Analysis

  • max time kernel
    148s
  • max time network
    137s
  • platform
    windows7_x64
  • resource
    win7-20240705-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
  • submitted
    24-07-2024 10:19

General

  • Target

    6b3ba1a762d6a13f6853fb49adf7f14f_JaffaCakes118.doc

  • Size

    242KB

  • MD5

    6b3ba1a762d6a13f6853fb49adf7f14f

  • SHA1

    e4e0f1400b542fe7f649825b742a5430c34f37dd

  • SHA256

    499e30e340b15034ae82b1fb243aca0400db9372f3fcd645a295ff93b1cd76c9

  • SHA512

    175e249401665d6d2e723fb2a04548cef69ee2b39e637d594a0c406a6a89dadb6ccd5332546322e7ca6c06621fd8eff4698e533c86a56501a4c45a42502b8947

  • SSDEEP

    3072:8Ow0pklIiuq73/IKBdsVYdSctF6kXiG/pd:8O5pklIo73wA/UMF6k7pd

Score
7/10

Malware Config

Signatures

  • Abuses OpenXML format to download file from external location 2 IoCs
  • Drops file in Windows directory 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt to gather information about the system language of a victim host in order to infer the geographical location of that host.

  • Office loads VBA resources, possible macro or embedded object present
  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious use of SetWindowsHookEx 10 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\6b3ba1a762d6a13f6853fb49adf7f14f_JaffaCakes118.doc"
    1⤵
    • Abuses OpenXML format to download file from external location
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2560
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      2⤵
        PID:2408
    • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
      "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
      1⤵
      • Abuses OpenXML format to download file from external location
      • System Location Discovery: System Language Discovery
      • Enumerates system info in registry
      • Suspicious use of SetWindowsHookEx
      PID:2396

    Network

    MITRE ATT&CK Enterprise v15


    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{937ABE22-CA99-483F-B20F-0C6EB73D6301}.FSD

      Filesize

      128KB

      MD5

      25869e1602cc099900ea9671996310ce

      SHA1

      12b2ae876e285653ec593312a3baf21b734b4277

      SHA256

      224e654403bef635ab5d574f4152d00cd6295219f61620a956f0ad796ee1c43d

      SHA512

      64ae39bcade4eb9e1e652699b226f76751aaa5d687f249a5999f6420362186517db6bd59f0b8ef78e936b41d646309bab9a8a4088fc60fdb7b64b73f53ebcb18

    • C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD

      Filesize

      128KB

      MD5

      fa3d8ba512b300f882727187e3cea9e4

      SHA1

      08f51d014a197be938a9de389061d70699ccde36

      SHA256

      8d599e5341686832befe157972f6ab3668e8ebca096edf8ad3e648bf474a33ea

      SHA512

      2a142ca3f7ff7cb6269b5c510d42bc890968aa8a99e9531298bcfdde650bcc77c83b0305d031af4021d55979e060aa3755d1080a7d185e62341bfbd408098f4d

    • C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{F776081B-4FF7-4B9C-88FE-C7440072CE6D}.FSD

      Filesize

      128KB

      MD5

      e15e6fd97d0d51497c66cf43bd6f9df6

      SHA1

      c52128e73aeb342f18094e07ebdb5d825e8f025a

      SHA256

      dafd03195431ad48aa44f2b6c6064233c8a074b2e3c1efcd557cda2f3333f44f

      SHA512

      8801eeee7b061e90eb4618b25611b6e43f7741476675bb0fb0f2ab30d289a362da1046bf7e2f167446f52f3eb72906932016e3272d61afbcaac81c3d8bafe2df

    • C:\Users\Admin\AppData\Local\Temp\{1766B763-98CC-4062-84FE-8EEADA1ABADB}

      Filesize

      128KB

      MD5

      b4e37fcfedcce5bcdaf3e57d9b825eef

      SHA1

      30f55c04a133c3d1ef7ea7ca7f79bd0d383367d9

      SHA256

      b223f6e95eb2d19361074a3a5f270ca1cedfae8d9b77c69a85056684d6dc7591

      SHA512

      a5c09a79713a8393344e1609e40c476aa2a6835ea4d8869baff1c40a9d4b8f591d84c716b9cc91d46c956e36190975a8f7421befb34e1df33d87b506f46d5a79

    • C:\Users\Admin\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex

      Filesize

      2B

      MD5

      f3b25701fe362ec84616a93a45ce9998

      SHA1

      d62636d8caec13f04e28442a0a6fa1afeb024bbb

      SHA256

      b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

      SHA512

      98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

    • memory/2560-49-0x0000000000690000-0x0000000000790000-memory.dmp

      Filesize

      1024KB

    • memory/2560-21-0x0000000000690000-0x0000000000790000-memory.dmp

      Filesize

      1024KB

    • memory/2560-46-0x0000000000690000-0x0000000000790000-memory.dmp

      Filesize

      1024KB

    • memory/2560-18-0x0000000071A7D000-0x0000000071A88000-memory.dmp

      Filesize

      44KB

    • memory/2560-45-0x0000000000690000-0x0000000000790000-memory.dmp

      Filesize

      1024KB

    • memory/2560-22-0x0000000000690000-0x0000000000790000-memory.dmp

      Filesize

      1024KB

    • memory/2560-66-0x0000000000690000-0x0000000000790000-memory.dmp

      Filesize

      1024KB

    • memory/2560-84-0x0000000000690000-0x0000000000790000-memory.dmp

      Filesize

      1024KB

    • memory/2560-70-0x0000000000690000-0x0000000000790000-memory.dmp

      Filesize

      1024KB

    • memory/2560-69-0x00000000103D0000-0x00000000104D0000-memory.dmp

      Filesize

      1024KB

    • memory/2560-68-0x0000000000690000-0x0000000000790000-memory.dmp

      Filesize

      1024KB

    • memory/2560-65-0x0000000000690000-0x0000000000790000-memory.dmp

      Filesize

      1024KB

    • memory/2560-64-0x0000000000690000-0x0000000000790000-memory.dmp

      Filesize

      1024KB

    • memory/2560-63-0x0000000000690000-0x0000000000790000-memory.dmp

      Filesize

      1024KB

    • memory/2560-62-0x0000000000690000-0x0000000000790000-memory.dmp

      Filesize

      1024KB

    • memory/2560-61-0x0000000000690000-0x0000000000790000-memory.dmp

      Filesize

      1024KB

    • memory/2560-60-0x0000000000690000-0x0000000000790000-memory.dmp

      Filesize

      1024KB

    • memory/2560-59-0x0000000000690000-0x0000000000790000-memory.dmp

      Filesize

      1024KB

    • memory/2560-58-0x0000000000690000-0x0000000000790000-memory.dmp

      Filesize

      1024KB

    • memory/2560-57-0x0000000000690000-0x0000000000790000-memory.dmp

      Filesize

      1024KB

    • memory/2560-56-0x0000000000690000-0x0000000000790000-memory.dmp

      Filesize

      1024KB

    • memory/2560-55-0x0000000000690000-0x0000000000790000-memory.dmp

      Filesize

      1024KB

    • memory/2560-53-0x0000000000690000-0x0000000000790000-memory.dmp

      Filesize

      1024KB

    • memory/2560-51-0x0000000000690000-0x0000000000790000-memory.dmp

      Filesize

      1024KB

    • memory/2560-44-0x0000000000690000-0x0000000000790000-memory.dmp

      Filesize

      1024KB

    • memory/2560-0-0x000000002FF61000-0x000000002FF62000-memory.dmp

      Filesize

      4KB

    • memory/2560-47-0x0000000000690000-0x0000000000790000-memory.dmp

      Filesize

      1024KB

    • memory/2560-67-0x0000000000690000-0x0000000000790000-memory.dmp

      Filesize

      1024KB

    • memory/2560-2-0x0000000071A7D000-0x0000000071A88000-memory.dmp

      Filesize

      44KB

    • memory/2560-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB

    • memory/2560-50-0x0000000000690000-0x0000000000790000-memory.dmp

      Filesize

      1024KB

    • memory/2560-43-0x0000000000690000-0x0000000000790000-memory.dmp

      Filesize

      1024KB

    • memory/2560-42-0x0000000000690000-0x0000000000790000-memory.dmp

      Filesize

      1024KB

    • memory/2560-41-0x0000000000690000-0x0000000000790000-memory.dmp

      Filesize

      1024KB

    • memory/2560-39-0x0000000000690000-0x0000000000790000-memory.dmp

      Filesize

      1024KB

    • memory/2560-38-0x0000000000690000-0x0000000000790000-memory.dmp

      Filesize

      1024KB

    • memory/2560-37-0x0000000000690000-0x0000000000790000-memory.dmp

      Filesize

      1024KB

    • memory/2560-36-0x0000000000690000-0x0000000000790000-memory.dmp

      Filesize

      1024KB

    • memory/2560-35-0x0000000000690000-0x0000000000790000-memory.dmp

      Filesize

      1024KB

    • memory/2560-34-0x0000000000690000-0x0000000000790000-memory.dmp

      Filesize

      1024KB

    • memory/2560-33-0x0000000000690000-0x0000000000790000-memory.dmp

      Filesize

      1024KB

    • memory/2560-32-0x0000000000690000-0x0000000000790000-memory.dmp

      Filesize

      1024KB

    • memory/2560-31-0x0000000000690000-0x0000000000790000-memory.dmp

      Filesize

      1024KB

    • memory/2560-30-0x0000000000690000-0x0000000000790000-memory.dmp

      Filesize

      1024KB

    • memory/2560-29-0x0000000000690000-0x0000000000790000-memory.dmp

      Filesize

      1024KB

    • memory/2560-28-0x0000000000690000-0x0000000000790000-memory.dmp

      Filesize

      1024KB

    • memory/2560-27-0x0000000000690000-0x0000000000790000-memory.dmp

      Filesize

      1024KB

    • memory/2560-25-0x0000000000690000-0x0000000000790000-memory.dmp

      Filesize

      1024KB

    • memory/2560-24-0x0000000000690000-0x0000000000790000-memory.dmp

      Filesize

      1024KB

    • memory/2560-23-0x0000000000690000-0x0000000000790000-memory.dmp

      Filesize

      1024KB

    • memory/2560-54-0x0000000000690000-0x0000000000790000-memory.dmp

      Filesize

      1024KB

    • memory/2560-52-0x0000000000690000-0x0000000000790000-memory.dmp

      Filesize

      1024KB

    • memory/2560-48-0x0000000000690000-0x0000000000790000-memory.dmp

      Filesize

      1024KB

    • memory/2560-40-0x0000000000690000-0x0000000000790000-memory.dmp

      Filesize

      1024KB

    • memory/2560-26-0x0000000000690000-0x0000000000790000-memory.dmp

      Filesize

      1024KB

    • memory/2560-20-0x0000000000690000-0x0000000000790000-memory.dmp

      Filesize

      1024KB

    • memory/2560-524-0x0000000000690000-0x0000000000790000-memory.dmp

      Filesize

      1024KB

    • memory/2560-525-0x00000000103D0000-0x00000000104D0000-memory.dmp

      Filesize

      1024KB