Analysis
max time kernel: 145s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240611-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
submitted: 27-06-2024 04:40
Behavioral task: behavioral1
Sample: 14b6e358fa83990ded4e40dea72748ac_JaffaCakes118.doc
Resource: win7-20240221-en

Behavioral task: behavioral2
Sample: 14b6e358fa83990ded4e40dea72748ac_JaffaCakes118.doc
Resource: win10v2004-20240611-en
General
Target: 14b6e358fa83990ded4e40dea72748ac_JaffaCakes118.doc
Size: 241KB
MD5: 14b6e358fa83990ded4e40dea72748ac
SHA1: 7279cc1d21130efd443a0b4e5b12f65b1ee3d69f
SHA256: 740e3991a1d9178a251a1f0fa3733182207382cc077818cfe1db2302849b9ff9
SHA512: 8cb5eeb514497a783d88c1d5bd011ece7e12073cebd8eaef7eeb35db96deedced08985e5e92fdd50c6fd06e7b5ecd33d5c16ecf248b338dbfd414052fb39f9e1
SSDEEP: 3072:Svw9HXPJguq73/IKBWySSdSAG4AaODz4wfyAVZ:SvKHXPJi73wAHUAG4if4KyAVZ
Malware Config
Signatures

Checks processor information in registry (2 TTPs, 6 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes: WINWORD.EXE, EXCEL.EXE
description | ioc | process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | EXCEL.EXE

Enumerates system info in registry (2 TTPs, 6 IoCs)
Processes: WINWORD.EXE, EXCEL.EXE
description | ioc | process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener (2 IoCs)
Processes: WINWORD.EXE
pid | process
1520 | WINWORD.EXE
1520 | WINWORD.EXE

Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes: EXCEL.EXE
description | pid | process
Token: SeAuditPrivilege | 3316 | EXCEL.EXE

Suspicious use of SetWindowsHookEx (11 IoCs)
Processes: WINWORD.EXE, EXCEL.EXE
pid | process
1520 | WINWORD.EXE (listed 7 times)
3316 | EXCEL.EXE (listed 4 times)
Processes

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\14b6e358fa83990ded4e40dea72748ac_JaffaCakes118.doc" /o ""
PID: 1520
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
Command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
PID: 3316
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\8363E098-82D6-4E81-B97E-01C296AB69FC
Filesize: 168KB
MD5: 7edbc540f87790faae94e29f7c9d15eb
SHA1: 37d76638a198d2640b8b76a9cac32051692d7ff8
SHA256: 118e515ce8394d35ca70a82742482d12580ff40bed73760fd05e49f0599986e4
SHA512: fd0b357ff5c592815432820ddce29ed5eb5a50cda2b12fce566551d6be267c612f732ddd48fc680c11ab0e8272f9b981917f375361d39424f1c74692cd57c10e

C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres
Filesize: 2KB
MD5: 664f3472b57679776730008dde296e13
SHA1: 5e8a5ecd1a1e5d6177c3f128d9a9672750913656
SHA256: 9412614eba3226480d7148d979a42c718db1fc55042fef2e03e4a09767150e99
SHA512: e07bd660f9c1742a8ebd5a26f0c11702e758ad49e95b94a3d8d55d1413a092910e5999704b88b4954ffb49a4c10603c4a218bceafa7839d64f5ec0964b36eb60

C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\49dbe2955480c7f6ef8cec9c4320c9868d9293fd.tbres
Filesize: 2KB
MD5: 55e82e57fac258007e92774c55e01219
SHA1: abc76b37cca7c0443a838df971e75f2ed90c7ba7
SHA256: 040fe7e36e788261f9eef93bb94be6167c98ececf2531ea2876a6dbfc2d9b17d
SHA512: e30798f57e32a5b6fcce0a47cef6a71bc606a2fc07472fff00a35398436d27cace5d37ae1b98615b8666ec7df561e179613ae33ca11c9e7ac29145e65ffc8d7f

Filesize: 262KB
MD5: 51d32ee5bc7ab811041f799652d26e04
SHA1: 412193006aa3ef19e0a57e16acf86b830993024a
SHA256: 6230814bf5b2d554397580613e20681752240ab87fd354ececf188c1eabe0e97
SHA512: 5fc5d889b0c8e5ef464b76f0c4c9e61bda59b2d1205ac9417cc74d6e9f989fb73d78b4eb3044a1a1e1f2c00ce1ca1bd6d4d07eeadc4108c7b124867711c31810