Analysis
- max time kernel: 148s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20240611-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 27-06-2024 13:06
Behavioral task: behavioral1
- Sample: 161c3c7e18e408720c114f8a876f35b0_JaffaCakes118.doc
- Resource: win7-20240508-en
Behavioral task: behavioral2
- Sample: 161c3c7e18e408720c114f8a876f35b0_JaffaCakes118.doc
- Resource: win10v2004-20240611-en
General
- Target: 161c3c7e18e408720c114f8a876f35b0_JaffaCakes118.doc
- Size: 204KB
- MD5: 161c3c7e18e408720c114f8a876f35b0
- SHA1: f60f0bb2c7d54d1d224b4444386bdd1c88efc8be
- SHA256: d19079e9f888e919ad866cee089a400b123b995ac14a17c79d033365116bcff0
- SHA512: 8a5e1ac7d137a2e836d44f59282d8b8d08667a3fc6aabf1bee21bf2753af8b60ccdb692b2add6f9d739fbf62fbb3bbe08b05a087754d010db7a4e3b12b399098
- SSDEEP: 1536:wtPrT8wrLT0NeXxz1DweYHrTPqy45J8b1KzCy34yS5QqFf+lgvuNtymq:w2w3keXxz1Df0eGvKSeqxzCq
Malware Config
Signatures
- Checks processor information in registry (2 TTPs, 12 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes: WINWORD.EXE, EXCEL.EXE, WINWORD.EXE, EXCEL.EXE
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | EXCEL.EXE
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | EXCEL.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | EXCEL.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | EXCEL.EXE
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | EXCEL.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | EXCEL.EXE
- Enumerates system info in registry (2 TTPs, 12 IoCs)
  Processes: WINWORD.EXE, EXCEL.EXE, WINWORD.EXE, EXCEL.EXE
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | EXCEL.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | EXCEL.EXE
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | EXCEL.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | EXCEL.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | EXCEL.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | EXCEL.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
- Suspicious behavior: AddClipboardFormatListener (4 IoCs)
  Processes: WINWORD.EXE, WINWORD.EXE, EXCEL.EXE
  pid | process
  692 | WINWORD.EXE
  692 | WINWORD.EXE
  3520 | WINWORD.EXE
  2148 | EXCEL.EXE
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes: EXCEL.EXE, EXCEL.EXE
  description | pid | process
  Token: SeAuditPrivilege | 4420 | EXCEL.EXE
  Token: SeAuditPrivilege | 2148 | EXCEL.EXE
- Suspicious use of SetWindowsHookEx (25 IoCs)
  Processes: WINWORD.EXE, EXCEL.EXE, WINWORD.EXE, EXCEL.EXE
  pid | process | entries
  692 | WINWORD.EXE | 7
  4420 | EXCEL.EXE | 4
  3520 | WINWORD.EXE | 10
  2148 | EXCEL.EXE | 4
Processes
- C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\161c3c7e18e408720c114f8a876f35b0_JaffaCakes118.doc" /o ""
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  PID: 692
- C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID: 4420
- C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /Automation -Embedding
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  PID: 3520
- C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID: 2148
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A
  Filesize: 471B
  MD5: ad16c4fe3416ea9db31dc0e8e1f61075
  SHA1: 875a15e98223c377b49e4bd6f761eff730ae3773
  SHA256: f1984f7bac9e2d827ffe7cdeb18e109e24426e149c55160870234e8243972960
  SHA512: d03a7bdbfe5ae4c967222fe163706e1b42cc23cafd05523c19247131c20ea13d44a2caf8f48b5cccd7beea725fb26e57141d8fd2cf503e4d9ae8a0a903fb02d0
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A
  Filesize: 412B
  MD5: ea81a37a9704ad26c447b8cb0795bffd
  SHA1: 8568da4210339076c16acf3f3da0ee91f4f20af0
  SHA256: e2ff85e50f630895b5e320ea969c972d4d04c3c8591d7e5a4d074b9d0a775f38
  SHA512: 1d1625982371bd5b6db59ba904337dad22a116a937a9580a96f4b2a26d1762b0ad6b89743f3c49f6d2445ff4dda8714e2b095aee472f4d17b25fbfe140155c84
- Filesize: 21B
  MD5: f1b59332b953b3c99b3c95a44249c0d2
  SHA1: 1b16a2ca32bf8481e18ff8b7365229b598908991
  SHA256: 138e49660d259061d8152137abd8829acdfb78b69179890beb489fe3ffe23e0c
  SHA512: 3c1f99ecc394df3741be875fbe8d95e249d1d9ac220805794a22caf81620d5fdd3cce19260d94c0829b3160b28a2b4042e46b56398e60f72134e49254e9679a4
- Filesize: 417B
  MD5: c56ff60fbd601e84edd5a0ff1010d584
  SHA1: 342abb130dabeacde1d8ced806d67a3aef00a749
  SHA256: 200e8cc8dd12e22c9720be73092eafb620435d4569dbdcdba9404ace2aa4343c
  SHA512: acd2054fddb33b55b58b870edd4eb6a3cdd3131dfe6139cb3d27054ac2b2a460694c9be9c2a1da0f85606e95e7f393cf16868b6c654e78a664799bc3418da86e
- Filesize: 87B
  MD5: e4e83f8123e9740b8aa3c3dfa77c1c04
  SHA1: 5281eae96efde7b0e16a1d977f005f0d3bd7aad0
  SHA256: 6034f27b0823b2a6a76fe296e851939fd05324d0af9d55f249c79af118b0eb31
  SHA512: bd6b33fd2bbce4a46991bc0d877695d16f7e60b1959a0defc79b627e569e5c6cac7b4ad4e3e1d8389a08584602a51cf84d44cf247f03beb95f7d307fbba12bb9
- Filesize: 14B
  MD5: 6ca4960355e4951c72aa5f6364e459d5
  SHA1: 2fd90b4ec32804dff7a41b6e63c8b0a40b592113
  SHA256: 88301f0b7e96132a2699a8bce47d120855c7f0a37054540019e3204d6bcbaba3
  SHA512: 8544cd778717788b7484faf2001f463320a357db63cb72715c1395ef19d32eec4278bab07f15de3f4fed6af7e4f96c41908a0c45be94d5cdd8121877eccf310d
- Filesize: 512KB
  MD5: 6a8384bb7f672d5333456694a10179de
  SHA1: 1bc442448adfa4c00b4147749ce9890b2d9cf25f
  SHA256: 959d3055a59fa341899d0db75adcc85eb1acb64e624488f3b8a83abc4babb588
  SHA512: 4b8d40b4249b082f338af7f73ffa67a35a221e412e27cf00581d2b87913447cb69f94245c7f202fa0eb07fd4510ceef4d46390ac356f01060cc183c3aaf80340
- C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\58978085-5D30-4BDD-8D18-9700F1D50030
  Filesize: 168KB
  MD5: f02287a21c9e5f9735aa485ff15b2b04
  SHA1: 800304ed261c04df3419e9dd6a8986f954112343
  SHA256: b98677598d5999ccba3e08f988524770aefa57ac10f5fcfb7b76f463d4c0198e
  SHA512: cc2f716b6938d3eb0fc7e67fd8bda5773f138e3787978be324981242bce9b42192761d95694dd24cb4dbf91f94553ac07db71dd2912312f36e29084166ad190d
- Filesize: 321KB
  MD5: edc5bbd89d21bff468e2b1bc6a6cad11
  SHA1: b5a3588cc1c3274357eefae826f9de1876e4def4
  SHA256: 7c8ecd6695962fe29434fae9505f932f5f4b94196045cf6535566180ac50e0af
  SHA512: 57c5fb3a4bfbef6c6a9e2c1a8e3c00debec585c2e86857206c7f3ebd349b2436b9d9d6a6032ee0dc76cee44243766e4399cce9d0884abd2e47efb2b799d415f4
- Filesize: 332KB
  MD5: 874e05073239ce46fb73138f72a0b502
  SHA1: 6c5cfb40cc141c26048fd1c06986983e21db47b0
  SHA256: 18200fdb493faadfd4016b59a77bd873212d3a12f6b01d01087c59e78b3ce0ed
  SHA512: 4650990457be788c226295023f4778a119777ee9716556a09f48f63238dcac72f9501776432cdb94f81de766414252f53c3006aae258e97199577baedbe68a58
- Filesize: 21KB
  MD5: 3f8b914bbbdf88af206554cacd078515
  SHA1: 33fa74f1935a4fef4bd12e02ed64db79606dd266
  SHA256: 38791c15886ca0ed2fa587511a1149f75e51a8048ee1a70d4190468a87e69228
  SHA512: 9e83aae616eabadd9f9be4c5edc55113d66feed2c3d4b2a868ca5ed38cf56cfdab2611195c54aa55f2824541265126ae79ae94ddb5c86633b79b8af479a35024
- Filesize: 24KB
  MD5: 8665de22b67e46648a5a147c1ed296ca
  SHA1: b289a96fee9fa77dd8e045ae8fd161debd376f48
  SHA256: b5cbae5c48721295a51896f05abd4c9566be7941cda7b8c2aecb762e6e94425f
  SHA512: bb03ea9347d302abf3b6fece055cdae0ad2d7c074e8517f230a90233f628e5803928b9ba7ba79c343e58dacb3e7a6fc16b94690a5ab0c71303959654a18bb5da
- Filesize: 8KB
  MD5: 9b459a397e65ac70bfa935c477ed4321
  SHA1: d3126ceaa6af728b087c0b9f47a9cb36bfe23a2f
  SHA256: f3ef3610f8642a2527c8d5b1872378c5e2a0b67fd2be86f1104edece47af6435
  SHA512: 44ea0cdcbe3a4e5bd62a03e2c1ebeb77cceece62486ec7c2ab68a772accee48201ea8766e84098d25143595442c327d1ae646166c615227fff0962ad8856e0af
- C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres
  Filesize: 2KB
  MD5: 9ffde8da8686265649463bc1abcf7648
  SHA1: d7b9c0e717796bf96ba19c78f9d39528ecd12099
  SHA256: 70bed912af6ee8482d131af41dfbb33d0d1bc2a1bf953435394dcd08bff099e7
  SHA512: cdd70894e891b842078a6eafc3cb76b69359c7808a1e42d9d9d1e5af9a06b541a54f74ff98e53c25c585ab3db464ee67a8b23d40e9df372753125cffb506d39d
- C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\49dbe2955480c7f6ef8cec9c4320c9868d9293fd.tbres
  Filesize: 2KB
  MD5: 7ef464794eec95e2ee298e09ae76baa6
  SHA1: 7a8e2ae4c904384607d8b72a40c6a17332f24e03
  SHA256: c5f36f07e38477f85782406b92cf46c4d3aeddb935f1190435cfe8598f8af9d1
  SHA512: 7dbf75728bb3b022a2ac0847a5686d6002fd064415c82d301f4f14d7addeae3a70083cdd59a7779bb16b5077033fb67bce1f9e5d99738450c2c598d0b8de1603
- Filesize: 262KB
  MD5: 51d32ee5bc7ab811041f799652d26e04
  SHA1: 412193006aa3ef19e0a57e16acf86b830993024a
  SHA256: 6230814bf5b2d554397580613e20681752240ab87fd354ececf188c1eabe0e97
  SHA512: 5fc5d889b0c8e5ef464b76f0c4c9e61bda59b2d1205ac9417cc74d6e9f989fb73d78b4eb3044a1a1e1f2c00ce1ca1bd6d4d07eeadc4108c7b124867711c31810
- Filesize: 148KB
  MD5: f6e830ee1c3c5f177f2d3f712bc5e9f6
  SHA1: d4cf51f05722bcb3a3816d69e8384315f6a01089
  SHA256: 9f63ed19679cc7d567940f9e7351a0fd920920c2bda0216a04ea0b6a2617ab41
  SHA512: e5c45301af20256e8feea772fec8e070f561a33196d9f471a26eea4c78422b0bdb421e720817d67408903a0ec3aacd39b0a2c969dd2e41a5dd55fe28a3b2e0c6