Analysis
- max time kernel: 143s
- max time network: 147s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 27-06-2024 13:48
Behavioral task: behavioral1
- Sample: 1639529b874fd4542fe764723a409756_JaffaCakes118.doc
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: 1639529b874fd4542fe764723a409756_JaffaCakes118.doc
- Resource: win10v2004-20240508-en
General
- Target: 1639529b874fd4542fe764723a409756_JaffaCakes118.doc
- Size: 242KB
- MD5: 1639529b874fd4542fe764723a409756
- SHA1: e9b5c172ebe286d1c9f86f728491b789dd0198da
- SHA256: 3598a4e8f79938a5e94f6c7274d60d0f4670dc73856243ffd915c56094db2126
- SHA512: ac574977a296574501e09ad4ce1821e698667b2fa3f088de5313f6edd74d966cfef5f4e9ec60698c0d6d5b18d745be5a893490eba3bfc0cb3df69fc9a0e6c4b9
- SSDEEP: 1536:9terTkw9HnXPJguq73/IKB5Kby0gchHrTPryiK/dRYpmXWDapCi9iy:9vw9HXPJguq73/IKBWy6ydS0GDk5N
Malware Config
Signatures
- Checks processor information in registry (2 TTPs, 6 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes: WINWORD.EXE, EXCEL.EXE
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | EXCEL.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | EXCEL.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | EXCEL.EXE
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
- Enumerates system info in registry (2 TTPs, 6 IoCs)
  Processes: WINWORD.EXE, EXCEL.EXE
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | EXCEL.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | EXCEL.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | EXCEL.EXE
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
- Suspicious behavior: AddClipboardFormatListener (2 IoCs)
  Processes: WINWORD.EXE
  pid | process
  2680 | WINWORD.EXE
  2680 | WINWORD.EXE
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes: EXCEL.EXE
  description | pid | process
  Token: SeAuditPrivilege | 4716 | EXCEL.EXE
- Suspicious use of SetWindowsHookEx (11 IoCs)
  Processes: WINWORD.EXE, EXCEL.EXE
  pid | process
  2680 | WINWORD.EXE
  2680 | WINWORD.EXE
  2680 | WINWORD.EXE
  2680 | WINWORD.EXE
  2680 | WINWORD.EXE
  2680 | WINWORD.EXE
  2680 | WINWORD.EXE
  4716 | EXCEL.EXE
  4716 | EXCEL.EXE
  4716 | EXCEL.EXE
  4716 | EXCEL.EXE
Processes
- C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\1639529b874fd4542fe764723a409756_JaffaCakes118.doc" /o ""
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  PID: 2680
- C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID: 4716
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres
  Filesize: 2KB
  MD5: 23d741b98ac495727afe58fa449c2c21
  SHA1: 80d610de11a2814b3a12ae613ecdcf0f846d3f6c
  SHA256: f6363140878654e85081158acd1206693da03bcf71a2083500466f78be0b405b
  SHA512: 851afbb5ebc3786ed08518b1f34c0707769dfa2a802d1619636631f09187f33401fcd7a220fe4426251a95ad75f6e0454a86d4e9ebf66f2d6e08d88095d2b402
- C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\49dbe2955480c7f6ef8cec9c4320c9868d9293fd.tbres
  Filesize: 2KB
  MD5: 9a30c24cab12d05f39b6bae121dba340
  SHA1: d1bc90e587b70bc85c7704ec0270b275af556c5b
  SHA256: 9d0aad9dae588972a3614131f8eea46ba6feee0dcd45d94473c944c27770201d
  SHA512: 849b6644ac67060a7982422203beb40ef51f277d05f964b7101e17ba8c2b796548c9187741a4332942fb53b7f95af153475c09c67dc21b982c20cd8427cab00f
- Filesize: 263KB
  MD5: ff0e07eff1333cdf9fc2523d323dd654
  SHA1: 77a1ae0dd8dbc3fee65dd6266f31e2a564d088a4
  SHA256: 3f925e0cc1542f09de1f99060899eafb0042bb9682507c907173c392115a44b5
  SHA512: b4615f995fab87661c2dbe46625aa982215d7bde27cafae221dca76087fe76da4b4a381943436fcac1577cb3d260d0050b32b7b93e3eb07912494429f126bb3d