Malware Analysis Report

2025-01-22 19:08

Sample ID: 240723-lhsblsyeqd
Target: 6707a339e2ba210cce35fef5cc69dbd4_JaffaCakes118
SHA256: 9ae7d3838afcb4c79b2886cc51dd7600174234603c9008a096c11babd2ed62af
Tags: macro, macro_on_action
Score: 8/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score
8/10

SHA256

9ae7d3838afcb4c79b2886cc51dd7600174234603c9008a096c11babd2ed62af

Threat Level: Likely malicious

The file 6707a339e2ba210cce35fef5cc69dbd4_JaffaCakes118 was found to be: Likely malicious.

Malicious Activity Summary

macro macro_on_action

Suspicious Office macro

Office macro that triggers on suspicious action

Abuses OpenXML format to download file from external location

Drops file in Windows directory

Office loads VBA resources, possible macro or embedded object present

Suspicious use of WriteProcessMemory

Checks processor information in registry

Suspicious use of AdjustPrivilegeToken

Modifies registry class

Enumerates system info in registry

Suspicious behavior: AddClipboardFormatListener

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-07-23 09:32

Signatures

Office macro that triggers on suspicious action

macro macro_on_action
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Suspicious Office macro

macro
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-23 09:32

Reported

2024-07-23 10:08

Platform

win10v2004-20240704-en

Max time kernel

145s

Max time network

148s

Command Line

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\6707a339e2ba210cce35fef5cc69dbd4_JaffaCakes118.doc" /o ""

Signatures

Checks processor information in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A

Enumerates system info in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeAuditPrivilege | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A
Token: SeAuditPrivilege | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A (7 identical rows)
N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A (4 identical rows)
N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A (10 identical rows)
N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A (4 identical rows)

Processes

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\6707a339e2ba210cce35fef5cc69dbd4_JaffaCakes118.doc" /o ""

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /Automation -Embedding

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 46.28.109.52.in-addr.arpa | udp
US | 8.8.8.8:53 | roaming.officeapps.live.com | udp
IE | 52.109.76.243:443 | roaming.officeapps.live.com | tcp
US | 8.8.8.8:53 | 149.177.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 243.76.109.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 81.144.22.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp
US | 8.8.8.8:53 | 9.173.189.20.in-addr.arpa | udp
US | 8.8.8.8:53 | metadata.templates.cdn.office.net | udp
GB | 23.40.43.41:443 | metadata.templates.cdn.office.net | tcp
US | 8.8.8.8:53 | binaries.templates.cdn.office.net | udp
GB | 173.222.211.57:443 | binaries.templates.cdn.office.net | tcp (53 identical connections)
US | 8.8.8.8:53 | 41.43.40.23.in-addr.arpa | udp
US | 8.8.8.8:53 | 57.211.222.173.in-addr.arpa | udp
US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp
US | 8.8.8.8:53 | intellimagi.com | udp
US | 8.8.8.8:53 | 90.65.42.20.in-addr.arpa | udp
US | 8.8.8.8:53 | intellimagi.com | udp
US | 8.8.8.8:53 | 105.193.132.51.in-addr.arpa | udp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp (5 identical connections)

Files

memory/1000-0-0x00007FFE621D0000-0x00007FFE621E0000-memory.dmp

memory/1000-1-0x00007FFE621D0000-0x00007FFE621E0000-memory.dmp

memory/1000-4-0x00007FFE621D0000-0x00007FFE621E0000-memory.dmp

memory/1000-3-0x00007FFE621D0000-0x00007FFE621E0000-memory.dmp

memory/1000-2-0x00007FFE621D0000-0x00007FFE621E0000-memory.dmp

memory/1000-6-0x00007FFEA2150000-0x00007FFEA2345000-memory.dmp

memory/1000-5-0x00007FFEA21ED000-0x00007FFEA21EE000-memory.dmp

memory/1000-7-0x00007FFEA2150000-0x00007FFEA2345000-memory.dmp

memory/1000-8-0x00007FFEA2150000-0x00007FFEA2345000-memory.dmp

memory/1000-9-0x00007FFE5FFB0000-0x00007FFE5FFC0000-memory.dmp

memory/1000-10-0x00007FFEA2150000-0x00007FFEA2345000-memory.dmp

memory/1000-11-0x00007FFEA2150000-0x00007FFEA2345000-memory.dmp

memory/1000-12-0x00007FFEA2150000-0x00007FFEA2345000-memory.dmp

memory/1000-13-0x00007FFE5FFB0000-0x00007FFE5FFC0000-memory.dmp

memory/1000-16-0x00007FFEA2150000-0x00007FFEA2345000-memory.dmp

memory/1000-17-0x00007FFEA2150000-0x00007FFEA2345000-memory.dmp

memory/1000-20-0x00007FFEA2150000-0x00007FFEA2345000-memory.dmp

memory/1000-23-0x00007FFEA2150000-0x00007FFEA2345000-memory.dmp

memory/1000-22-0x00007FFEA2150000-0x00007FFEA2345000-memory.dmp

memory/1000-21-0x00007FFEA2150000-0x00007FFEA2345000-memory.dmp

memory/1000-19-0x00007FFEA2150000-0x00007FFEA2345000-memory.dmp

memory/1000-18-0x00007FFEA2150000-0x00007FFEA2345000-memory.dmp

memory/1000-15-0x00007FFEA2150000-0x00007FFEA2345000-memory.dmp

memory/1000-14-0x00007FFEA2150000-0x00007FFEA2345000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC

MD5 d29962abc88624befc0135579ae485ec
SHA1 e40a6458296ec6a2427bcb280572d023a9862b31
SHA256 a91a702aab9b8dd722843d3d208a21bcfa6556dfc64e2ded63975de4511eb866
SHA512 4311e87d8d5559248d4174908817a4ddc917bf7378114435cf12da8ccb7a1542c851812afbaf7dc106771bdb2e2d05f52e7d0c50d110fc7fffe4395592492c2f

memory/1000-300-0x00007FFEA2150000-0x00007FFEA2345000-memory.dmp

memory/1000-302-0x00007FFEA2150000-0x00007FFEA2345000-memory.dmp

memory/1000-301-0x00007FFEA2150000-0x00007FFEA2345000-memory.dmp

memory/1000-312-0x00007FFEA2150000-0x00007FFEA2345000-memory.dmp

memory/1000-325-0x00007FFEA2150000-0x00007FFEA2345000-memory.dmp

memory/1000-324-0x00007FFEA2150000-0x00007FFEA2345000-memory.dmp

memory/1000-322-0x00007FFEA2150000-0x00007FFEA2345000-memory.dmp

memory/1000-323-0x00007FFEA2150000-0x00007FFEA2345000-memory.dmp

memory/1000-326-0x00007FFEA2150000-0x00007FFEA2345000-memory.dmp

memory/1000-559-0x00007FFEA2150000-0x00007FFEA2345000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\4A5FAB49-EB8B-49FD-B759-5AB909F036B7

MD5 8bc898b3b019bb29293fb61367154623
SHA1 1bb1ad3e1747de73473f0f93c53f9625a71c3f8c
SHA256 c6cf5b69e36bdfd81a6ddec328faef61163cb601ad50e5bb77ce2d814dd93997
SHA512 60f4afcdbf6a60fbe390a0530f50151c717cf6ea093a182ad9b87ad3cc6c042543df1db954b3bf2d1d67809781b3c0c4590903cc8c5f2206ae71510e2223f43c

C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\49dbe2955480c7f6ef8cec9c4320c9868d9293fd.tbres

MD5 4089d216220241f859653bb67a22311e
SHA1 002028209474b70570d6eb119417b0a26880ddcb
SHA256 9d1f2b817419d3e3835803682bc685b2b8bccfa069ee7d3ee8fc7089275648ab
SHA512 9a443d526731d84f3e650a9782744baabe5e13baddb059ce1ed58941864385f4361c543e08259cfd6640452dd638e8c23c31343cded7c5fab560debec5b94d4f

C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres

MD5 2f69e62fb5f409732c3c511c2cb2445d
SHA1 b6cf73319dd5d351614359dcd256d6a9906b0120
SHA256 cf97072642e6470aada58992e6746cb27beca90cafc89fc4e18af18ad65c7dce
SHA512 5edee7ade69dbf53183cde758ce83bdd492360b076e0a1fbfcd74585f91a10503d9f49f5061603778b43a614f833abe03de389f13e384cfb21359aba2fe3b845

C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\winword.exe.db-wal

MD5 edb73b62e6cdf4f713f81f24a5747fb3
SHA1 8a5586e86908534820c79fb7d1f3bce6bc21df58
SHA256 cfd12db8d5e5cfa3fd4ba2ba47c9a1cf018fc58e6af5b7e4fd8a670419fd0749
SHA512 513d9e7f072a857da9bc3137c1912faa5d0a9b0a7d7512d426be10e49df4cb1acaa00943456f6cd8f9d5e097e8d430e8c9f856c536b03bf08e90e162daf267ee

C:\Users\Admin\AppData\Local\Microsoft\Office\DLP\mip\logs\mip_sdk.miplog

MD5 db9b614064eddffa13cfc83bfec531a0
SHA1 50b3b4369ed2875d6a0ac51ae9b09238fef270c4
SHA256 de59f50a4df9017c39e5b9306a172643c407a1db534c0ab27bdce489295f4512
SHA512 b4bd571fc2a61594cce43d4b9176cd3d3fb9760ac38cbbb8a96a281158ae1791357a4b90d03525f37faac24eae1fbd8ef40755203143e9203ae0a72daab8b9b9

C:\Users\Admin\AppData\Local\Temp\VBE\MSForms.exd

MD5 267c63347d18351e16ff53f72407708e
SHA1 0bde32c60caff3e3a9c8ed6ed823c179e71e3067
SHA256 44d2d5f1fcbbdfd15c609d5f1cee5f2fb706aa5d73740bffca0d02c4d0310d05
SHA512 1607ba990b35aea33e5061b44637719430575c0d0ff7af7818399f5c456edfc315ccf828b3bf52bdabb87b5623a55ff09ee14aa01d8c7c827edbc1a2ef168a51

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml

MD5 134b5d4a84513e5eeb66a38d4d3f82a9
SHA1 2ec0f004224095eaf70c72840c6355b518ec4f63
SHA256 f955542de1f4e77a0035c3d55f923ea3005c677f968b93268c4387aa9f5a38bb
SHA512 b47f7e97b53dfe56852d0889dc0f18542f47f69b1009b78d69ab8c512b79ec25b01fd01cdd22279c2ec54267156bb99417b3bb2a26bed0b4935260a625d8aabb

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\OfficeFileCache\CentralTable.accdb

MD5 bf58ed661baa142a92d3468f7da2ea2b
SHA1 8e65af0335800a050ddd17210a702b9b242a038c
SHA256 13771d5625595e9acaff2f2062892daacd8e385252f8a9d41d9cf416460afd91
SHA512 8241c2a7dec48c1d7ef3363d12cb4d07b25bf821f71ca8d25370e458a583ce2fd2d7e85eebd344f39e6d125bc73ff5989042658562a195393e0bab356d82c427

memory/1056-2389-0x00007FFE621D0000-0x00007FFE621E0000-memory.dmp

memory/1056-2387-0x00007FFE621D0000-0x00007FFE621E0000-memory.dmp

memory/1056-2388-0x00007FFE621D0000-0x00007FFE621E0000-memory.dmp

memory/1056-2386-0x00007FFE621D0000-0x00007FFE621E0000-memory.dmp

memory/1000-2402-0x00007FFEA2150000-0x00007FFEA2345000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.Settings.json

MD5 e4e83f8123e9740b8aa3c3dfa77c1c04
SHA1 5281eae96efde7b0e16a1d977f005f0d3bd7aad0
SHA256 6034f27b0823b2a6a76fe296e851939fd05324d0af9d55f249c79af118b0eb31
SHA512 bd6b33fd2bbce4a46991bc0d877695d16f7e60b1959a0defc79b627e569e5c6cac7b4ad4e3e1d8389a08584602a51cf84d44cf247f03beb95f7d307fbba12bb9

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.GovernedChannelStates.json

MD5 c56ff60fbd601e84edd5a0ff1010d584
SHA1 342abb130dabeacde1d8ced806d67a3aef00a749
SHA256 200e8cc8dd12e22c9720be73092eafb620435d4569dbdcdba9404ace2aa4343c
SHA512 acd2054fddb33b55b58b870edd4eb6a3cdd3131dfe6139cb3d27054ac2b2a460694c9be9c2a1da0f85606e95e7f393cf16868b6c654e78a664799bc3418da86e

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.SurveyHistoryStats.json

MD5 6ca4960355e4951c72aa5f6364e459d5
SHA1 2fd90b4ec32804dff7a41b6e63c8b0a40b592113
SHA256 88301f0b7e96132a2699a8bce47d120855c7f0a37054540019e3204d6bcbaba3
SHA512 8544cd778717788b7484faf2001f463320a357db63cb72715c1395ef19d32eec4278bab07f15de3f4fed6af7e4f96c41908a0c45be94d5cdd8121877eccf310d

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.CampaignStates.json

MD5 f1b59332b953b3c99b3c95a44249c0d2
SHA1 1b16a2ca32bf8481e18ff8b7365229b598908991
SHA256 138e49660d259061d8152137abd8829acdfb78b69179890beb489fe3ffe23e0c
SHA512 3c1f99ecc394df3741be875fbe8d95e249d1d9ac220805794a22caf81620d5fdd3cce19260d94c0829b3160b28a2b4042e46b56398e60f72134e49254e9679a4

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9

MD5 c25fa00d2d50c763284dc06088a9ce8b
SHA1 ded8a9c797ea71730b30317ee314050503f2a2dc
SHA256 47bc3bd953888b201be49187a14c2e959c2b756b725928c6bb1d9be87ebd9bf5
SHA512 b5b4be49ee0f75afbe48a9d9d3c39feb74d9510d45a5d315d1cdfd52f9f8c0bc1fba633667dff0ec898ba403aa025c5a3d8326e952211953eedc9217496ee526

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9

MD5 455fde0a67fd79edd039481e4f208306
SHA1 88b2c33d28754a506453f9239139b6236747fc9f
SHA256 c0001bdb34764f3bc3b95ce90368f62619a9a0984655cf98e16adbd076953189
SHA512 c1d478207bad9b731a88bbdfaeefbfa54baad252db746662e8621cfd8803ec6a8b42b975e7546412f713da54aae388df32d9c44b41e5aebee4d0527a89a4bc77

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-23 09:32

Reported

2024-07-23 10:10

Platform

win7-20240705-en

Max time kernel

149s

Max time network

142s

Command Line

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\6707a339e2ba210cce35fef5cc69dbd4_JaffaCakes118.doc"

Signatures

Abuses OpenXML format to download file from external location

Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Office\14.0\Common | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key opened | \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Office\Common\Offline\Files\https://intellimagi.com/lli.php?MwzNgcYc6H3L7XnNeYcZkeQ9MB4q1vxT:Qn399335 | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Key opened | \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Office\Common\Offline\Files\https://intellimagi.com/lli.php?MwzNgcYc6H3L7XnNeYcZkeQ9MB4q1vxT:Qn399335 | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Key opened | \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Office\Common\Offline\Files\https://intellimagi.com/lli.php?MwzNgcYc6H3L7XnNeYcZkeQ9MB4q1vxT:Qn399335 | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\Debug\WIA\wiatrace.log | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A

Office loads VBA resources, possible macro or embedded object present

Enumerates system info in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F969EB39-8BFC-4B58-88FE-FBE940E41FA3}\2.0\HELPDIR | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\Interface\{8A683C90-BA84-11CF-8110-00A0C9030074} | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\Interface\{5512D111-5CC6-11CF-8D67-00AA00BDCE1D} | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\Wow6432Node\Interface\{5512D119-5CC6-11CF-8D67-00AA00BDCE1D} | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\Wow6432Node\Interface\{BEF6E003-A874-101A-8BBA-00AA00300CAB} | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\Interface\{04598FC1-866C-11CF-AB7C-00AA00C08FCF}\ = "ILabelControl" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F969EB39-8BFC-4B58-88FE-FBE940E41FA3} | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\Wow6432Node\Interface\{8A683C90-BA84-11CF-8110-00A0C9030074} | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\Interface\{8BD21D22-EC42-11CE-9E0D-00AA006002F3} | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\Interface\{47FF8FE4-6198-11CF-8CE8-00AA006CB389} | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F969EB39-8BFC-4B58-88FE-FBE940E41FA3}\2.0\FLAGS | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\Wow6432Node\Interface\{04598FC7-866C-11CF-AB7C-00AA00C08FCF} | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\Wow6432Node\Interface\{8BD21D22-EC42-11CE-9E0D-00AA006002F3}\ = "MdcListEvents" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\Wow6432Node\Interface\{47FF8FE4-6198-11CF-8CE8-00AA006CB389} | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\Interface\{7B020EC7-AF6C-11CE-9F46-00AA00574A4F}\ = "TabStripEvents" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\Wow6432Node\Interface | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\Wow6432Node\Interface\{5512D111-5CC6-11CF-8D67-00AA00BDCE1D} | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\Wow6432Node\Interface\{5512D125-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLTextArea" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\Interface\{7B020EC1-AF6C-11CE-9F46-00AA00574A4F}\ = "CommandButtonEvents" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\Wow6432Node\Interface\{4C5992A5-6926-101B-9992-00000B65C6F9}\ = "ImageEvents" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F969EB39-8BFC-4B58-88FE-FBE940E41FA3}\2.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\VBE\\MSForms.exd" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\Wow6432Node\Interface\{04598FC4-866C-11CF-AB7C-00AA00C08FCF} | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\Interface\{5512D117-5CC6-11CF-8D67-00AA00BDCE1D} | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\Interface\{8BD21D42-EC42-11CE-9E0D-00AA006002F3}\ = "MdcCheckBoxEvents" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\TypeLib\{F969EB39-8BFC-4B58-88FE-FBE940E41FA3}\2.0\FLAGS | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\Interface\{04598FC4-866C-11CF-AB7C-00AA00C08FCF}\ = "ICommandButton" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\Interface\{8BD21D13-EC42-11CE-9E0D-00AA006002F3} | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\Wow6432Node\Interface\{8BD21D12-EC42-11CE-9E0D-00AA006002F3}\ = "MdcTextEvents" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\Wow6432Node\Interface\{8BD21D62-EC42-11CE-9E0D-00AA006002F3}\ = "MdcToggleButtonEvents" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\Interface\{A38BFFC3-A5A0-11CE-8107-00AA00611080}\ = "Tab" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\Wow6432Node\Interface\{79176FB3-B7F2-11CE-97EF-00AA006D2776} | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\Interface\{5512D113-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLImage" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\Wow6432Node\Interface\{5512D11D-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLHidden" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\Wow6432Node\Interface\{5512D125-5CC6-11CF-8D67-00AA00BDCE1D} | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\Interface\{978C9E22-D4B0-11CE-BF2D-00AA003F40D0} | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\Wow6432Node\Interface\{47FF8FE9-6198-11CF-8CE8-00AA006CB389} | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\TypeLib\{F969EB39-8BFC-4B58-88FE-FBE940E41FA3}\2.0\0\win32 | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\Interface\{5B9D8FC8-4A71-101B-97A6-00000B65C08B} | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\Interface\{47FF8FE0-6198-11CF-8CE8-00AA006CB389} | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\Wow6432Node\Interface\{4C599243-6926-101B-9992-00000B65C6F9} | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\Interface\{978C9E22-D4B0-11CE-BF2D-00AA003F40D0}\ = "LabelControlEvents" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\Wow6432Node\Interface\{8BD21D22-EC42-11CE-9E0D-00AA006002F3} | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\Wow6432Node\Interface\{796ED650-5FE9-11CF-8D68-00AA00BDCE1D} | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\Wow6432Node\Interface\{29B86A70-F52E-11CE-9BCE-00AA00608E01} | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\Wow6432Node\Interface\{CF3F94A0-F546-11CE-9BCE-00AA00608E01} | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\Wow6432Node\Interface\{04598FC1-866C-11CF-AB7C-00AA00C08FCF} | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\Interface\{8BD21D43-EC42-11CE-9E0D-00AA006002F3} | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\Interface\{47FF8FE3-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents4" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\Interface\{47FF8FE8-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents9" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\Wow6432Node\Interface\{8BD21D32-EC42-11CE-9E0D-00AA006002F3}\ = "MdcComboEvents" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\Wow6432Node\Interface\{5CEF5613-713D-11CE-80C9-00AA00611080}\ = "IPage" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\TypeLib\{F969EB39-8BFC-4B58-88FE-FBE940E41FA3} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\Interface\{8BD21D33-EC42-11CE-9E0D-00AA006002F3}\ = "IMdcCombo" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\Interface\{5512D11B-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLText" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\Wow6432Node\Interface\{978C9E22-D4B0-11CE-BF2D-00AA003F40D0}\ = "LabelControlEvents" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\Wow6432Node\Interface\{82B02372-B5BC-11CF-810F-00A0C9030074} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\Wow6432Node\Interface\{04598FC2-866C-11CF-AB7C-00AA00C08FCF}\ = "ITabStrip" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\Wow6432Node\Interface\{5512D115-5CC6-11CF-8D67-00AA00BDCE1D} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F969EB39-8BFC-4B58-88FE-FBE940E41FA3}\2.0\0\win32 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\Interface\{8BD21D53-EC42-11CE-9E0D-00AA006002F3}\ = "IMdcOptionButton" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\Wow6432Node\Interface\{8BD21D52-EC42-11CE-9E0D-00AA006002F3} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\Interface\{47FF8FE9-6198-11CF-8CE8-00AA006CB389} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\Interface\{04598FC4-866C-11CF-AB7C-00AA00C08FCF} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\Interface\{04598FC3-866C-11CF-AB7C-00AA00C08FCF} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Token: SeShutdownPrivilege N/A C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A

Processes

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\6707a339e2ba210cce35fef5cc69dbd4_JaffaCakes118.doc"

C:\Windows\splwow64.exe

C:\Windows\splwow64.exe 12288

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 intellimagi.com udp

Files

C:\Users\Admin\AppData\Local\Temp\{10E0B068-9849-4DB5-825D-09BA3144DCCB}

MD5 9af0c3167a9befd6de6fd9f407a4137d
SHA1 9afdd0b4c815d9703c2cb8b5cfcb0813afc650d8
SHA256 7b69e6866a1ed6212c25a06cc7fde42b8476f470a3728358ad6518e1bf280ef2
SHA512 c9d97f672d213282a76a4d1d7e9f738373fdfdd0e678e16730656fce6b488d743674ae555b029a8a05bc8fa8ee22798ce224307ae309800ff73563319b2c54a1

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{3A4E0D09-67A9-4F7B-AD24-A068F3AE81D3}.FSD

MD5 4c834bd5c9416b82e447a896f0e8d36e
SHA1 7000c9ce0b7710abb279a2e4e17f36e57d3f5127
SHA256 873ee7c6d09a11de6f05d5e288717d47d7f95c3c9a71ed2d56bd47304fbd6f17
SHA512 733915be9134282ce9a0a485f3b9913576e62d555c9c37e01ee701c89cb5ccf2fe095a7bf8e33c2ca4a7810e0322197cf99fb417aa06f243fac2ddd416432387

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD

MD5 2d8470e2aef069b40967a3e6d8f98482
SHA1 42a9521bf5de7a4178c4cd02ef79165982ee7f25
SHA256 55941c93c9d2aa0c3151be4def8b3fd03c34e305cf390d1d37e773ec47fab426
SHA512 1848e565ab3f0053319616ff62fbb5deeba4a7ddb575827aacf71aebbaf361a39090b9a6633543ac05840cae3118ea733a58cda5c5418bd8868681a051835da0

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{897B39AB-E705-41A9-86D3-C7705D3DFD6B}.FSD

MD5 7dcf402e6f19beda8af0612fe19601cd
SHA1 f74c24834bbd58bbe385de2c39416ab36c8a629c
SHA256 ad8bfae3c85257a1b3f9e79e6f32e835ce1dad05dbb4acdd8d7b856e49d4e6cb
SHA512 b192c434b3b5726a07237387d18add2a0cbc8296f042116540ca21ef44a754ca80dd1dcf7005a5653a3a5351bce5e5a92d178f711ff19f95958a2414ff8ce486

C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

MD5 ea4970616fbf7cdc45d6b122f4bfc8d6
SHA1 52141380e07b627db7866445ec87499fca618fdb
SHA256 b4ebc66d27245ada4e335c90d081e381c26719f10175ca5a43041a1fe1d78319
SHA512 fa9afca691103d102b871e751e82e2db3aa990a5aa173ec2c6ad1709171aed62714e875b84ed07dbeff8578da7f9f74f41ec6f43adae9b56b9da523895a65f02

C:\Users\Admin\AppData\Local\Temp\VBE\MSForms.exd

MD5 3d5308ae15741f80fa2fce8a274ad7f0
SHA1 de00cf5cfa5725fb8e182840ab23701b127612ea
SHA256 3e201cb0ae5bd1f25773b33e9e7794e44827eef2f10930a3810fb9371a82f9c6
SHA512 aeb93b7b006dd8297a8c5f1ca09944a62b88a16a2a72f8be3a053322881e59de0c3f38b3a0bd4f2d77e869126040d5052eaba3fac6bddabe0f053dbb20359dec

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{3A4E0D09-67A9-4F7B-AD24-A068F3AE81D3}.FSD

MD5 7e403d5d6d505006684101559dd8ac4e
SHA1 240710fc137e4f734843448f81351aaf8996105f
SHA256 911e3f680ee00ec731218dc9e300da7f0d4e089e755ad4eabea425e929a22678
SHA512 2976b658749e0ae2cddd851da5d8250ba82ef3236e52e5df06aacb7993fddfa8d58c4e8c378e68d91d6a161748fa13cd4f5364d0264877ff6b5c56321fee6a0d

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSF-CTBL.FSF

MD5 5ac92d5949977be020c873c92c2ecf7a
SHA1 15307d96f3a10688c80925c6bbc3ce7947efff15
SHA256 636bb35936d360d8fc9637f2e7627e1c8c68d04680cbd8e58779747d7301adc1
SHA512 81819eb3078c6fd8328e72f3a1bc310d6430424dab594d695da0ba67ed538c0cbb5ae6c5a7fb3218f0aaa83d802ed96866c79a0046e2012c4681a4a7c529f862

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-CNRY.FSD

MD5 fd7d4849a02cd2b593238cd143079ba6
SHA1 b135216d26ca1cc30fced1a153b348dc0f7dae80
SHA256 37e6974ff81e4fe1fcd7ef6f2323c1d5b9427e635caddeb97deff80d3ba193bb
SHA512 1299c15daf157ef868cf7194b6f5b983a1ee2001d814c9e53a3530502572a66977b59049004ec650f2abd7480352b5348ee209818bc8c34c67b0969aba360e58

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSF-{0E1EEE64-E8C6-4E2A-9759-63CF07FD8988}.FSF

MD5 aaf5c3773ec52feb8e371a03a7e576b0
SHA1 6d73faa02f09251e39621b6d7ecbeef4e5cbaadc
SHA256 67fa58420a0284c37e40b4ad50207552a3c5fbd1e04ef43b4785c5d99f74c652
SHA512 49d474d5096ddc4b05b1561f0ce6f875cf8cd3949d795b595bb312fb6bf06ec72d769f85f91979f75d196eb0b223b84066efed7c7f7b5868a2d4f6b4d0a62d62

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{897B39AB-E705-41A9-86D3-C7705D3DFD6B}.FSD

MD5 f90fab8ac95448597d3080526a786366
SHA1 7c6c6420b43544cab012e02b95d5c02aaefe5c9f
SHA256 61cc00ed3d667cf4a89f87f41e97a6d438023ccdb43fb3094f526e5777a69fa2
SHA512 e762b3bcbb6fc79ddc9fc5f968b92e6c2266be4e1f0e6ed8de415ef88f5b8a3e080633ad27b9e8111cbf1ef28f7a3c054289bfdecf5b0dec3e20d4e942c42789