Analysis
-
max time kernel
147s
-
max time network
152s
-
platform
windows10-2004_x64
-
resource
win10v2004-20240508-en
-
resource tags
arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
-
submitted
25-06-2024 17:15
Behavioral task
behavioral1
Sample
0ee3fd78f9b1fa4a91e934b88a7d43e6_JaffaCakes118.doc
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
0ee3fd78f9b1fa4a91e934b88a7d43e6_JaffaCakes118.doc
Resource
win10v2004-20240508-en
General
-
Target
0ee3fd78f9b1fa4a91e934b88a7d43e6_JaffaCakes118.doc
-
Size
36KB
-
MD5
0ee3fd78f9b1fa4a91e934b88a7d43e6
-
SHA1
d9482fd4e6998e5f288a3ac6a8578cceab7156c4
-
SHA256
ae2641920db2a85dbc84be47368d48a8e158d690d6277c605b97197dd243fe11
-
SHA512
24ae653a864cf03ac565fd490adfd9a569f98afcd9fc9316ae354bd956b18ef1c70d604c8bee4d9bb48af05e39d21b6a3f1cf4b2a64e7affa5059135191d2a2e
-
SSDEEP
384:YEQUkwHXlmRL5dBOAjTjfq4eu8olz0mO3UO3sjj3at7I41:g8mRl/jTjyAOmN3o
Malware Config
Signatures
-
Deletes itself 1 IoCs
pid | Process
4480 | WINWORD.EXE
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
-
Enumerates system info in registry 2 TTPs 3 IoCs
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
-
NTFS ADS 1 IoCs
description | ioc | Process
File created | C:\Users\Admin\AppData\Local\Temp\~WRD0000.tmp\:Zone.Identifier:$DATA | WINWORD.EXE
-
Suspicious behavior: AddClipboardFormatListener 2 IoCs
pid | Process
4480 | WINWORD.EXE (2 identical entries)
-
Suspicious use of SetWindowsHookEx 13 IoCs
pid | Process
4480 | WINWORD.EXE (13 identical entries)
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\0ee3fd78f9b1fa4a91e934b88a7d43e6_JaffaCakes118.doc" /o ""
- Deletes itself
- Checks processor information in registry
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:4480
Network
MITRE ATT&CK Enterprise v15
Downloads