Analysis
-
max time kernel
136s -
max time network
139s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system -
submitted
19-05-2024 23:57
Behavioral task
behavioral1
Sample
5c273824b89a437bde9fedfb82f75eee_JaffaCakes118.doc
Resource
win7-20240508-en
Behavioral task
behavioral2
Sample
5c273824b89a437bde9fedfb82f75eee_JaffaCakes118.doc
Resource
win10v2004-20240426-en
General
-
Target
5c273824b89a437bde9fedfb82f75eee_JaffaCakes118.doc
-
Size
235KB
-
MD5
5c273824b89a437bde9fedfb82f75eee
-
SHA1
9abac4c3fb224ad97c6156aca3fa07db05d15ce6
-
SHA256
85d2ba3f12877bf7e531ec1970909f2ea20f55ba17d27f4a5b65e8e8dc493909
-
SHA512
35f191df6272b0c979bb73397a76ac060e30471846fd303aa2c8b6a5a18b9208f626c4b75558dfc7390a6a198c9cb4e15b06ab734212a002fd947a9e43862658
-
SSDEEP
6144:Gb6WbgilSNobMNRzUG8eQBAPMaOBq6Vd/nV/RRwq:8bqoYNZ6eiat6Vd/nV/RRwq
Malware Config
Signatures
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
svchost.exedescription pid pid_target process target process Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process 3188 1440 svchost.exe WINWORD.EXE -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 21 api.ipify.org -
Suspicious use of SetThreadContext 1 IoCs
Processes:
WINWORD.EXEdescription pid process target process PID 1440 set thread context of 3188 1440 WINWORD.EXE svchost.exe -
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
WINWORD.EXEdescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WINWORD.EXE Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WINWORD.EXE -
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
WINWORD.EXEdescription ioc process Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WINWORD.EXE -
Suspicious behavior: AddClipboardFormatListener 2 IoCs
Processes:
WINWORD.EXEpid process 1440 WINWORD.EXE 1440 WINWORD.EXE -
Suspicious behavior: EnumeratesProcesses 4 IoCs
Processes:
svchost.exepid process 3188 svchost.exe 3188 svchost.exe 3188 svchost.exe 3188 svchost.exe -
Suspicious use of SetWindowsHookEx 8 IoCs
Processes:
WINWORD.EXEpid process 1440 WINWORD.EXE 1440 WINWORD.EXE 1440 WINWORD.EXE 1440 WINWORD.EXE 1440 WINWORD.EXE 1440 WINWORD.EXE 1440 WINWORD.EXE 1440 WINWORD.EXE -
Suspicious use of WriteProcessMemory 8 IoCs
Processes:
WINWORD.EXEdescription pid process target process PID 1440 wrote to memory of 3188 1440 WINWORD.EXE svchost.exe PID 1440 wrote to memory of 3188 1440 WINWORD.EXE svchost.exe PID 1440 wrote to memory of 3188 1440 WINWORD.EXE svchost.exe PID 1440 wrote to memory of 3188 1440 WINWORD.EXE svchost.exe PID 1440 wrote to memory of 3188 1440 WINWORD.EXE svchost.exe PID 1440 wrote to memory of 3188 1440 WINWORD.EXE svchost.exe PID 1440 wrote to memory of 3188 1440 WINWORD.EXE svchost.exe PID 1440 wrote to memory of 3188 1440 WINWORD.EXE svchost.exe
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\5c273824b89a437bde9fedfb82f75eee_JaffaCakes118.doc" /o ""1⤵
- Suspicious use of SetThreadContext
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1440 -
C:\Windows\SysWOW64\svchost.exe"C:\Windows\SysWOW64\svchost.exe"2⤵
- Process spawned unexpected child process
- Suspicious behavior: EnumeratesProcesses
PID:3188
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
245KB
MD5f883b260a8d67082ea895c14bf56dd56
SHA17954565c1f243d46ad3b1e2f1baf3281451fc14b
SHA256ef4835db41a485b56c2ef0ff7094bc2350460573a686182bc45fd6613480e353
SHA512d95924a499f32d9b4d9a7d298502181f9e9048c21dbe0496fa3c3279b263d6f7d594b859111a99b1a53bd248ee69b867d7b1768c42e1e40934e0b990f0ce051e