Analysis Overview
SHA256
a0e4e73ae659b896893702a2f0f2ed251a89103cf2d0fc8235dc4d639f63fe1e
Threat Level: Likely malicious
The file 6c2823f90322d1f0f6bccda71490485a_JaffaCakes118 was found to be: Likely malicious.
Malicious Activity Summary
Office macro that triggers on suspicious action
Suspicious Office macro
Deletes itself
Drops file in Windows directory
System Location Discovery: System Language Discovery
Office loads VBA resources, possible macro or embedded object present
Enumerates system info in registry
Suspicious use of WriteProcessMemory
NTFS ADS
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: RenamesItself
Suspicious use of SetWindowsHookEx
Checks processor information in registry
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-07-24 16:27
Signatures
Suspicious Office macro
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-07-24 16:27
Reported
2024-07-24 16:31
Platform
win7-20240704-en
Max time kernel
120s
Max time network
121s
Command Line
Signatures
Office macro that triggers on suspicious action
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\Debug\WIA\wiatrace.log | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
Office loads VBA resources, possible macro or embedded object present
NTFS ADS
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Local\Temp\~WRD0001.tmp\:Zone.Identifier:$DATA | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| File created | C:\Users\Admin\AppData\Local\Temp\~WRD0003.tmp\:Zone.Identifier:$DATA | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
Suspicious behavior: RenamesItself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3068 wrote to memory of 2164 | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | C:\Windows\splwow64.exe |
| PID 3068 wrote to memory of 2164 | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | C:\Windows\splwow64.exe |
| PID 3068 wrote to memory of 2164 | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | C:\Windows\splwow64.exe |
| PID 3068 wrote to memory of 2164 | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | C:\Windows\splwow64.exe |
Processes
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\6c2823f90322d1f0f6bccda71490485a_JaffaCakes118.doc"
C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
Network
Files
C:\Users\Admin\AppData\Local\Temp\~WRD0001.tmp
| MD5 | c8de0ada76bc10dbd1b57272f414eefb |
| SHA1 | 16c9399f254c5e17671ab8ad47bbae5f2f64d2d1 |
| SHA256 | 75b91ce6b4cae2278d1bfb6f7db98fb0864c183db27cceb5e02895e7cb12fbb3 |
| SHA512 | be3896f61c6bb8f6a4cadd88201cec8ce6df53142821c1989cf4fe7d60a7ec8d2896fc29c9eb06ab993d981bbb8cb823f56257c40d2058b58c3a126467dc9c5c |
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm
| MD5 | f334899a17299fcf0c2cd92aaca542e9 |
| SHA1 | f1633cf8aa75c25b0dd56c69b6c62e42a57a09e6 |
| SHA256 | 548aeb4e4fbba4ac9f8a715b851bb9bcdf1bc0a19664480f799b0b8bdef79af2 |
| SHA512 | b27c6623d2c5b4bf5188ab33284a64efa88f93d889e46377cbb3f8804186d4f72ca0a098b150336f5a9c2061accd3addbf8aba2dae12ccf01841e5ffc8dcad81 |
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm
| MD5 | f8d7303608c4e6b43856b8d7ba413ee9 |
| SHA1 | 839a437249f4d56739d712c51679dd794d1dd360 |
| SHA256 | 57e7eada9a9f8e57a4e98a0b47b47045a050ab5c30d483fd60e89399d4fd9d3d |
| SHA512 | 580d5c5256cbd4d2355d1a676f12aa45515d4d23353398b4f76941aa72daa24a78267fdea937e80004adb9e6bfc4cd0d32e80244ad3b04db69936a439f8fbe07 |
C:\Users\Admin\AppData\Local\Temp\6c2823f90322d1f0f6bccda71490485a_JaffaCakes118.doc
| MD5 | 9082281e7655e18e8deb5fcc451c6d86 |
| SHA1 | 09134097d3e52470d38d1fd8560846967cade4cd |
| SHA256 | e1b326994a0c67396bc86fc1da7d082e76948c12f1ee45b278a0d8945b2d77b3 |
| SHA512 | fbd5faf1d0fbbfd16abf0a1c1c28c4204d16b0e97f9a00877f837a1c80af62c38ff4cf7b27debf7dda616f837ee1e659080eb280966ec0887876795d522dcb12 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-07-24 16:27
Reported
2024-07-24 16:32
Platform
win10v2004-20240709-en
Max time kernel
102s
Max time network
127s
Command Line
Signatures
Office macro that triggers on suspicious action
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
NTFS ADS
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Local\Temp\~WRD0004.tmp\:Zone.Identifier:$DATA | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| File created | C:\Users\Admin\AppData\Local\Temp\~WRD0002.tmp\:Zone.Identifier:$DATA | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
Suspicious use of SetWindowsHookEx
Processes
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\6c2823f90322d1f0f6bccda71490485a_JaffaCakes118.doc" /o ""
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | roaming.officeapps.live.com | udp |
| FR | 52.109.68.129:443 | roaming.officeapps.live.com | tcp |
| US | 8.8.8.8:53 | 46.28.109.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 129.68.109.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 82.177.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.173.189.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | metadata.templates.cdn.office.net | udp |
| GB | 2.16.167.163:443 | metadata.templates.cdn.office.net | tcp |
| US | 8.8.8.8:53 | binaries.templates.cdn.office.net | udp |
| GB | 173.222.211.57:443 | binaries.templates.cdn.office.net | tcp |
| GB | 173.222.211.57:443 | binaries.templates.cdn.office.net | tcp |
| GB | 173.222.211.57:443 | binaries.templates.cdn.office.net | tcp |
| GB | 173.222.211.57:443 | binaries.templates.cdn.office.net | tcp |
| GB | 173.222.211.57:443 | binaries.templates.cdn.office.net | tcp |
| GB | 173.222.211.57:443 | binaries.templates.cdn.office.net | tcp |
| GB | 173.222.211.57:443 | binaries.templates.cdn.office.net | tcp |
| GB | 173.222.211.57:443 | binaries.templates.cdn.office.net | tcp |
| GB | 173.222.211.57:443 | binaries.templates.cdn.office.net | tcp |
| GB | 173.222.211.57:443 | binaries.templates.cdn.office.net | tcp |
| GB | 173.222.211.57:443 | binaries.templates.cdn.office.net | tcp |
| GB | 173.222.211.57:443 | binaries.templates.cdn.office.net | tcp |
| GB | 173.222.211.57:443 | binaries.templates.cdn.office.net | tcp |
| US | 8.8.8.8:53 | 163.167.16.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.211.222.173.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\~WRD0000.tmp
| MD5 | d78e920fae880b5d06a1d5cfc4f5df71 |
| SHA1 | 4537ba8ce40a18f083a14f36ca0d412784b4c3fe |
| SHA256 | 4ae18bd6d42caa69143b60732c0cc00ab8e96772811154c14292bcf73ca72842 |
| SHA512 | 497144b23d1734ea8ab4dfbec415217d6ce0ed178e97ad292c4e9909109328af60c6753bf91874294d551f28d008665832fec6e1ff2b9204421f725f2cfe16f2 |
C:\Users\Admin\AppData\Local\Temp\~WRD0002.tmp
| MD5 | 8dced94f1a50bd9930af23ff6d334064 |
| SHA1 | 31245be06bf6a61003bccf462a355e3a86d8f8f5 |
| SHA256 | 9d416e977dbb4de19ecedbac21f1ffc5e2523d4debbf41834dc255ca3a5c9fba |
| SHA512 | 2a0d869cdba147b35c0580eee104005d5a74a9ba230e4fd2686078fc1dcab2b9f4ce76a42adbcfd22212bce802875e93e1121ccb39d11b8459d67fdfc6dbf02f |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\B13BBA2F.wmf
| MD5 | 0522d8dcdc9860ea7f4b9966c5d466b9 |
| SHA1 | 7dd16a4d0159a3c2bc81fdb7893a0ebdf925bdc1 |
| SHA256 | 80742dade91f8c7521277ea827aa93e8a13d100997a24f9afb4e3568224cb8d0 |
| SHA512 | 0ab2c5abbf5823d36d452440d1f0d8dd1e0f297855dbb8536de9eccad29e62c2585f81fd2f3f6e804221421f011482b10f402645ae0784dd550269452c5c6c08 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
| MD5 | dc7a588575aeed7e2cd7581c050c49fd |
| SHA1 | 81b1a059724af7f27d5bc8321df0692095825b04 |
| SHA256 | 2e7efc952be8dd4e5d09a171a219e0386376118a1920aa1fdb370f56eb77f634 |
| SHA512 | 318e3e524c7b3d30f6de842ca58e3ebfe2ec4a205c543e0872b99c55beda4b04fc9bacc4fe2659d5741335e9d9533ce65a3c0377050ec31c4983da715fed4ea1 |
C:\Users\Admin\AppData\Local\Temp\TCDEE4F.tmp\sist02.xsl
| MD5 | f883b260a8d67082ea895c14bf56dd56 |
| SHA1 | 7954565c1f243d46ad3b1e2f1baf3281451fc14b |
| SHA256 | ef4835db41a485b56c2ef0ff7094bc2350460573a686182bc45fd6613480e353 |
| SHA512 | d95924a499f32d9b4d9a7d298502181f9e9048c21dbe0496fa3c3279b263d6f7d594b859111a99b1a53bd248ee69b867d7b1768c42e1e40934e0b990f0ce051e |
C:\Users\Admin\AppData\Local\Temp\~WRD0004.tmp
| MD5 | a43fdb2e31fb314aca78134b478830e5 |
| SHA1 | 583fea9d0f142bdaba9a5cfaaa972fc0d118fd01 |
| SHA256 | 947fcff569c7db5ff1a4afee14a794782e76b620a612d7f3a7ec2ba5885c423e |
| SHA512 | 5be9d321ddb3382f4811a4b0e73527a7e417e82b0a02bcaea2a782d06502431f84bd6f6d4b3960683a0783defc47abcd4a8b806bcf03a1acdc0a01571f413f71 |
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\~WRD3054.tmp
| MD5 | 61e9996bcebb8ef3c3ff30b9b659dd6e |
| SHA1 | 63c294fea04986068b6ad3b481753b94923c2ef6 |
| SHA256 | a8f3eb3a0568623f8f9635cb793032398ac0c6f5c143e387e8e3257ea8288472 |
| SHA512 | 90fb346ff7d193ac78b1ded3dc822e9732a2a1a74649503aad649f2baa4c7f8e25b8675a83f80685dd03abb5906c230cbbb75fa57926bee2e359492aa51c66e7 |