Analysis
max time kernel: 101s
max time network: 124s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 19-05-2024 08:47
Behavioral task: behavioral1
Sample: 598bff4e2b5c5576a7f89b2afddebd5b_JaffaCakes118.doc
Resource: win7-20240419-en
Behavioral task: behavioral2
Sample: 598bff4e2b5c5576a7f89b2afddebd5b_JaffaCakes118.doc
Resource: win10v2004-20240508-en
General
Target: 598bff4e2b5c5576a7f89b2afddebd5b_JaffaCakes118.doc
Size: 200KB
MD5: 598bff4e2b5c5576a7f89b2afddebd5b
SHA1: 521de6d4c71a3112acadff900541ca4a49ce0454
SHA256: 18046a720cd23c57981fdfed59e3df775476b0f189b7f52e2fe5f50e1e6003e7
SHA512: 3908d100fbdea23e247d343bdddbe1e57c561f2d7fa268930ecc03cec6aeac07c0a2ef5824b26e960a449bf0d836577dd4ed4c1c36a7451ff5eda9e9e06377c5
SSDEEP: 3072:1eYfHU0QcO9XPh6I1VeQ5bohA5YvjGb/9P6vo1QsQc:FfvQc0/hLVe0ohyZb9/L
Malware Config
Signatures
Process spawned unexpected child process (1 IoC)
This typically indicates the parent process was compromised via an exploit or macro.
Processes: svchost.exe
- description: Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process; pid: 3852; pid_target: 4228; process: svchost.exe; target process: WINWORD.EXE
Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes: WINWORD.EXE
- description: Key value queried; ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz; process: WINWORD.EXE
- description: Key value queried; ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString; process: WINWORD.EXE
- description: Key opened; ioc: \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0; process: WINWORD.EXE
Enumerates system info in registry (2 TTPs, 3 IoCs)
Processes: WINWORD.EXE
- description: Key opened; ioc: \REGISTRY\MACHINE\Hardware\Description\System\BIOS; process: WINWORD.EXE
- description: Key value queried; ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily; process: WINWORD.EXE
- description: Key value queried; ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU; process: WINWORD.EXE
Suspicious behavior: AddClipboardFormatListener (2 IoCs)
Processes: WINWORD.EXE
- pid: 4228; process: WINWORD.EXE (listed 2 times)
Suspicious use of SetWindowsHookEx (9 IoCs)
Processes: WINWORD.EXE
- pid: 4228; process: WINWORD.EXE (listed 9 times)
Suspicious use of WriteProcessMemory (3 IoCs)
Processes: WINWORD.EXE
- description: PID 4228 wrote to memory of 3852; pid: 4228; process: WINWORD.EXE; target process: svchost.exe (listed 3 times)
Processes
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE (PID 4228)
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\598bff4e2b5c5576a7f89b2afddebd5b_JaffaCakes118.doc" /o ""
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\svchost.exe (PID 3852)
  "C:\Windows\SysWOW64\svchost.exe"
  - Process spawned unexpected child process
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 263KB
MD5: ff0e07eff1333cdf9fc2523d323dd654
SHA1: 77a1ae0dd8dbc3fee65dd6266f31e2a564d088a4
SHA256: 3f925e0cc1542f09de1f99060899eafb0042bb9682507c907173c392115a44b5
SHA512: b4615f995fab87661c2dbe46625aa982215d7bde27cafae221dca76087fe76da4b4a381943436fcac1577cb3d260d0050b32b7b93e3eb07912494429f126bb3d