b9656022ed7793ea88b296d9cfc76922a75f962deec9e9edc627b4b108f8bc85

Analysis

max time kernel
146s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
17/04/2024, 09:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f57aa3bbe3fae170bdda042d979ed6a4_JaffaCakes118.doc
Size

37KB
MD5

f57aa3bbe3fae170bdda042d979ed6a4
SHA1

ccefd52e896ea971d6dcf13e21eb7248e80db908
SHA256

b9656022ed7793ea88b296d9cfc76922a75f962deec9e9edc627b4b108f8bc85
SHA512

032ae1a8fc9522b56f4f5310b62940a028cc620dc19539c25d4d1342b82069c803c965dc4d4afe5b4b7c6d6cc3e9384167044d28be8b8e4e8b60f2cbed6f58d3
SSDEEP

192:45KwpT858VR85SbWFwCLfyEzMv7v8xkqPG3Z869J36uxyb6Hqv5RZwQjv7bwpz:g8d7yEz0j8Fwt6uUkqv5AQjv

Score

8^/10

macro macro_on_action

Malware Config

Signatures

Office macro that triggers on suspicious action 1 IoCs

Office document macro which triggers in special circumstances - often malicious.

macro macro_on_action

resource	yara_rule
behavioral2/files/0x0014000000022931-59.dat	office_macro_on_action

Deletes itself 1 IoCs

pid	Process
3572	WINWORD.EXE

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

NTFS ADS 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Temp\~WRD0002.tmp\:Zone.Identifier:$DATA	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
3572	WINWORD.EXE
3572	WINWORD.EXE

Suspicious use of SetWindowsHookEx 13 IoCs

pid	Process
3572	WINWORD.EXE
3572	WINWORD.EXE
3572	WINWORD.EXE
3572	WINWORD.EXE
3572	WINWORD.EXE
3572	WINWORD.EXE
3572	WINWORD.EXE
3572	WINWORD.EXE
3572	WINWORD.EXE
3572	WINWORD.EXE
3572	WINWORD.EXE
3572	WINWORD.EXE
3572	WINWORD.EXE

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\f57aa3bbe3fae170bdda042d979ed6a4_JaffaCakes118.doc" /o ""
1⤵
- Deletes itself
- Checks processor information in registry
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:3572

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\TCD1BCC.tmp\sist02.xsl

Filesize
245KB

MD5
f883b260a8d67082ea895c14bf56dd56

SHA1
7954565c1f243d46ad3b1e2f1baf3281451fc14b

SHA256
ef4835db41a485b56c2ef0ff7094bc2350460573a686182bc45fd6613480e353

SHA512
d95924a499f32d9b4d9a7d298502181f9e9048c21dbe0496fa3c3279b263d6f7d594b859111a99b1a53bd248ee69b867d7b1768c42e1e40934e0b990f0ce051e

Download Submit
C:\Users\Admin\AppData\Local\Temp\~WRD0002.tmp

Filesize
51KB

MD5
c85b142a63c7f5c51f699889e4f648dd

SHA1
774ad9dec8b7571227528de9025a3607de93257b

SHA256
4b54bb6be2e4c80d25a427a0c2e563c6246bd56fe816f6d31304945462c0d400

SHA512
da52ffd6b8b4ae21a8fd903d8f4e68cfb99888c8e1a1634de9f8c710ebafc43d7f2f905c43564cbe118261c264b25ef24dcc62b48b2f0b1ef6dbeadc5e6abc0c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\~WRD0000.tmp

Filesize
23KB

MD5
7329162f837851f7ebaec84c39fa7977

SHA1
5f60fdc6013f60acb804cc864072fd2cd0e9cc15

SHA256
347cd7e21b73ddae6d3eaca9e3b9ef2cfec8a12fc6acda251a2c4d6cec164fe0

SHA512
37962fe405a4e39b06ed53800d8db7fa5712d32c4d1d32d4ef3c848b4bc1b3abd526ce7f2ff9979f9c6011b5c38c4fe46c5f4ae2b186a1cf3a24f8bcc585da09

Download Submit
memory/3572-20-0x00007FFA05D50000-0x00007FFA05F45000-memory.dmp

Filesize
2.0MB

Download
memory/3572-36-0x0000018452B10000-0x0000018453310000-memory.dmp

Filesize
8.0MB

Download
memory/3572-6-0x00007FFA05D50000-0x00007FFA05F45000-memory.dmp

Filesize
2.0MB

Download
memory/3572-7-0x00007FFA05D50000-0x00007FFA05F45000-memory.dmp

Filesize
2.0MB

Download
memory/3572-9-0x00007FFA05D50000-0x00007FFA05F45000-memory.dmp

Filesize
2.0MB

Download
memory/3572-10-0x00007FF9C5DD0000-0x00007FF9C5DE0000-memory.dmp

Filesize
64KB

Download
memory/3572-11-0x00007FFA05D50000-0x00007FFA05F45000-memory.dmp

Filesize
2.0MB

Download
memory/3572-12-0x00007FFA05D50000-0x00007FFA05F45000-memory.dmp

Filesize
2.0MB

Download
memory/3572-8-0x00007FF9C5DD0000-0x00007FF9C5DE0000-memory.dmp

Filesize
64KB

Download
memory/3572-44-0x0000018457670000-0x0000018458640000-memory.dmp

Filesize
15.8MB

Download
memory/3572-13-0x00007FFA05D50000-0x00007FFA05F45000-memory.dmp

Filesize
2.0MB

Download
memory/3572-14-0x00007FFA05D50000-0x00007FFA05F45000-memory.dmp

Filesize
2.0MB

Download
memory/3572-16-0x00007FFA05D50000-0x00007FFA05F45000-memory.dmp

Filesize
2.0MB

Download
memory/3572-17-0x00007FFA05D50000-0x00007FFA05F45000-memory.dmp

Filesize
2.0MB

Download
memory/3572-15-0x00007FF9C36D0000-0x00007FF9C36E0000-memory.dmp

Filesize
64KB

Download
memory/3572-18-0x00007FFA05D50000-0x00007FFA05F45000-memory.dmp

Filesize
2.0MB

Download
memory/3572-19-0x00007FFA05D50000-0x00007FFA05F45000-memory.dmp

Filesize
2.0MB

Download
memory/3572-0-0x00007FF9C5DD0000-0x00007FF9C5DE0000-memory.dmp

Filesize
64KB

Download
memory/3572-5-0x00007FF9C5DD0000-0x00007FF9C5DE0000-memory.dmp

Filesize
64KB

Download
memory/3572-21-0x00007FF9C36D0000-0x00007FF9C36E0000-memory.dmp

Filesize
64KB

Download
memory/3572-3-0x00007FF9C5DD0000-0x00007FF9C5DE0000-memory.dmp

Filesize
64KB

Download
memory/3572-45-0x0000018457670000-0x0000018458640000-memory.dmp

Filesize
15.8MB

Download
memory/3572-4-0x00007FFA05D50000-0x00007FFA05F45000-memory.dmp

Filesize
2.0MB

Download
memory/3572-2-0x00007FFA05D50000-0x00007FFA05F45000-memory.dmp

Filesize
2.0MB

Download
memory/3572-70-0x00007FFA05D50000-0x00007FFA05F45000-memory.dmp

Filesize
2.0MB

Download
memory/3572-71-0x00007FFA05D50000-0x00007FFA05F45000-memory.dmp

Filesize
2.0MB

Download
memory/3572-72-0x00007FFA05D50000-0x00007FFA05F45000-memory.dmp

Filesize
2.0MB

Download
memory/3572-73-0x0000018452B10000-0x0000018453310000-memory.dmp

Filesize
8.0MB

Download
memory/3572-74-0x0000018457670000-0x0000018458640000-memory.dmp

Filesize
15.8MB

Download
memory/3572-75-0x0000018457670000-0x0000018458640000-memory.dmp

Filesize
15.8MB

Download
memory/3572-1-0x00007FFA05D50000-0x00007FFA05F45000-memory.dmp

Filesize
2.0MB

Download
memory/3572-575-0x00007FF9C5DD0000-0x00007FF9C5DE0000-memory.dmp

Filesize
64KB

Download
memory/3572-578-0x00007FFA05D50000-0x00007FFA05F45000-memory.dmp

Filesize
2.0MB

Download
memory/3572-577-0x00007FF9C5DD0000-0x00007FF9C5DE0000-memory.dmp

Filesize
64KB

Download
memory/3572-579-0x00007FF9C5DD0000-0x00007FF9C5DE0000-memory.dmp

Filesize
64KB

Download
memory/3572-576-0x00007FF9C5DD0000-0x00007FF9C5DE0000-memory.dmp

Filesize
64KB

Download
memory/3572-580-0x00007FFA05D50000-0x00007FFA05F45000-memory.dmp

Filesize
2.0MB

Download
memory/3572-581-0x00007FFA05D50000-0x00007FFA05F45000-memory.dmp

Filesize
2.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads