Malware Analysis Report

2025-01-22 19:08

Sample ID 240724-tygttaydnc
Target 6c2823f90322d1f0f6bccda71490485a_JaffaCakes118
SHA256 a0e4e73ae659b896893702a2f0f2ed251a89103cf2d0fc8235dc4d639f63fe1e
Tags macro, discovery, macro_on_action
Score 8/10

Analysis Overview

Score

8/10

SHA256

a0e4e73ae659b896893702a2f0f2ed251a89103cf2d0fc8235dc4d639f63fe1e

Threat Level: Likely malicious

The file 6c2823f90322d1f0f6bccda71490485a_JaffaCakes118 was found to be: Likely malicious.

Malicious Activity Summary

Tags: macro, discovery, macro_on_action

Office macro that triggers on suspicious action

Suspicious Office macro

Deletes itself

Drops file in Windows directory

System Location Discovery: System Language Discovery

Office loads VBA resources, possible macro or embedded object present

Enumerates system info in registry

Suspicious use of WriteProcessMemory

NTFS ADS

Suspicious behavior: AddClipboardFormatListener

Suspicious behavior: RenamesItself

Suspicious use of SetWindowsHookEx

Checks processor information in registry

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-07-24 16:27

Signatures

Suspicious Office macro

macro
Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-24 16:27

Reported

2024-07-24 16:31

Platform

win7-20240704-en

Max time kernel

120s

Max time network

121s

Command Line

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\6c2823f90322d1f0f6bccda71490485a_JaffaCakes118.doc"

Signatures

Office macro that triggers on suspicious action

macro, macro_on_action
Description Indicator Process Target
N/A N/A N/A N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Debug\WIA\wiatrace.log C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Office loads VBA resources, possible macro or embedded object present

NTFS ADS

Description Indicator Process Target
File created C:\Users\Admin\AppData\Local\Temp\~WRD0001.tmp\:Zone.Identifier:$DATA C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
File created C:\Users\Admin\AppData\Local\Temp\~WRD0003.tmp\:Zone.Identifier:$DATA C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious behavior: RenamesItself

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Processes

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\6c2823f90322d1f0f6bccda71490485a_JaffaCakes118.doc"

C:\Windows\splwow64.exe

C:\Windows\splwow64.exe 12288

Network

N/A

Files

C:\Users\Admin\AppData\Local\Temp\~WRD0001.tmp

MD5 c8de0ada76bc10dbd1b57272f414eefb
SHA1 16c9399f254c5e17671ab8ad47bbae5f2f64d2d1
SHA256 75b91ce6b4cae2278d1bfb6f7db98fb0864c183db27cceb5e02895e7cb12fbb3
SHA512 be3896f61c6bb8f6a4cadd88201cec8ce6df53142821c1989cf4fe7d60a7ec8d2896fc29c9eb06ab993d981bbb8cb823f56257c40d2058b58c3a126467dc9c5c

C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

MD5 f334899a17299fcf0c2cd92aaca542e9
SHA1 f1633cf8aa75c25b0dd56c69b6c62e42a57a09e6
SHA256 548aeb4e4fbba4ac9f8a715b851bb9bcdf1bc0a19664480f799b0b8bdef79af2
SHA512 b27c6623d2c5b4bf5188ab33284a64efa88f93d889e46377cbb3f8804186d4f72ca0a098b150336f5a9c2061accd3addbf8aba2dae12ccf01841e5ffc8dcad81

C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

MD5 f8d7303608c4e6b43856b8d7ba413ee9
SHA1 839a437249f4d56739d712c51679dd794d1dd360
SHA256 57e7eada9a9f8e57a4e98a0b47b47045a050ab5c30d483fd60e89399d4fd9d3d
SHA512 580d5c5256cbd4d2355d1a676f12aa45515d4d23353398b4f76941aa72daa24a78267fdea937e80004adb9e6bfc4cd0d32e80244ad3b04db69936a439f8fbe07

C:\Users\Admin\AppData\Local\Temp\6c2823f90322d1f0f6bccda71490485a_JaffaCakes118.doc

MD5 9082281e7655e18e8deb5fcc451c6d86
SHA1 09134097d3e52470d38d1fd8560846967cade4cd
SHA256 e1b326994a0c67396bc86fc1da7d082e76948c12f1ee45b278a0d8945b2d77b3
SHA512 fbd5faf1d0fbbfd16abf0a1c1c28c4204d16b0e97f9a00877f837a1c80af62c38ff4cf7b27debf7dda616f837ee1e659080eb280966ec0887876795d522dcb12

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-24 16:27

Reported

2024-07-24 16:32

Platform

win10v2004-20240709-en

Max time kernel

102s

Max time network

127s

Command Line

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\6c2823f90322d1f0f6bccda71490485a_JaffaCakes118.doc" /o ""

Signatures

Office macro that triggers on suspicious action

macro, macro_on_action
Description Indicator Process Target
N/A N/A N/A N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

NTFS ADS

Description Indicator Process Target
File created C:\Users\Admin\AppData\Local\Temp\~WRD0004.tmp\:Zone.Identifier:$DATA C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
File created C:\Users\Admin\AppData\Local\Temp\~WRD0002.tmp\:Zone.Identifier:$DATA C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Processes

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\6c2823f90322d1f0f6bccda71490485a_JaffaCakes118.doc" /o ""

Network

Country Destination Domain Proto
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 roaming.officeapps.live.com udp
FR 52.109.68.129:443 roaming.officeapps.live.com tcp
US 8.8.8.8:53 46.28.109.52.in-addr.arpa udp
US 8.8.8.8:53 129.68.109.52.in-addr.arpa udp
US 8.8.8.8:53 82.177.190.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 15.173.189.20.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 metadata.templates.cdn.office.net udp
GB 2.16.167.163:443 metadata.templates.cdn.office.net tcp
US 8.8.8.8:53 binaries.templates.cdn.office.net udp
GB 173.222.211.57:443 binaries.templates.cdn.office.net tcp
GB 173.222.211.57:443 binaries.templates.cdn.office.net tcp
GB 173.222.211.57:443 binaries.templates.cdn.office.net tcp
GB 173.222.211.57:443 binaries.templates.cdn.office.net tcp
GB 173.222.211.57:443 binaries.templates.cdn.office.net tcp
GB 173.222.211.57:443 binaries.templates.cdn.office.net tcp
GB 173.222.211.57:443 binaries.templates.cdn.office.net tcp
GB 173.222.211.57:443 binaries.templates.cdn.office.net tcp
GB 173.222.211.57:443 binaries.templates.cdn.office.net tcp
GB 173.222.211.57:443 binaries.templates.cdn.office.net tcp
GB 173.222.211.57:443 binaries.templates.cdn.office.net tcp
GB 173.222.211.57:443 binaries.templates.cdn.office.net tcp
GB 173.222.211.57:443 binaries.templates.cdn.office.net tcp
US 8.8.8.8:53 163.167.16.2.in-addr.arpa udp
US 8.8.8.8:53 57.211.222.173.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Roaming\Microsoft\Templates\~WRD0000.tmp

MD5 d78e920fae880b5d06a1d5cfc4f5df71
SHA1 4537ba8ce40a18f083a14f36ca0d412784b4c3fe
SHA256 4ae18bd6d42caa69143b60732c0cc00ab8e96772811154c14292bcf73ca72842
SHA512 497144b23d1734ea8ab4dfbec415217d6ce0ed178e97ad292c4e9909109328af60c6753bf91874294d551f28d008665832fec6e1ff2b9204421f725f2cfe16f2

C:\Users\Admin\AppData\Local\Temp\~WRD0002.tmp

MD5 8dced94f1a50bd9930af23ff6d334064
SHA1 31245be06bf6a61003bccf462a355e3a86d8f8f5
SHA256 9d416e977dbb4de19ecedbac21f1ffc5e2523d4debbf41834dc255ca3a5c9fba
SHA512 2a0d869cdba147b35c0580eee104005d5a74a9ba230e4fd2686078fc1dcab2b9f4ce76a42adbcfd22212bce802875e93e1121ccb39d11b8459d67fdfc6dbf02f

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\B13BBA2F.wmf

MD5 0522d8dcdc9860ea7f4b9966c5d466b9
SHA1 7dd16a4d0159a3c2bc81fdb7893a0ebdf925bdc1
SHA256 80742dade91f8c7521277ea827aa93e8a13d100997a24f9afb4e3568224cb8d0
SHA512 0ab2c5abbf5823d36d452440d1f0d8dd1e0f297855dbb8536de9eccad29e62c2585f81fd2f3f6e804221421f011482b10f402645ae0784dd550269452c5c6c08

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

MD5 dc7a588575aeed7e2cd7581c050c49fd
SHA1 81b1a059724af7f27d5bc8321df0692095825b04
SHA256 2e7efc952be8dd4e5d09a171a219e0386376118a1920aa1fdb370f56eb77f634
SHA512 318e3e524c7b3d30f6de842ca58e3ebfe2ec4a205c543e0872b99c55beda4b04fc9bacc4fe2659d5741335e9d9533ce65a3c0377050ec31c4983da715fed4ea1

C:\Users\Admin\AppData\Local\Temp\TCDEE4F.tmp\sist02.xsl

MD5 f883b260a8d67082ea895c14bf56dd56
SHA1 7954565c1f243d46ad3b1e2f1baf3281451fc14b
SHA256 ef4835db41a485b56c2ef0ff7094bc2350460573a686182bc45fd6613480e353
SHA512 d95924a499f32d9b4d9a7d298502181f9e9048c21dbe0496fa3c3279b263d6f7d594b859111a99b1a53bd248ee69b867d7b1768c42e1e40934e0b990f0ce051e

C:\Users\Admin\AppData\Local\Temp\~WRD0004.tmp

MD5 a43fdb2e31fb314aca78134b478830e5
SHA1 583fea9d0f142bdaba9a5cfaaa972fc0d118fd01
SHA256 947fcff569c7db5ff1a4afee14a794782e76b620a612d7f3a7ec2ba5885c423e
SHA512 5be9d321ddb3382f4811a4b0e73527a7e417e82b0a02bcaea2a782d06502431f84bd6f6d4b3960683a0783defc47abcd4a8b806bcf03a1acdc0a01571f413f71

C:\Users\Admin\AppData\Roaming\Microsoft\Templates\~WRD3054.tmp

MD5 61e9996bcebb8ef3c3ff30b9b659dd6e
SHA1 63c294fea04986068b6ad3b481753b94923c2ef6
SHA256 a8f3eb3a0568623f8f9635cb793032398ac0c6f5c143e387e8e3257ea8288472
SHA512 90fb346ff7d193ac78b1ded3dc822e9732a2a1a74649503aad649f2baa4c7f8e25b8675a83f80685dd03abb5906c230cbbb75fa57926bee2e359492aa51c66e7
