59b4702cd0c51c54e7872bd2d0db8015102f555d8a55779e6a9a08f42ae38c08

Analysis

max time kernel
114s
max time network
123s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
31-05-2024 12:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8702385f0a64bf1aa8e202430692a9e6_JaffaCakes118.rtf
Size

3.3MB
MD5

8702385f0a64bf1aa8e202430692a9e6
SHA1

758541f9d90a87b9f97bbc6c2c7d65e9d4ebf1cf
SHA256

59b4702cd0c51c54e7872bd2d0db8015102f555d8a55779e6a9a08f42ae38c08
SHA512

9ff0553cccacb98269478df8ef65506da64b10ab5b16830f3c03f3c2f0796a5b6ca769154ba0f5e92dc16167586834737fcedf75355f2c5cea3c54535542844f
SSDEEP

24576:XVXHwimMpe3zZ9If2qHTS+qloJVtJZapoTPmeh+LIxE4Cg2MZfkhTJ73Wd:t

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 9 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	excelcnv.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	excelcnv.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	excelcnv.exe

Enumerates system info in registry 2 TTPs 9 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	excelcnv.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	excelcnv.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	excelcnv.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE

NTFS ADS 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Local\Temp\{625327B3-50F1-4765-96DD-5863592276AA}\s:Zone.Identifier	EXCEL.EXE
File opened for modification	C:\Users\Admin\AppData\Local\Temp\{625327B3-50F1-4765-96DD-5863592276AA}\written.dll:Zone.Identifier	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
1748	WINWORD.EXE
1748	WINWORD.EXE

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
1748	WINWORD.EXE
1748	WINWORD.EXE
1748	WINWORD.EXE
700	EXCEL.EXE
700	EXCEL.EXE
700	EXCEL.EXE
700	EXCEL.EXE
3008	excelcnv.exe
1748	WINWORD.EXE
1748	WINWORD.EXE
1748	WINWORD.EXE
1748	WINWORD.EXE

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 700 wrote to memory of 1628	700	EXCEL.EXE	89
PID 700 wrote to memory of 1628	700	EXCEL.EXE	89

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\8702385f0a64bf1aa8e202430692a9e6_JaffaCakes118.rtf" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1748

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- NTFS ADS
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:700
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:1628

C:\Program Files\Microsoft Office\Root\Office16\excelcnv.exe
"C:\Program Files\Microsoft Office\Root\Office16\excelcnv.exe" -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of SetWindowsHookEx
PID:3008

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04

Filesize
471B

MD5
6131e3b00f84e2f2f1658b38f71fb056

SHA1
67befc16014d203468fe763fe28517f7d1b6df52

SHA256
48bcc730ee82828fc76e7e8b8426dbc8503cbe938b5eff2cb6a78733265b3a81

SHA512
b6b8cbd4d405a06bc578cd62dceb252f190630f94ab3d474a48578780c9f7c1b5d257238bed2160bde18e2504959bbca7f2905fdbf3abc3d67beababd852a777

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04

Filesize
412B

MD5
f12f10bb02728dca749e9bbddd315850

SHA1
f7f3537896e2d4bc284f5a42b34866e8bf6e00fd

SHA256
2835053c1ba0af613838bb99104194a26e96dcfc09ee1f3dd91f0aa753d411d8

SHA512
a0b47d9cf2107a230bdb0af043b73ba8fc75aee37f04a4c85c0bd29b389e4a84f49928a92b0975fd81fe9a2a19b5e78bf05cf635c615e838e588563694ddd871

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\B55F5381-2BEC-4C0F-9C5A-A200DF036464

Filesize
161KB

MD5
046bb8bb7a60883b78ec51c4077d8f32

SHA1
f35e6905824a18a425653a54e745309f210cc4ad

SHA256
c26f57f00c37392dc79d460abecfbdc4ba424406a0aba57bd0100756a1dfa3bc

SHA512
2afc88ad7020f209c7eea9a7c7d573ba84b00385f88ec3f24a31ad2d6870362511e4a7c7c017a0498d1b1db35cea8f012ec195206259fb261ae128c167a3d609

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres

Filesize
2KB

MD5
7255dd755c42274c047c66e003e1fea0

SHA1
435454c9cc7cf03870b51b8f4964de0fee0f324e

SHA256
be1f50ebd58b9260eb3db23bc630b3141d7f65d59fad2224276bdb34653f5071

SHA512
5e0d402cc3a49f6137515e1e04c8bea5ddd0be2fd3a5234a3cfa4e25d1c3adccbad71e91900d9b7b8cccf003834b001cf6bf0743c24fa8df0e1595c70407b6c5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\49dbe2955480c7f6ef8cec9c4320c9868d9293fd.tbres

Filesize
2KB

MD5
d30ed7d13e882712fe5b0f0634740d0b

SHA1
3a455c8356ce1f1f85348b16e201e034e4aee7d2

SHA256
568bde9e3ff2fa4137294ed3736d8b367f94096092cfd1ba579fae8a5c1694c9

SHA512
c52ff2798bcc166c5bc02347cfe4ae9cedb51ecc09dcf6d902b14afa34c2cdc29f688f43f55b799e194fabd5327e2bc3b2e91f40b72ffefb203defd951a1ecb8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\E52AD6EB.emf

Filesize
4KB

MD5
3a21a2578df3f021866f175d612663af

SHA1
6444d55a4e930bb752e7764e900c02f76a7a9918

SHA256
1bad79e6948b476f3cdbe4004548c44b64dfd0505edf172e58e0fa8d8e48f985

SHA512
53cac32004f481c4b5a3cba9b7c2aac4cf3cdc035aabbc9a8560a38b26f622158aeadcd53f32c7f2521a673e3b3dfda8abb1d9eca46b4e59bbce212dfce66331

Download Submit
C:\Users\Admin\AppData\Local\Temp\TCDCC67.tmp\sist02.xsl

Filesize
245KB

MD5
f883b260a8d67082ea895c14bf56dd56

SHA1
7954565c1f243d46ad3b1e2f1baf3281451fc14b

SHA256
ef4835db41a485b56c2ef0ff7094bc2350460573a686182bc45fd6613480e353

SHA512
d95924a499f32d9b4d9a7d298502181f9e9048c21dbe0496fa3c3279b263d6f7d594b859111a99b1a53bd248ee69b867d7b1768c42e1e40934e0b990f0ce051e

Download Submit
memory/700-135-0x00007FFEE98D0000-0x00007FFEE98E0000-memory.dmp

Filesize
64KB

Download
memory/700-134-0x00007FFEE98D0000-0x00007FFEE98E0000-memory.dmp

Filesize
64KB

Download
memory/700-138-0x00007FFF29850000-0x00007FFF29A45000-memory.dmp

Filesize
2.0MB

Download
memory/700-30-0x00007FFF29850000-0x00007FFF29A45000-memory.dmp

Filesize
2.0MB

Download
memory/700-39-0x00007FFF29850000-0x00007FFF29A45000-memory.dmp

Filesize
2.0MB

Download
memory/700-40-0x00007FFF29850000-0x00007FFF29A45000-memory.dmp

Filesize
2.0MB

Download
memory/700-38-0x00007FFF29850000-0x00007FFF29A45000-memory.dmp

Filesize
2.0MB

Download
memory/700-29-0x00007FFF29850000-0x00007FFF29A45000-memory.dmp

Filesize
2.0MB

Download
memory/1748-12-0x00007FFEE6F70000-0x00007FFEE6F80000-memory.dmp

Filesize
64KB

Download
memory/1748-10-0x00007FFF29850000-0x00007FFF29A45000-memory.dmp

Filesize
2.0MB

Download
memory/1748-14-0x00007FFF29850000-0x00007FFF29A45000-memory.dmp

Filesize
2.0MB

Download
memory/1748-19-0x00007FFF29850000-0x00007FFF29A45000-memory.dmp

Filesize
2.0MB

Download
memory/1748-18-0x00007FFF29850000-0x00007FFF29A45000-memory.dmp

Filesize
2.0MB

Download
memory/1748-20-0x00007FFF29850000-0x00007FFF29A45000-memory.dmp

Filesize
2.0MB

Download
memory/1748-16-0x00007FFEE6F70000-0x00007FFEE6F80000-memory.dmp

Filesize
64KB

Download
memory/1748-17-0x00007FFF29850000-0x00007FFF29A45000-memory.dmp

Filesize
2.0MB

Download
memory/1748-13-0x00007FFF29850000-0x00007FFF29A45000-memory.dmp

Filesize
2.0MB

Download
memory/1748-11-0x00007FFF29850000-0x00007FFF29A45000-memory.dmp

Filesize
2.0MB

Download
memory/1748-0-0x00007FFEE98D0000-0x00007FFEE98E0000-memory.dmp

Filesize
64KB

Download
memory/1748-6-0x00007FFEE98D0000-0x00007FFEE98E0000-memory.dmp

Filesize
64KB

Download
memory/1748-7-0x00007FFF29850000-0x00007FFF29A45000-memory.dmp

Filesize
2.0MB

Download
memory/1748-8-0x00007FFF29850000-0x00007FFF29A45000-memory.dmp

Filesize
2.0MB

Download
memory/1748-9-0x00007FFF29850000-0x00007FFF29A45000-memory.dmp

Filesize
2.0MB

Download
memory/1748-15-0x00007FFF29850000-0x00007FFF29A45000-memory.dmp

Filesize
2.0MB

Download
memory/1748-650-0x00007FFF29850000-0x00007FFF29A45000-memory.dmp

Filesize
2.0MB

Download
memory/1748-1-0x00007FFEE98D0000-0x00007FFEE98E0000-memory.dmp

Filesize
64KB

Download
memory/1748-143-0x00007FFF29850000-0x00007FFF29A45000-memory.dmp

Filesize
2.0MB

Download
memory/1748-2-0x00007FFEE98D0000-0x00007FFEE98E0000-memory.dmp

Filesize
64KB

Download
memory/1748-4-0x00007FFEE98D0000-0x00007FFEE98E0000-memory.dmp

Filesize
64KB

Download
memory/1748-3-0x00007FFF298ED000-0x00007FFF298EE000-memory.dmp

Filesize
4KB

Download
memory/1748-5-0x00007FFF29850000-0x00007FFF29A45000-memory.dmp

Filesize
2.0MB

Download
memory/3008-109-0x00007FFEE98D0000-0x00007FFEE98E0000-memory.dmp

Filesize
64KB

Download
memory/3008-125-0x00007FFEE98D0000-0x00007FFEE98E0000-memory.dmp

Filesize
64KB

Download
memory/3008-126-0x00007FFEE98D0000-0x00007FFEE98E0000-memory.dmp

Filesize
64KB

Download
memory/3008-127-0x00007FFEE98D0000-0x00007FFEE98E0000-memory.dmp

Filesize
64KB

Download
memory/3008-124-0x00007FFEE98D0000-0x00007FFEE98E0000-memory.dmp

Filesize
64KB

Download
memory/3008-112-0x00007FFEE98D0000-0x00007FFEE98E0000-memory.dmp

Filesize
64KB

Download
memory/3008-110-0x00007FFEE98D0000-0x00007FFEE98E0000-memory.dmp

Filesize
64KB

Download
memory/3008-111-0x00007FFEE98D0000-0x00007FFEE98E0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads