Malware Analysis Report

2025-03-15 07:55

Sample ID 240810-2qfksasbnq
Target 87fb1f2038dce987999f852e292e55b6_JaffaCakes118
SHA256 1ead47f0addbaee04a50b6f4aaa9b888d5f029bd3a5f5617e4b713f4b3554ba7
Tags
macro macro_on_action discovery
score
8/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
8/10

SHA256

1ead47f0addbaee04a50b6f4aaa9b888d5f029bd3a5f5617e4b713f4b3554ba7

Threat Level: Likely malicious

The file 87fb1f2038dce987999f852e292e55b6_JaffaCakes118 was found to be: Likely malicious.

Malicious Activity Summary

macro macro_on_action discovery

Office macro that triggers on suspicious action

Suspicious Office macro

Abuses OpenXML format to download file from external location

Drops file in Windows directory

System Location Discovery: System Language Discovery

Office loads VBA resources, possible macro or embedded object present

Suspicious behavior: AddClipboardFormatListener

Suspicious use of SetWindowsHookEx

Enumerates system info in registry

Modifies registry class

Suspicious use of WriteProcessMemory

Checks processor information in registry

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-08-10 22:46

Signatures

Office macro that triggers on suspicious action

macro macro_on_action
Description Indicator Process Target
N/A N/A N/A N/A

Suspicious Office macro

macro
Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-10 22:46

Reported

2024-08-10 22:49

Platform

win7-20240708-en

Max time kernel

146s

Max time network

152s

Command Line

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\87fb1f2038dce987999f852e292e55b6_JaffaCakes118.doc"

Signatures

Abuses OpenXML format to download file from external location

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key opened \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Office\Common\Offline\Files\https://dailyemploy.com/day.php?3MdyBdY15LPK8BE94BcOvCXAeb2UgJK1:pt33551 C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Debug\WIA\wiatrace.log C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A

Office loads VBA resources, possible macro or embedded object present

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_CLASSES\Wow6432Node\Interface\{04598FC3-866C-11CF-AB7C-00AA00C08FCF}\ = "IScrollbar" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_CLASSES\Interface\{5512D123-5CC6-11CF-8D67-00AA00BDCE1D} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_CLASSES\Interface\{8BD21D12-EC42-11CE-9E0D-00AA006002F3} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_CLASSES\Interface\{8BD21D42-EC42-11CE-9E0D-00AA006002F3}\ = "MdcCheckBoxEvents" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_CLASSES\Interface\{47FF8FE4-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents5" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_CLASSES\Interface\{04598FC8-866C-11CF-AB7C-00AA00C08FCF}\ = "_UserForm" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_CLASSES\Wow6432Node\Interface\{9A4BBF53-4E46-101B-8BBD-00AA003E3B29}\ = "ControlEvents" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_CLASSES\Wow6432Node\Interface\{04598FC1-866C-11CF-AB7C-00AA00C08FCF}\ = "ILabelControl" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_CLASSES\Wow6432Node\Interface\{5CEF5613-713D-11CE-80C9-00AA00611080} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_CLASSES\Wow6432Node\Interface\{8BD21D42-EC42-11CE-9E0D-00AA006002F3} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_CLASSES\Interface\{4C5992A5-6926-101B-9992-00000B65C6F9} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_CLASSES\TypeLib\{9404EF77-62C9-46D8-92EC-B65B421103FA}\2.0\HELPDIR C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_CLASSES\Interface\{8BD21D23-EC42-11CE-9E0D-00AA006002F3} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_CLASSES\Interface\{A38BFFC3-A5A0-11CE-8107-00AA00611080} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_CLASSES\Interface\{CF3F94A0-F546-11CE-9BCE-00AA00608E01}\ = "OptionFrameEvents" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_CLASSES\Interface\{04598FC1-866C-11CF-AB7C-00AA00C08FCF} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_CLASSES\Wow6432Node\Interface\{04598FC4-866C-11CF-AB7C-00AA00C08FCF}\ = "ICommandButton" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_CLASSES\Wow6432Node\Interface\{5512D117-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLCheckbox" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_CLASSES\Wow6432Node\Interface\{796ED650-5FE9-11CF-8D68-00AA00BDCE1D}\ = "WHTMLControlEvents" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_CLASSES\Interface\{47FF8FE3-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents4" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_CLASSES\TypeLib\{9404EF77-62C9-46D8-92EC-B65B421103FA}\2.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\VBE\\MSForms.exd" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_CLASSES\Wow6432Node\Interface\{BEF6E003-A874-101A-8BBA-00AA00300CAB} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_CLASSES\Wow6432Node\Interface\{29B86A70-F52E-11CE-9BCE-00AA00608E01}\ = "IOptionFrame" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_CLASSES\Wow6432Node\Interface\{EC72F590-F375-11CE-B9E8-00AA006B1A69} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_CLASSES\Wow6432Node\Interface\{8A683C91-BA84-11CF-8110-00A0C9030074}\ = "IReturnEffect" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_CLASSES\Wow6432Node\Interface\{04598FC3-866C-11CF-AB7C-00AA00C08FCF} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_CLASSES\Wow6432Node\Interface\{04598FC8-866C-11CF-AB7C-00AA00C08FCF} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_CLASSES\Interface\{04598FC4-866C-11CF-AB7C-00AA00C08FCF}\ = "ICommandButton" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_CLASSES\Wow6432Node\Interface\{8BD21D63-EC42-11CE-9E0D-00AA006002F3} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_CLASSES\TypeLib\{9404EF77-62C9-46D8-92EC-B65B421103FA}\2.0\ = "Microsoft Forms 2.0 Object Library" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_CLASSES\Interface\{29B86A70-F52E-11CE-9BCE-00AA00608E01}\ = "IOptionFrame" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_CLASSES\Interface\{8BD21D13-EC42-11CE-9E0D-00AA006002F3}\ = "IMdcText" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9404EF77-62C9-46D8-92EC-B65B421103FA}\2.0\0 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_CLASSES\Wow6432Node\Interface\{7B020EC1-AF6C-11CE-9F46-00AA00574A4F}\ = "CommandButtonEvents" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_CLASSES\Interface\{5512D123-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLSelect" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_CLASSES\Interface\{47FF8FE8-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents9" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_CLASSES\Interface\{04598FC9-866C-11CF-AB7C-00AA00C08FCF} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_CLASSES\Interface\{82B02372-B5BC-11CF-810F-00A0C9030074}\ = "IReturnString" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_CLASSES\Interface\{04598FC3-866C-11CF-AB7C-00AA00C08FCF} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_CLASSES\Interface\{5512D115-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLReset" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_CLASSES\Wow6432Node\Interface\{8BD21D52-EC42-11CE-9E0D-00AA006002F3} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_CLASSES\Interface\{8BD21D62-EC42-11CE-9E0D-00AA006002F3}\ = "MdcToggleButtonEvents" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_CLASSES\Interface\{7B020EC7-AF6C-11CE-9F46-00AA00574A4F} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_CLASSES\TypeLib\{9404EF77-62C9-46D8-92EC-B65B421103FA}\2.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\VBE" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_CLASSES\Interface\{8A683C90-BA84-11CF-8110-00A0C9030074}\ = "IReturnSingle" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_CLASSES\Wow6432Node\Interface\{5512D11B-5CC6-11CF-8D67-00AA00BDCE1D} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_CLASSES\Wow6432Node\Interface\{8BD21D32-EC42-11CE-9E0D-00AA006002F3}\ = "MdcComboEvents" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_CLASSES\Interface\{796ED650-5FE9-11CF-8D68-00AA00BDCE1D} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_CLASSES\Wow6432Node\Interface\{82B02370-B5BC-11CF-810F-00A0C9030074}\ = "IReturnInteger" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_CLASSES\Interface\{04598FC2-866C-11CF-AB7C-00AA00C08FCF} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_CLASSES\Wow6432Node\Interface\{5512D125-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLTextArea" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_CLASSES\Wow6432Node\Interface\{8A683C90-BA84-11CF-8110-00A0C9030074}\ = "IReturnSingle" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_CLASSES\Wow6432Node\Interface\{8BD21D52-EC42-11CE-9E0D-00AA006002F3}\ = "MdcOptionButtonEvents" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_CLASSES\Wow6432Node\Interface\{47FF8FE8-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents9" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_CLASSES\Wow6432Node\Interface\{4C599243-6926-101B-9992-00000B65C6F9}\ = "IImage" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_CLASSES\Wow6432Node\Interface\{5512D111-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLSubmitButton" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_CLASSES\Interface\{978C9E22-D4B0-11CE-BF2D-00AA003F40D0}\ = "LabelControlEvents" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_CLASSES\Interface\{8BD21D52-EC42-11CE-9E0D-00AA006002F3}\ = "MdcOptionButtonEvents" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_CLASSES\Interface\{7B020EC2-AF6C-11CE-9F46-00AA00574A4F}\ = "ScrollbarEvents" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_CLASSES\Interface\{5512D113-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLImage" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_CLASSES\Interface\{47FF8FE5-6198-11CF-8CE8-00AA006CB389} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_CLASSES\Wow6432Node\Interface\{04598FC9-866C-11CF-AB7C-00AA00C08FCF}\ = "IMultiPage" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_CLASSES\Interface\{79176FB3-B7F2-11CE-97EF-00AA006D2776}\ = "ISpinbutton" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_CLASSES\Wow6432Node\Interface\{5512D111-5CC6-11CF-8D67-00AA00BDCE1D} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Processes

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\87fb1f2038dce987999f852e292e55b6_JaffaCakes118.doc"

C:\Windows\splwow64.exe

C:\Windows\splwow64.exe 12288

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 dailyemploy.com udp
US 52.71.57.184:443 dailyemploy.com tcp
US 54.209.32.212:443 dailyemploy.com tcp

Files

memory/3020-0-0x000000002FFE1000-0x000000002FFE2000-memory.dmp

memory/3020-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

memory/3020-2-0x0000000070E0D000-0x0000000070E18000-memory.dmp

memory/3020-11-0x0000000070E0D000-0x0000000070E18000-memory.dmp

memory/3020-61-0x0000000000510000-0x0000000000610000-memory.dmp

memory/3020-62-0x0000000000510000-0x0000000000610000-memory.dmp

memory/3020-76-0x0000000000510000-0x0000000000610000-memory.dmp

memory/3020-94-0x0000000000510000-0x0000000000610000-memory.dmp

memory/3020-105-0x0000000000510000-0x0000000000610000-memory.dmp

memory/3020-108-0x0000000000510000-0x0000000000610000-memory.dmp

memory/3020-98-0x0000000000510000-0x0000000000610000-memory.dmp

memory/3020-109-0x0000000000510000-0x0000000000610000-memory.dmp

memory/3020-107-0x0000000000510000-0x0000000000610000-memory.dmp

memory/3020-106-0x0000000000510000-0x0000000000610000-memory.dmp

memory/3020-104-0x0000000000510000-0x0000000000610000-memory.dmp

memory/3020-103-0x0000000000510000-0x0000000000610000-memory.dmp

memory/3020-102-0x0000000000510000-0x0000000000610000-memory.dmp

memory/3020-101-0x0000000000510000-0x0000000000610000-memory.dmp

memory/3020-100-0x0000000000510000-0x0000000000610000-memory.dmp

memory/3020-99-0x0000000000510000-0x0000000000610000-memory.dmp

memory/3020-97-0x0000000000510000-0x0000000000610000-memory.dmp

memory/3020-96-0x0000000000510000-0x0000000000610000-memory.dmp

memory/3020-95-0x0000000000510000-0x0000000000610000-memory.dmp

memory/3020-93-0x0000000000510000-0x0000000000610000-memory.dmp

memory/3020-85-0x0000000000510000-0x0000000000610000-memory.dmp

memory/3020-136-0x0000000000510000-0x0000000000610000-memory.dmp

memory/3020-122-0x0000000000510000-0x0000000000610000-memory.dmp

memory/3020-516-0x0000000000510000-0x0000000000610000-memory.dmp

memory/3020-517-0x0000000006E50000-0x0000000006F50000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\{E3E7C522-811A-4DAC-9FCF-EAA830D5BC4E}

MD5 665bff24209478dffaa8552d3b6753ef
SHA1 5d3d9bf98eea0c57da001c2f0ef2eec2f4cb1d80
SHA256 8c21631deb7561d8bfde25b85812a5de1d6924c7f649e5284ba641744af345c2
SHA512 b9eb76eb902495ff6ca6646dd31f9c7a8df384f4016b6e797568baea5a90ec1ec4c0b955e175b47c3a311306a39da54041741d4fe56be9229103baaacea43790

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{96640DC5-6CC9-4FBA-8629-3B8D1A8B0B4F}.FSD

MD5 99947f99b99052cfac58404d34dcebfc
SHA1 1dbc27eeba5c00c1397d42d06d1b063ac15d9576
SHA256 2056f4114831ded11f05cd31aa6917209143feb7044add8598660844bd8b3586
SHA512 e95762c23f980a09e3ebdb6e905718aa67eba5d8bcb6b162ced357ab98b7738f3ff5b4c34111f6c4c3503ec0488b9638bc004ec1c1afd8bd4daf9fd33c4c25d7

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD

MD5 15bfa2a7fe0fd0552f0b49afcbe6e02e
SHA1 315fc8253ae90657849bd2105c2ec8a84060bebb
SHA256 aae9f8e6ae886f6accbdcc19d4af1394fde3b5ee4217e9b615ed3bda91282199
SHA512 03f3705fe0f6e387bec11a8f5325f7ec5746bb5d460502f718df6d0002df3e2266b25bbd787d6de8ab4bed43f317ef4dafd56ee66e2fa06b81b38c1e4ea33765

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{28E82EC2-9C4A-4FAC-AD80-E9438BF56C3E}.FSD

MD5 0b7f2fe02b5ee19a3356febc5586667e
SHA1 810e519050fb8622dcca2a85e6ebac0e1511d68b
SHA256 6e9147deab63a86a776755f5ed190cbcccc093a429bd1e5e976ba83b8ad0790d
SHA512 7a63a999cf4be1dda993973854619e0d67407359b0f258532025facb4df794c024b808a9d0cb3a599c233e81173748278e6f3d543f34b31a4859e62d1516beab

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-10 22:46

Reported

2024-08-10 22:49

Platform

win10v2004-20240802-en

Max time kernel

144s

Max time network

150s

Command Line

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\87fb1f2038dce987999f852e292e55b6_JaffaCakes118.doc" /o ""

Signatures

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeAuditPrivilege N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Processes

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\87fb1f2038dce987999f852e292e55b6_JaffaCakes118.doc" /o ""

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4372,i,3239535018877284530,3457823197501312703,262144 --variations-seed-version --mojo-platform-channel-handle=4400 /prefetch:8

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 roaming.officeapps.live.com udp
GB 52.109.28.47:443 roaming.officeapps.live.com tcp
US 8.8.8.8:53 69.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 47.28.109.52.in-addr.arpa udp
US 8.8.8.8:53 237.21.107.13.in-addr.arpa udp
US 8.8.8.8:53 123.10.44.20.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 metadata.templates.cdn.office.net udp
GB 2.17.209.140:443 metadata.templates.cdn.office.net tcp
US 8.8.8.8:53 binaries.templates.cdn.office.net udp
GB 95.101.28.57:443 binaries.templates.cdn.office.net tcp
GB 95.101.28.57:443 binaries.templates.cdn.office.net tcp
GB 95.101.28.57:443 binaries.templates.cdn.office.net tcp
GB 95.101.28.57:443 binaries.templates.cdn.office.net tcp
GB 95.101.28.57:443 binaries.templates.cdn.office.net tcp
GB 95.101.28.57:443 binaries.templates.cdn.office.net tcp
GB 95.101.28.57:443 binaries.templates.cdn.office.net tcp
GB 95.101.28.57:443 binaries.templates.cdn.office.net tcp
GB 95.101.28.57:443 binaries.templates.cdn.office.net tcp
GB 95.101.28.57:443 binaries.templates.cdn.office.net tcp
GB 95.101.28.57:443 binaries.templates.cdn.office.net tcp
GB 95.101.28.57:443 binaries.templates.cdn.office.net tcp
GB 95.101.28.57:443 binaries.templates.cdn.office.net tcp
GB 95.101.28.57:443 binaries.templates.cdn.office.net tcp
GB 95.101.28.57:443 binaries.templates.cdn.office.net tcp
GB 95.101.28.57:443 binaries.templates.cdn.office.net tcp
GB 95.101.28.57:443 binaries.templates.cdn.office.net tcp
GB 95.101.28.57:443 binaries.templates.cdn.office.net tcp
GB 95.101.28.57:443 binaries.templates.cdn.office.net tcp
GB 95.101.28.57:443 binaries.templates.cdn.office.net tcp
GB 95.101.28.57:443 binaries.templates.cdn.office.net tcp
GB 95.101.28.57:443 binaries.templates.cdn.office.net tcp
GB 95.101.28.57:443 binaries.templates.cdn.office.net tcp
GB 95.101.28.57:443 binaries.templates.cdn.office.net tcp
GB 95.101.28.57:443 binaries.templates.cdn.office.net tcp
GB 95.101.28.57:443 binaries.templates.cdn.office.net tcp
US 8.8.8.8:53 140.209.17.2.in-addr.arpa udp
GB 95.101.28.57:443 binaries.templates.cdn.office.net tcp
GB 95.101.28.57:443 binaries.templates.cdn.office.net tcp
GB 95.101.28.57:443 binaries.templates.cdn.office.net tcp
GB 95.101.28.57:443 binaries.templates.cdn.office.net tcp
GB 95.101.28.57:443 binaries.templates.cdn.office.net tcp
GB 95.101.28.57:443 binaries.templates.cdn.office.net tcp
GB 95.101.28.57:443 binaries.templates.cdn.office.net tcp
GB 95.101.28.57:443 binaries.templates.cdn.office.net tcp
GB 95.101.28.57:443 binaries.templates.cdn.office.net tcp
GB 95.101.28.57:443 binaries.templates.cdn.office.net tcp
GB 95.101.28.57:443 binaries.templates.cdn.office.net tcp
GB 95.101.28.57:443 binaries.templates.cdn.office.net tcp
GB 95.101.28.57:443 binaries.templates.cdn.office.net tcp
GB 95.101.28.57:443 binaries.templates.cdn.office.net tcp
GB 95.101.28.57:443 binaries.templates.cdn.office.net tcp
US 8.8.8.8:53 57.28.101.95.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 dailyemploy.com udp
US 54.161.222.85:443 dailyemploy.com tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 91.65.42.20.in-addr.arpa udp
US 34.205.242.146:443 dailyemploy.com tcp
US 52.71.57.184:443 dailyemploy.com tcp

Files

memory/64-0-0x00007FF8678D0000-0x00007FF8678E0000-memory.dmp

memory/64-2-0x00007FF8678D0000-0x00007FF8678E0000-memory.dmp

memory/64-1-0x00007FF8A78ED000-0x00007FF8A78EE000-memory.dmp

memory/64-3-0x00007FF8678D0000-0x00007FF8678E0000-memory.dmp

memory/64-5-0x00007FF8A7850000-0x00007FF8A7A45000-memory.dmp

memory/64-7-0x00007FF8A7850000-0x00007FF8A7A45000-memory.dmp

memory/64-8-0x00007FF8A7850000-0x00007FF8A7A45000-memory.dmp

memory/64-9-0x00007FF8A7850000-0x00007FF8A7A45000-memory.dmp

memory/64-13-0x00007FF8A7850000-0x00007FF8A7A45000-memory.dmp

memory/64-14-0x00007FF866920000-0x00007FF866930000-memory.dmp

memory/64-12-0x00007FF8A7850000-0x00007FF8A7A45000-memory.dmp

memory/64-11-0x00007FF8A7850000-0x00007FF8A7A45000-memory.dmp

memory/64-16-0x00007FF8A7850000-0x00007FF8A7A45000-memory.dmp

memory/64-17-0x00007FF8A7850000-0x00007FF8A7A45000-memory.dmp

memory/64-19-0x00007FF8A7850000-0x00007FF8A7A45000-memory.dmp

memory/64-18-0x00007FF866920000-0x00007FF866930000-memory.dmp

memory/64-15-0x00007FF8A7850000-0x00007FF8A7A45000-memory.dmp

memory/64-10-0x00007FF8A7850000-0x00007FF8A7A45000-memory.dmp

memory/64-6-0x00007FF8678D0000-0x00007FF8678E0000-memory.dmp

memory/64-4-0x00007FF8678D0000-0x00007FF8678E0000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC

MD5 d29962abc88624befc0135579ae485ec
SHA1 e40a6458296ec6a2427bcb280572d023a9862b31
SHA256 a91a702aab9b8dd722843d3d208a21bcfa6556dfc64e2ded63975de4511eb866
SHA512 4311e87d8d5559248d4174908817a4ddc917bf7378114435cf12da8ccb7a1542c851812afbaf7dc106771bdb2e2d05f52e7d0c50d110fc7fffe4395592492c2f

memory/64-42-0x00007FF8A7850000-0x00007FF8A7A45000-memory.dmp

memory/64-43-0x00007FF8A78ED000-0x00007FF8A78EE000-memory.dmp

memory/64-44-0x00007FF8A7850000-0x00007FF8A7A45000-memory.dmp

memory/64-45-0x00007FF8A7850000-0x00007FF8A7A45000-memory.dmp

memory/64-46-0x00007FF8A7850000-0x00007FF8A7A45000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\TCDB1B7.tmp\iso690.xsl

MD5 ff0e07eff1333cdf9fc2523d323dd654
SHA1 77a1ae0dd8dbc3fee65dd6266f31e2a564d088a4
SHA256 3f925e0cc1542f09de1f99060899eafb0042bb9682507c907173c392115a44b5
SHA512 b4615f995fab87661c2dbe46625aa982215d7bde27cafae221dca76087fe76da4b4a381943436fcac1577cb3d260d0050b32b7b93e3eb07912494429f126bb3d

memory/64-578-0x00007FF8A7850000-0x00007FF8A7A45000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\73362C6E-8E4F-41FA-BFC8-87DCB2EA2712

MD5 8aa4e3fa54db3a20f0f3a8e534e3e53e
SHA1 6f886f9c3cfb392e3c1a3b2323b8485f2a61fd5c
SHA256 52e97c06f64db46ba2955465571d5ee48ecb18bf49e1d6671bd8139ab3df6bd5
SHA512 373410f2d8ebcca4a9a9f71b164b1afbfb4df9dc6b9d44dd37b5fadb628a9d8789e425be10cf86f1d0d96d0dc8010cae3b0582851278e532adef5b2277e53667

C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\49dbe2955480c7f6ef8cec9c4320c9868d9293fd.tbres

MD5 ddbe4a9babff28eb7cec4c0bab58e0e2
SHA1 985a50c93f250cfe47b4c717f728cd4a97f23eba
SHA256 0e194c7c00ccc5649875d15c96191662a191d743923a014430d39927683c2127
SHA512 03cc1901a1ae4999b09e16e181678da76f4c0724176f8342b66d1386ce91e808fefb2bb70fa624d1a654d329f09ad2e0e1e7e02474dd511cd134a536b96f4bd6

C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres

MD5 8e70949e741246a1ef898395400b17e6
SHA1 66fc9630588a86b9a2b8b138fe891677eff6661a
SHA256 1a2e11a5e136a3b8450a379ecb1f257222b8fda20561a0610f52c237c04af19c
SHA512 23e1142ba73cc84e6652d89460a44dd48f539bb67c90829e3089adb3e785e11959758a3b16a9d896c8ca6e3e322f4ce47b3eda94625c421c5c4f89fb614b63fb

memory/64-1081-0x00007FF8A7850000-0x00007FF8A7A45000-memory.dmp