Analysis
-
max time kernel
145s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240611-en -
resource tags
arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system -
submitted
26-06-2024 21:59
Behavioral task
behavioral1
Sample
139c97de52e861794cafdc86d34f9b7d_JaffaCakes118.doc
Resource
win7-20240611-en
Behavioral task
behavioral2
Sample
139c97de52e861794cafdc86d34f9b7d_JaffaCakes118.doc
Resource
win10v2004-20240611-en
General
-
Target
139c97de52e861794cafdc86d34f9b7d_JaffaCakes118.doc
-
Size
243KB
-
MD5
139c97de52e861794cafdc86d34f9b7d
-
SHA1
8a69051ad621132516402232c5e6594128e5d40a
-
SHA256
7463acf559948ee3f801df867cf2d77197ca16928ada5527fa26ea5210cd1809
-
SHA512
4be2fe3c42a9436a27095b1787eb97054847acbcae771f94db17a5ccf82a73102d708c6c8b301eec64acb52727130eeec37f50b1a9178e6150ba2720bb8826ae
-
SSDEEP
3072:GOw0pklIiuq73/IKBds5OdSwdXFG07tG3cY:GO5pklIo73wABUoXF1ZGMY
Malware Config
Signatures
-
Checks processor information in registry 2 TTPs 6 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
WINWORD.EXEEXCEL.EXEdescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WINWORD.EXE Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString EXCEL.EXE Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WINWORD.EXE -
Enumerates system info in registry 2 TTPs 6 IoCs
Processes:
WINWORD.EXEEXCEL.EXEdescription ioc process Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WINWORD.EXE Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU EXCEL.EXE -
Suspicious behavior: AddClipboardFormatListener 2 IoCs
Processes:
WINWORD.EXEpid process 3620 WINWORD.EXE 3620 WINWORD.EXE -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
EXCEL.EXEdescription pid process Token: SeAuditPrivilege 5364 EXCEL.EXE -
Suspicious use of SetWindowsHookEx 11 IoCs
Processes:
WINWORD.EXEEXCEL.EXEpid process 3620 WINWORD.EXE 3620 WINWORD.EXE 3620 WINWORD.EXE 3620 WINWORD.EXE 3620 WINWORD.EXE 3620 WINWORD.EXE 3620 WINWORD.EXE 5364 EXCEL.EXE 5364 EXCEL.EXE 5364 EXCEL.EXE 5364 EXCEL.EXE
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\139c97de52e861794cafdc86d34f9b7d_JaffaCakes118.doc" /o ""1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:3620
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4216,i,7869973516895866428,11647313872437892197,262144 --variations-seed-version --mojo-platform-channel-handle=4156 /prefetch:81⤵PID:4036
-
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:5364
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\2235CFB4-E44B-4A5F-8747-CFEE07F285F2
Filesize168KB
MD5eaff99b24739527e7671d4a7bd1b1771
SHA1a8020815791d7f29bc0829fd4fa62c63b3c4f449
SHA256d4302c56250c21db077ff4c77a6d1bf8c04b9dd695d02acbd81714857ba6b1da
SHA512a9f6d6a627dbcbea2d6745f4f085213b6ec0e5f18c1c8cd0da20e25ab241c43dd144f77d487e8ca85d73acda23c69f663112378d930f3d04a7cbb73f89f58724
-
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres
Filesize2KB
MD5211c86ffce7f1a482ec8125acaaa264a
SHA161b982cbde7cd672219cbc35a3742d1ffac118ea
SHA256576156d0592aecba142168cecc178e9b0ce2882653d04790ab8d3f18d54d38d9
SHA5128f4342e5688bfb64c7f587848db7f8fbc0e9bf980dc4000577663d064ea50d4565646fb43b9e51da46bf28635a0ae5d1fdb6063dee79479f02491179aa16118d
-
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\49dbe2955480c7f6ef8cec9c4320c9868d9293fd.tbres
Filesize2KB
MD580cd368ab21e1a99d14a1d15fd899c74
SHA1ee0246f67ad25966bb738a6630ee0be7c7306075
SHA256a60b01630b375b34208dcfd498f8bf0b8279a0336e171d2011837f1d940fd7dc
SHA512522d82b4cdf14a7aa3260746dd8a6151883bc1a30a3041fb50b321ed3b1413100a77153b5c1849b9b4d28475ee051692ff4bd2cf2efb0e5e2faf2dfc4d016b85
-
Filesize
245KB
MD5f883b260a8d67082ea895c14bf56dd56
SHA17954565c1f243d46ad3b1e2f1baf3281451fc14b
SHA256ef4835db41a485b56c2ef0ff7094bc2350460573a686182bc45fd6613480e353
SHA512d95924a499f32d9b4d9a7d298502181f9e9048c21dbe0496fa3c3279b263d6f7d594b859111a99b1a53bd248ee69b867d7b1768c42e1e40934e0b990f0ce051e
-
Filesize
2B
MD5f3b25701fe362ec84616a93a45ce9998
SHA1d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA51298c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84