c6450238b8d31d193cf66d19fc54e598bae95ea43d4d0b71854fd72c46af1e16

Analysis

max time kernel
102s
max time network
19s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
24/07/2024, 00:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

69924bcb5029826f6f64b54c66f67e4f_JaffaCakes118.doc
Size

82KB
MD5

69924bcb5029826f6f64b54c66f67e4f
SHA1

70b15f249f52304494a40a3b5c66144297e1b194
SHA256

c6450238b8d31d193cf66d19fc54e598bae95ea43d4d0b71854fd72c46af1e16
SHA512

6766a5e4b0f93ad0f1c0ae0ed2d3d8d763ed87d62ec2141ac46c29d6f60462a633ba78587e708365155867d767e38ae39285634a68170df3ce895297e53ba033
SSDEEP

768:L1/pInbeZ/d7dkTgrh3fZMnZSV0DK6xHqGp/xRS:ziehnZMsf6HD

Score

4^/10

discovery

Malware Config

Signatures

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WINWORD.EXE

Office loads VBA resources, possible macro or embedded object present

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1996	WINWORD.EXE

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1996	WINWORD.EXE
1996	WINWORD.EXE

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1996 wrote to memory of 840	1996	WINWORD.EXE	29
PID 1996 wrote to memory of 840	1996	WINWORD.EXE	29
PID 1996 wrote to memory of 840	1996	WINWORD.EXE	29
PID 1996 wrote to memory of 840	1996	WINWORD.EXE	29

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\69924bcb5029826f6f64b54c66f67e4f_JaffaCakes118.doc"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1996
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:840

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

Filesize
29KB

MD5
12184d8b26a04f2c9de2bb49e0d20f30

SHA1
1c31fb6fcb16cde94fa991a8d19d808f0c57a461

SHA256
5c024b8054308d76d35b13602060ab2c0f7768a4744e76a5af11edb25bcac340

SHA512
b024df4b631ed481ac4e3b76c857b0bab3ca7b5a6025a4c8665bf5da5e33450dfad33abae66cfad95d2e24309d35de2b818b3403ac5a4c98ccb240d5f8d3e4fe

Download Submit
memory/1996-0-0x000000002FD61000-0x000000002FD62000-memory.dmp

Filesize
4KB

Download
memory/1996-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1996-2-0x00000000715FD000-0x0000000071608000-memory.dmp

Filesize
44KB

Download
memory/1996-5-0x00000000715FD000-0x0000000071608000-memory.dmp

Filesize
44KB

Download
memory/1996-6-0x00000000001A0000-0x00000000002A0000-memory.dmp

Filesize
1024KB

Download
memory/1996-7-0x00000000001A0000-0x00000000002A0000-memory.dmp

Filesize
1024KB

Download
memory/1996-8-0x00000000001A0000-0x00000000002A0000-memory.dmp

Filesize
1024KB

Download
memory/1996-25-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download