Analysis
max time kernel: 134s
max time network: 135s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 26-06-2024 18:00
Behavioral task: behavioral1
Sample: 12e470cf2ab1d4b29fd6ffbdbb77a2b3_JaffaCakes118.doc
Resource: win7-20240221-en
Behavioral task: behavioral2
Sample: 12e470cf2ab1d4b29fd6ffbdbb77a2b3_JaffaCakes118.doc
Resource: win10v2004-20240508-en
General
Target: 12e470cf2ab1d4b29fd6ffbdbb77a2b3_JaffaCakes118.doc
Size: 238KB
MD5: 12e470cf2ab1d4b29fd6ffbdbb77a2b3
SHA1: d8b50f5e29aa03e86f4ea379603bbdaf3100f56d
SHA256: 9c7c3e7884ef015412487f4715467908ac7a53b9d757ad7f059b8b9c9bf2d3fe
SHA512: 51057c30d58e98316bcb54b5ecd8f8fa41281365ffae39375eb53b00a9418eff36f0a73c8241648f3e2e1101a36febb827792bc08da4574089922b3e8ff34fb0
SSDEEP: 1536:YterT1w1vN8M/EfOgnPJceKBCwbacKHrTPKyzK/dRYwT5mlG6JZbCAPonGy4msV:YAw1vPEfOgnPJceKBDa1wdSAmlHbCMV
Malware Config
Signatures
-
Checks processor information in registry (2 TTPs, 12 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes: EXCEL.EXE, WINWORD.EXE, EXCEL.EXE, WINWORD.EXE
description | ioc | process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | EXCEL.EXE
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | EXCEL.EXE
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | EXCEL.EXE
-
Enumerates system info in registry (2 TTPs, 12 IoCs)
Processes: EXCEL.EXE, WINWORD.EXE, EXCEL.EXE, WINWORD.EXE
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | EXCEL.EXE
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | EXCEL.EXE
-
Suspicious behavior: AddClipboardFormatListener (4 IoCs)
Processes: WINWORD.EXE, WINWORD.EXE
pid | process
2492 | WINWORD.EXE (2 IoCs)
4048 | WINWORD.EXE (2 IoCs)
-
Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes: EXCEL.EXE, EXCEL.EXE
description | pid | process
Token: SeAuditPrivilege | 436 | EXCEL.EXE
Token: SeAuditPrivilege | 1412 | EXCEL.EXE
-
Suspicious use of SetWindowsHookEx (25 IoCs)
Processes: WINWORD.EXE, EXCEL.EXE, WINWORD.EXE, EXCEL.EXE
pid | process
2492 | WINWORD.EXE (7 IoCs)
436 | EXCEL.EXE (4 IoCs)
4048 | WINWORD.EXE (10 IoCs)
1412 | EXCEL.EXE (4 IoCs)
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\12e470cf2ab1d4b29fd6ffbdbb77a2b3_JaffaCakes118.doc" /o ""
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID: 2492
-
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
Command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID: 436
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /Automation -Embedding
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID: 4048
-
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
Command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID: 1412
Network
MITRE ATT&CK Enterprise v15
Downloads