Malware Analysis Report

2025-03-15 07:58

Sample ID 240815-zzs65ayfnj
Target 9b9efee36f7392e3f79958d0769e8e98_JaffaCakes118
SHA256 b099ef613e5c00e6b301e1bf60ac4eeece9aa7fade00366a2cb5eee903304934
Tags
discovery macro macro_on_action
score
8/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
8/10

SHA256

b099ef613e5c00e6b301e1bf60ac4eeece9aa7fade00366a2cb5eee903304934

Threat Level: Likely malicious

The file 9b9efee36f7392e3f79958d0769e8e98_JaffaCakes118 was found to be: Likely malicious.

Malicious Activity Summary

discovery macro macro_on_action

Office macro that triggers on suspicious action

Suspicious Office macro

Abuses OpenXML format to download file from external location

Drops file in Windows directory

System Location Discovery: System Language Discovery

Office loads VBA resources, possible macro or embedded object present

Checks processor information in registry

Suspicious use of WriteProcessMemory

Modifies registry class

Enumerates system info in registry

Suspicious behavior: AddClipboardFormatListener

Suspicious use of SetWindowsHookEx

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-08-15 21:09

Signatures

Office macro that triggers on suspicious action

macro macro_on_action
Description Indicator Process Target
N/A N/A N/A N/A

Suspicious Office macro

macro
Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-15 21:09

Reported

2024-08-15 21:12

Platform

win7-20240708-en

Max time kernel

145s

Max time network

144s

Command Line

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\9b9efee36f7392e3f79958d0769e8e98_JaffaCakes118.doc"

Signatures

Abuses OpenXML format to download file from external location

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key opened \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Office\Common\Offline\Files\https://dailyemploy.com/day.php?xlVKn3I2e71FuCNlGDFhoCdY3breDWnD:ZJ421805 C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Debug\WIA\wiatrace.log C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A

Office loads VBA resources, possible macro or embedded object present

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F6DD8A5E-CB11-474C-9463-08E1CB49127A}\2.0\ = "Microsoft Forms 2.0 Object Library" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\Interface\{BEF6E003-A874-101A-8BBA-00AA00300CAB}\ = "Font" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\Interface\{04598FC3-866C-11CF-AB7C-00AA00C08FCF}\ = "IScrollbar" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\Interface\{4C5992A5-6926-101B-9992-00000B65C6F9} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\Interface\{4C5992A5-6926-101B-9992-00000B65C6F9}\ = "ImageEvents" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\Wow6432Node\Interface\{9A4BBF53-4E46-101B-8BBD-00AA003E3B29}\ = "ControlEvents" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\Interface\{CF3F94A0-F546-11CE-9BCE-00AA00608E01} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\Wow6432Node\Interface\{8BD21D53-EC42-11CE-9E0D-00AA006002F3} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\Wow6432Node\Interface\{5512D117-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLCheckbox" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\Interface\{5512D117-5CC6-11CF-8D67-00AA00BDCE1D} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\Interface\{5512D113-5CC6-11CF-8D67-00AA00BDCE1D} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\Wow6432Node\Interface\{47FF8FE5-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents6" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\Interface\{5CEF5613-713D-11CE-80C9-00AA00611080}\ = "IPage" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\Wow6432Node\Interface\{9A4BBF53-4E46-101B-8BBD-00AA003E3B29} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\Wow6432Node\Interface\{04598FC1-866C-11CF-AB7C-00AA00C08FCF} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\Wow6432Node\Interface\{79176FB2-B7F2-11CE-97EF-00AA006D2776} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\Interface\{47FF8FE8-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents9" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\Wow6432Node\Interface\{5512D11F-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLPassword" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\Interface\{8BD21D12-EC42-11CE-9E0D-00AA006002F3} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\Interface\{47FF8FE2-6198-11CF-8CE8-00AA006CB389} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\Interface\{8BD21D42-EC42-11CE-9E0D-00AA006002F3}\ = "MdcCheckBoxEvents" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\Interface\{04598FC6-866C-11CF-AB7C-00AA00C08FCF}\ = "IControl" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\Wow6432Node\Interface\{29B86A70-F52E-11CE-9BCE-00AA00608E01}\ = "IOptionFrame" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\Interface\{5512D123-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLSelect" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\Wow6432Node\Interface\{978C9E22-D4B0-11CE-BF2D-00AA003F40D0} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\Wow6432Node\Interface\{796ED650-5FE9-11CF-8D68-00AA00BDCE1D}\ = "WHTMLControlEvents" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\Interface\{8BD21D13-EC42-11CE-9E0D-00AA006002F3}\ = "IMdcText" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\Interface\{5512D119-5CC6-11CF-8D67-00AA00BDCE1D} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\Wow6432Node\Interface\{4C5992A5-6926-101B-9992-00000B65C6F9} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\Wow6432Node\Interface\{7B020EC8-AF6C-11CE-9F46-00AA00574A4F} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\Interface\{04598FC9-866C-11CF-AB7C-00AA00C08FCF} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\Wow6432Node\Interface\{A38BFFC3-A5A0-11CE-8107-00AA00611080}\ = "Tab" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\Interface\{944ACF93-A1E6-11CE-8104-00AA00611080}\ = "Tabs" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\Interface\{5512D115-5CC6-11CF-8D67-00AA00BDCE1D} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\Interface\{5512D125-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLTextArea" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\Interface\{7B020EC2-AF6C-11CE-9F46-00AA00574A4F} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\Interface\{92E11A03-7358-11CE-80CB-00AA00611080} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\Interface\{5512D111-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLSubmitButton" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\Interface\{5512D11B-5CC6-11CF-8D67-00AA00BDCE1D} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\Interface\{47FF8FE4-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents5" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\Wow6432Node\Interface\{04598FC9-866C-11CF-AB7C-00AA00C08FCF} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\Wow6432Node\Interface\{04598FC8-866C-11CF-AB7C-00AA00C08FCF} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\Interface\{8BD21D53-EC42-11CE-9E0D-00AA006002F3} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\Interface\{5512D123-5CC6-11CF-8D67-00AA00BDCE1D} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\Wow6432Node\Interface\{5B9D8FC8-4A71-101B-97A6-00000B65C08B} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\Wow6432Node\Interface\{944ACF93-A1E6-11CE-8104-00AA00611080} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\Wow6432Node\Interface\{944ACF93-A1E6-11CE-8104-00AA00611080}\ = "Tabs" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\Wow6432Node\Interface\{5512D11B-5CC6-11CF-8D67-00AA00BDCE1D} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\Interface\{47FF8FE0-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\TypeLib\{F6DD8A5E-CB11-474C-9463-08E1CB49127A}\2.0\FLAGS\ = "6" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\Interface\{82B02370-B5BC-11CF-810F-00A0C9030074} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\Wow6432Node\Interface\{04598FC6-866C-11CF-AB7C-00AA00C08FCF}\ = "IControl" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\Interface\{04598FC8-866C-11CF-AB7C-00AA00C08FCF} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\Wow6432Node\Interface\{8BD21D43-EC42-11CE-9E0D-00AA006002F3} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\Wow6432Node\Interface\{04598FC8-866C-11CF-AB7C-00AA00C08FCF}\ = "_UserForm" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\Interface\{04598FC8-866C-11CF-AB7C-00AA00C08FCF}\ = "_UserForm" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\Wow6432Node\Interface\{7B020EC1-AF6C-11CE-9F46-00AA00574A4F}\ = "CommandButtonEvents" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\Interface\{8BD21D22-EC42-11CE-9E0D-00AA006002F3} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\Wow6432Node\Interface\{82B02371-B5BC-11CF-810F-00A0C9030074}\ = "IReturnBoolean" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\Interface\{8BD21D63-EC42-11CE-9E0D-00AA006002F3} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\Interface\{47FF8FE6-6198-11CF-8CE8-00AA006CB389} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\Interface\{7B020EC8-AF6C-11CE-9F46-00AA00574A4F}\ = "MultiPageEvents" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\Interface\{8A683C91-BA84-11CF-8110-00A0C9030074}\ = "IReturnEffect" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\Wow6432Node\Interface\{5512D115-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLReset" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Processes

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\9b9efee36f7392e3f79958d0769e8e98_JaffaCakes118.doc"

C:\Windows\splwow64.exe

C:\Windows\splwow64.exe 12288

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 dailyemploy.com udp
US 34.205.242.146:443 dailyemploy.com tcp
US 54.161.222.85:443 dailyemploy.com tcp

Files

memory/1324-0-0x000000002F361000-0x000000002F362000-memory.dmp

memory/1324-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

memory/1324-2-0x00000000715ED000-0x00000000715F8000-memory.dmp

memory/1324-5-0x00000000715ED000-0x00000000715F8000-memory.dmp

memory/1324-8-0x0000000000720000-0x0000000000820000-memory.dmp

memory/1324-7-0x0000000000720000-0x0000000000820000-memory.dmp

memory/1324-17-0x0000000000720000-0x0000000000820000-memory.dmp

memory/1324-18-0x0000000000720000-0x0000000000820000-memory.dmp

memory/1324-29-0x0000000000720000-0x0000000000820000-memory.dmp

memory/1324-39-0x0000000000720000-0x0000000000820000-memory.dmp

memory/1324-48-0x0000000000720000-0x0000000000820000-memory.dmp

memory/1324-16-0x0000000000720000-0x0000000000820000-memory.dmp

memory/1324-56-0x000000000F6C0000-0x000000000F7C0000-memory.dmp

memory/1324-55-0x0000000000720000-0x0000000000820000-memory.dmp

memory/1324-54-0x0000000000720000-0x0000000000820000-memory.dmp

memory/1324-53-0x0000000000720000-0x0000000000820000-memory.dmp

memory/1324-52-0x0000000000720000-0x0000000000820000-memory.dmp

memory/1324-51-0x0000000000720000-0x0000000000820000-memory.dmp

memory/1324-50-0x0000000000720000-0x0000000000820000-memory.dmp

memory/1324-49-0x0000000000720000-0x0000000000820000-memory.dmp

memory/1324-47-0x0000000000720000-0x0000000000820000-memory.dmp

memory/1324-46-0x0000000000720000-0x0000000000820000-memory.dmp

memory/1324-45-0x0000000000720000-0x0000000000820000-memory.dmp

memory/1324-44-0x0000000000720000-0x0000000000820000-memory.dmp

memory/1324-43-0x0000000000720000-0x0000000000820000-memory.dmp

memory/1324-42-0x0000000000720000-0x0000000000820000-memory.dmp

memory/1324-41-0x0000000000720000-0x0000000000820000-memory.dmp

memory/1324-40-0x0000000000720000-0x0000000000820000-memory.dmp

memory/1324-38-0x0000000000720000-0x0000000000820000-memory.dmp

memory/1324-37-0x0000000000720000-0x0000000000820000-memory.dmp

memory/1324-36-0x0000000000720000-0x0000000000820000-memory.dmp

memory/1324-35-0x0000000000720000-0x0000000000820000-memory.dmp

memory/1324-34-0x0000000000720000-0x0000000000820000-memory.dmp

memory/1324-33-0x0000000000720000-0x0000000000820000-memory.dmp

memory/1324-32-0x0000000000720000-0x0000000000820000-memory.dmp

memory/1324-31-0x0000000000720000-0x0000000000820000-memory.dmp

memory/1324-30-0x0000000000720000-0x0000000000820000-memory.dmp

memory/1324-28-0x0000000000720000-0x0000000000820000-memory.dmp

memory/1324-27-0x0000000000720000-0x0000000000820000-memory.dmp

memory/1324-26-0x0000000000720000-0x0000000000820000-memory.dmp

memory/1324-25-0x0000000000720000-0x0000000000820000-memory.dmp

memory/1324-24-0x0000000000720000-0x0000000000820000-memory.dmp

memory/1324-23-0x0000000000720000-0x0000000000820000-memory.dmp

memory/1324-22-0x0000000000720000-0x0000000000820000-memory.dmp

memory/1324-21-0x0000000000720000-0x0000000000820000-memory.dmp

memory/1324-20-0x0000000000720000-0x0000000000820000-memory.dmp

memory/1324-19-0x0000000000720000-0x0000000000820000-memory.dmp

memory/1324-14-0x0000000000720000-0x0000000000820000-memory.dmp

memory/1324-15-0x0000000000720000-0x0000000000820000-memory.dmp

memory/1324-13-0x0000000000720000-0x0000000000820000-memory.dmp

memory/1324-12-0x0000000000720000-0x0000000000820000-memory.dmp

memory/1324-11-0x0000000000720000-0x0000000000820000-memory.dmp

memory/1324-10-0x0000000000720000-0x0000000000820000-memory.dmp

memory/1324-9-0x0000000000720000-0x0000000000820000-memory.dmp

memory/1324-57-0x0000000000720000-0x0000000000820000-memory.dmp

memory/1324-71-0x0000000000720000-0x0000000000820000-memory.dmp

memory/1324-511-0x0000000000720000-0x0000000000820000-memory.dmp

memory/1324-512-0x000000000F6C0000-0x000000000F7C0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\{257D3826-53B4-45A4-A24B-DA9F8EE6EFFB}

MD5 170a09d8854b55fa9b6fc6f75155291b
SHA1 8cd51839e8c02a69eb7546672ea83166146397c9
SHA256 42666ec32e01e443ab07bac8520846e8e4c07b018f20e8f0b17e0de469ff8d22
SHA512 75862d4f182abcfc661cebdb19e4ca3c08fe9e63a6e9d3d73803ebaea05ca5870255bf77448a11e33d75039a4cb7b45404399155d42d25b6b3b8e71d0787253c

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{92A6E5D8-CA4C-41FB-928C-6F3340398813}.FSD

MD5 45f41053e9ac998e548a57c3c89f1f0a
SHA1 540a6f4a961aa2af9388889c6dc05b158e856018
SHA256 e8b5fc5b6badff226b7eed71b426fe16d4a9e377c62a4c510c10f2c2381e232b
SHA512 3faa6c8e6c737caf9cbb9b552d2f30f6157038d5d232768e4fc8000b34aeaef4b3507380478b636c071b26e6ef4483e7bfd58376ab0ce172b9f50540f6812731

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD

MD5 5e3c387597fb395c672a45545291c769
SHA1 8502edf5e5c79d1afebaff9813de58e6083f3306
SHA256 d83bd44d3b200e24f34088597649bda1d1f01ef7cf4fac652b58105bb2702e5f
SHA512 3aa94558e701e983e86ddf43554da791bee68fccd26b2f5d7ee1e7694764f3f1b3ed13d4d112f218b69b407cdc07247f135b8633990e819202706da6bc83c7c3

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{B2F7B5BC-2BEE-487F-82B5-A1D7937C2221}.FSD

MD5 e0eccfd5d1d0f86d0d822c9ec6b7061f
SHA1 15761f8bbc71f740ea1180855123a8cc057764ac
SHA256 fa2f56e37d03977d67edd4a8dd52addfa775d63b4968fcdda762e6c461426ba8
SHA512 b67a5af67ad3d4e242b0ccd981aefa4fd688862f46c0f52a464cc278d5d707c325489dcba5d31502956c762641baf8fff68fe8224ad4c747fe923201e1e2d588

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-15 21:09

Reported

2024-08-15 21:12

Platform

win10v2004-20240802-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\9b9efee36f7392e3f79958d0769e8e98_JaffaCakes118.doc" /o ""

Signatures

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeAuditPrivilege N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Processes

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\9b9efee36f7392e3f79958d0769e8e98_JaffaCakes118.doc" /o ""

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 roaming.officeapps.live.com udp
GB 52.109.28.47:443 roaming.officeapps.live.com tcp
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 240.76.109.52.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 47.28.109.52.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
US 8.8.8.8:53 237.21.107.13.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 89.16.208.104.in-addr.arpa udp
US 8.8.8.8:53 metadata.templates.cdn.office.net udp
GB 2.17.209.123:443 metadata.templates.cdn.office.net tcp
US 8.8.8.8:53 binaries.templates.cdn.office.net udp
GB 173.222.211.57:443 binaries.templates.cdn.office.net tcp
GB 173.222.211.57:443 binaries.templates.cdn.office.net tcp
GB 173.222.211.57:443 binaries.templates.cdn.office.net tcp
GB 173.222.211.57:443 binaries.templates.cdn.office.net tcp
GB 173.222.211.57:443 binaries.templates.cdn.office.net tcp
GB 173.222.211.57:443 binaries.templates.cdn.office.net tcp
GB 173.222.211.57:443 binaries.templates.cdn.office.net tcp
GB 173.222.211.57:443 binaries.templates.cdn.office.net tcp
GB 173.222.211.57:443 binaries.templates.cdn.office.net tcp
GB 173.222.211.57:443 binaries.templates.cdn.office.net tcp
GB 173.222.211.57:443 binaries.templates.cdn.office.net tcp
GB 173.222.211.57:443 binaries.templates.cdn.office.net tcp
GB 173.222.211.57:443 binaries.templates.cdn.office.net tcp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 57.211.222.173.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 192.142.123.92.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 dailyemploy.com udp
US 54.161.222.85:443 dailyemploy.com tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp
US 8.8.8.8:53 13.173.189.20.in-addr.arpa udp
US 34.205.242.146:443 dailyemploy.com tcp
US 8.8.8.8:53 dailyemploy.com udp
US 54.161.222.85:443 dailyemploy.com tcp
US 8.8.8.8:53 13.73.50.20.in-addr.arpa udp

Files

memory/1524-1-0x00007FFF725ED000-0x00007FFF725EE000-memory.dmp

memory/1524-0-0x00007FFF325D0000-0x00007FFF325E0000-memory.dmp

memory/1524-3-0x00007FFF325D0000-0x00007FFF325E0000-memory.dmp

memory/1524-2-0x00007FFF325D0000-0x00007FFF325E0000-memory.dmp

memory/1524-5-0x00007FFF325D0000-0x00007FFF325E0000-memory.dmp

memory/1524-4-0x00007FFF325D0000-0x00007FFF325E0000-memory.dmp

memory/1524-10-0x00007FFF72550000-0x00007FFF72745000-memory.dmp

memory/1524-12-0x00007FFF72550000-0x00007FFF72745000-memory.dmp

memory/1524-11-0x00007FFF72550000-0x00007FFF72745000-memory.dmp

memory/1524-13-0x00007FFF301D0000-0x00007FFF301E0000-memory.dmp

memory/1524-9-0x00007FFF72550000-0x00007FFF72745000-memory.dmp

memory/1524-14-0x00007FFF72550000-0x00007FFF72745000-memory.dmp

memory/1524-15-0x00007FFF72550000-0x00007FFF72745000-memory.dmp

memory/1524-20-0x00007FFF72550000-0x00007FFF72745000-memory.dmp

memory/1524-23-0x00007FFF72550000-0x00007FFF72745000-memory.dmp

memory/1524-22-0x00007FFF72550000-0x00007FFF72745000-memory.dmp

memory/1524-21-0x00007FFF72550000-0x00007FFF72745000-memory.dmp

memory/1524-19-0x00007FFF72550000-0x00007FFF72745000-memory.dmp

memory/1524-18-0x00007FFF72550000-0x00007FFF72745000-memory.dmp

memory/1524-17-0x00007FFF72550000-0x00007FFF72745000-memory.dmp

memory/1524-16-0x00007FFF301D0000-0x00007FFF301E0000-memory.dmp

memory/1524-8-0x00007FFF72550000-0x00007FFF72745000-memory.dmp

memory/1524-7-0x00007FFF72550000-0x00007FFF72745000-memory.dmp

memory/1524-6-0x00007FFF72550000-0x00007FFF72745000-memory.dmp

memory/1524-37-0x00007FFF72550000-0x00007FFF72745000-memory.dmp

memory/1524-38-0x00007FFF725ED000-0x00007FFF725EE000-memory.dmp

memory/1524-39-0x00007FFF72550000-0x00007FFF72745000-memory.dmp

memory/1524-40-0x00007FFF72550000-0x00007FFF72745000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

MD5 af28841633e0be668a5304192fc3f352
SHA1 a085c08fb3671833bccb4668aeedd3b56081044e
SHA256 6e07900b852beed17e14741aa76268c22896e8df366a92a5bfd05495e807e0d7
SHA512 03f6ae14f8ad7a9e3719d7e9261fa3cf37ea31ee892ae62070b4f5a888388fd12941ba00dac0284d1528bc5f3667b89e4adf8f3e07e0d2f01d96e67e2588625d

C:\Users\Admin\AppData\Local\Temp\TCDCB68.tmp\sist02.xsl

MD5 f883b260a8d67082ea895c14bf56dd56
SHA1 7954565c1f243d46ad3b1e2f1baf3281451fc14b
SHA256 ef4835db41a485b56c2ef0ff7094bc2350460573a686182bc45fd6613480e353
SHA512 d95924a499f32d9b4d9a7d298502181f9e9048c21dbe0496fa3c3279b263d6f7d594b859111a99b1a53bd248ee69b867d7b1768c42e1e40934e0b990f0ce051e

memory/1524-218-0x00007FFF72550000-0x00007FFF72745000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\0259B824-C8B2-49CB-B906-7750EB6D3656

MD5 9234efd4e4438f384205e00af484660b
SHA1 7b50fd731148773dc18accbc85301ffe7a730048
SHA256 a83474b679b5c2f0812a1ce10d64fbfc764f487e3d2d772a81e4296b026e848e
SHA512 739ee4e5be31045cfa6b79ce322d780bccd758b6abd610d06d7c00e1ae05bea4816017f06039700278ee0b5c910c24f9758a5d4dafdc62816febb12439afa140

C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\49dbe2955480c7f6ef8cec9c4320c9868d9293fd.tbres

MD5 ff9ef464ff3a8e32f687dad5397cfc50
SHA1 405631990a4f561dbca77dd1148c58469e8f6519
SHA256 f877d59dba5304992c9e9b33dfc90dafda7b219c51c61558d079b0a0f0758a37
SHA512 3ca2dd989f4b117928adaaabfbedff34b7d58f6f1eb6b4b5775860b6dcfb154da523b197c0020a4b065fc1e25719f773822658ccfcab1ee74e4db8f440fab9fa

C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres

MD5 dfbb5e5ea66fc9c953099b2c3fc2624a
SHA1 d87b7756562b4fff9743e777b1fdb28596509f1a
SHA256 4b8f7e0bfafd5bd42cf10f67708ecc39fe9e2bca303968cc9e8c7f8ea9892991
SHA512 5c8f8822889f564bbcee7b5598966a2e2796b1c8eef786e8c68655b5a46a0258ab666e907f70ecaf5d4b910699ba71f48bbbbc8e0c663c79e03b696746a90cf5

memory/1524-718-0x00007FFF72550000-0x00007FFF72745000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A

MD5 51905ddc0460ebee130ce05d513de376
SHA1 009d9dc86413404e8487b268b05eb28447948b8f
SHA256 e061ba1effc0b17cc68218678567f150b9e48e08dbf33943cdaa93535d59994f
SHA512 beb6081cea245fc47d72fdd92824ef0893a6f1e099c2848b4c8d3fd71ad274fc18b040b839a9cee9646154761a072af75ca47a825ea2e647c52aa0f948cc93f7

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A

MD5 e738dec61644a3db10596bc7a38b1f63
SHA1 f44103805b388692cde3365631143b261a5a7ea4
SHA256 abf9229bbe5f563865c95ea1e455ea0013d9bf6d9444f65e8439c7982c6a0361
SHA512 8dad23b8b065455fc495db108af73d205d418b31b6e1115c0ad4bebddd1b3ec8ba5027c69e64f3a71f73eb6bf70e1bc7fd1703e07c8f14763dbae6a818abf5ac