Analysis
- max time kernel: 149s
- max time network: 127s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 25-06-2024 15:49
Behavioral task: behavioral1
- Sample: 0ea4954ebb01b9e17ef90084eae1d842_JaffaCakes118.docm
- Resource: win7-20240508-en
Behavioral task: behavioral2
- Sample: 0ea4954ebb01b9e17ef90084eae1d842_JaffaCakes118.docm
- Resource: win10v2004-20240508-en
General
- Target: 0ea4954ebb01b9e17ef90084eae1d842_JaffaCakes118.docm
- Size: 19KB
- MD5: 0ea4954ebb01b9e17ef90084eae1d842
- SHA1: 1f5a7a593d5b04e0652cda2dfebb32c0d1e64745
- SHA256: 2d916cebea25e66a1109d344bef7f74642693e49519e0353d96f6220eebc3972
- SHA512: 50f111efa884688b00faa40a2d83eb1b3800fa53f00523a5c276101f48070f2004a7c588be9ceef91f9c480e4021c3a4a527934f13c2ccd982e7a9dbe561cead
- SSDEEP: 384:/imtzfL0IthsZD7+Kim1Qh4n0i13L8N50gX6Ujnw+32lkAj:/LkI/q/+Lm1Xv13ECBH+32Z
Malware Config
Signatures
- Checks processor information in registry (2 TTPs, 6 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Key opened: \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 (EXCEL.EXE)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz (EXCEL.EXE)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (EXCEL.EXE)
  Key opened: \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 (WINWORD.EXE)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz (WINWORD.EXE)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (WINWORD.EXE)
- Enumerates system info in registry (2 TTPs, 6 IoCs)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily (EXCEL.EXE)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU (EXCEL.EXE)
  Key opened: \REGISTRY\MACHINE\Hardware\Description\System\BIOS (WINWORD.EXE)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily (WINWORD.EXE)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU (WINWORD.EXE)
  Key opened: \REGISTRY\MACHINE\Hardware\Description\System\BIOS (EXCEL.EXE)
- Suspicious behavior: AddClipboardFormatListener (2 IoCs)
  PID 2456 WINWORD.EXE (2 entries)
- Suspicious use of FindShellTrayWindow (1 IoC)
  PID 2456 WINWORD.EXE (1 entry)
- Suspicious use of SetWindowsHookEx (21 IoCs)
  PID 2456 WINWORD.EXE (4 entries)
  PID 752 EXCEL.EXE (17 entries)
Processes
- C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\0ea4954ebb01b9e17ef90084eae1d842_JaffaCakes118.docm" /o ""
  PID: 2456
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
- C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
  PID: 752
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres
  Filesize: 2KB
  MD5: 15dcad1aec5f2f86c1d1c382c8032aa7
  SHA1: 29992dccbdeda78e56a6aa9542f0e901c4fc3a34
  SHA256: e9b1b62e32179cdd03fb88b3c147c46ee5b499fdf9f28dc943c4e212cc2d025c
  SHA512: 547570b279a083d98f5ca5b09759adaa36df6281720685892fcf6be392037e2cab00d614c784386c8b906cd7a630871e08de190602a3b2d5bf9b6ce01e5f863e
- C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\49dbe2955480c7f6ef8cec9c4320c9868d9293fd.tbres
  Filesize: 2KB
  MD5: 05e1bcd1ea16a281c91c850f3f527ee4
  SHA1: 1d4137778b7a2bf5ba27c2544dff82550e20785c
  SHA256: 4f1b2dbe668c656f1573f46c22b48c3798a520255eddb5093a0133345ec80240
  SHA512: e07039b60c4fcab501bc3d1df0da7fd523a5f4b2a7cf8e303f811f63aacf077411fac13d3f20e8ecec2975f586921ca5edece6e15b20bc25f69277dc99cb0ad0