Analysis
- max time kernel: 120s
- max time network: 121s
- platform: windows7_x64
- resource: win7-20240704-en
- resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
- submitted: 24-07-2024 16:27
Behavioral task behavioral1
- Sample: 6c2823f90322d1f0f6bccda71490485a_JaffaCakes118.doc
- Resource: win7-20240704-en
Behavioral task behavioral2
- Sample: 6c2823f90322d1f0f6bccda71490485a_JaffaCakes118.doc
- Resource: win10v2004-20240709-en
General
- Target: 6c2823f90322d1f0f6bccda71490485a_JaffaCakes118.doc
- Size: 44KB
- MD5: 6c2823f90322d1f0f6bccda71490485a
- SHA1: faecd289e11103cb2c4b3f2ce03933ba348d764a
- SHA256: a0e4e73ae659b896893702a2f0f2ed251a89103cf2d0fc8235dc4d639f63fe1e
- SHA512: 65d14ad30072f2dda8a0473d096fe76abe76cafc2ff41a6985bfa3ec4c79b080119996b9cc649fef8e158f436decb7e7fde589e5ad6940bd4fee885097957d38
- SSDEEP: 384:lxwHTZzB1vdBmrb3ilC5mijXjfk0t6VV:lcTZB1vdArriA5mYk1
Malware Config
Signatures
- Office macro that triggers on suspicious action (1 IoCs)
  Office document macro which triggers in special circumstances - often malicious.
  resource: behavioral1/files/0x0006000000017491-75.dat; yara_rule: office_macro_on_action
- Deletes itself (1 IoCs)
  pid 3068, Process WINWORD.EXE
- Drops file in Windows directory (1 IoCs)
  File opened for modification: C:\Windows\Debug\WIA\wiatrace.log (Process WINWORD.EXE)
- System Location Discovery: System Language Discovery (1 TTPs, 1 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (Process WINWORD.EXE)
- Office loads VBA resources, possible macro or embedded object present
- NTFS ADS (2 IoCs)
  File created: C:\Users\Admin\AppData\Local\Temp\~WRD0001.tmp\:Zone.Identifier:$DATA (Process WINWORD.EXE)
  File created: C:\Users\Admin\AppData\Local\Temp\~WRD0003.tmp\:Zone.Identifier:$DATA (Process WINWORD.EXE)
- Suspicious behavior: AddClipboardFormatListener (1 IoCs)
  pid 3068, Process WINWORD.EXE
- Suspicious behavior: RenamesItself (1 IoCs)
  pid 3068, Process WINWORD.EXE
- Suspicious use of SetWindowsHookEx (2 IoCs)
  pid 3068, Process WINWORD.EXE (two occurrences)
- Suspicious use of WriteProcessMemory (4 IoCs)
  PID 3068 wrote to memory of 2164 (pid 3068, Process WINWORD.EXE, procid_target 28), reported four times
Processes
1. C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
   Command line: "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\6c2823f90322d1f0f6bccda71490485a_JaffaCakes118.doc"
   PID: 3068
   - Deletes itself
   - Drops file in Windows directory
   - System Location Discovery: System Language Discovery
   - NTFS ADS
   - Suspicious behavior: AddClipboardFormatListener
   - Suspicious behavior: RenamesItself
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\splwow64.exe
      Command line: C:\Windows\splwow64.exe 12288
      PID: 2164
Network
MITRE ATT&CK Enterprise v15
Downloads