dfce1d462c53941da0f1d933698bb705c792f9f878f0a6820397e3f7209ea0b5

Analysis

max time kernel
117s
max time network
118s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
11/08/2024, 19:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8b9eaf7a43033ddcada3788878d60665_JaffaCakes118.docm
Size

382KB
MD5

8b9eaf7a43033ddcada3788878d60665
SHA1

29387bd86769349d09e65ab685a17eb8759b1bc2
SHA256

dfce1d462c53941da0f1d933698bb705c792f9f878f0a6820397e3f7209ea0b5
SHA512

b74351062e01f8f50dc7407797149e8b19a0e8228ce7ea645280461d673b6f98d87cb6ebc24320c481143a36e8dc7789dab165f01735357917784e8d7f35bd97
SSDEEP

6144:4/2GQYO2wfyqUBDD5LpUuTSVbkecVQYP3yil1s8HsDsXAYeTkpoCz7Jcp:4+RaqUBDDppUugqiYKaBYs1pok7ip

Score

4^/10

discovery

Malware Config

Signatures

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WINWORD.EXE

Office loads VBA resources, possible macro or embedded object present

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Local\Temp\http:\bit.ly\2HloaderqVbva	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2700	WINWORD.EXE

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2700	WINWORD.EXE

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2700	WINWORD.EXE
2700	WINWORD.EXE

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2700 wrote to memory of 2980	2700	WINWORD.EXE	32
PID 2700 wrote to memory of 2980	2700	WINWORD.EXE	32
PID 2700 wrote to memory of 2980	2700	WINWORD.EXE	32
PID 2700 wrote to memory of 2980	2700	WINWORD.EXE	32

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\8b9eaf7a43033ddcada3788878d60665_JaffaCakes118.docm"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- NTFS ADS
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2700
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:2980

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD

Filesize
128KB

MD5
b0ebc58606ea28704c733e22e42d2f9e

SHA1
c0e60eb84777064d048562015529238c9f301c5a

SHA256
d9c4494f9523c3c154814b56a18298516cfbe78605cbad3944c35ef7ed841237

SHA512
8f912ac5d0067f2a8706518a946f3b5df58d26605c10c58a8e5d30ede8a7a553371757cf6a843c0cc568331f2044e8edf02c7754dc9d0e475e8f9ec13f77e978

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\3E9CF202.emf

Filesize
39KB

MD5
c2485d9ae8e561a192571bc6a1285725

SHA1
5547d74bc1ef2ddc668398f07ca34d6b6ad2393c

SHA256
5c3e2dd465a682f147a42238021c54ca029774971f6738d680443af925381166

SHA512
be629b38d008fd7abb6285797dcf6164df09a4f3fd43449f8b49e9bcf9c9270f4795f6fc00b43fe074418099d0a1a7b90d576c9b5d628b8191c8bfcf5cebba2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\{1504F5EF-EB73-41CE-BB26-16FABF8294F9}

Filesize
128KB

MD5
e20d9c406e037c63d75fc1125fcb0efb

SHA1
4ff90dd7a3aabb2e66e2f42c2151482a765c2e1d

SHA256
bd4a0c7040e4f9137f9009149e735a35ba7cd3a006365936977d99468f916990

SHA512
3944791735f0f03cb939c542deb8b3c32abf051e98897c975fa4205801430d5791eac77854126bbdad9e6c7dcab7ee30769af67763799b967f1ba6b08b5e6c81

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

Filesize
19KB

MD5
2b1f89a42d039bd0a4ef16806c46e36d

SHA1
cf0a35ecb912597d150b9509141d72a5c64b84d7

SHA256
f27a8a58c52f8e82cba81f0283db5fabbde79df02d06b55c9776fddaf423913c

SHA512
143e052f55ae9fcb351422f3a16d63578e2c99463ea5076acafd7bc99ca0125ec914571b3ef73ceaa097c9abcd5e6463074b4bf6f0a99cf7fe00af11fbdaea45

Download Submit
memory/2700-0-0x000000002F3D1000-0x000000002F3D2000-memory.dmp

Filesize
4KB

Download
memory/2700-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2700-2-0x00000000710AD000-0x00000000710B8000-memory.dmp

Filesize
44KB

Download
memory/2700-81-0x00000000710AD000-0x00000000710B8000-memory.dmp

Filesize
44KB

Download
memory/2700-104-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2700-107-0x00000000710AD000-0x00000000710B8000-memory.dmp

Filesize
44KB

Download