Analysis
- max time kernel: 119s
- max time network: 122s
- platform: windows7_x64
- resource: win7-20240705-en
- resource tags: arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
- submitted: 25-07-2024 17:28
Behavioral task
behavioral1
Sample
708da8440e441c06002ab25828ef73a3_JaffaCakes118.doc
Resource
win7-20240705-en
Behavioral task
behavioral2
Sample
708da8440e441c06002ab25828ef73a3_JaffaCakes118.doc
Resource
win10v2004-20240709-en
General
-
Target
708da8440e441c06002ab25828ef73a3_JaffaCakes118.doc
-
Size
111KB
Malware Config
Signatures
-
Office macro that triggers on suspicious action 1 IoCs
Office document macro which triggers in special circumstances - often malicious.
Processes:
resource: C:\Users\Admin\AppData\Local\Temp\708da8440e441c06002ab25828ef73a3_JaffaCakes118.doc
yara_rule: office_macro_on_action
Deletes itself 1 IoCs
Processes:
pid: 2204, process: WINWORD.EXE
Drops file in Windows directory 1 IoCs
Processes:
description: File opened for modification
ioc: C:\Windows\Debug\WIA\wiatrace.log
process: WINWORD.EXE
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
description: Key opened
ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
process: WINWORD.EXE
Office loads VBA resources, possible macro or embedded object present
-
NTFS ADS 1 IoCs
Processes:
description: File created
ioc: C:\Users\Admin\AppData\Local\Temp\~WRD0001.tmp\:Zone.Identifier:$DATA
process: WINWORD.EXE
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
pid: 2204, process: WINWORD.EXE
Suspicious behavior: RenamesItself 1 IoCs
Processes:
pid: 2204, process: WINWORD.EXE
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
pid: 2204, process: WINWORD.EXE
pid: 2204, process: WINWORD.EXE
Suspicious use of WriteProcessMemory 4 IoCs
Processes:
description: PID 2204 wrote to memory of 2628, pid: 2204, process: WINWORD.EXE, target process: splwow64.exe
description: PID 2204 wrote to memory of 2628, pid: 2204, process: WINWORD.EXE, target process: splwow64.exe
description: PID 2204 wrote to memory of 2628, pid: 2204, process: WINWORD.EXE, target process: splwow64.exe
description: PID 2204 wrote to memory of 2628, pid: 2204, process: WINWORD.EXE, target process: splwow64.exe
Processes
-
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
Command line: "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\708da8440e441c06002ab25828ef73a3_JaffaCakes118.doc"
- Deletes itself
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- NTFS ADS
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID: 2204
Child process: C:\Windows\splwow64.exe
Command line: C:\Windows\splwow64.exe 12288
PID: 2628
Network
MITRE ATT&CK Enterprise v15