Analysis

  • max time kernel
    122s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
  • submitted
    23-07-2024 15:24

General

  • Target

    68200a45478b22badfd8d4b28e391c46_JaffaCakes118.doc

  • Size

    204KB

  • MD5

    68200a45478b22badfd8d4b28e391c46

  • SHA1

    6561cf457dc56355a8680957778cb52f3a8afd18

  • SHA256

    ab8f3de244826eb9113aa788511bed8d9a2675a6e672f58c8bac8160d76fdc6d

  • SHA512

    a61924cf7f7a92617f2e9b3eefb67ec36df6125393272a88c63cb95812d000192947d5505fe60b9aa7b3508d13f28da53bb3da51bd5e4ac79393536466c4cc4a

  • SSDEEP

    1536:MtPrT8wrLT0NeXxz1DweTHrTPxyP5J8b5z2Lk3tl2lvli8+7XG6QKt42+w:M2w3keXxz1Dfnc+M0OvlibX3QJ2+w

Score
7/10

Malware Config

Signatures

  • Abuses OpenXML format to download file from external location 4 IoCs
  • Drops file in Windows directory 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Office loads VBA resources, possible macro or embedded object present
  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of SetWindowsHookEx 13 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\68200a45478b22badfd8d4b28e391c46_JaffaCakes118.doc"
    1⤵
    • Abuses OpenXML format to download file from external location
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1824
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      2⤵
        PID:2860
    • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
      "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
      1⤵
      • Abuses OpenXML format to download file from external location
      • System Location Discovery: System Language Discovery
      • Enumerates system info in registry
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:480
    • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
      "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding
      1⤵
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      PID:1620
    • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
      "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
      1⤵
      • Abuses OpenXML format to download file from external location
      • System Location Discovery: System Language Discovery
      • Enumerates system info in registry
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:1812
    • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
      "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
      1⤵
      • Abuses OpenXML format to download file from external location
      • System Location Discovery: System Language Discovery
      • Enumerates system info in registry
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:2364

Network

MITRE ATT&CK Enterprise v15

Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-CNRY.FSD

      Filesize

      128KB

      MD5

      d3f885abc72f860c32fb9bebd3c70672

      SHA1

      b5817997ec7760d9ec8280eaaf994353b7989ee9

      SHA256

      11e9079b19adc92d727dc16176040ae7ebf4514ef34f78f9bd2eb2484f0dfdf0

      SHA512

      4fae61e8be4b11ef4218524528ba0b87e0d3d9a4b2d5078a63353eff32ba7ecd3783b17b3d8c3f6fa3573494b2f74fad772dae7cf46efb106504b8a85eeea23a

    • C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{19AB6FF0-D8D3-462E-BE84-860F4AE7657C}.FSD

      Filesize

      128KB

      MD5

      4482d186ba2b2644c4b0ce189a7decae

      SHA1

      6489928e9d7b3f4ac044618f3ce71ce348b2985a

      SHA256

      bb38668b66df2f4ad4a292b119fe8e3a92ea75e5579f1ffe2b14394d421141cf

      SHA512

      d9070f1be9d1271a92247e59dd2ded0b0598a9ede38df08f20fc0276b41b78858f3afafb21f9d696796c004245250995f1bf11b36f898042fe2c411e9aaaa009

    • C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSF-CTBL.FSF

      Filesize

      114B

      MD5

      1a9dcecbc3026193dead147a55a7bfcb

      SHA1

      c8112d8fd3f3c9e37ed17c4f7ef3c9b261137023

      SHA256

      13d466b3bab67a808b97bae86123c28bc4d222d7b12c720eea2afff31b8e825f

      SHA512

      ab0b34dc102113d38bd76eb1bbc9b56e79b1e6c1b10932bc95f06adc7623899f27b7df1f50ec82803023fdead1fee82e9f927b64508535edbdf240d0726ed4ff

    • C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD

      Filesize

      128KB

      MD5

      4d1276aa5ebdaf6f02842db6e6479be8

      SHA1

      e77c9bfbd53c56266cdd5d038d159c4feb748bb2

      SHA256

      c6fa7e93680f898a87d6bdd03f390cd17416279efd01cbf012a4654761dc40db

      SHA512

      4e80d99dd5a92dd8a853e6785c63175b77553639d6d2c8c7b65af5b14b6460e9f281fb5aa274b9e2bfe9693585e95bf62f52bb862b30277ae28913ef00f45a05

    • C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD

      Filesize

      128KB

      MD5

      7ca98572a6f2f04116ec7b11bd93ba26

      SHA1

      405d78c6201972fa223cda062737913a7ee9e603

      SHA256

      6569d1a5469897ce66ae1fd80155a5fd96bafbc08cac0986b1bead3ecb6549cf

      SHA512

      7ca3c191a055fd29f08053009c799a9f5d7bd1d9c10a64ba32d0adbcfb4e2167ea80cffdf20b8e2e5de0ad289d16fc4a68725a265d53985ee81177a9cfca55f6

    • C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{076881CC-F3DB-464F-9D16-38B705C85CC3}.FSD

      Filesize

      128KB

      MD5

      cc204557d4ee1b615983cb6e576ae8f0

      SHA1

      2707ba4b609368a767aa80b2626b1176a2ef2488

      SHA256

      6aeb2ce36fcb9eb88b4cd28a2327f5a807660a2725afa2357c1c3d5a595eceac

      SHA512

      2eb5166cb73293ccf75b86ef331598c58cca9129090d2ce02246124160270b14b1e4f900ea5728ae3153e86bb418fa165e2e3a57c853e25f5f7d3aa777d8d38a

    • C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{076881CC-F3DB-464F-9D16-38B705C85CC3}.FSD

      Filesize

      128KB

      MD5

      c5d71b1909eab046a65743543e08fbd0

      SHA1

      065287a7a4937192e2a00ff3b41fc5e0086841b9

      SHA256

      657a66f9989d64f8f96c789537643304c8ce908361c57d5104ef31413d860e83

      SHA512

      3c936ed7b03233e1642df9fa685d06516a2777afa5d2963f691816e28f203909068b665db7f2d30f7cd85e054f33e4ef99364944fc7f3b177c1398e3064df363

    • C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSF-{0E1EEE64-E8C6-4E2A-9759-63CF07FD8988}.FSF

      Filesize

      114B

      MD5

      166618abf00ed7412f0c18838e8d332a

      SHA1

      c6fc4668f2c0fb5beb6792a113cda51cd27d8245

      SHA256

      f88b6014f8fdbc3253ae86c0294ce3e7daac5fe16877f73d966a8f805dd6559b

      SHA512

      a8795a912e4fe6e089b95580215f300bc86571c9c795687469826016ba8c910506bffa9f8dca2bbd3fbba5fa16e12f289d68a970944293820303b32c2c29ae3e

    • C:\Users\Admin\AppData\Local\Temp\VBE\MSForms.exd

      Filesize

      143KB

      MD5

      7b4662090c5eb7b77dac9dc8fae10f37

      SHA1

      3dcdc7f32adb5cb7307e171efc0d20afeb8b67d8

      SHA256

      fac88b46d55876332235faf70ca36c225d93898a54535c3cedf8bbd16273ae1f

      SHA512

      f1e2b63b58bc9ecc483facf845d9af7c05d7a448ad75e858a8548ea87439371446bf45025fef5c59a9567a616ac91fe4bbea0d507cb395312f14cc43c4e61cb1

    • C:\Users\Admin\AppData\Local\Temp\{BA9E65FC-74A1-4C40-8CB9-AF1762EE8212}

      Filesize

      128KB

      MD5

      72d0d6767bfcfd5fbe5e9d82b365a4d6

      SHA1

      d58bc76608fbc5ff1174ee3edc4bba15c0a2350d

      SHA256

      0138bdb856dc808ccd36512c02d9b9a132b91dd1d1a752522ddaebaef7d3d923

      SHA512

      b8ad01112083be6f11b9014af477f7f148310c438de3d2ad5d42f8f1f6e6dcd7fd5fbe66ddd3736540e0fd7c925e094338b097bb7483e4b580a2758a02b731de

    • C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

      Filesize

      250B

      MD5

      21b61b29c5e38fde8e95acc5f8fae150

      SHA1

      ec8b5f938c2691c21972f95dff25fbb44e15515f

      SHA256

      f7fbda689e859586b2335f1d67075075a62576850d12069325cb0bc46a90e86c

      SHA512

      23c0ebb8b3d4b303d45796a2a68ea9edc20118b79263e81d47b5e872bca8a42fe52a7c1f9c00cd202b701fc6a8245786dacdbe35c56e82eaa07b518afa2f6dff

    • C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

      Filesize

      19KB

      MD5

      8ff4cb33a66ec643fd49d7e56b658cbb

      SHA1

      4b893757c1357d906ad3003491f64f220718bf5b

      SHA256

      3289a86236b18343716828f22c1cea59425978207927e92b2b790cc34f993e6e

      SHA512

      bb8333dd97c2895dc1f0d79b6b676191145cc027832b5f66686e31c7af5b889fe2c171c0252c499045c7df306f5c15ac60d22b12ede5e6fad5ab34e876e30462

    • memory/480-1014-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB

    • memory/1620-1029-0x0000000000240000-0x0000000000340000-memory.dmp

      Filesize

      1024KB

    • memory/1620-1390-0x0000000000240000-0x0000000000340000-memory.dmp

      Filesize

      1024KB

    • memory/1620-1031-0x0000000000240000-0x0000000000340000-memory.dmp

      Filesize

      1024KB

    • memory/1620-1495-0x0000000000240000-0x0000000000340000-memory.dmp

      Filesize

      1024KB

    • memory/1620-1077-0x0000000000240000-0x0000000000340000-memory.dmp

      Filesize

      1024KB

    • memory/1620-1146-0x0000000000240000-0x0000000000340000-memory.dmp

      Filesize

      1024KB

    • memory/1620-1242-0x0000000000240000-0x0000000000340000-memory.dmp

      Filesize

      1024KB

    • memory/1620-1194-0x0000000000240000-0x0000000000340000-memory.dmp

      Filesize

      1024KB

    • memory/1620-1291-0x0000000000240000-0x0000000000340000-memory.dmp

      Filesize

      1024KB

    • memory/1620-1033-0x0000000000240000-0x0000000000340000-memory.dmp

      Filesize

      1024KB

    • memory/1620-1339-0x0000000000240000-0x0000000000340000-memory.dmp

      Filesize

      1024KB

    • memory/1620-1438-0x0000000000240000-0x0000000000340000-memory.dmp

      Filesize

      1024KB

    • memory/1620-1034-0x0000000000240000-0x0000000000340000-memory.dmp

      Filesize

      1024KB

    • memory/1620-1030-0x0000000000240000-0x0000000000340000-memory.dmp

      Filesize

      1024KB

    • memory/1620-1032-0x0000000000240000-0x0000000000340000-memory.dmp

      Filesize

      1024KB

    • memory/1824-55-0x0000000004960000-0x0000000004A60000-memory.dmp

      Filesize

      1024KB

    • memory/1824-5-0x0000000070A9D000-0x0000000070AA8000-memory.dmp

      Filesize

      44KB

    • memory/1824-2-0x0000000070A9D000-0x0000000070AA8000-memory.dmp

      Filesize

      44KB

    • memory/1824-0-0x000000002F491000-0x000000002F492000-memory.dmp

      Filesize

      4KB

    • memory/1824-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB