e8597eab95b5059d4287830cca765c30b930dabdc1cd8c6065235d45de636e21

Analysis

max time kernel
119s
max time network
122s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
25-07-2024 17:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

708da8440e441c06002ab25828ef73a3_JaffaCakes118.doc
Size

111KB
MD5

708da8440e441c06002ab25828ef73a3
SHA1

a499d2c7ba0b8f35dd4218139108864f523e9859
SHA256

e8597eab95b5059d4287830cca765c30b930dabdc1cd8c6065235d45de636e21
SHA512

5731d72ae1def03bd9f4239ca9cc9375630c66ac0e6fc0c7318ade6bd4fb5d9e3ff20647b38d1a2bd0939c94385183ae6803244ddd0ad826f6ce6f0ee49b87e8
SSDEEP

1536:5k/b1dNHicn2WQPoQpn/THmK1K4/yZoD+zKj/XAqSnuB9PVrl+QBEh:5kD1rH/n2WMrGnxWSu3V5B

Score

8^/10

discovery macro macro_on_action

Malware Config

Signatures

Office macro that triggers on suspicious action 1 IoCs

Office document macro which triggers in special circumstances - often malicious.

macro macro_on_action

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\708da8440e441c06002ab25828ef73a3_JaffaCakes118.doc	office_macro_on_action

Deletes itself 1 IoCs

Processes:

WINWORD.EXE

pid process

2204 WINWORD.EXE
Drops file in Windows directory 1 IoCs

Processes:

WINWORD.EXE

description ioc process

File opened for modification C:\Windows\Debug\WIA\wiatrace.log WINWORD.EXE
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
discovery

System Language Discovery
T1614.001

Processes:

WINWORD.EXE

description ioc process

Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WINWORD.EXE
Office loads VBA resources, possible macro or embedded object present
NTFS ADS 1 IoCs

Processes:

WINWORD.EXE

description ioc process

File created C:\Users\Admin\AppData\Local\Temp\~WRD0001.tmp\:Zone.Identifier:$DATA WINWORD.EXE
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

WINWORD.EXE

pid process

2204 WINWORD.EXE
Suspicious behavior: RenamesItself 1 IoCs

Processes:

WINWORD.EXE

pid process

2204 WINWORD.EXE
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

WINWORD.EXE

pid process

2204 WINWORD.EXE
2204 WINWORD.EXE

pid	process
2204	WINWORD.EXE

description	ioc	process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WINWORD.EXE

description	ioc	process
File created	C:\Users\Admin\AppData\Local\Temp\~WRD0001.tmp\:Zone.Identifier:$DATA	WINWORD.EXE

pid	process
2204	WINWORD.EXE

pid	process
2204	WINWORD.EXE

pid	process
2204	WINWORD.EXE
2204	WINWORD.EXE

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

WINWORD.EXE

description	pid	process	target process
PID 2204 wrote to memory of 2628	2204	WINWORD.EXE	splwow64.exe
PID 2204 wrote to memory of 2628	2204	WINWORD.EXE	splwow64.exe
PID 2204 wrote to memory of 2628	2204	WINWORD.EXE	splwow64.exe
PID 2204 wrote to memory of 2628	2204	WINWORD.EXE	splwow64.exe

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\708da8440e441c06002ab25828ef73a3_JaffaCakes118.doc"
1⤵
- Deletes itself
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- NTFS ADS
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2204

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
2⤵
PID:2628

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\708da8440e441c06002ab25828ef73a3_JaffaCakes118.doc

Filesize
114KB

MD5
a6b916d73d3b0bafbe27c40ef0e71f41

SHA1
8a1163baf004a131d497704d2748ce07fd0e9d48

SHA256
cbbab09a6273da38e91d6b7b9944dd939973113050d894762017390471971c57

SHA512
844d294bd41b8302f66a0adddb81ebbbbd919811bd8e6ef01b21b9a86397ae36be4f0a0058e6e35f174232f3e818a895f316ac772453e00f1330c5980195f5e7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

Filesize
27KB

MD5
8c399d44e457a29de098f760068ada56

SHA1
ebd91f7358af99f4252b25be4f0d452a1f7751ef

SHA256
9443a24e36347f2367c1620925337a7c9331a12e334ab2138b80308b3b36573f

SHA512
82b984af476b626bf3edbdfc58f1ea0d8d5e571cc50e692d2b926c9662c3bd3d31e9a9ff785f1f5d1f8aa878c64e6ebaa05156a8675fb4064d029d0b8e34fc46

Download Submit
memory/2204-0-0x000000002F5C1000-0x000000002F5C2000-memory.dmp

Filesize
4KB

Download
memory/2204-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2204-2-0x000000007125D000-0x0000000071268000-memory.dmp

Filesize
44KB

Download
memory/2204-6-0x0000000000240000-0x0000000000340000-memory.dmp

Filesize
1024KB

Download
memory/2204-7-0x0000000000240000-0x0000000000340000-memory.dmp

Filesize
1024KB

Download
memory/2204-4-0x0000000000240000-0x0000000000340000-memory.dmp

Filesize
1024KB

Download
memory/2204-9-0x0000000000240000-0x0000000000340000-memory.dmp

Filesize
1024KB

Download
memory/2204-8-0x0000000000240000-0x0000000000340000-memory.dmp

Filesize
1024KB

Download
memory/2204-11-0x0000000000240000-0x0000000000340000-memory.dmp

Filesize
1024KB

Download
memory/2204-5-0x0000000000240000-0x0000000000340000-memory.dmp

Filesize
1024KB

Download
memory/2204-15-0x0000000000240000-0x0000000000340000-memory.dmp

Filesize
1024KB

Download
memory/2204-16-0x0000000000240000-0x0000000000340000-memory.dmp

Filesize
1024KB

Download
memory/2204-14-0x0000000000240000-0x0000000000340000-memory.dmp

Filesize
1024KB

Download
memory/2204-13-0x0000000000240000-0x0000000000340000-memory.dmp

Filesize
1024KB

Download
memory/2204-12-0x0000000000240000-0x0000000000340000-memory.dmp

Filesize
1024KB

Download
memory/2204-10-0x0000000000240000-0x0000000000340000-memory.dmp

Filesize
1024KB

Download
memory/2204-17-0x0000000000240000-0x0000000000340000-memory.dmp

Filesize
1024KB

Download
memory/2204-22-0x0000000000240000-0x0000000000340000-memory.dmp

Filesize
1024KB

Download
memory/2204-20-0x0000000000240000-0x0000000000340000-memory.dmp

Filesize
1024KB

Download
memory/2204-19-0x0000000000240000-0x0000000000340000-memory.dmp

Filesize
1024KB

Download
memory/2204-18-0x0000000000240000-0x0000000000340000-memory.dmp

Filesize
1024KB

Download
memory/2204-21-0x0000000000240000-0x0000000000340000-memory.dmp

Filesize
1024KB

Download
memory/2204-34-0x000000007125D000-0x0000000071268000-memory.dmp

Filesize
44KB

Download
memory/2204-35-0x0000000000240000-0x0000000000340000-memory.dmp

Filesize
1024KB

Download
memory/2204-36-0x0000000000240000-0x0000000000340000-memory.dmp

Filesize
1024KB

Download
memory/2204-39-0x0000000000240000-0x0000000000340000-memory.dmp

Filesize
1024KB

Download
memory/2204-69-0x0000000000240000-0x0000000000340000-memory.dmp

Filesize
1024KB

Download
memory/2204-73-0x0000000005D70000-0x0000000005E70000-memory.dmp

Filesize
1024KB

Download
memory/2204-76-0x0000000000240000-0x0000000000340000-memory.dmp

Filesize
1024KB

Download
memory/2204-75-0x0000000000240000-0x0000000000340000-memory.dmp

Filesize
1024KB

Download
memory/2204-74-0x0000000005D70000-0x0000000005E70000-memory.dmp

Filesize
1024KB

Download
memory/2204-72-0x0000000005D70000-0x0000000005E70000-memory.dmp

Filesize
1024KB

Download
memory/2204-71-0x0000000000240000-0x0000000000340000-memory.dmp

Filesize
1024KB

Download
memory/2204-70-0x0000000000240000-0x0000000000340000-memory.dmp

Filesize
1024KB

Download
memory/2204-68-0x0000000000240000-0x0000000000340000-memory.dmp

Filesize
1024KB

Download
memory/2204-67-0x0000000000240000-0x0000000000340000-memory.dmp

Filesize
1024KB

Download
memory/2204-66-0x0000000000240000-0x0000000000340000-memory.dmp

Filesize
1024KB

Download
memory/2204-65-0x0000000000240000-0x0000000000340000-memory.dmp

Filesize
1024KB

Download
memory/2204-63-0x0000000000240000-0x0000000000340000-memory.dmp

Filesize
1024KB

Download
memory/2204-62-0x0000000000240000-0x0000000000340000-memory.dmp

Filesize
1024KB

Download
memory/2204-61-0x0000000000240000-0x0000000000340000-memory.dmp

Filesize
1024KB

Download
memory/2204-60-0x0000000000240000-0x0000000000340000-memory.dmp

Filesize
1024KB

Download
memory/2204-59-0x0000000000240000-0x0000000000340000-memory.dmp

Filesize
1024KB

Download
memory/2204-58-0x0000000000240000-0x0000000000340000-memory.dmp

Filesize
1024KB

Download
memory/2204-56-0x0000000000240000-0x0000000000340000-memory.dmp

Filesize
1024KB

Download
memory/2204-93-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2204-38-0x0000000000240000-0x0000000000340000-memory.dmp

Filesize
1024KB

Download
memory/2204-37-0x0000000000240000-0x0000000000340000-memory.dmp

Filesize
1024KB

Download
memory/2204-64-0x0000000000240000-0x0000000000340000-memory.dmp

Filesize
1024KB

Download
memory/2204-57-0x0000000000240000-0x0000000000340000-memory.dmp

Filesize
1024KB

Download
memory/2204-94-0x000000007125D000-0x0000000071268000-memory.dmp

Filesize
44KB

Download