Analysis
- max time kernel: 107s
- max time network: 124s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 26-06-2024 01:47
Behavioral task: behavioral1
- Sample: 105009eac4890719b2811e55feedd52d_JaffaCakes118.doc
- Resource: win7-20231129-en
Behavioral task: behavioral2
- Sample: 105009eac4890719b2811e55feedd52d_JaffaCakes118.doc
- Resource: win10v2004-20240508-en
General
- Target: 105009eac4890719b2811e55feedd52d_JaffaCakes118.doc
- Size: 132KB
- MD5: 105009eac4890719b2811e55feedd52d
- SHA1: eb1b641c9ec0f4f0fe7e0abee59e5aa187123765
- SHA256: 30f99223ffd816be005e624575e8b4c1e7cb58951de9eb165e554139fa00e092
- SHA512: 35e0065dfc4fb856a49b1a019ac1e0d003220d6a74a66e679dab20b7fd994cb830cab73417e774d2cb5ca1b980eea329186c11ad9805346e05f9ba1a2555c007
- SSDEEP: 768:X6WzhXbXI3Lyb3PodHPTT8By+BFOguu8z0AZxvm8j12ob:d5b6LyzgLTOOgH85vfhb
Malware Config
Signatures
- Office macro that triggers on suspicious action (1 IoC)
  Office document macro which triggers in special circumstances - often malicious.
  Processes (resource / yara_rule):
  C:\Users\Admin\AppData\Local\Temp\~WRD0000.tmp / office_macro_on_action
- Deletes itself (1 IoC)
  Processes (pid / process):
  4988 / WINWORD.EXE
- Checks processor information in registry (2 TTPs, 3 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes (description / ioc / process):
  Key opened / \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 / WINWORD.EXE
  Key value queried / \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz / WINWORD.EXE
  Key value queried / \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString / WINWORD.EXE
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  Processes (description / ioc / process):
  Key opened / \REGISTRY\MACHINE\Hardware\Description\System\BIOS / WINWORD.EXE
  Key value queried / \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily / WINWORD.EXE
  Key value queried / \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU / WINWORD.EXE
- NTFS ADS (1 IoC)
  Processes (description / ioc / process):
  File created / C:\Users\Admin\AppData\Local\Temp\~WRD0000.tmp\:Zone.Identifier:$DATA / WINWORD.EXE
- Suspicious behavior: AddClipboardFormatListener (2 IoCs)
  Processes (pid / process):
  4988 / WINWORD.EXE (2 events)
- Suspicious use of SetWindowsHookEx (13 IoCs)
  Processes (pid / process):
  4988 / WINWORD.EXE (13 events)
Processes
- C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\105009eac4890719b2811e55feedd52d_JaffaCakes118.doc" /o ""
  PID: 4988
  Signatures:
  - Deletes itself
  - Checks processor information in registry
  - Enumerates system info in registry
  - NTFS ADS
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 262KB
  MD5: 51d32ee5bc7ab811041f799652d26e04
  SHA1: 412193006aa3ef19e0a57e16acf86b830993024a
  SHA256: 6230814bf5b2d554397580613e20681752240ab87fd354ececf188c1eabe0e97
  SHA512: 5fc5d889b0c8e5ef464b76f0c4c9e61bda59b2d1205ac9417cc74d6e9f989fb73d78b4eb3044a1a1e1f2c00ce1ca1bd6d4d07eeadc4108c7b124867711c31810
- Filesize: 151KB
  MD5: 34550d36c85c2d3d4ff5539eea54bf67
  SHA1: 5ff0888f82068ec43736fbad566828a93e218176
  SHA256: fec08e3e5a6ca0f3328dcf8112978f15a256f6f774f0571131144411fa75ae2b
  SHA512: c2de7cea5841ca3e4cd09e5dec798d713d0cbda54cebc4c7de194bc5fae2d7ee69e89d4d3046aab3fd30268677c98c8c19eaf0e8aac284ace9a0bb770ddc48c9
- Filesize: 46KB
  MD5: 57cbbcef68b70c4dba6147fb99ff6427
  SHA1: 8f00e69d6702c324bfc8ad79e88fe267f4df5987
  SHA256: f44198d317f95ba6ad03ba7b4cde60029bc249d69bb81771c48969ed28feb7ee
  SHA512: 688b5ecd160ef8c3fb4a1c278bd904590c9a80570810f31275b81b733b81f935001991ae795eff2d6a1a7ce8672a3f01ebaea893e4b788d6b086ae63acd36564