Analysis
max time kernel: 148s
max time network: 149s
platform: windows7_x64
resource: win7-20240729-en
resource tags: arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
submitted: 28-08-2024 15:30
Static task: static1
Behavioral task: behavioral1
Sample: c7209a744435dcc259700a26adda4e47_JaffaCakes118.docm
Resource: win7-20240729-en
General
Target: c7209a744435dcc259700a26adda4e47_JaffaCakes118.docm
Size: 680KB
MD5: c7209a744435dcc259700a26adda4e47
SHA1: 31b9c510958b82e086e7ca7360d003c8c6e2193d
SHA256: f4cdde5d4e22b79d8d15fadcf74e7a9a9c805c54b910e08be7c6422b11ce729f
SHA512: ba5d27a3cd64fdff8690c5356311b4f2ea7d094922578d8c134ca209dd07d68a5d37bd4af3f458a3d0e309fa9bbd5099ec012df081dbc75b528653725a577bb3
SSDEEP: 12288:gzUyhTUcvCBd//9x+BuO40ThFsi1HMKxdFnjWlKOv2cEfk+j1XFcDLthza:gzBT4/Vx+BuOVhFsi1JniN2LcDL+
Malware Config
Signatures

Executes dropped EXE (1 IoC)
  PID   Process
  824   ms.exe

Loads dropped DLL (2 IoCs)
  PID   Process
  2108  WINWORD.EXE
  2108  WINWORD.EXE

Drops file in Windows directory (1 IoC)
  Description                   IoC                                Process
  File opened for modification  C:\Windows\Debug\WIA\wiatrace.log  WINWORD.EXE

System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Description  IoC                                                          Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  WINWORD.EXE
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  ms.exe

Office loads VBA resources, possible macro or embedded object present

Suspicious behavior: AddClipboardFormatListener (1 IoC)
  PID   Process
  2108  WINWORD.EXE

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  PID   Process
  824   ms.exe

Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Description                        PID  Process
  Token: SeDebugPrivilege            824  ms.exe
  Token: 33                          824  ms.exe
  Token: SeIncBasePriorityPrivilege  824  ms.exe

Suspicious use of SetWindowsHookEx (3 IoCs)
  PID   Process
  2108  WINWORD.EXE
  2108  WINWORD.EXE
  824   ms.exe

Suspicious use of WriteProcessMemory (8 IoCs)
  Description                       PID   Process      procid_target
  PID 2108 wrote to memory of 824   2108  WINWORD.EXE  30
  PID 2108 wrote to memory of 824   2108  WINWORD.EXE  30
  PID 2108 wrote to memory of 824   2108  WINWORD.EXE  30
  PID 2108 wrote to memory of 824   2108  WINWORD.EXE  30
  PID 2108 wrote to memory of 3036  2108  WINWORD.EXE  36
  PID 2108 wrote to memory of 3036  2108  WINWORD.EXE  36
  PID 2108 wrote to memory of 3036  2108  WINWORD.EXE  36
  PID 2108 wrote to memory of 3036  2108  WINWORD.EXE  36
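The "Office loads VBA resources" signature and the hash block in the General section both have a static counterpart an analyst runs before detonation: confirm the file on disk is the one the report describes, and confirm it actually carries a VBA project. The following is an added example, not code from the sandbox or from this report. The sample itself is not on this page, so build_sample_docm() constructs a minimal stand-in OOXML package (an assumption, not the real file); REPORT_HASHES are copied from the General section above and will not match the constructed stand-in.

```python
"""Static triage of a macro-enabled Word document (.docm).

Added example, not part of the sandbox report or its tooling. The .docm is not
available here, so build_sample_docm() constructs a minimal stand-in package.
"""
import hashlib
import io
import zipfile

# Hashes the report gives for the submitted sample (General section).
REPORT_HASHES = {
    "md5": "c7209a744435dcc259700a26adda4e47",
    "sha1": "31b9c510958b82e086e7ca7360d003c8c6e2193d",
    "sha256": "f4cdde5d4e22b79d8d15fadcf74e7a9a9c805c54b910e08be7c6422b11ce729f",
}

# OLE compound-file magic; vbaProject.bin is an OLE container inside the OOXML zip.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"

# OOXML content type that marks a stored VBA project.
VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"


def build_sample_docm(with_vba: bool = True) -> bytes:
    """Constructed stand-in: a minimal OOXML package, optionally carrying a VBA part.
    This is NOT the sample from the report."""
    overrides = ['<Override PartName="/word/document.xml" '
                 'ContentType="application/vnd.ms-word.document.macroEnabled.main+xml"/>']
    if with_vba:
        overrides.append('<Override PartName="/word/vbaProject.bin" '
                         'ContentType="' + VBA_CONTENT_TYPE + '"/>')
    content_types = ('<?xml version="1.0" encoding="UTF-8"?>'
                     '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
                     + "".join(overrides) + "</Types>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", content_types)
        z.writestr("word/document.xml", "<w:document/>")
        if with_vba:
            # Real vbaProject.bin is a full OLE file; the header is enough for the check.
            z.writestr("word/vbaProject.bin", OLE_MAGIC + b"\x00" * 504)
    return buf.getvalue()


def file_hashes(data: bytes) -> dict:
    """Same digest set the report lists, so values can be compared line by line."""
    return {alg: hashlib.new(alg, data).hexdigest()
            for alg in ("md5", "sha1", "sha256", "sha512")}


def triage_docm(data: bytes) -> dict:
    """Is it an OOXML package, does it carry a VBA project, do the hashes match?"""
    result = {
        "is_ooxml": False,
        "vba_parts": [],
        "vba_is_ole": False,
        "vba_content_type": False,
        "hashes": file_hashes(data),
    }
    result["matches_report"] = {alg: result["hashes"][alg] == h
                                for alg, h in REPORT_HASHES.items()}
    if not data.startswith(b"PK\x03\x04"):
        return result  # not a zip container at all (e.g. legacy OLE .doc)
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            names = z.namelist()
            result["is_ooxml"] = "[Content_Types].xml" in names
            result["vba_parts"] = [n for n in names if n.lower().endswith("vbaproject.bin")]
            if result["vba_parts"]:
                result["vba_is_ole"] = z.read(result["vba_parts"][0]).startswith(OLE_MAGIC)
            if result["is_ooxml"]:
                ct = z.read("[Content_Types].xml").decode("utf-8", "replace")
                result["vba_content_type"] = VBA_CONTENT_TYPE in ct
    except zipfile.BadZipFile:
        pass  # zip magic but a corrupt or truncated archive
    return result


def has_macro(data: bytes) -> bool:
    """True when either the VBA part or its content-type override is present."""
    r = triage_docm(data)
    return bool(r["vba_parts"]) or r["vba_content_type"]


if __name__ == "__main__":
    print(triage_docm(build_sample_docm()))
```

Both checks matter: a macro part can be present without a content-type override (and vice versa) in hand-built documents, so the function reports them separately. For the real sample, replace the constructed bytes with the file read from disk and expect all three matches_report entries to be True before comparing behaviour against this report.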
Processes

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\c7209a744435dcc259700a26adda4e47_JaffaCakes118.docm"
  PID: 2108
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  child: C:\ProgramData\Memsys\ms.exe
    PID: 824
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx

  child: C:\Windows\splwow64.exe 12288
    PID: 3036

C:\Windows\system32\wbem\WmiApSrv.exe
  PID: 2856
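The process tree above is the part of this report that turns into a detection: Word (PID 2108) starts a binary from C:\ProgramData (ms.exe, PID 824), which then enables SeDebugPrivilege, while the other Word child, splwow64.exe, is the 32-bit print-driver host that 32-bit Office legitimately starts on x64 Windows. The following is an added example, not code from the sandbox or this report: it runs that logic over Sysmon-style process-creation events constructed from the tree. The parent images of the two root processes (explorer.exe for WINWORD.EXE, services.exe for WmiApSrv.exe) are assumptions, since the report does not show them.

```python
"""Process-tree detection for the Office -> dropped-EXE chain in the report.

Added example, not part of the sandbox report or its tooling. Events are constructed
from the report's Processes section; the parent images of PIDs 2108 and 2856 are
assumptions.
"""
from dataclasses import dataclass, field

OFFICE_IMAGES = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}

# Locations a standard user can write to; a binary started from here by an Office
# process is the report's "Executes dropped EXE" pattern.
USER_WRITABLE_PREFIXES = ("c:\\programdata\\", "c:\\users\\", "c:\\windows\\temp\\")

# splwow64.exe is the 32-bit-to-64-bit print driver host; 32-bit Office on x64
# Windows starts it legitimately, so it is excluded from the Office-child rule.
BENIGN_OFFICE_CHILDREN = {"c:\\windows\\splwow64.exe"}

PRIVILEGES_OF_INTEREST = {"SeDebugPrivilege"}


@dataclass
class ProcEvent:
    pid: int
    image: str
    parent_pid: int
    parent_image: str
    command_line: str = ""
    privileges_enabled: list = field(default_factory=list)


def basename(path: str) -> str:
    return path.lower().rsplit("\\", 1)[-1]


def classify(ev: ProcEvent) -> list:
    """Findings for one event; an empty list means nothing to raise."""
    findings = []
    image = ev.image.lower()
    if basename(ev.parent_image) in OFFICE_IMAGES and image not in BENIGN_OFFICE_CHILDREN:
        findings.append("office_spawned_process")
        if image.startswith(USER_WRITABLE_PREFIXES):
            findings.append("child_from_user_writable_path")
    if PRIVILEGES_OF_INTEREST & set(ev.privileges_enabled):
        findings.append("enables_debug_privilege")
    return findings


def detect(events: list) -> dict:
    """Return {pid: findings} for every event that raised at least one finding."""
    hits = {}
    for ev in events:
        found = classify(ev)
        if found:
            hits[ev.pid] = found
    return hits


def sample_events() -> list:
    """Constructed from the report's process tree (parent images of 2108/2856 assumed)."""
    word = r"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"
    docm = r"C:\Users\Admin\AppData\Local\Temp\c7209a744435dcc259700a26adda4e47_JaffaCakes118.docm"
    return [
        ProcEvent(2108, word, 1234, r"C:\Windows\explorer.exe",
                  '"' + word + '" /n "' + docm + '"'),
        ProcEvent(824, r"C:\ProgramData\Memsys\ms.exe", 2108, word,
                  r"C:\ProgramData\Memsys\ms.exe",
                  ["SeDebugPrivilege", "SeIncBasePriorityPrivilege"]),
        ProcEvent(3036, r"C:\Windows\splwow64.exe", 2108, word,
                  r"C:\Windows\splwow64.exe 12288"),
        ProcEvent(2856, r"C:\Windows\system32\wbem\WmiApSrv.exe", 500,
                  r"C:\Windows\system32\services.exe"),
    ]


if __name__ == "__main__":
    for pid, found in detect(sample_events()).items():
        print(pid, found)
```

Only PID 824 fires, on all three rules; splwow64.exe is suppressed by the allow-list rather than by a path check, because it lives under C:\Windows and would otherwise pass as "Office spawned a system binary". Note also that the WriteProcessMemory rows in the Signatures section show the same four parent-to-child writes for the benign splwow64.exe child as for ms.exe: on their own they establish the parent-child relationship, not injection, which is why this example keys on the process tree and the enabled privilege instead.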
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 19KB
MD5: 5f9a352377f0abb64fea040813428c30
SHA1: d5a2c3727275367f2e664c406617f10a9c9ddff0
SHA256: 5a537d078decf72b1f53b9e6f196d56551de3f67422a84ba07c88c84608b3b53
SHA512: 0c292a3dd14a297604b10a86377cf09ddcaf5a2825c2e136970fdabb42604c8d5e4090f3380d856d4ca757c0b3272c07dff065f68ece9107395dc0f16074d182

Filesize: 321KB
MD5: fed6eab172b18fcf0ac559146add24ab
SHA1: 9c821e007072ff086301002e669ef9f23048b336
SHA256: 9d4506a63429f64c0ab01b77be2b178f9f2e45436decc6084c61b6faee0adfdb
SHA512: 2e22a04e49672dc25bcdf0e12d921fd83ba1fe0be183b0d6b62434f0a1de598c0f0c96ea518fdf1428b5d2c3c62f171a34676efb66c40c5799ca9462c39043ab