Malware Analysis Report

2025-03-15 07:56

Sample ID 240814-xpb4raydjd
Target 974b3f4d15efa34e473f00b267b356ad_JaffaCakes118
SHA256 4ac75a46b0893f4225cd7aeffa73fc9876277928900b4d4acaf5b6c0aa09dbcc
Tags
macro macro_on_action discovery
score
8/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
8/10

SHA256

4ac75a46b0893f4225cd7aeffa73fc9876277928900b4d4acaf5b6c0aa09dbcc

Threat Level: Likely malicious

The file 974b3f4d15efa34e473f00b267b356ad_JaffaCakes118 was found to be: Likely malicious.

Malicious Activity Summary

macro macro_on_action discovery

Suspicious Office macro

Office macro that triggers on suspicious action

Abuses OpenXML format to download file from external location

Drops file in Windows directory

System Location Discovery: System Language Discovery

Office loads VBA resources, possible macro or embedded object present

Enumerates system info in registry

Modifies registry class

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Checks processor information in registry

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: AddClipboardFormatListener

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-08-14 19:01

Signatures

Office macro that triggers on suspicious action

macro macro_on_action
Description Indicator Process Target
N/A N/A N/A N/A

Suspicious Office macro

macro
Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-14 19:01

Reported

2024-08-14 19:03

Platform

win7-20240705-en

Max time kernel

148s

Max time network

137s

Command Line

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\974b3f4d15efa34e473f00b267b356ad_JaffaCakes118.doc"

Signatures

Abuses OpenXML format to download file from external location

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key opened \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Office\Common\Offline\Files\https://dailyemploy.com/day.php?AiRXNsryBN9TPVHIcrsQEtXLmuahVY0L:z3128219 C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Debug\WIA\wiatrace.log C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A

Office loads VBA resources, possible macro or embedded object present

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\TypeLib\{E6F52F14-2234-406A-B850-A30C82373CBE}\2.0\ = "Microsoft Forms 2.0 Object Library" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\TypeLib\{E6F52F14-2234-406A-B850-A30C82373CBE}\2.0\0 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\Interface\{8BD21D13-EC42-11CE-9E0D-00AA006002F3}\ = "IMdcText" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\Interface\{04598FC2-866C-11CF-AB7C-00AA00C08FCF} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\Interface\{4C599243-6926-101B-9992-00000B65C6F9} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\Interface\{8BD21D32-EC42-11CE-9E0D-00AA006002F3}\ = "MdcComboEvents" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\Wow6432Node\Interface\{04598FC9-866C-11CF-AB7C-00AA00C08FCF}\ = "IMultiPage" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\Interface\{8BD21D13-EC42-11CE-9E0D-00AA006002F3} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\Wow6432Node\Interface\{8BD21D43-EC42-11CE-9E0D-00AA006002F3}\ = "IMdcCheckBox" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\Interface\{8BD21D12-EC42-11CE-9E0D-00AA006002F3}\ = "MdcTextEvents" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\Wow6432Node\Interface\{7B020EC2-AF6C-11CE-9F46-00AA00574A4F} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\Wow6432Node\Interface\{47FF8FE9-6198-11CF-8CE8-00AA006CB389} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\Interface\{5512D111-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLSubmitButton" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\Interface\{5512D11D-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLHidden" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\Interface\{47FF8FE8-6198-11CF-8CE8-00AA006CB389} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\TypeLib C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\TypeLib\{E6F52F14-2234-406A-B850-A30C82373CBE} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\Wow6432Node\Interface\{5512D11D-5CC6-11CF-8D67-00AA00BDCE1D} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\Wow6432Node\Interface\{9A4BBF53-4E46-101B-8BBD-00AA003E3B29} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\Interface\{5512D115-5CC6-11CF-8D67-00AA00BDCE1D} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\Interface\{47FF8FE0-6198-11CF-8CE8-00AA006CB389} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\Interface\{47FF8FE3-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents4" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\Interface\{04598FC4-866C-11CF-AB7C-00AA00C08FCF}\ = "ICommandButton" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\Interface\{5512D113-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLImage" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\Interface\{7B020EC1-AF6C-11CE-9F46-00AA00574A4F} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\Wow6432Node\Interface\{8BD21D42-EC42-11CE-9E0D-00AA006002F3} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\Wow6432Node\Interface\{4C5992A5-6926-101B-9992-00000B65C6F9} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\Interface\{EC72F590-F375-11CE-B9E8-00AA006B1A69}\ = "IDataAutoWrapper" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\Interface\{944ACF93-A1E6-11CE-8104-00AA00611080} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\Interface\{47FF8FE5-6198-11CF-8CE8-00AA006CB389} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\Wow6432Node\Interface\{47FF8FE8-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents9" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\Wow6432Node\Interface\{7B020EC1-AF6C-11CE-9F46-00AA00574A4F}\ = "CommandButtonEvents" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\Wow6432Node\Interface\{47FF8FE2-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents3" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\Wow6432Node\Interface\{944ACF93-A1E6-11CE-8104-00AA00611080} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\Wow6432Node\Interface\{5512D111-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLSubmitButton" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\Wow6432Node\Interface\{5512D11B-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLText" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\Interface\{7B020EC2-AF6C-11CE-9F46-00AA00574A4F} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\Interface\{47FF8FE0-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\Interface\{47FF8FE3-6198-11CF-8CE8-00AA006CB389} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\TypeLib\{E6F52F14-2234-406A-B850-A30C82373CBE}\2.0\FLAGS\ = "6" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\Interface\{82B02370-B5BC-11CF-810F-00A0C9030074}\ = "IReturnInteger" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\Wow6432Node\Interface\{CF3F94A0-F546-11CE-9BCE-00AA00608E01}\ = "OptionFrameEvents" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\Wow6432Node\Interface\{8BD21D43-EC42-11CE-9E0D-00AA006002F3} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\Wow6432Node\Interface\{8BD21D53-EC42-11CE-9E0D-00AA006002F3}\ = "IMdcOptionButton" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\Interface\{978C9E22-D4B0-11CE-BF2D-00AA003F40D0}\ = "LabelControlEvents" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\Interface\{47FF8FE1-6198-11CF-8CE8-00AA006CB389} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\Interface\{EC72F590-F375-11CE-B9E8-00AA006B1A69} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\Interface\{CF3F94A0-F546-11CE-9BCE-00AA00608E01} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\Interface\{5512D111-5CC6-11CF-8D67-00AA00BDCE1D} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\Wow6432Node\Interface\{5512D115-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLReset" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\Interface\{79176FB2-B7F2-11CE-97EF-00AA006D2776}\ = "SpinbuttonEvents" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\Wow6432Node\Interface\{7B020EC8-AF6C-11CE-9F46-00AA00574A4F}\ = "MultiPageEvents" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\Interface\{7B020EC8-AF6C-11CE-9F46-00AA00574A4F}\ = "MultiPageEvents" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E6F52F14-2234-406A-B850-A30C82373CBE}\2.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\VBE\\MSForms.exd" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\Interface\{BEF6E003-A874-101A-8BBA-00AA00300CAB} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\Interface\{8A683C91-BA84-11CF-8110-00A0C9030074}\ = "IReturnEffect" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\Interface\{5512D119-5CC6-11CF-8D67-00AA00BDCE1D} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\Interface\{7B020EC8-AF6C-11CE-9F46-00AA00574A4F} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\Interface\{8A683C90-BA84-11CF-8110-00A0C9030074} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\Interface\{5512D11F-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLPassword" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\Interface\{47FF8FE1-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents2" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\Wow6432Node\Interface\{8BD21D23-EC42-11CE-9E0D-00AA006002F3} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\Interface\{8BD21D63-EC42-11CE-9E0D-00AA006002F3} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\Wow6432Node\Interface\{8BD21D22-EC42-11CE-9E0D-00AA006002F3} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Processes

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\974b3f4d15efa34e473f00b267b356ad_JaffaCakes118.doc"

C:\Windows\splwow64.exe

C:\Windows\splwow64.exe 12288

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 dailyemploy.com udp
US 54.209.32.212:443 dailyemploy.com tcp
US 52.71.57.184:443 dailyemploy.com tcp

Files

memory/1688-0-0x000000002F791000-0x000000002F792000-memory.dmp

memory/1688-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

memory/1688-2-0x000000007115D000-0x0000000071168000-memory.dmp

memory/1688-5-0x000000007115D000-0x0000000071168000-memory.dmp

memory/1688-13-0x00000000004F0000-0x00000000005F0000-memory.dmp

memory/1688-19-0x00000000004F0000-0x00000000005F0000-memory.dmp

memory/1688-56-0x0000000007150000-0x0000000007250000-memory.dmp

memory/1688-57-0x00000000004F0000-0x00000000005F0000-memory.dmp

memory/1688-55-0x00000000004F0000-0x00000000005F0000-memory.dmp

memory/1688-53-0x00000000004F0000-0x00000000005F0000-memory.dmp

memory/1688-52-0x00000000004F0000-0x00000000005F0000-memory.dmp

memory/1688-51-0x00000000004F0000-0x00000000005F0000-memory.dmp

memory/1688-50-0x00000000004F0000-0x00000000005F0000-memory.dmp

memory/1688-49-0x00000000004F0000-0x00000000005F0000-memory.dmp

memory/1688-48-0x00000000004F0000-0x00000000005F0000-memory.dmp

memory/1688-47-0x00000000004F0000-0x00000000005F0000-memory.dmp

memory/1688-46-0x00000000004F0000-0x00000000005F0000-memory.dmp

memory/1688-45-0x00000000004F0000-0x00000000005F0000-memory.dmp

memory/1688-44-0x00000000004F0000-0x00000000005F0000-memory.dmp

memory/1688-42-0x00000000004F0000-0x00000000005F0000-memory.dmp

memory/1688-41-0x00000000004F0000-0x00000000005F0000-memory.dmp

memory/1688-40-0x00000000004F0000-0x00000000005F0000-memory.dmp

memory/1688-39-0x00000000004F0000-0x00000000005F0000-memory.dmp

memory/1688-38-0x00000000004F0000-0x00000000005F0000-memory.dmp

memory/1688-37-0x00000000004F0000-0x00000000005F0000-memory.dmp

memory/1688-36-0x00000000004F0000-0x00000000005F0000-memory.dmp

memory/1688-35-0x00000000004F0000-0x00000000005F0000-memory.dmp

memory/1688-34-0x00000000004F0000-0x00000000005F0000-memory.dmp

memory/1688-32-0x00000000004F0000-0x00000000005F0000-memory.dmp

memory/1688-31-0x00000000004F0000-0x00000000005F0000-memory.dmp

memory/1688-27-0x00000000004F0000-0x00000000005F0000-memory.dmp

memory/1688-26-0x00000000004F0000-0x00000000005F0000-memory.dmp

memory/1688-25-0x00000000004F0000-0x00000000005F0000-memory.dmp

memory/1688-23-0x00000000004F0000-0x00000000005F0000-memory.dmp

memory/1688-71-0x00000000004F0000-0x00000000005F0000-memory.dmp

memory/1688-54-0x00000000004F0000-0x00000000005F0000-memory.dmp

memory/1688-22-0x00000000004F0000-0x00000000005F0000-memory.dmp

memory/1688-21-0x00000000004F0000-0x00000000005F0000-memory.dmp

memory/1688-20-0x00000000004F0000-0x00000000005F0000-memory.dmp

memory/1688-18-0x00000000004F0000-0x00000000005F0000-memory.dmp

memory/1688-17-0x00000000004F0000-0x00000000005F0000-memory.dmp

memory/1688-16-0x00000000004F0000-0x00000000005F0000-memory.dmp

memory/1688-15-0x00000000004F0000-0x00000000005F0000-memory.dmp

memory/1688-14-0x00000000004F0000-0x00000000005F0000-memory.dmp

memory/1688-12-0x00000000004F0000-0x00000000005F0000-memory.dmp

memory/1688-11-0x00000000004F0000-0x00000000005F0000-memory.dmp

memory/1688-10-0x00000000004F0000-0x00000000005F0000-memory.dmp

memory/1688-9-0x00000000004F0000-0x00000000005F0000-memory.dmp

memory/1688-8-0x00000000004F0000-0x00000000005F0000-memory.dmp

memory/1688-43-0x00000000004F0000-0x00000000005F0000-memory.dmp

memory/1688-33-0x00000000004F0000-0x00000000005F0000-memory.dmp

memory/1688-29-0x00000000004F0000-0x00000000005F0000-memory.dmp

memory/1688-30-0x00000000004F0000-0x00000000005F0000-memory.dmp

memory/1688-28-0x00000000004F0000-0x00000000005F0000-memory.dmp

memory/1688-24-0x00000000004F0000-0x00000000005F0000-memory.dmp

memory/1688-7-0x00000000004F0000-0x00000000005F0000-memory.dmp

memory/1688-511-0x00000000004F0000-0x00000000005F0000-memory.dmp

memory/1688-512-0x0000000007150000-0x0000000007250000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\{41E5475B-2DA7-4089-9B52-34C7D331C3C1}

MD5 7a24f8d4a9947a3d70e2cbb026f423ea
SHA1 17555b84028ee25b5176b02ea37e1a1aebb4e7d9
SHA256 e90bb9a3c00793574bed1f8408126541ccf69e4866c12e36aa8400fba185c2e9
SHA512 c1fb0d4fe0303251c4549f4bada351bd4050a97c27405c5c5934cc0419a89bb95edced76595767944537aba4189aeafd2940dc6a9739701ba65d06ba021add30

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{C78830CC-0915-4993-827B-0A48A3866C00}.FSD

MD5 8fed2d7ef99e5e5ad8aaa978c553ee52
SHA1 208a27832a27ffca4d4b2eadb505a72f521dc507
SHA256 22e55a2cc45463bd24d9609e549b8d085d417ceb8751b8c92d9ee0081b80b42f
SHA512 07504ed908846030321c421806e6866e57d935f54f567a35b71270e6ec0334f145c7a39a39d1c1870054b979e9b0e6343091a6a6f7ff40dfa9407fa3f0aca656

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD

MD5 2a8e505ec954a95b3331637f82e924b8
SHA1 908981db4411e55dcc9cfcc4e272240e4c5cb167
SHA256 014680edd5a2b13b7fd405fdfbfbf3aae80d357dc528935ee91413287c76febf
SHA512 b4501c958983e96f19e1e4a1ad08aa91bdca07108e68c263db7d8a768eb8a3306410c69b083d878ac70efd4814b1b0c385812f89d83df3430cf5eaf09cb29f6c

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{9C003E0C-BAA9-46C3-83E3-86A8FD30EAB7}.FSD

MD5 829dd9ac26c3c1349c6e3deea497201d
SHA1 d20fd6ae7bc3fd9ffa02a3938300220a0bfb8d26
SHA256 7b0d75317a35f0d8eb34c099f08de898d955724962278ecc7d10cbce304decde
SHA512 c99a931a07d8ef5737a6225d893a91e7db901f0b0aaca252de7fde071b736e8881aa298e5afae0e41a07c6e177de6aabb1c949c450525bf708c7fc2f6246a55b

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-14 19:01

Reported

2024-08-14 19:03

Platform

win10v2004-20240802-en

Max time kernel

145s

Max time network

149s

Command Line

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\974b3f4d15efa34e473f00b267b356ad_JaffaCakes118.doc" /o ""

Signatures

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeAuditPrivilege N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Processes

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\974b3f4d15efa34e473f00b267b356ad_JaffaCakes118.doc" /o ""

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4120,i,1729213506309163284,12809566808978835441,262144 --variations-seed-version --mojo-platform-channel-handle=4036 /prefetch:8

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 18.89.109.52.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 roaming.officeapps.live.com udp
GB 52.109.28.47:443 roaming.officeapps.live.com tcp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 47.28.109.52.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 175.117.168.52.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 metadata.templates.cdn.office.net udp
GB 92.123.26.217:443 metadata.templates.cdn.office.net tcp
US 8.8.8.8:53 binaries.templates.cdn.office.net udp
GB 173.222.211.24:443 binaries.templates.cdn.office.net tcp
GB 173.222.211.24:443 binaries.templates.cdn.office.net tcp
GB 173.222.211.24:443 binaries.templates.cdn.office.net tcp
GB 173.222.211.24:443 binaries.templates.cdn.office.net tcp
GB 173.222.211.24:443 binaries.templates.cdn.office.net tcp
GB 173.222.211.24:443 binaries.templates.cdn.office.net tcp
GB 173.222.211.24:443 binaries.templates.cdn.office.net tcp
GB 173.222.211.24:443 binaries.templates.cdn.office.net tcp
GB 173.222.211.24:443 binaries.templates.cdn.office.net tcp
GB 173.222.211.24:443 binaries.templates.cdn.office.net tcp
GB 173.222.211.24:443 binaries.templates.cdn.office.net tcp
GB 173.222.211.24:443 binaries.templates.cdn.office.net tcp
GB 173.222.211.24:443 binaries.templates.cdn.office.net tcp
GB 173.222.211.24:443 binaries.templates.cdn.office.net tcp
GB 173.222.211.24:443 binaries.templates.cdn.office.net tcp
GB 173.222.211.24:443 binaries.templates.cdn.office.net tcp
GB 173.222.211.24:443 binaries.templates.cdn.office.net tcp
GB 173.222.211.24:443 binaries.templates.cdn.office.net tcp
GB 173.222.211.24:443 binaries.templates.cdn.office.net tcp
GB 173.222.211.24:443 binaries.templates.cdn.office.net tcp
GB 173.222.211.24:443 binaries.templates.cdn.office.net tcp
GB 173.222.211.24:443 binaries.templates.cdn.office.net tcp
GB 173.222.211.24:443 binaries.templates.cdn.office.net tcp
GB 173.222.211.24:443 binaries.templates.cdn.office.net tcp
GB 173.222.211.24:443 binaries.templates.cdn.office.net tcp
GB 173.222.211.24:443 binaries.templates.cdn.office.net tcp
GB 173.222.211.24:443 binaries.templates.cdn.office.net tcp
GB 173.222.211.24:443 binaries.templates.cdn.office.net tcp
GB 173.222.211.24:443 binaries.templates.cdn.office.net tcp
GB 173.222.211.24:443 binaries.templates.cdn.office.net tcp
GB 173.222.211.24:443 binaries.templates.cdn.office.net tcp
GB 173.222.211.24:443 binaries.templates.cdn.office.net tcp
GB 173.222.211.24:443 binaries.templates.cdn.office.net tcp
GB 173.222.211.24:443 binaries.templates.cdn.office.net tcp
GB 173.222.211.24:443 binaries.templates.cdn.office.net tcp
GB 173.222.211.24:443 binaries.templates.cdn.office.net tcp
GB 173.222.211.24:443 binaries.templates.cdn.office.net tcp
US 8.8.8.8:53 217.26.123.92.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 24.211.222.173.in-addr.arpa udp
US 8.8.8.8:53 147.142.123.92.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 36.58.20.217.in-addr.arpa udp
US 8.8.8.8:53 dailyemploy.com udp
US 34.205.242.146:443 dailyemploy.com tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 1.173.189.20.in-addr.arpa udp
US 54.161.222.85:443 dailyemploy.com tcp
US 8.8.8.8:53 dailyemploy.com udp
US 54.161.222.85:443 dailyemploy.com tcp

Files

memory/208-4-0x00007FFA0DDB0000-0x00007FFA0DDC0000-memory.dmp

memory/208-3-0x00007FFA0DDB0000-0x00007FFA0DDC0000-memory.dmp

memory/208-5-0x00007FFA0DDB0000-0x00007FFA0DDC0000-memory.dmp

memory/208-7-0x00007FFA4DD30000-0x00007FFA4DF25000-memory.dmp

memory/208-6-0x00007FFA4DD30000-0x00007FFA4DF25000-memory.dmp

memory/208-10-0x00007FFA4DD30000-0x00007FFA4DF25000-memory.dmp

memory/208-11-0x00007FFA4DD30000-0x00007FFA4DF25000-memory.dmp

memory/208-12-0x00007FFA0B970000-0x00007FFA0B980000-memory.dmp

memory/208-9-0x00007FFA4DD30000-0x00007FFA4DF25000-memory.dmp

memory/208-8-0x00007FFA4DD30000-0x00007FFA4DF25000-memory.dmp

memory/208-13-0x00007FFA4DD30000-0x00007FFA4DF25000-memory.dmp

memory/208-15-0x00007FFA4DD30000-0x00007FFA4DF25000-memory.dmp

memory/208-22-0x00007FFA4DD30000-0x00007FFA4DF25000-memory.dmp

memory/208-21-0x00007FFA4DD30000-0x00007FFA4DF25000-memory.dmp

memory/208-20-0x00007FFA4DD30000-0x00007FFA4DF25000-memory.dmp

memory/208-19-0x00007FFA4DD30000-0x00007FFA4DF25000-memory.dmp

memory/208-18-0x00007FFA0B970000-0x00007FFA0B980000-memory.dmp

memory/208-17-0x00007FFA4DD30000-0x00007FFA4DF25000-memory.dmp

memory/208-16-0x00007FFA4DD30000-0x00007FFA4DF25000-memory.dmp

memory/208-14-0x00007FFA4DD30000-0x00007FFA4DF25000-memory.dmp

memory/208-2-0x00007FFA0DDB0000-0x00007FFA0DDC0000-memory.dmp

memory/208-1-0x00007FFA0DDB0000-0x00007FFA0DDC0000-memory.dmp

memory/208-0-0x00007FFA4DDCD000-0x00007FFA4DDCE000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

MD5 54fe140e5fe764e1cd5d4b93bc3c4f16
SHA1 1ca2b2fe4cb629c7a709996a4cb67d54ee1c7e3a
SHA256 3694e22cc314678332ac9faa4fd170fb82c9b33832125a388c283c854114e5d1
SHA512 fa9642faefc3ecfc1ffa61e9ecf3e4dba19dd6f19754b52712f323cc02df6b814ed0370b3be6b9d7d9c82a658b5222e4154b6ac12c42f0b72bbdaa1434eb30ca

memory/208-44-0x00007FFA4DD30000-0x00007FFA4DF25000-memory.dmp

memory/208-45-0x00007FFA4DDCD000-0x00007FFA4DDCE000-memory.dmp

memory/208-46-0x00007FFA4DD30000-0x00007FFA4DF25000-memory.dmp

memory/208-47-0x00007FFA4DD30000-0x00007FFA4DF25000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\TCD3F64.tmp\iso690.xsl

MD5 ff0e07eff1333cdf9fc2523d323dd654
SHA1 77a1ae0dd8dbc3fee65dd6266f31e2a564d088a4
SHA256 3f925e0cc1542f09de1f99060899eafb0042bb9682507c907173c392115a44b5
SHA512 b4615f995fab87661c2dbe46625aa982215d7bde27cafae221dca76087fe76da4b4a381943436fcac1577cb3d260d0050b32b7b93e3eb07912494429f126bb3d

memory/208-577-0x00007FFA4DD30000-0x00007FFA4DF25000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\8FFFAFC4-07D2-4B73-BBF6-84D98D9F8D40

MD5 cec9f694d1f703a12c64e0c189624998
SHA1 d2cd0668788f336a9a0dc54ac178b74979442945
SHA256 abf63c49d0e521e905a428283801a87a4cb7d9ec11b65308bbb44cfcd9df3cee
SHA512 8b5fbe70c6aab3eb1c934b22ffd9427a5a1dedeea8a29d890b9eb1a9b286d9635489481d29fe4256a7b3880cc6324b462e3a0e6c8cc38259449badf01e26ba5d

C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\49dbe2955480c7f6ef8cec9c4320c9868d9293fd.tbres

MD5 684bdecdae0b000bd410e8f42666a2aa
SHA1 02b030f7e8dab59ec8b9080fe76507d0bd7c8396
SHA256 5be3e5832791f55e022c89550a7d37217a439d623f4e3bb75be6a48b4ff17941
SHA512 a71a2671c6352bf9d0d7a0d31b3a7a9ab85500514944dab0cbe627aee7240a83f9ec1d2b1e482024a0cb8c0c64d53cc3bec0d1fcb134c40d80eba9168cbadb09

C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres

MD5 9a1e9a7107a54ef02fd79ad257653b59
SHA1 a2f8800525a3c51ac178589f6cb8f4fdc0078d16
SHA256 44e24d38c4ebb0385ee6d0d8c71ed72ae60b37205eed9973acad1fd56fb13ec6
SHA512 e0484fe2d6a8f51d98bf7c06678ffce820efe7281e2fa7a620fcf4e4fa61e49a1dccd4484f8016257585da471e43d74e94dd7db6c981ce1cbfa2647fc993786b

memory/208-1080-0x00007FFA4DD30000-0x00007FFA4DF25000-memory.dmp