Analysis
-
max time kernel
148s -
max time network
137s -
platform
windows7_x64 -
resource
win7-20240705-en -
resource tags
arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system -
submitted
24-07-2024 10:19
Behavioral task
behavioral1
Sample
6b3ba1a762d6a13f6853fb49adf7f14f_JaffaCakes118.doc
Resource
win7-20240705-en
Behavioral task
behavioral2
Sample
6b3ba1a762d6a13f6853fb49adf7f14f_JaffaCakes118.doc
Resource
win10v2004-20240709-en
General
-
Target
6b3ba1a762d6a13f6853fb49adf7f14f_JaffaCakes118.doc
-
Size
242KB
-
MD5
6b3ba1a762d6a13f6853fb49adf7f14f
-
SHA1
e4e0f1400b542fe7f649825b742a5430c34f37dd
-
SHA256
499e30e340b15034ae82b1fb243aca0400db9372f3fcd645a295ff93b1cd76c9
-
SHA512
175e249401665d6d2e723fb2a04548cef69ee2b39e637d594a0c406a6a89dadb6ccd5332546322e7ca6c06621fd8eff4698e533c86a56501a4c45a42502b8947
-
SSDEEP
3072:8Ow0pklIiuq73/IKBdsVYdSctF6kXiG/pd:8O5pklIo73wA/UMF6k7pd
Malware Config
Signatures
-
Abuses OpenXML format to download file from external location 2 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WINWORD.EXE Key opened \REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Office\Common\Offline\Files\https://dailyemploy.com/day.php?3b0JBVkvWuHBNzmA0DDuwJ3557w2VtSb:F9567120 EXCEL.EXE -
Drops file in Windows directory 1 IoCs
description ioc Process File opened for modification C:\Windows\Debug\WIA\wiatrace.log WINWORD.EXE -
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WINWORD.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language EXCEL.EXE -
Office loads VBA resources, possible macro or embedded object present
-
Enumerates system info in registry 2 TTPs 1 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor EXCEL.EXE -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000_CLASSES\Wow6432Node\Interface\{CF3F94A0-F546-11CE-9BCE-00AA00608E01}\ = "OptionFrameEvents" WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000_CLASSES\Interface\{4C599243-6926-101B-9992-00000B65C6F9}\ = "IImage" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000_CLASSES\Interface\{92E11A03-7358-11CE-80CB-00AA00611080} WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000_CLASSES\Wow6432Node\Interface\{5512D123-5CC6-11CF-8D67-00AA00BDCE1D} WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000_CLASSES\Interface\{8BD21D32-EC42-11CE-9E0D-00AA006002F3} WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000_CLASSES\Interface\{8BD21D42-EC42-11CE-9E0D-00AA006002F3}\ = "MdcCheckBoxEvents" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000_CLASSES\Wow6432Node\Interface\{BEF6E003-A874-101A-8BBA-00AA00300CAB} WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000_CLASSES\Interface\{82B02371-B5BC-11CF-810F-00A0C9030074} WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000_CLASSES\Wow6432Node\Interface\{82B02372-B5BC-11CF-810F-00A0C9030074} WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000_CLASSES\Wow6432Node\Interface\{04598FC4-866C-11CF-AB7C-00AA00C08FCF}\ = "ICommandButton" WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000_CLASSES\Wow6432Node\Interface\{5512D115-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLReset" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000_CLASSES\Wow6432Node\Interface\{5512D11D-5CC6-11CF-8D67-00AA00BDCE1D} WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000_CLASSES\Interface\{8BD21D12-EC42-11CE-9E0D-00AA006002F3} WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000_CLASSES\Wow6432Node\Interface\{47FF8FE1-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents2" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000_CLASSES\Interface\{47FF8FE6-6198-11CF-8CE8-00AA006CB389} WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000_CLASSES\Interface\{04598FC9-866C-11CF-AB7C-00AA00C08FCF} WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000_CLASSES\Interface\{47FF8FE4-6198-11CF-8CE8-00AA006CB389} WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000_CLASSES\Wow6432Node\Interface\{47FF8FE9-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents10" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000_CLASSES\TypeLib\{9D42F641-DD4F-49ED-BC99-92498B08EE11} WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000_CLASSES\TypeLib\{9D42F641-DD4F-49ED-BC99-92498B08EE11}\2.0 WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000_CLASSES\TypeLib\{9D42F641-DD4F-49ED-BC99-92498B08EE11}\2.0\ = "Microsoft Forms 2.0 Object Library" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000_CLASSES\Wow6432Node\Interface\{04598FC1-866C-11CF-AB7C-00AA00C08FCF} WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000_CLASSES\Wow6432Node\Interface\{5512D119-5CC6-11CF-8D67-00AA00BDCE1D} WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000_CLASSES\Interface\{7B020EC1-AF6C-11CE-9F46-00AA00574A4F}\ = "CommandButtonEvents" WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000_CLASSES\Interface\{7B020EC2-AF6C-11CE-9F46-00AA00574A4F}\ = "ScrollbarEvents" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000_CLASSES\Interface WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000_CLASSES\Interface\{04598FC1-866C-11CF-AB7C-00AA00C08FCF} WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000_CLASSES\Interface\{8BD21D43-EC42-11CE-9E0D-00AA006002F3} WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000_CLASSES\Wow6432Node\Interface\{5512D115-5CC6-11CF-8D67-00AA00BDCE1D} WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000_CLASSES\Wow6432Node\Interface\{5512D125-5CC6-11CF-8D67-00AA00BDCE1D} WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000_CLASSES\Interface\{CF3F94A0-F546-11CE-9BCE-00AA00608E01} WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000_CLASSES\Interface\{5512D115-5CC6-11CF-8D67-00AA00BDCE1D} WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000_CLASSES\Interface\{7B020EC7-AF6C-11CE-9F46-00AA00574A4F} WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9D42F641-DD4F-49ED-BC99-92498B08EE11}\2.0\FLAGS\ = "6" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000_CLASSES\Wow6432Node\Interface WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000_CLASSES\Interface\{29B86A70-F52E-11CE-9BCE-00AA00608E01}\ = "IOptionFrame" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000_CLASSES\Wow6432Node WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000_CLASSES\Interface\{5B9D8FC8-4A71-101B-97A6-00000B65C08B}\ = "FormEvents" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000_CLASSES\Interface\{47FF8FE3-6198-11CF-8CE8-00AA006CB389} WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000_CLASSES\TypeLib\{9D42F641-DD4F-49ED-BC99-92498B08EE11}\2.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\VBE" WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000_CLASSES\Wow6432Node\Interface\{9A4BBF53-4E46-101B-8BBD-00AA003E3B29}\ = "ControlEvents" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000_CLASSES\Wow6432Node\Interface\{8BD21D23-EC42-11CE-9E0D-00AA006002F3} WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000_CLASSES\Interface\{79176FB3-B7F2-11CE-97EF-00AA006D2776}\ = "ISpinbutton" WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000_CLASSES\Wow6432Node\Interface\{47FF8FE0-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents1" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000_CLASSES\Interface\{8BD21D33-EC42-11CE-9E0D-00AA006002F3} WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000_CLASSES\Interface\{944ACF93-A1E6-11CE-8104-00AA00611080} WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000_CLASSES\Wow6432Node\Interface\{5512D113-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLImage" WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000_CLASSES\Wow6432Node\Interface\{47FF8FE4-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents5" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000_CLASSES\Wow6432Node\Interface\{04598FC9-866C-11CF-AB7C-00AA00C08FCF} WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9D42F641-DD4F-49ED-BC99-92498B08EE11}\2.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\VBE" WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000_CLASSES\Interface\{EC72F590-F375-11CE-B9E8-00AA006B1A69}\ = "IDataAutoWrapper" WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000_CLASSES\Interface\{8BD21D33-EC42-11CE-9E0D-00AA006002F3}\ = "IMdcCombo" WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000_CLASSES\Interface\{79176FB2-B7F2-11CE-97EF-00AA006D2776}\ = "SpinbuttonEvents" WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000_CLASSES\Interface\{47FF8FE4-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents5" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000_CLASSES\Interface\{7B020EC8-AF6C-11CE-9F46-00AA00574A4F} WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000_CLASSES\Wow6432Node\Interface\{8A683C90-BA84-11CF-8110-00A0C9030074}\ = "IReturnSingle" WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000_CLASSES\Interface\{5512D123-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLSelect" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000_CLASSES\Wow6432Node\Interface\{8BD21D52-EC42-11CE-9E0D-00AA006002F3} WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000_CLASSES\Interface\{47FF8FE0-6198-11CF-8CE8-00AA006CB389} WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000_CLASSES\Interface\{47FF8FE2-6198-11CF-8CE8-00AA006CB389} WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000_CLASSES\Wow6432Node\Interface\{7B020EC7-AF6C-11CE-9F46-00AA00574A4F} WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000_CLASSES\Interface\{47FF8FE8-6198-11CF-8CE8-00AA006CB389} WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000_CLASSES\Interface\{04598FC6-866C-11CF-AB7C-00AA00C08FCF} WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000_CLASSES\Wow6432Node\Interface\{29B86A70-F52E-11CE-9BCE-00AA00608E01} WINWORD.EXE -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid Process 2560 WINWORD.EXE -
Suspicious use of SetWindowsHookEx 10 IoCs
pid Process 2560 WINWORD.EXE 2560 WINWORD.EXE 2396 EXCEL.EXE 2396 EXCEL.EXE 2396 EXCEL.EXE 2396 EXCEL.EXE 2396 EXCEL.EXE 2396 EXCEL.EXE 2396 EXCEL.EXE 2396 EXCEL.EXE -
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target PID 2560 wrote to memory of 2408 2560 WINWORD.EXE 31 PID 2560 wrote to memory of 2408 2560 WINWORD.EXE 31 PID 2560 wrote to memory of 2408 2560 WINWORD.EXE 31 PID 2560 wrote to memory of 2408 2560 WINWORD.EXE 31
Processes
-
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\6b3ba1a762d6a13f6853fb49adf7f14f_JaffaCakes118.doc"1⤵
- Abuses OpenXML format to download file from external location
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2560 -
C:\Windows\splwow64.exeC:\Windows\splwow64.exe 122882⤵PID:2408
-
-
C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding1⤵
- Abuses OpenXML format to download file from external location
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious use of SetWindowsHookEx
PID:2396
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{937ABE22-CA99-483F-B20F-0C6EB73D6301}.FSD
Filesize128KB
MD525869e1602cc099900ea9671996310ce
SHA112b2ae876e285653ec593312a3baf21b734b4277
SHA256224e654403bef635ab5d574f4152d00cd6295219f61620a956f0ad796ee1c43d
SHA51264ae39bcade4eb9e1e652699b226f76751aaa5d687f249a5999f6420362186517db6bd59f0b8ef78e936b41d646309bab9a8a4088fc60fdb7b64b73f53ebcb18
-
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD
Filesize128KB
MD5fa3d8ba512b300f882727187e3cea9e4
SHA108f51d014a197be938a9de389061d70699ccde36
SHA2568d599e5341686832befe157972f6ab3668e8ebca096edf8ad3e648bf474a33ea
SHA5122a142ca3f7ff7cb6269b5c510d42bc890968aa8a99e9531298bcfdde650bcc77c83b0305d031af4021d55979e060aa3755d1080a7d185e62341bfbd408098f4d
-
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{F776081B-4FF7-4B9C-88FE-C7440072CE6D}.FSD
Filesize128KB
MD5e15e6fd97d0d51497c66cf43bd6f9df6
SHA1c52128e73aeb342f18094e07ebdb5d825e8f025a
SHA256dafd03195431ad48aa44f2b6c6064233c8a074b2e3c1efcd557cda2f3333f44f
SHA5128801eeee7b061e90eb4618b25611b6e43f7741476675bb0fb0f2ab30d289a362da1046bf7e2f167446f52f3eb72906932016e3272d61afbcaac81c3d8bafe2df
-
Filesize
128KB
MD5b4e37fcfedcce5bcdaf3e57d9b825eef
SHA130f55c04a133c3d1ef7ea7ca7f79bd0d383367d9
SHA256b223f6e95eb2d19361074a3a5f270ca1cedfae8d9b77c69a85056684d6dc7591
SHA512a5c09a79713a8393344e1609e40c476aa2a6835ea4d8869baff1c40a9d4b8f591d84c716b9cc91d46c956e36190975a8f7421befb34e1df33d87b506f46d5a79
-
Filesize
2B
MD5f3b25701fe362ec84616a93a45ce9998
SHA1d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA51298c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84