Analysis
max time kernel: 151s
max time network: 155s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 26-06-2024 06:31
Behavioral task: behavioral1
Sample: 1109cc2af86d8f1938445e968abc37c0_JaffaCakes118.doc
Resource: win7-20240611-en
Behavioral task: behavioral2
Sample: 1109cc2af86d8f1938445e968abc37c0_JaffaCakes118.doc
Resource: win10v2004-20240226-en
General
Target: 1109cc2af86d8f1938445e968abc37c0_JaffaCakes118.doc
Size: 241KB
MD5: 1109cc2af86d8f1938445e968abc37c0
SHA1: d8d05cd837412c2a6544c4dd431b62d413a67529
SHA256: 57abbecb41daf1a8fe546034062266430bc58151d4912b97b2e7ccbe118ae317
SHA512: 10ba11d7d41da9b1ab1a224bb9eae90bcd033083a9c422939fd9c5d570f32eb860383defd60062ff65958dbead890cb488084754b96b57cdbdc77ffc7a7e8fa0
SSDEEP: 1536:5terTkw9HnXPJguq73/IKB5Kby0g4XHrTPpyUK/dRYy1n6AmIahOJMnZx:5vw9HXPJguq73/IKBWyUOdSyTGZZx
Malware Config
Signatures

Checks processor information in registry (2 TTPs, 12 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes: WINWORD.EXE, EXCEL.EXE, WINWORD.EXE, EXCEL.EXE
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | EXCEL.EXE
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | EXCEL.EXE
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | EXCEL.EXE

Enumerates system info in registry (2 TTPs, 12 IoCs)
Processes: EXCEL.EXE, WINWORD.EXE, EXCEL.EXE, WINWORD.EXE
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | EXCEL.EXE
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener (4 IoCs)
Processes: WINWORD.EXE, WINWORD.EXE
pid | process | occurrences
224 | WINWORD.EXE | 2
1344 | WINWORD.EXE | 2

Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes: EXCEL.EXE, EXCEL.EXE
description | pid | process
Token: SeAuditPrivilege | 3644 | EXCEL.EXE
Token: SeAuditPrivilege | 2136 | EXCEL.EXE

Suspicious use of SetWindowsHookEx (25 IoCs)
Processes: WINWORD.EXE, EXCEL.EXE, WINWORD.EXE, EXCEL.EXE
pid | process | occurrences
224 | WINWORD.EXE | 7
3644 | EXCEL.EXE | 4
1344 | WINWORD.EXE | 10
2136 | EXCEL.EXE | 4
Processes

Path: C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\1109cc2af86d8f1938445e968abc37c0_JaffaCakes118.doc" /o ""
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID: 224

Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=5384 --field-trial-handle=2304,i,6987730730348465820,3913273227385401271,262144 --variations-seed-version /prefetch:8
PID: 3820

Path: C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
Command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID: 3644

Path: C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /Automation -Embedding
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID: 1344

Path: C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
Command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID: 2136
Network
MITRE ATT&CK Enterprise v15
Downloads