Analysis
- max time kernel: 148s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20240611-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 27-06-2024 01:44
Behavioral task: behavioral1
- Sample: 143cb1d36f1f16b09762b6847822d06f_JaffaCakes118.doc
- Resource: win7-20240508-en
Behavioral task: behavioral2
- Sample: 143cb1d36f1f16b09762b6847822d06f_JaffaCakes118.doc
- Resource: win10v2004-20240611-en
General
- Target: 143cb1d36f1f16b09762b6847822d06f_JaffaCakes118.doc
- Size: 205KB
- MD5: 143cb1d36f1f16b09762b6847822d06f
- SHA1: 726d6ab9d90892b7edf1d060af79b95bb124e277
- SHA256: e1c6a68a2ed3a1047ea46c2653c60bb1c111c7af5aebb0a67799b0e8b691fc56
- SHA512: 8881939d0d50d1de73467e2202f819569e5830cc0277748eaac7a76e90c7f7657e335ceb6fa2733d3b99fa4d855a5dbbaebebd1314651aa82e02de32dbb1e689
- SSDEEP: 1536:NtPrT8wrLT0NeXxz1DwetHrTPByf5J8bzj+dD1d38pkFiowm8MbIcd1k:N2w3keXxz1DfNYkoDz8pkTd8Mo
Malware Config
Signatures
- Checks processor information in registry (2 TTPs, 15 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes: WINWORD.EXE, WINWORD.EXE, EXCEL.EXE, EXCEL.EXE, EXCEL.EXE
  description        ioc                                                                              process
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz            WINWORD.EXE
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz            WINWORD.EXE
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz            EXCEL.EXE
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz            EXCEL.EXE
  Key opened         \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0                 WINWORD.EXE
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz            EXCEL.EXE
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  EXCEL.EXE
  Key opened         \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0                 EXCEL.EXE
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  WINWORD.EXE
  Key opened         \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0                 EXCEL.EXE
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  EXCEL.EXE
  Key opened         \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0                 WINWORD.EXE
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  WINWORD.EXE
  Key opened         \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0                 EXCEL.EXE
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  EXCEL.EXE
- Enumerates system info in registry (2 TTPs, 15 IoCs)
  Processes: WINWORD.EXE, EXCEL.EXE, EXCEL.EXE, WINWORD.EXE, EXCEL.EXE
  description        ioc                                                            process
  Key opened         \REGISTRY\MACHINE\Hardware\Description\System\BIOS             WINWORD.EXE
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU   EXCEL.EXE
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU   EXCEL.EXE
  Key opened         \REGISTRY\MACHINE\Hardware\Description\System\BIOS             WINWORD.EXE
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily  EXCEL.EXE
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily  EXCEL.EXE
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily  EXCEL.EXE
  Key opened         \REGISTRY\MACHINE\Hardware\Description\System\BIOS             EXCEL.EXE
  Key opened         \REGISTRY\MACHINE\Hardware\Description\System\BIOS             EXCEL.EXE
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU   WINWORD.EXE
  Key opened         \REGISTRY\MACHINE\Hardware\Description\System\BIOS             EXCEL.EXE
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU   EXCEL.EXE
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily  WINWORD.EXE
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU   WINWORD.EXE
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily  WINWORD.EXE
- Suspicious behavior: AddClipboardFormatListener (4 IoCs)
  Processes: WINWORD.EXE, WINWORD.EXE
  pid   process
  4760  WINWORD.EXE
  4760  WINWORD.EXE
  3116  WINWORD.EXE
  3116  WINWORD.EXE
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes: EXCEL.EXE, EXCEL.EXE, EXCEL.EXE
  description              pid   process
  Token: SeAuditPrivilege  4992  EXCEL.EXE
  Token: SeAuditPrivilege  1056  EXCEL.EXE
  Token: SeAuditPrivilege  1272  EXCEL.EXE
- Suspicious use of SetWindowsHookEx (30 IoCs)
  Processes: WINWORD.EXE, EXCEL.EXE, WINWORD.EXE, EXCEL.EXE, EXCEL.EXE
  pid   process      entries
  4760  WINWORD.EXE  7
  4992  EXCEL.EXE    4
  3116  WINWORD.EXE  11
  1056  EXCEL.EXE    4
  1272  EXCEL.EXE    4
Processes
- C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\143cb1d36f1f16b09762b6847822d06f_JaffaCakes118.doc" /o ""
  PID: 4760
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
- C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
  PID: 4992
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
- C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /Automation -Embedding
  PID: 3116
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
- C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
  PID: 1056
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
- C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
  PID: 1272
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9
  Filesize: 471B
  MD5: d413407200f7f8a5ab13824f68e9d7a1
  SHA1: 571ebc55231c1bf3a5718d36717890fb214a4a0a
  SHA256: c73133f8d458483e95e84bf92effd8de0e909819c7616699e03603e761f8d1b1
  SHA512: 68f1fb7058b9239ae6851ec81f883d7df9726c203f5ac3b3391ac068d9eaec3d6ed7b642e8aca01a24140882cc3f576fbfef9abb23833133ff7d8dfa99ff2f20
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9
  Filesize: 420B
  MD5: 3626af421bb1aac0992125926ec9c1c2
  SHA1: dac14eae3e3404fb206de0d8bfc08746740947c7
  SHA256: b3505578612dade4139bedad8a820bb374c2cea02f880fcaadf5b09ec436b563
  SHA512: a13f49f4d46dcce671c23b62fb42af7dd9fdd83ec0be903df30c64bbd5622d78588470dd653405e9f7c50565af135d337c3ec1a84ef933b929e096fa14133e34
- Filesize: 21B
  MD5: f1b59332b953b3c99b3c95a44249c0d2
  SHA1: 1b16a2ca32bf8481e18ff8b7365229b598908991
  SHA256: 138e49660d259061d8152137abd8829acdfb78b69179890beb489fe3ffe23e0c
  SHA512: 3c1f99ecc394df3741be875fbe8d95e249d1d9ac220805794a22caf81620d5fdd3cce19260d94c0829b3160b28a2b4042e46b56398e60f72134e49254e9679a4
- Filesize: 417B
  MD5: c56ff60fbd601e84edd5a0ff1010d584
  SHA1: 342abb130dabeacde1d8ced806d67a3aef00a749
  SHA256: 200e8cc8dd12e22c9720be73092eafb620435d4569dbdcdba9404ace2aa4343c
  SHA512: acd2054fddb33b55b58b870edd4eb6a3cdd3131dfe6139cb3d27054ac2b2a460694c9be9c2a1da0f85606e95e7f393cf16868b6c654e78a664799bc3418da86e
- Filesize: 87B
  MD5: e4e83f8123e9740b8aa3c3dfa77c1c04
  SHA1: 5281eae96efde7b0e16a1d977f005f0d3bd7aad0
  SHA256: 6034f27b0823b2a6a76fe296e851939fd05324d0af9d55f249c79af118b0eb31
  SHA512: bd6b33fd2bbce4a46991bc0d877695d16f7e60b1959a0defc79b627e569e5c6cac7b4ad4e3e1d8389a08584602a51cf84d44cf247f03beb95f7d307fbba12bb9
- Filesize: 14B
  MD5: 6ca4960355e4951c72aa5f6364e459d5
  SHA1: 2fd90b4ec32804dff7a41b6e63c8b0a40b592113
  SHA256: 88301f0b7e96132a2699a8bce47d120855c7f0a37054540019e3204d6bcbaba3
  SHA512: 8544cd778717788b7484faf2001f463320a357db63cb72715c1395ef19d32eec4278bab07f15de3f4fed6af7e4f96c41908a0c45be94d5cdd8121877eccf310d
- Filesize: 512KB
  MD5: eb9d64e4c594c186bd8be2eff5fdaf61
  SHA1: 2632b1a3a7e36bf62eebc805dc6d212469973268
  SHA256: bdb225f4b020f49dd52610e1cd0422b7d36cc5376234a24d446fb4f28494db07
  SHA512: 5e67413b0d2fa5717dd9a3f9d2c6d613279cbaff9c19627be966b565bd61407d068f67171d84fa9b25462ad91f325a161d4484e085dcb4f4c2b1cfd9645a7254
- C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\58C39C7C-B0F8-4FDE-ACF3-56C9B4D274C9
  Filesize: 168KB
  MD5: 3240a9d5aadfeb1ee8fc1afc74524c0c
  SHA1: b5c7f35ac0db22f705226721b3ca3613edc5ed69
  SHA256: baf76b3d065c963c4281b7d634757052afbc0fb627f94b750a2fe10a66d66fa4
  SHA512: 73b61839d0263b25d1c05b6dbb6e1ca808b766be1dbaff960d75afb0453a1cef424ba04a9cd2fd45a389b7a29d6aeb702716ca97a00e83f6bc179fb53ef409c7
- Filesize: 323KB
  MD5: 67f36f3c0ac40b3318b0241f929fe06b
  SHA1: 7b9aee92f248b674b974a8469fd0b0ddddf6243d
  SHA256: 59f39c79c6f4ce39372c39f194fea499d0bf1eef2ecb2f2b7a941898fd7200f2
  SHA512: d58458e054b4c202a887c57b234cdce0913ed83481237700d70ac51412273289d49dcf79c29f06a1b87749020a66a4b7b3a280886ff8ae0c60e5cbc9debef279
- Filesize: 333KB
  MD5: e7f663ce715a2b74c17a013567b05926
  SHA1: 2b281c8ca9e1832394d0561a7cd6217393141545
  SHA256: 26776f52e21b7864c6a8aff3d8dbd1d73618214a9de454e922852c320465730b
  SHA512: 5600cc8c25a390b6a0b71108641d8974662b28464be8e5185dfe4313f37e5cd07d32c572219d6079efdf1081b455e1eb5315084fe5a0f1b8dc40cbe4cb1eb7a2
- Filesize: 19KB
  MD5: a225d425e3eeea21e2d4131de736a344
  SHA1: 20502242ac43af434a529f0bd4c6e75157771e27
  SHA256: fcbbfa369fddf5f17a6652a17ac2b35b44ccff106817ae1f1d7247beb04e5e70
  SHA512: 6c101067382704cdf810b03a9e8c7de8abc3ae3e04cf77f9677f7e0e99e4ea126f7ff877b8e6f5f334c669c143c6a5dae32fa3f6827cafc73d5a41c0035be009
- Filesize: 24KB
  MD5: 8665de22b67e46648a5a147c1ed296ca
  SHA1: b289a96fee9fa77dd8e045ae8fd161debd376f48
  SHA256: b5cbae5c48721295a51896f05abd4c9566be7941cda7b8c2aecb762e6e94425f
  SHA512: bb03ea9347d302abf3b6fece055cdae0ad2d7c074e8517f230a90233f628e5803928b9ba7ba79c343e58dacb3e7a6fc16b94690a5ab0c71303959654a18bb5da
- Filesize: 4KB
  MD5: 05294968d85a20054e7f20ad6f98e60e
  SHA1: c1ace349d500bacc8446602cbd8ec69dc3b8a7ac
  SHA256: c6f306d073c032ba7c2faa3acbfea8ea92dd71f1424585df9faa3381b07281a0
  SHA512: d816ebd4bb7f99dabb35aabbf3eb47648912929c119e4cb850059a46bd4b4a80806a6944610a4c9a84220aa4fe8d3676234a5009c613e4c87888f810acac9d20
- Filesize: 8KB
  MD5: 3969b9215b5ef4159424c2e806deb71c
  SHA1: fcaa482c1ed3049275b17d54447e86841e0e51d0
  SHA256: ae3d8e5527ee14cba250cb6361aea334977280f6f671d22591dbf6f55c33f633
  SHA512: a9ea299868e08b2b36e5de9abdfed6b0af9fb650fd394135e83499c16abdac47971fce117361d222d5fe55cbf092877ce28498bebf4e9e5ae7eaf5442a58e55b
- Filesize: 8KB
  MD5: f1efdd9e467bc4147aa82f7f58a9e99c
  SHA1: 6539184a260def0dc77f011de259ce74c0b28130
  SHA256: 8580d58f386e9829bbec83a8e79220c4e924bc18790c0047200d17d7ab0fe7d3
  SHA512: fa5005fbfeddf0afa43e90a1d65dd64a573ce7c1b6a5e8da0292486120c23838ac6931d5fef609cd05f5a224445471a13023586f49473cea5b7bdb0378036c20
- C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres
  Filesize: 2KB
  MD5: 43c08476973839b184d2060b5a753e27
  SHA1: dd1fbfc929d2a98fe2acd5d27267b7fdf0109881
  SHA256: ce49dbd8c0afa987d2459b2592a87f8a1f5383528ea663b32341dbdc4e1bdc3c
  SHA512: db60644de05701d914e652c444f4dd2ba4ebf5d79cb44367ef18d5554b25f015a8517a4e654479e3c9d1fdedd3c9122981768aca7aebda0a3583c0574a597ba8
- C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\49dbe2955480c7f6ef8cec9c4320c9868d9293fd.tbres
  Filesize: 2KB
  MD5: 7ab75981e00236f89dc9ef842132f0d9
  SHA1: 0971eb34cdd414a6690f742e99e99523c66f322a
  SHA256: 33790dd9b05e33b60ac3759c9ea978018e278ef8690a62e0358c2f4c26f963d4
  SHA512: 998649711c5ac39f33c49bbbddbf7f5e278bf461dffd1356d15ba27ef93ec1178d0cb95e77a00315e7979b9da32027f1962fc55e89c931eb0d9b6cf7f55865f2
- Filesize: 245KB
  MD5: f883b260a8d67082ea895c14bf56dd56
  SHA1: 7954565c1f243d46ad3b1e2f1baf3281451fc14b
  SHA256: ef4835db41a485b56c2ef0ff7094bc2350460573a686182bc45fd6613480e353
  SHA512: d95924a499f32d9b4d9a7d298502181f9e9048c21dbe0496fa3c3279b263d6f7d594b859111a99b1a53bd248ee69b867d7b1768c42e1e40934e0b990f0ce051e
- Filesize: 148KB
  MD5: 0d7bfd2a2e1d947dfd770a8cf382ea14
  SHA1: e5a91a66cd6aec8eb4b89e58383c40216ec875d3
  SHA256: 098f5a9715bdd0fdfd569611f6d10049d56959d6a3851f5f83e5b878ce723ee8
  SHA512: e881af231eef8807d877f82971dea24c06680458f3221bd91ed1364023601970c75b3ffcf2f3b6cdfa0d3487d85ceb4f7c4b094f9dd9f9f4d1e27c707f6f6c49