Analysis
-
max time kernel
145s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system -
submitted
27-06-2024 00:49
Behavioral task
behavioral1
Sample
1414c7d6863ef79a8878e10827c160fd_JaffaCakes118.doc
Resource
win7-20240611-en
Behavioral task
behavioral2
Sample
1414c7d6863ef79a8878e10827c160fd_JaffaCakes118.doc
Resource
win10v2004-20240226-en
General
-
Target
1414c7d6863ef79a8878e10827c160fd_JaffaCakes118.doc
-
Size
241KB
-
MD5
1414c7d6863ef79a8878e10827c160fd
-
SHA1
fa5329e778b093e2fce434a3186206cdbf36a966
-
SHA256
a2b7c46680fa78c6b81870b168e3bc384b7b88162825c89c6a83f83aff0dea8a
-
SHA512
73c56958eaed34e107e4320d6656f6b90203284eadca29bf7d84fa97a563901db62438639799b79eafab49f5b0483e78cd9d41cfa6ccd0219b88f48df9f3483b
-
SSDEEP
3072:7vw9HXPJguq73/IKBWy+QdSWn1duBJMhY:7vKHXPJi73wA1UWn1gJ5
Malware Config
Signatures
-
Checks processor information in registry 2 TTPs 15 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
WINWORD.EXEEXCEL.EXEEXCEL.EXEEXCEL.EXEWINWORD.EXEdescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz EXCEL.EXE Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString EXCEL.EXE Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WINWORD.EXE Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 EXCEL.EXE Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 EXCEL.EXE Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString EXCEL.EXE -
Enumerates system info in registry 2 TTPs 15 IoCs
Processes:
EXCEL.EXEWINWORD.EXEWINWORD.EXEEXCEL.EXEEXCEL.EXEdescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU EXCEL.EXE Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily WINWORD.EXE Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WINWORD.EXE Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily EXCEL.EXE Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily EXCEL.EXE Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU EXCEL.EXE -
Suspicious behavior: AddClipboardFormatListener 4 IoCs
Processes:
WINWORD.EXEWINWORD.EXEpid process 1072 WINWORD.EXE 1072 WINWORD.EXE 5040 WINWORD.EXE 5040 WINWORD.EXE -
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
EXCEL.EXEEXCEL.EXEEXCEL.EXEdescription pid process Token: SeAuditPrivilege 4952 EXCEL.EXE Token: SeAuditPrivilege 4904 EXCEL.EXE Token: SeAuditPrivilege 1236 EXCEL.EXE -
Suspicious use of SetWindowsHookEx 29 IoCs
Processes:
WINWORD.EXEEXCEL.EXEWINWORD.EXEEXCEL.EXEEXCEL.EXEpid process 1072 WINWORD.EXE 1072 WINWORD.EXE 1072 WINWORD.EXE 1072 WINWORD.EXE 1072 WINWORD.EXE 1072 WINWORD.EXE 1072 WINWORD.EXE 4952 EXCEL.EXE 4952 EXCEL.EXE 4952 EXCEL.EXE 4952 EXCEL.EXE 5040 WINWORD.EXE 5040 WINWORD.EXE 5040 WINWORD.EXE 5040 WINWORD.EXE 5040 WINWORD.EXE 5040 WINWORD.EXE 5040 WINWORD.EXE 5040 WINWORD.EXE 5040 WINWORD.EXE 5040 WINWORD.EXE 4904 EXCEL.EXE 4904 EXCEL.EXE 4904 EXCEL.EXE 4904 EXCEL.EXE 1236 EXCEL.EXE 1236 EXCEL.EXE 1236 EXCEL.EXE 1236 EXCEL.EXE
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\1414c7d6863ef79a8878e10827c160fd_JaffaCakes118.doc" /o ""1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1072
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1428 --field-trial-handle=2180,i,12780723798465539942,12010519452607841069,262144 --variations-seed-version /prefetch:81⤵PID:764
-
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4952
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /Automation -Embedding1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:5040
-
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4904
-
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1236
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_363582827213C09529A76F35FB615187
Filesize471B
MD500c48aa819dbe137d55dde5b2009f124
SHA1f834727c83fa0d07ae014d59592147b32f946055
SHA2563ea61c94b6decd0f5b15fe9503e0de17b33dff1d29d31dc74a9ceab76fe265d9
SHA512340927c0089b4fb3aff2ed918fd0cd101bfe4f0d0ab21d5e277ff1762b753af4490a6e21ce55c75ab019b880cba56ef9ec80b377de09667bea674884ceee5a6e
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_363582827213C09529A76F35FB615187
Filesize412B
MD555d58901e981f94a88cbb47b1a27f0c5
SHA1f93b9a3a6f412553767b99b0f3cfa1e211f6b1eb
SHA256ef42544afea162fc0820008658290476113ec8c06a2d36a432ec33ce1ff282f0
SHA5123d468fe99702c12a87b480053f4609dddd24fd1085eaca0b60928608d4782fdc8b00b960033acde30b2996e16c14fb52b338426157eea4de789d7f2d10fd2821
-
Filesize
502B
MD57286b6fa5ebe08bd551dc8ee300a0a22
SHA122900fa0f6bc32b9cf7db5f971f463b689edc394
SHA25648657821ca27686756087f11c3323660fda4992190d54fa242e9eeef37a8adf2
SHA5129ba2f49813f5db8af83f01ff1dd3230faa4ce2da96d409abd3a3a4841467bf7c72e46fc6a03246ed9097f274843cdbfa1a872581f3c2ca9c441d0d0d0b091a1e
-
Filesize
417B
MD5c56ff60fbd601e84edd5a0ff1010d584
SHA1342abb130dabeacde1d8ced806d67a3aef00a749
SHA256200e8cc8dd12e22c9720be73092eafb620435d4569dbdcdba9404ace2aa4343c
SHA512acd2054fddb33b55b58b870edd4eb6a3cdd3131dfe6139cb3d27054ac2b2a460694c9be9c2a1da0f85606e95e7f393cf16868b6c654e78a664799bc3418da86e
-
Filesize
87B
MD5e4e83f8123e9740b8aa3c3dfa77c1c04
SHA15281eae96efde7b0e16a1d977f005f0d3bd7aad0
SHA2566034f27b0823b2a6a76fe296e851939fd05324d0af9d55f249c79af118b0eb31
SHA512bd6b33fd2bbce4a46991bc0d877695d16f7e60b1959a0defc79b627e569e5c6cac7b4ad4e3e1d8389a08584602a51cf84d44cf247f03beb95f7d307fbba12bb9
-
Filesize
14B
MD56ca4960355e4951c72aa5f6364e459d5
SHA12fd90b4ec32804dff7a41b6e63c8b0a40b592113
SHA25688301f0b7e96132a2699a8bce47d120855c7f0a37054540019e3204d6bcbaba3
SHA5128544cd778717788b7484faf2001f463320a357db63cb72715c1395ef19d32eec4278bab07f15de3f4fed6af7e4f96c41908a0c45be94d5cdd8121877eccf310d
-
Filesize
512KB
MD5dbaf01239cf079e25bef83c1b78f6c47
SHA13fcf01789953174597dca350c31253578c61a719
SHA256caf006dacc1f4acd2929c731af4fb45ea308c7b63953f5000b29442b4714702e
SHA51298e7b9cbd881ba1d6f6ec5cb0d4e63b5c5008025ce557d0f82a2aa5858e4a9e3eaf0571910ee15847c0910fb881b7cece612b965192bb9af2ed311b86a44abc4
-
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\A7AE9997-195D-444F-AF5F-1ABB20DC9E42
Filesize168KB
MD594178173f19b0e8eae8f6380041fac38
SHA16d2c4b29d7a8d7bb0e2ecb8e3e6593a2fdd2be84
SHA2564594a119465ad2d5828399b30c137111e19c78d1cd07127b5c6c773d86b25095
SHA51216484fa8ebb523d18c3933c06a2655c1e8388038abc291d873dc3d22ea32a04df934993d326ad8d225cf4d21cef7685f0afd1ed763d2369bbe386a7c853ef420
-
Filesize
718KB
MD544b07deb0828dfa29638364defcb558e
SHA1673ef6822f4f39cdb4c6297cdf1ede4ff233347e
SHA25637d504cbf34ce8a56cfc471e494583232b028189c3edb2b2f708bcb08436a20d
SHA5128091255e8a1796f42db4ac30ccb74d222311d10f3d30bff848aa938a13bbb16e6cc15e88b7cbe5ba3c02535de880e44473fb6cecc7d6d67dbeb3e7e1339f2c13
-
Filesize
753KB
MD55a4c197a41750e1becfb390029599ba8
SHA177e001ce3fb78c584bee8c21185b15a3e97b0e1b
SHA256d88e85b1e54539b6dc6c56bafa20aa80ce4b8cf0adda8ec4dc7a03e431803686
SHA512e00ebd241e8412925c241b4fd07681fea2f28c174edb85c646bed5e4de91ea3605e19ba2de7acdba3bd88164ef256af08097d5d9f71f89ed35b10e14b31936a3
-
Filesize
24KB
MD58665de22b67e46648a5a147c1ed296ca
SHA1b289a96fee9fa77dd8e045ae8fd161debd376f48
SHA256b5cbae5c48721295a51896f05abd4c9566be7941cda7b8c2aecb762e6e94425f
SHA512bb03ea9347d302abf3b6fece055cdae0ad2d7c074e8517f230a90233f628e5803928b9ba7ba79c343e58dacb3e7a6fc16b94690a5ab0c71303959654a18bb5da
-
Filesize
24KB
MD5085ebd119f5fc6b8f63720fac1166ff5
SHA1af066018aadec31b8e70a124a158736aca897306
SHA256b8411fe8ec499074fca9047f6983d920279e84ddf3b02b2dd5c08cf07ec44687
SHA512adb0522830db26123347cb485c43b156f5c888510e52091ba0fafc22b650ad29630c027746c920321905c28259dce7ff63dded93a79efddd5567c68312117875
-
Filesize
402KB
MD51e83aaa0767565435de4808f73f34ee5
SHA1232dd54e74c9dee91f69e93044bc18bcd56d68b0
SHA2566de14f1e26ed2192d027acbb836f765d6c0d1a9b2b8753ed02464696ec15a10e
SHA512fe58b1a4a986959b066f7aeff826716002c1c610f8b9e599bee256fc114a70643def44e8cbe91bbba3ff8bfe948113e7d24dde91b4b7e29a678d19faed241d69
-
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres
Filesize2KB
MD57d4ec2520782963369d0080ef1a1625a
SHA144279c4b1ba5611ce664549918d1457be6cef067
SHA25674bd2af952dcac496d6341cda5b742f9b237a59bd9d0daeb0bcbc6908572a768
SHA512f8b45e386d8f0e004840b2ce180edc6d80c74f679607ddcb284ad81d3636d8935c1d65a54853ed9c1b1c752baa7a5f8cb729b5f932d16691a9f9f50ab9194dd9
-
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\49dbe2955480c7f6ef8cec9c4320c9868d9293fd.tbres
Filesize2KB
MD5fa6abc51dd02b0ae6db7b6295200da09
SHA13b601722d971c8ddc98407ac322cf20a0d9b0417
SHA25669697ab8efd28d30057d566a0bdf0644bb333aeb0d0c9f2ecc8eba8e08d50987
SHA5122db1a15f171cbb980839333bdba1e8c127cf0f9000a8b967d77c1f4660a265dc74fb8ea5d117bc5eeec5d08d4b216dd88d6f67630a88887f1c3d17e0d7d560ad
-
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\49dbe2955480c7f6ef8cec9c4320c9868d9293fd.tbres
Filesize2KB
MD5ae41b52ef3552add19eb1d1158b5bb29
SHA1f6bb2f50b3bc0020e1676e2c5dcee4510f8a1cb8
SHA256bf1351686ef8827ae40e0a7c4c991cec15ab69cc29f31a35135a47eedba620de
SHA512e6f09c626688dd0114e9c19322ac104ddb3145fc2f25db22857361512fada37464de1cc2d4876bdb8b75b96338f540a83f386305c490eefa3d2bc5e15c9d968c
-
Filesize
148KB
MD5a1610e4656958e4c51f34c97d75bab02
SHA175dbc15b2e998df537af6a76903b6a3f5a61d326
SHA25684e79830c91c11cb7232d5a2fe5df4246023c1d0eaae5fe0a2f55ea9b056cd50
SHA512d4aa0d5b7b77180c6bfd9b68996fd127a0e11439d24233cf7ec2fced303dc8a1fdcc86bf8c1da978f3479a2c4b6e2996e3aa3e4ea4397b754c676bd8ff592934