Analysis
max time kernel: 109s
max time network: 132s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 27-06-2024 01:06
Behavioral task behavioral1
Sample: 1420ec37efaf76efa52ef5c6e34ebcf7_JaffaCakes118.doc
Resource: win7-20240508-en
Behavioral task behavioral2
Sample: 1420ec37efaf76efa52ef5c6e34ebcf7_JaffaCakes118.doc
Resource: win10v2004-20240508-en
General
Target: 1420ec37efaf76efa52ef5c6e34ebcf7_JaffaCakes118.doc
Size: 205KB
MD5: 1420ec37efaf76efa52ef5c6e34ebcf7
SHA1: 93ecc157cc3d9bb74f0a7b8ddf549ffbb8ec71d7
SHA256: 7dcb09c89a02bd8fa61973e60b74d9b3a6e694ea50701efaccc379e7ebd6e21a
SHA512: 6b72662d8f6d8433402ab1f942e32900c22140d5ef6fdf5cef1be4bec37d19f291b6096bc89aa29ca4d929b2178446c6c1144fae0563848e603463c5b1c24313
SSDEEP: 1536:3tPrT8wrLT0NeXxz1DweYHrTP3yZ5J8bzlKLDGUtI5lvCOxempK+C960WRW:32w3keXxz1Df0wWsxmlvfxvpCRF
Malware Config
Signatures
Checks processor information in registry (2 TTPs, 12 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes: WINWORD.EXE, EXCEL.EXE, WINWORD.EXE, EXCEL.EXE
description | ioc | process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | EXCEL.EXE
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | EXCEL.EXE
Enumerates system info in registry (2 TTPs, 12 IoCs)
Processes: WINWORD.EXE, EXCEL.EXE, EXCEL.EXE, WINWORD.EXE
description | ioc | process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | EXCEL.EXE
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | EXCEL.EXE
Suspicious behavior: AddClipboardFormatListener (4 IoCs)
Processes: WINWORD.EXE, WINWORD.EXE
pid | process
2848 | WINWORD.EXE
2848 | WINWORD.EXE
2500 | WINWORD.EXE
2500 | WINWORD.EXE
Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes: EXCEL.EXE, EXCEL.EXE
description | pid | process
Token: SeAuditPrivilege | 4620 | EXCEL.EXE
Token: SeAuditPrivilege | 2216 | EXCEL.EXE
Suspicious use of SetWindowsHookEx (26 IoCs)
Processes: WINWORD.EXE, EXCEL.EXE, WINWORD.EXE, EXCEL.EXE
pid | process | occurrences
2848 | WINWORD.EXE | 7
4620 | EXCEL.EXE | 4
2500 | WINWORD.EXE | 11
2216 | EXCEL.EXE | 4
Processes
Image: C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\1420ec37efaf76efa52ef5c6e34ebcf7_JaffaCakes118.doc" /o ""
PID: 2848
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx

Image: C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
Command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
PID: 4620
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx

Image: C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /Automation -Embedding
PID: 2500
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx

Image: C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
Command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
PID: 2216
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads