Analysis
max time kernel
125s
max time network
126s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags
arch:x64 arch:x86 image:win10v2004-20240508-en locale:en-us os:windows10-2004-x64 system
submitted
27-06-2024 22:01
Behavioral task
behavioral1
Sample
17af5fd0abdcf35f5755cb8c78080a60_JaffaCakes118.doc
Resource
win7-20240220-en
Behavioral task
behavioral2
Sample
17af5fd0abdcf35f5755cb8c78080a60_JaffaCakes118.doc
Resource
win10v2004-20240508-en
General
Target
17af5fd0abdcf35f5755cb8c78080a60_JaffaCakes118.doc
Size
205KB
MD5
17af5fd0abdcf35f5755cb8c78080a60
SHA1
48e2b3435afe4d7c8de78c16ede4823558f6ebf4
SHA256
0b2ddd1c2bd35706570539de72475504fec9d4f2545bc59eeec4aabb8fb6532b
SHA512
7420a2678a63d568da3416e1f639ce5f826acf159529c14194dc17303df63cd211726bd49f5c841565fef4e55a6f0ebdd4c08d2fcb23c13270c206ccd7554fe0
SSDEEP
3072:o2w3keXxz1Df4q/Ozmma/yeJ3eatnxsVkd7q6:o2kkeXr7sBJgnRd77
Malware Config
Signatures
Checks processor information in registry (2 TTPs, 15 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes: EXCEL.EXE, WINWORD.EXE, EXCEL.EXE, EXCEL.EXE, WINWORD.EXE
description | ioc | process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | EXCEL.EXE
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | EXCEL.EXE
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
Enumerates system info in registry (2 TTPs, 15 IoCs)
Processes: WINWORD.EXE, EXCEL.EXE, EXCEL.EXE, WINWORD.EXE, EXCEL.EXE
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | EXCEL.EXE
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | EXCEL.EXE
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | EXCEL.EXE
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | EXCEL.EXE
Suspicious behavior: AddClipboardFormatListener (4 IoCs)
Processes: WINWORD.EXE, WINWORD.EXE
pid | process
4708 | WINWORD.EXE
4708 | WINWORD.EXE
4564 | WINWORD.EXE
4564 | WINWORD.EXE
Suspicious use of AdjustPrivilegeToken (3 IoCs)
Processes: EXCEL.EXE, EXCEL.EXE, EXCEL.EXE
description | pid | process
Token: SeAuditPrivilege | 1796 | EXCEL.EXE
Token: SeAuditPrivilege | 5476 | EXCEL.EXE
Token: SeAuditPrivilege | 1648 | EXCEL.EXE
Suspicious use of SetWindowsHookEx (29 IoCs)
Processes: WINWORD.EXE, EXCEL.EXE, WINWORD.EXE, EXCEL.EXE, EXCEL.EXE
pid | process | entries
4708 | WINWORD.EXE | 7
1796 | EXCEL.EXE | 4
4564 | WINWORD.EXE | 10
5476 | EXCEL.EXE | 4
1648 | EXCEL.EXE | 4
Processes
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\17af5fd0abdcf35f5755cb8c78080a60_JaffaCakes118.doc" /o ""
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID: 4708

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3824,i,13281073920029625837,8253721632651544158,262144 --variations-seed-version --mojo-platform-channel-handle=4168 /prefetch:8
PID: 4860

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
Command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID: 1796

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /Automation -Embedding
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID: 4564

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
Command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID: 5476

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
Command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID: 1648
Network
MITRE ATT&CK Enterprise v15
Downloads