Malware Analysis Report

2025-01-22 19:16

Sample ID 240721-3ra75a1ble
Target 61e9024c8020e1d76b1d378b2c713f39_JaffaCakes118
SHA256 8c5e85388c0223493a99740ef1c89b051f969bff20b51e25b7be4c92057c42bd
Tags
macro macro_on_action
score
8/10


Analysis Overview

score
8/10

SHA256

8c5e85388c0223493a99740ef1c89b051f969bff20b51e25b7be4c92057c42bd

Threat Level: Likely malicious

The file 61e9024c8020e1d76b1d378b2c713f39_JaffaCakes118 was found to be: Likely malicious.

Malicious Activity Summary

macro macro_on_action

Office macro that triggers on suspicious action

Suspicious Office macro

Office loads VBA resources, possible macro or embedded object present

Checks processor information in registry

Enumerates system info in registry

Suspicious behavior: AddClipboardFormatListener

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-07-21 23:44

Signatures

Office macro that triggers on suspicious action

macro macro_on_action
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Suspicious Office macro

macro
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-21 23:44

Reported

2024-07-21 23:46

Platform

win7-20240705-en

Max time kernel

144s

Max time network

121s

Command Line

"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\61e9024c8020e1d76b1d378b2c713f39_JaffaCakes118.xls

Signatures

Office loads VBA resources, possible macro or embedded object present

Enumerates system info in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A

Suspicious behavior: AddClipboardFormatListener

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A

Processes

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\61e9024c8020e1d76b1d378b2c713f39_JaffaCakes118.xls

Network

N/A

Files

memory/2660-0-0x000000005FFF0000-0x0000000060000000-memory.dmp

memory/2660-1-0x000000007249D000-0x00000000724A8000-memory.dmp

memory/2660-10-0x0000000005DE0000-0x0000000005EE0000-memory.dmp

memory/2660-11-0x000000007249D000-0x00000000724A8000-memory.dmp

memory/2660-12-0x0000000005DE0000-0x0000000005EE0000-memory.dmp

memory/2660-17-0x0000000005DE0000-0x0000000005EE0000-memory.dmp

memory/2660-18-0x0000000005DE0000-0x0000000005EE0000-memory.dmp

memory/2660-19-0x0000000005DE0000-0x0000000005EE0000-memory.dmp

memory/2660-20-0x0000000005DE0000-0x0000000005EE0000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-21 23:44

Reported

2024-07-21 23:46

Platform

win10v2004-20240709-en

Max time kernel

116s

Max time network

132s

Command Line

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\61e9024c8020e1d76b1d378b2c713f39_JaffaCakes118.xls"

Signatures

Checks processor information in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A

Enumerates system info in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A

Suspicious behavior: AddClipboardFormatListener

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A

Processes

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\61e9024c8020e1d76b1d378b2c713f39_JaffaCakes118.xls"

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp
US | 8.8.8.8:53 | roaming.officeapps.live.com | udp
GB | 52.109.28.47:443 | roaming.officeapps.live.com | tcp
US | 8.8.8.8:53 | 240.143.123.92.in-addr.arpa | udp
US | 8.8.8.8:53 | 47.28.109.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 133.32.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | g.bing.com | udp
US | 204.79.197.237:443 | g.bing.com | tcp
US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp
US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 3.173.189.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp
US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp

Files

memory/856-0-0x00007FFBB18F0000-0x00007FFBB1900000-memory.dmp

memory/856-2-0x00007FFBB18F0000-0x00007FFBB1900000-memory.dmp

memory/856-1-0x00007FFBB18F0000-0x00007FFBB1900000-memory.dmp

memory/856-3-0x00007FFBF190D000-0x00007FFBF190E000-memory.dmp

memory/856-4-0x00007FFBB18F0000-0x00007FFBB1900000-memory.dmp

memory/856-5-0x00007FFBB18F0000-0x00007FFBB1900000-memory.dmp

memory/856-8-0x00007FFBF1870000-0x00007FFBF1A65000-memory.dmp

memory/856-10-0x00007FFBF1870000-0x00007FFBF1A65000-memory.dmp

memory/856-11-0x00007FFBF1870000-0x00007FFBF1A65000-memory.dmp

memory/856-9-0x00007FFBF1870000-0x00007FFBF1A65000-memory.dmp

memory/856-12-0x00007FFBAF230000-0x00007FFBAF240000-memory.dmp

memory/856-7-0x00007FFBF1870000-0x00007FFBF1A65000-memory.dmp

memory/856-6-0x00007FFBF1870000-0x00007FFBF1A65000-memory.dmp

memory/856-13-0x00007FFBAF230000-0x00007FFBAF240000-memory.dmp

memory/856-14-0x00007FFBF1870000-0x00007FFBF1A65000-memory.dmp

memory/856-16-0x00007FFBF1870000-0x00007FFBF1A65000-memory.dmp

memory/856-17-0x00007FFBF1870000-0x00007FFBF1A65000-memory.dmp

memory/856-15-0x00007FFBF1870000-0x00007FFBF1A65000-memory.dmp

memory/856-44-0x00007FFBF1870000-0x00007FFBF1A65000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms

MD5 14a510213402e2f7e6f0e0ff54038aa3
SHA1 759fd331dda1715ab55611b6761ab4743eca3b8d
SHA256 88b4257992c2b50939f0e830fd3fb6dfce5001d7ac27a421c1bdb67f87c05d2e
SHA512 10f8c927009f067e9d88929affe890e20aee3a914bfd4e8dff0d1cf6df7ea5151597a3bbf18749f48e5a0c872e9634f74246d59cb04fae290766dc8322543aec

memory/856-56-0x00007FFBF1870000-0x00007FFBF1A65000-memory.dmp

memory/856-73-0x00007FFBF1870000-0x00007FFBF1A65000-memory.dmp

memory/856-83-0x00007FFBF1870000-0x00007FFBF1A65000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml

MD5 edc5bbd89d21bff468e2b1bc6a6cad11
SHA1 b5a3588cc1c3274357eefae826f9de1876e4def4
SHA256 7c8ecd6695962fe29434fae9505f932f5f4b94196045cf6535566180ac50e0af
SHA512 57c5fb3a4bfbef6c6a9e2c1a8e3c00debec585c2e86857206c7f3ebd349b2436b9d9d6a6032ee0dc76cee44243766e4399cce9d0884abd2e47efb2b799d415f4

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\5C13CAC9-56B9-4C50-A91C-DD599925C15D

MD5 a04913eabf787bb12998da13056e522d
SHA1 fe83d5244fb41103fc469e41ed28184fcb857484
SHA256 647442a6946ee43a21f25c95fc5901bdd69173eadbbbff6d0542f588266126a7
SHA512 a8cc1ae6fec9018dfd27c5cd14baadb97f920af5f136470c0ba9c53f967f0762123584dd1ba3aeefb668a60f6e8816e393bc5e398eeaf5e3c298464fda42a3dd

C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\49dbe2955480c7f6ef8cec9c4320c9868d9293fd.tbres

MD5 01e2da6e251f229896bcc51cb8039510
SHA1 f04e160b793784d2fff8f7b90562fcaf6cf19200
SHA256 d76f76c618b8bfdfa4d844b08cb1bc69d70e4b0c9238666bd71f15a9bb9ea0ee
SHA512 0382224692faf5fd4ab9faed7899c27daf31926995677f9bcc0b1ace2f0d85b0bb66dc6b7090e08810b6d66d4b1673603f2246a57c5efc55b04ad71775da03e9

C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres

MD5 7af03b98552668f9729929341f836b98
SHA1 c9385b1579802a5e2d12264ee9c98eb31c0d5f4d
SHA256 ef3f6001754cf727bbecc4f1855b496cb7d04de9e30a5bacc6fbff5902021e19
SHA512 4b9e0d16b0cd6a2fcae776928eb46d28cae1ed3d96ea75e724e49f771ea4790e25759bfa1ce6d15787889b59dbda9698bbb43df872bb6a7aa80d4addec6157b3

C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\excel.exe.db-wal

MD5 d2bfdd1833b9f6d5d200509296a936ad
SHA1 1b13f78b69a2fa7387a57ef0a6eedd9c95fc566a
SHA256 4fb81117fa02b817263e9830f50293669fa9ce269734cf2f4d632c9a3003737d
SHA512 4f39d0032a81762ddac10ae622ddc4e3310fb504228ba774b09dd99ad5d1542679c4bb1509151fd09466bfa38fc643eaf04f2eca309d68e1fa3d6d8f75bf2d7c

C:\Users\Admin\AppData\Local\Microsoft\Office\DLP\mip\logs\mip_sdk.miplog

MD5 3958cbe29bfb90e34e8e983fa4d2189a
SHA1 1dde06e4a63dba5b1ab53254829ce8bf2f34dc9b
SHA256 a894c3e0206bd210985431f19a097541215b97f69f83704dde0f555b17f34d67
SHA512 e570a197ff3996e5e83d4832a202a74a035d9b0ac6cd84a49239e90c44a540af8c4f1d712492ebd0049a481b73131ddf9bdce388c9120ad733a187c488cf4e3b

C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

MD5 0ef85bfebd184e60c19d3b6ddf6f5fc1
SHA1 686505a0c1177b5195dfb189a0cdf60ddbe18533
SHA256 80bffaa7c30150dc54d9ded8128e59223ca1b1cfb2fef42f7206e47f533b858e
SHA512 306085b8c5a194a684a1a2867c11ebc04735b3b19b994acf60c1ae00e01cbb046f1272a0f018db274d3c27a419076a396a50b4d931d532cb67319fc93aaaefbf

memory/2588-173-0x00007FFBB18F0000-0x00007FFBB1900000-memory.dmp

memory/2588-174-0x00007FFBB18F0000-0x00007FFBB1900000-memory.dmp

memory/2588-175-0x00007FFBB18F0000-0x00007FFBB1900000-memory.dmp

memory/2588-172-0x00007FFBB18F0000-0x00007FFBB1900000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\excel.exe.db-wal

MD5 1d1442c2a80852f71c43338a2b650650
SHA1 1bd6e495ad9bf1f1381fb1d6ae6d7ffb9aebac3b
SHA256 7ea48a7312ffa07fc0ea61e9fb5199d20bba0fa1cc69fd54744294d33e4b911b
SHA512 e10d88eb828c13fea8a41cc6384e2a34fa9d95b20c76027dd951edac81b3cccdee79bdf6bc2b0ac38b165aec544fdb69d71ed1088aa8a4e630a45b858776ac7d

memory/856-184-0x00007FFBF1870000-0x00007FFBF1A65000-memory.dmp