Analysis
-
max time kernel
148s -
max time network
155s -
platform
windows10-2004_x64 -
resource
win10v2004-20240412-en -
resource tags
arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system -
submitted
16-04-2024 06:21
Behavioral task
behavioral1
Sample
f2e172e42fedc4a33edbd4d858432049_JaffaCakes118.doc
Resource
win7-20240319-en
Behavioral task
behavioral2
Sample
f2e172e42fedc4a33edbd4d858432049_JaffaCakes118.doc
Resource
win10v2004-20240412-en
General
-
Target
f2e172e42fedc4a33edbd4d858432049_JaffaCakes118.doc
-
Size
46KB
-
MD5
f2e172e42fedc4a33edbd4d858432049
-
SHA1
75e07fe29618b0279ac8441c84612a8dcfde7644
-
SHA256
99f836e687aef659851a4bda6663f24f0bf32ca05a8ab99013d98d59aefdf35e
-
SHA512
c91c334e696d0b2c47e06e92aefc54448b32955726a6864662bb56e55f989aefb58d761a0b491e87eba138d1a23e22078f32965c24660c23265d093b56d3f273
-
SSDEEP
768:Ea19v3/BTkZLH2jFMujyV67JEzYmVkUWKvaL:h19vPBTkZLWB3uTV53
Malware Config
Signatures
-
Office macro that triggers on suspicious action 1 IoCs
Office document macro which triggers in special circumstances - often malicious.
Processes:
resource yara_rule C:\Users\Admin\AppData\Local\Temp\~WRD0000.tmp office_macro_on_action -
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
WINWORD.EXEdescription ioc process Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WINWORD.EXE -
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
WINWORD.EXEdescription ioc process Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WINWORD.EXE -
NTFS ADS 1 IoCs
Processes:
WINWORD.EXEdescription ioc process File created C:\Users\Admin\AppData\Local\Temp\~WRD0000.tmp\:Zone.Identifier:$DATA WINWORD.EXE -
Suspicious behavior: AddClipboardFormatListener 2 IoCs
Processes:
WINWORD.EXEpid process 1324 WINWORD.EXE 1324 WINWORD.EXE -
Suspicious use of SetWindowsHookEx 13 IoCs
Processes:
WINWORD.EXEpid process 1324 WINWORD.EXE 1324 WINWORD.EXE 1324 WINWORD.EXE 1324 WINWORD.EXE 1324 WINWORD.EXE 1324 WINWORD.EXE 1324 WINWORD.EXE 1324 WINWORD.EXE 1324 WINWORD.EXE 1324 WINWORD.EXE 1324 WINWORD.EXE 1324 WINWORD.EXE 1324 WINWORD.EXE
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\f2e172e42fedc4a33edbd4d858432049_JaffaCakes118.doc" /o ""1⤵
- Checks processor information in registry
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\TCDE734.tmp\iso690.xslFilesize
263KB
MD5ff0e07eff1333cdf9fc2523d323dd654
SHA177a1ae0dd8dbc3fee65dd6266f31e2a564d088a4
SHA2563f925e0cc1542f09de1f99060899eafb0042bb9682507c907173c392115a44b5
SHA512b4615f995fab87661c2dbe46625aa982215d7bde27cafae221dca76087fe76da4b4a381943436fcac1577cb3d260d0050b32b7b93e3eb07912494429f126bb3d
-
C:\Users\Admin\AppData\Local\Temp\~WRD0000.tmpFilesize
57KB
MD5a7ee654f85f80568522f1988a05a9daa
SHA1a4bf6436f4a8c6041e1eb1233d338f4d23652e77
SHA2567927ffe42c2461026422f431a399c80dfbfe6f1b88d72d9719395e867a4e9dd2
SHA512afda009c2d884f6671f66e3e096db4d3e7844d404f758ede622c2609c04a825141187227403a58fcbc8057e929f85bea877d820b35fb1ad290d68e00254b71d6
-
memory/1324-13-0x00007FF9F50D0000-0x00007FF9F52C5000-memory.dmpFilesize
2.0MB
-
memory/1324-6-0x00007FF9B5150000-0x00007FF9B5160000-memory.dmpFilesize
64KB
-
memory/1324-17-0x00007FF9F50D0000-0x00007FF9F52C5000-memory.dmpFilesize
2.0MB
-
memory/1324-5-0x00007FF9F50D0000-0x00007FF9F52C5000-memory.dmpFilesize
2.0MB
-
memory/1324-18-0x00007FF9F50D0000-0x00007FF9F52C5000-memory.dmpFilesize
2.0MB
-
memory/1324-7-0x00007FF9B5150000-0x00007FF9B5160000-memory.dmpFilesize
64KB
-
memory/1324-8-0x00007FF9F50D0000-0x00007FF9F52C5000-memory.dmpFilesize
2.0MB
-
memory/1324-9-0x00007FF9F50D0000-0x00007FF9F52C5000-memory.dmpFilesize
2.0MB
-
memory/1324-10-0x00007FF9B27F0000-0x00007FF9B2800000-memory.dmpFilesize
64KB
-
memory/1324-11-0x00007FF9F50D0000-0x00007FF9F52C5000-memory.dmpFilesize
2.0MB
-
memory/1324-12-0x00007FF9F50D0000-0x00007FF9F52C5000-memory.dmpFilesize
2.0MB
-
memory/1324-19-0x00007FF9F50D0000-0x00007FF9F52C5000-memory.dmpFilesize
2.0MB
-
memory/1324-0-0x00007FF9B5150000-0x00007FF9B5160000-memory.dmpFilesize
64KB
-
memory/1324-15-0x00007FF9F50D0000-0x00007FF9F52C5000-memory.dmpFilesize
2.0MB
-
memory/1324-4-0x00007FF9B5150000-0x00007FF9B5160000-memory.dmpFilesize
64KB
-
memory/1324-3-0x00007FF9F50D0000-0x00007FF9F52C5000-memory.dmpFilesize
2.0MB
-
memory/1324-14-0x00007FF9B27F0000-0x00007FF9B2800000-memory.dmpFilesize
64KB
-
memory/1324-16-0x00007FF9F50D0000-0x00007FF9F52C5000-memory.dmpFilesize
2.0MB
-
memory/1324-41-0x00000279FDEE0000-0x00000279FE6E0000-memory.dmpFilesize
8.0MB
-
memory/1324-63-0x00000279FCE50000-0x00000279FD250000-memory.dmpFilesize
4.0MB
-
memory/1324-2-0x00007FF9B5150000-0x00007FF9B5160000-memory.dmpFilesize
64KB
-
memory/1324-76-0x00007FF9F50D0000-0x00007FF9F52C5000-memory.dmpFilesize
2.0MB
-
memory/1324-77-0x00007FF9F50D0000-0x00007FF9F52C5000-memory.dmpFilesize
2.0MB
-
memory/1324-78-0x00007FF9F50D0000-0x00007FF9F52C5000-memory.dmpFilesize
2.0MB
-
memory/1324-330-0x00000279FDEE0000-0x00000279FE6E0000-memory.dmpFilesize
8.0MB
-
memory/1324-1-0x00007FF9F50D0000-0x00007FF9F52C5000-memory.dmpFilesize
2.0MB
-
memory/1324-557-0x00000279FCE50000-0x00000279FD250000-memory.dmpFilesize
4.0MB
-
memory/1324-568-0x00000279FDEE0000-0x00000279FE6E0000-memory.dmpFilesize
8.0MB
-
memory/1324-569-0x00000279FDEE0000-0x00000279FE6E0000-memory.dmpFilesize
8.0MB