2a80852f71c43338a2b650650 |
| SHA1 | 1bd6e495ad9bf1f1381fb1d6ae6d7ffb9aebac3b |
| SHA256 | 7ea48a7312ffa07fc0ea61e9fb5199d20bba0fa1cc69fd54744294d33e4b911b |
| SHA512 | e10d88eb828c13fea8a41cc6384e2a34fa9d95b20c76027dd951edac81b3cccdee79bdf6bc2b0ac38b165aec544fdb69d71ed1088aa8a4e630a45b858776ac7d |
memory/856-184-0x00007FFBF1870000-0x00007FFBF1A65000-memory.dmp