Analysis
-
max time kernel
101s -
max time network
135s -
platform
windows10-2004_x64 -
resource
win10v2004-20231215-en -
resource tags
arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system -
submitted
28/03/2024, 17:16
Behavioral task
behavioral1
Sample
0b70546b28da5c1ad2bc4a52a6b0c283_JaffaCakes118.docm
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
0b70546b28da5c1ad2bc4a52a6b0c283_JaffaCakes118.docm
Resource
win10v2004-20231215-en
General
-
Target
0b70546b28da5c1ad2bc4a52a6b0c283_JaffaCakes118.docm
-
Size
19KB
-
MD5
0b70546b28da5c1ad2bc4a52a6b0c283
-
SHA1
3b2117fb8c4ae60ee931dca1d15dce002abd7f36
-
SHA256
a4f30ee61af69027b7dd73603b8c37cac142a1e2a509ded8934450c3e0d3fe30
-
SHA512
6296c37d49ffb913241db3c290d51dd0975abb680cfdf64d85289af1adb60bffb9f0a20a867b81bb1a74b9290e5961af3cea89aa8b11b9064673f3e4fe5f0981
-
SSDEEP
384:/iB9hGhdtPWrhIJKPRMHnJzcFAY/cAT2G+XqRn5OOd4:/8w3+rhuHnJzA4GOqRn5q
Malware Config
Signatures
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WINWORD.EXE -
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WINWORD.EXE -
Suspicious behavior: AddClipboardFormatListener 2 IoCs
pid Process 4652 WINWORD.EXE 4652 WINWORD.EXE -
Suspicious use of SetWindowsHookEx 8 IoCs
pid Process 4652 WINWORD.EXE 4652 WINWORD.EXE 4652 WINWORD.EXE 4652 WINWORD.EXE 4652 WINWORD.EXE 4652 WINWORD.EXE 4652 WINWORD.EXE 4652 WINWORD.EXE
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\0b70546b28da5c1ad2bc4a52a6b0c283_JaffaCakes118.docm" /o ""1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:4652
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {c08afd90-f2a1-11d1-8455-00a0c91f3880} -Embedding1⤵PID:1568