Analysis
- max time kernel: 115s
- max time network: 127s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 26-06-2024 18:19

Behavioral task: behavioral1
- Sample: 12f2ae873e891c0b2b43ffdac7f7d43e_JaffaCakes118.doc
- Resource: win7-20240220-en

Behavioral task: behavioral2
- Sample: 12f2ae873e891c0b2b43ffdac7f7d43e_JaffaCakes118.doc
- Resource: win10v2004-20240508-en

General
- Target: 12f2ae873e891c0b2b43ffdac7f7d43e_JaffaCakes118.doc
- Size: 238KB
- MD5: 12f2ae873e891c0b2b43ffdac7f7d43e
- SHA1: d0f481f1a01470a68c0cb81ce3e491689c741dcd
- SHA256: 330145ed03e314fa9939713c886f49ed7670ea82efd3de2c2263f1529736f469
- SHA512: f9d99d6039437715720d32dcc86eb99e3ce20cfcf0bd3fa6c34de0215c93bc64dd1e7000758cb8d67c0bf034a83e7076d3376617f2ae94b078e765e014c44a7a
- SSDEEP: 3072:HAw1vPEfOgnPJceKBDaUGdSa9/LS1HPzVV:HAKvPEfrPJBAyU8mLL
Malware Config
Signatures
Checks processor information in registry (2 TTPs, 15 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes: WINWORD.EXE, WINWORD.EXE, EXCEL.EXE, EXCEL.EXE, EXCEL.EXE
description | ioc | process
- Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
- Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | EXCEL.EXE
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | EXCEL.EXE
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | EXCEL.EXE
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
- Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | EXCEL.EXE
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | EXCEL.EXE
- Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | EXCEL.EXE
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | EXCEL.EXE
- Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | EXCEL.EXE
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | EXCEL.EXE

Enumerates system info in registry (2 TTPs, 15 IoCs)
Processes: WINWORD.EXE, EXCEL.EXE, EXCEL.EXE, EXCEL.EXE, WINWORD.EXE
description | ioc | process
- Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | EXCEL.EXE
- Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | EXCEL.EXE
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | EXCEL.EXE
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | EXCEL.EXE
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
- Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | EXCEL.EXE
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | EXCEL.EXE
- Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
- Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | EXCEL.EXE
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | EXCEL.EXE
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener (4 IoCs)
Processes: WINWORD.EXE, WINWORD.EXE
pid | process
- 2468 | WINWORD.EXE
- 2468 | WINWORD.EXE
- 2404 | WINWORD.EXE
- 2404 | WINWORD.EXE

Suspicious use of AdjustPrivilegeToken (3 IoCs)
Processes: EXCEL.EXE, EXCEL.EXE, EXCEL.EXE
description | pid | process
- Token: SeAuditPrivilege | 5108 | EXCEL.EXE
- Token: SeAuditPrivilege | 3256 | EXCEL.EXE
- Token: SeAuditPrivilege | 616 | EXCEL.EXE

Suspicious use of SetWindowsHookEx (29 IoCs)
Processes: WINWORD.EXE, EXCEL.EXE, WINWORD.EXE, EXCEL.EXE, EXCEL.EXE
pid | process | occurrences
- 2468 | WINWORD.EXE | 7
- 5108 | EXCEL.EXE | 4
- 2404 | WINWORD.EXE | 10
- 3256 | EXCEL.EXE | 4
- 616 | EXCEL.EXE | 4
Processes
- Image: C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\12f2ae873e891c0b2b43ffdac7f7d43e_JaffaCakes118.doc" /o ""
  PID: 2468
  Signatures:
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
- Image: C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
  PID: 5108
  Signatures:
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
- Image: C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /Automation -Embedding
  PID: 2404
  Signatures:
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
- Image: C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
  PID: 3256
  Signatures:
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
- Image: C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
  PID: 616
  Signatures:
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15