Analysis
-
max time kernel
149s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
19-05-2024 20:51
Behavioral task
behavioral1
Sample
5b6885ebd83a7ac6d4e9ded6017d7032_JaffaCakes118.doc
Resource
win7-20240508-en
Behavioral task
behavioral2
Sample
5b6885ebd83a7ac6d4e9ded6017d7032_JaffaCakes118.doc
Resource
win10v2004-20240508-en
General
-
Target
5b6885ebd83a7ac6d4e9ded6017d7032_JaffaCakes118.doc
-
Size
34KB
-
MD5
5b6885ebd83a7ac6d4e9ded6017d7032
-
SHA1
e655f2f8ee392fae26292ce6d3dc8066acdb7906
-
SHA256
30a49eeed2dfab51b07cf23e948a33c6c2b51fd27c4b2aef506ea16a200ec7bd
-
SHA512
6030f2d26baeeaaa925ec5426090889e00f475904ba4baf996a0908dc5c61fdb0422887c84a36fe3d328bc8b2fe98625c5335516504eb19b461d6b00ec40fb5f
-
SSDEEP
384:zA4dzY0WpSbuj/LdPvenCpeJzKoSS3DyJe8oYGBhPEI8368osCg3Tp:ddzY0WcqjjVenFFRDM4YG/hiSsv
Malware Config
Signatures
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
WINWORD.EXEdescription ioc process Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WINWORD.EXE -
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
WINWORD.EXEdescription ioc process Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WINWORD.EXE -
Suspicious behavior: AddClipboardFormatListener 2 IoCs
Processes:
WINWORD.EXEpid process 4736 WINWORD.EXE 4736 WINWORD.EXE -
Suspicious use of SetWindowsHookEx 21 IoCs
Processes:
WINWORD.EXEpid process 4736 WINWORD.EXE 4736 WINWORD.EXE 4736 WINWORD.EXE 4736 WINWORD.EXE 4736 WINWORD.EXE 4736 WINWORD.EXE 4736 WINWORD.EXE 4736 WINWORD.EXE 4736 WINWORD.EXE 4736 WINWORD.EXE 4736 WINWORD.EXE 4736 WINWORD.EXE 4736 WINWORD.EXE 4736 WINWORD.EXE 4736 WINWORD.EXE 4736 WINWORD.EXE 4736 WINWORD.EXE 4736 WINWORD.EXE 4736 WINWORD.EXE 4736 WINWORD.EXE 4736 WINWORD.EXE
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\5b6885ebd83a7ac6d4e9ded6017d7032_JaffaCakes118.doc" /o ""1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:4736