Analysis

  • max time kernel
    148s
  • max time network
    137s
  • platform
    windows7_x64
  • resource
    win7-20240705-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
  • submitted
    24-07-2024 04:57

General

  • Target

    6a51e95ee504da80a3aee41ac5b72946_JaffaCakes118.doc

  • Size

    241KB

  • MD5

    6a51e95ee504da80a3aee41ac5b72946

  • SHA1

    83c5d9346cc3ec0172cbcb4c6d565c2ac16e3ea0

  • SHA256

    523a015e5c32f58ffde514145402e3bd4487e72aba937cfcea78b50857e6075d

  • SHA512

    722bcc3e604724db4d1fe4ee1a154772127aff709fc09035adf43f33f23ca7bc2ce575b47829fa57f7fa51a1ed6bbf36fbdcd040c6327154d3f60759482e1ad2

  • SSDEEP

    3072:hvw9HXPJguq73/IKBWyhAdSc8hvTXZ/UWTPHZ:hvKHXPJi73wAkUBj5bPHZ

Score
7/10

Malware Config

Signatures

  • Abuses OpenXML format to download file from external location 2 IoCs
  • Drops file in Windows directory 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Office loads VBA resources, possible macro or embedded object present
  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious use of SetWindowsHookEx 10 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\6a51e95ee504da80a3aee41ac5b72946_JaffaCakes118.doc"
    1⤵
    • Abuses OpenXML format to download file from external location
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3016
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      2⤵
        PID:2892
    • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
      "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
      1⤵
      • Abuses OpenXML format to download file from external location
      • System Location Discovery: System Language Discovery
      • Enumerates system info in registry
      • Suspicious use of SetWindowsHookEx
      PID:3052

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD

      Filesize

      128KB

      MD5

      d2bc3fde3bb5a54d76770875c4c3986b

      SHA1

      7ee1b31b4e14d3988f6280a1942d1008a4737e48

      SHA256

      4dd6c5f523d67082578936818c18d18884fbe0e0345f46074904095a79a6e0bd

      SHA512

      89c577d4d080abcf999f1e4f604ea1b61c32c309de3e5ce005872dd9305c1170701348e8a8fba5317f8033db71dda61f8d71d7bfc66f892dd69900807b16489e

    • C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD

      Filesize

      128KB

      MD5

      db3986d8c9750a655026226a68baa8eb

      SHA1

      d380daf62c514474d801c744a58d92a29fd4460b

      SHA256

      59824508eb81950d2ad4ea3100905b362f51aa9b701fba060054a5dd93a63334

      SHA512

      361d0106cef3e49f18d0fdebfa40f84c708e39acdb329b57658c60f3e41a97b405ef234dca1462916da00549020f38825e8017952aca7f15ea71a95852768f98

    • C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{AE2A7B16-B505-46AF-A1C2-FF4BAAA7F130}.FSD

      Filesize

      128KB

      MD5

      b0075a511e6373d30634571df52da083

      SHA1

      e58f6172974c52341e1985884a97ba193006fc1d

      SHA256

      06bb616eef1b4e3b9e2d9d7303f781522a20602671047ae107f3de61085b9613

      SHA512

      16e380ad36cd2fe96155e8254138a93df7f01f41b370ed7648c5091359c840b4d4413a2fe3fb1f6731aaa59bfc1a27faa365ca2395bbb78bab827c0d1d90045d

    • C:\Users\Admin\AppData\Local\Temp\{F22E454B-6546-401A-A8E6-B9391DEA7B1A}

      Filesize

      128KB

      MD5

      7f6952ec9af37e9286dfd8e38204616d

      SHA1

      57ef33135b96b1e47ab9e98ac0330b6efc49a057

      SHA256

      91aebd0ff6f92ae3b1c21f70231d8980ef26773a2b1f2caef12a7b3f0e62b361

      SHA512

      66f520f6cc7a2fa38d8714e640c78b27a691257cd4c527675987cb079cbb9ff17490327306b63c60d4a4102f8645f16a7e8301f375886769c762532cf3f68822
