Analysis
max time kernel: 149s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240611-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
submitted: 27-06-2024 15:55
Behavioral task behavioral1
Sample: 169b39fccbbc5cfa145e0c430f455609_JaffaCakes118.doc
Resource: win7-20231129-en

Behavioral task behavioral2
Sample: 169b39fccbbc5cfa145e0c430f455609_JaffaCakes118.doc
Resource: win10v2004-20240611-en
General
Target: 169b39fccbbc5cfa145e0c430f455609_JaffaCakes118.doc
Size: 204KB
MD5: 169b39fccbbc5cfa145e0c430f455609
SHA1: 2e99f48e1d5d375c824daede50b1c4b993f5a5fb
SHA256: 955b510462e4733b2edb7ccb6ad15fb8e2f5590dcd9e691a519631b63b5fe48c
SHA512: a5101d7c4632a6e9a967bd32c5d7339a1cfdda8ae6d5165f1d2aa38ad34ed5b2701605074459bee44f2d288aef85fd470a737ddc6b226e787b9eb8fd361602a5
SSDEEP: 1536:gxK/jtPrT8wrLT0NeXxz1DwerHrTPXyZ5J8br1cgSe02gNt2r2XwvkwpYu:v2w3keXxz1DffYwcgjrvP
Malware Config
Signatures
Checks processor information in registry (2 TTPs, 12 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes: WINWORD.EXE, EXCEL.EXE, EXCEL.EXE, WINWORD.EXE
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | EXCEL.EXE
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | EXCEL.EXE
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | EXCEL.EXE
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE

Enumerates system info in registry (2 TTPs, 12 IoCs)
Processes: WINWORD.EXE, EXCEL.EXE, WINWORD.EXE, EXCEL.EXE
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | EXCEL.EXE
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | EXCEL.EXE
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener (4 IoCs)
Processes: WINWORD.EXE, WINWORD.EXE
pid | process
4616 | WINWORD.EXE (2 IoCs)
5660 | WINWORD.EXE (2 IoCs)

Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes: EXCEL.EXE, EXCEL.EXE
description | pid | process
Token: SeAuditPrivilege | 5916 | EXCEL.EXE
Token: SeAuditPrivilege | 1484 | EXCEL.EXE

Suspicious use of SetWindowsHookEx (25 IoCs)
Processes: WINWORD.EXE, EXCEL.EXE, WINWORD.EXE, EXCEL.EXE
pid | process
4616 | WINWORD.EXE (7 IoCs)
5916 | EXCEL.EXE (4 IoCs)
5660 | WINWORD.EXE (10 IoCs)
1484 | EXCEL.EXE (4 IoCs)
Processes
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\169b39fccbbc5cfa145e0c430f455609_JaffaCakes118.doc" /o ""
PID: 4616
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
Command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
PID: 5916
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /Automation -Embedding
PID: 5660
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
Command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
PID: 1484
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
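The following is an added triage example; it is not part of the sandbox report or of the sandbox's own tooling. It transcribes the four command lines and the 24 registry reads from the Processes and Signatures sections above and groups them. OFFICE_IMAGES, HW_FINGERPRINT_PREFIXES, DOC_EXTENSIONS and the verdict strings are the example's own assumptions. The point it makes from the report's data: every process in the tree is an Office binary, three of them were started by COM activation ("/automation -Embedding" is the form COM uses when an automation or embedding server is instantiated, not a user opening a file), and every CPU and BIOS read is attributed to WINWORD.EXE or EXCEL.EXE. The two registry signatures therefore describe the host applications rather than a dropped payload, and need corroboration (a non-Office child process, macro activity, network traffic) that this report does not list.

```python
"""Triage the process list and registry IoCs from the sandbox report above.

Added example, not part of the report. PROCESSES and REGISTRY_IOCS are
transcribed from the page; OFFICE_IMAGES, HW_FINGERPRINT_PREFIXES,
DOC_EXTENSIONS and the verdict wording are this example's own assumptions.
"""
import ntpath
import re
from collections import Counter

# Transcribed from the Processes section: (pid, command line).
PROCESSES = [
    (4616, r'"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n '
           r'"C:\Users\Admin\AppData\Local\Temp\169b39fccbbc5cfa145e0c430f455609_JaffaCakes118.doc" /o ""'),
    (5916, r'"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding'),
    (5660, r'"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /Automation -Embedding'),
    (1484, r'"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding'),
]

# Transcribed from the two registry signatures: (operation, key path, image).
# Registry paths are case-insensitive, so the report's mixed case is not preserved.
CPU = r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0"
BIOS = r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS"
Q, O = "Key value queried", "Key opened"
REGISTRY_IOCS = [
    (Q, CPU + r"\ProcessorNameString", "WINWORD.EXE"), (Q, CPU + r"\~MHz", "EXCEL.EXE"),
    (O, CPU, "EXCEL.EXE"), (Q, CPU + r"\~MHz", "EXCEL.EXE"),
    (Q, CPU + r"\ProcessorNameString", "EXCEL.EXE"), (O, CPU, "WINWORD.EXE"),
    (O, CPU, "EXCEL.EXE"), (Q, CPU + r"\ProcessorNameString", "EXCEL.EXE"),
    (O, CPU, "WINWORD.EXE"), (Q, CPU + r"\~MHz", "WINWORD.EXE"),
    (Q, CPU + r"\ProcessorNameString", "WINWORD.EXE"), (Q, CPU + r"\~MHz", "WINWORD.EXE"),
    (Q, BIOS + r"\SystemSKU", "WINWORD.EXE"), (O, BIOS, "EXCEL.EXE"),
    (O, BIOS, "WINWORD.EXE"), (O, BIOS, "EXCEL.EXE"),
    (O, BIOS, "WINWORD.EXE"), (Q, BIOS + r"\SystemFamily", "WINWORD.EXE"),
    (Q, BIOS + r"\SystemFamily", "WINWORD.EXE"), (Q, BIOS + r"\SystemSKU", "WINWORD.EXE"),
    (Q, BIOS + r"\SystemFamily", "EXCEL.EXE"), (Q, BIOS + r"\SystemSKU", "EXCEL.EXE"),
    (Q, BIOS + r"\SystemFamily", "EXCEL.EXE"), (Q, BIOS + r"\SystemSKU", "EXCEL.EXE"),
]

# Assumption: the Office host binaries; anything else in the tree needs a look.
OFFICE_IMAGES = {"WINWORD.EXE", "EXCEL.EXE", "POWERPNT.EXE", "OUTLOOK.EXE"}
# Assumption: key prefixes commonly read to fingerprint a machine (CPU model/clock, BIOS SKU/family).
HW_FINGERPRINT_PREFIXES = (
    r"\registry\machine\hardware\description\system\centralprocessor",
    r"\registry\machine\hardware\description\system\bios",
)
DOC_EXTENSIONS = (".doc", ".docx", ".docm", ".dot", ".dotm", ".rtf", ".xls", ".xlsx", ".xlsm")

_ARG_RE = re.compile(r'"([^"]*)"|(\S+)')   # quoted or bare argument


def classify_process(cmdline):
    """Split a Windows command line into image + arguments and flag how it was started."""
    args = [quoted or bare for quoted, bare in _ARG_RE.findall(cmdline)]
    image = ntpath.basename(args[0]).upper()
    # "/automation -Embedding" is what COM passes when it activates an Office
    # server for an automation/embedded object, rather than a user opening a file.
    com_activated = bool(re.search(r"(?i)/automation\s+-embedding", cmdline))
    documents = [a for a in args[1:] if a.lower().endswith(DOC_EXTENSIONS)]
    return {"image": image, "is_office": image in OFFICE_IMAGES,
            "com_activated": com_activated, "documents": documents}


def is_hw_fingerprint_key(path):
    return path.lower().startswith(HW_FINGERPRINT_PREFIXES)


def hw_enum_summary(iocs):
    """Per-process count of fingerprint reads, keyed by the last path component."""
    summary = {}
    for _op, path, image in iocs:
        if is_hw_fingerprint_key(path):
            summary.setdefault(image, Counter())[path.rsplit("\\", 1)[-1]] += 1
    return summary


def triage(processes, iocs):
    info = {pid: classify_process(cmd) for pid, cmd in processes}
    summary = hw_enum_summary(iocs)
    non_office = sorted(pid for pid, p in info.items() if not p["is_office"])
    result = {
        "non_office_pids": non_office,
        "com_activated_pids": [pid for pid, p in info.items() if p["com_activated"]],
        "documents": [d for p in info.values() for d in p["documents"]],
        "fingerprint_reads": summary,
        "reads_only_from_office": all(img in OFFICE_IMAGES for img in summary),
    }
    # The registry signatures fire on the Office hosts themselves; on their own they
    # only say "a process read CPU/BIOS values", so the verdict asks for corroboration.
    if non_office or not result["reads_only_from_office"]:
        result["verdict"] = "escalate: hardware enumeration or processes outside the Office hosts"
    else:
        result["verdict"] = ("inconclusive: fingerprint reads attributed only to Office host "
                             "processes; corroborate with macro, child-process or network evidence")
    return result


if __name__ == "__main__":
    for key, value in triage(PROCESSES, REGISTRY_IOCS).items():
        print(f"{key}: {value}")
```

Run it as-is to print the grouped view; to reuse it on another report, replace PROCESSES and REGISTRY_IOCS with that report's rows. The per-process counts it produces here are symmetric (each Word and each Excel instance reads ProcessorNameString, ~MHz, SystemSKU and SystemFamily once), which is the pattern of application start-up telemetry rather than of a payload probing the machine.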
Network
MITRE ATT&CK Enterprise v15
Downloads
Path: C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A
Filesize: 471B
MD5: ad16c4fe3416ea9db31dc0e8e1f61075
SHA1: 875a15e98223c377b49e4bd6f761eff730ae3773
SHA256: f1984f7bac9e2d827ffe7cdeb18e109e24426e149c55160870234e8243972960
SHA512: d03a7bdbfe5ae4c967222fe163706e1b42cc23cafd05523c19247131c20ea13d44a2caf8f48b5cccd7beea725fb26e57141d8fd2cf503e4d9ae8a0a903fb02d0

Path: C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9
Filesize: 471B
MD5: ca2d563291396b433a5eb6ab508eb395
SHA1: d70ebd8b890b20e744fee6628fdc7debbfbe66ba
SHA256: 1331b80fc1338b8ad7b3774bb4dd33edd7ca0102066bddbbd6ab7c99f8666732
SHA512: d7d236a0919fef9bb11c196d0e1e865b3d2a98143d70df8104e901ebe4a6abbede80e06350949df2ad6ccfc213e48de9ae939829ae976ea798ec93b36cc1c041

Path: C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A
Filesize: 412B
MD5: 102808a601883eefac7152d3345d9c90
SHA1: 4ba93d4b9e0fcded8017c80524ebb93baaeef7c4
SHA256: dcdde51cede020f8b66100c661e34b53975af1ca98e0b113b2de9db74d637b90
SHA512: 03562f7aae95ee3e84ca3f3710e84f0dea74cd578d9f2052fa8c52b6b721ae133386c76492b81ed948ddc0b61d3fbe9f95ae33ec03f9f678f3b2b9728f6368ac

Path: C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9
Filesize: 420B
MD5: d51c35918cc84c1410a1302e8ae913cc
SHA1: b705d18497e1091cc281bde05aaf3a072c9aafbc
SHA256: 0a01ffc1ab22e69ac45fc456ee7588aa246f1b7299eb777f62c7a7634fc2d505
SHA512: 30c47fe42926572cbe119db84afe322233d83487550f8268b9dfd39d5caf2b09db4f054b0ef6f56274f1e80c1d104658c6d768f1d3b74bd48716d7be3a8b632d

Filesize: 21B
MD5: f1b59332b953b3c99b3c95a44249c0d2
SHA1: 1b16a2ca32bf8481e18ff8b7365229b598908991
SHA256: 138e49660d259061d8152137abd8829acdfb78b69179890beb489fe3ffe23e0c
SHA512: 3c1f99ecc394df3741be875fbe8d95e249d1d9ac220805794a22caf81620d5fdd3cce19260d94c0829b3160b28a2b4042e46b56398e60f72134e49254e9679a4

Filesize: 417B
MD5: c56ff60fbd601e84edd5a0ff1010d584
SHA1: 342abb130dabeacde1d8ced806d67a3aef00a749
SHA256: 200e8cc8dd12e22c9720be73092eafb620435d4569dbdcdba9404ace2aa4343c
SHA512: acd2054fddb33b55b58b870edd4eb6a3cdd3131dfe6139cb3d27054ac2b2a460694c9be9c2a1da0f85606e95e7f393cf16868b6c654e78a664799bc3418da86e

Filesize: 87B
MD5: e4e83f8123e9740b8aa3c3dfa77c1c04
SHA1: 5281eae96efde7b0e16a1d977f005f0d3bd7aad0
SHA256: 6034f27b0823b2a6a76fe296e851939fd05324d0af9d55f249c79af118b0eb31
SHA512: bd6b33fd2bbce4a46991bc0d877695d16f7e60b1959a0defc79b627e569e5c6cac7b4ad4e3e1d8389a08584602a51cf84d44cf247f03beb95f7d307fbba12bb9

Filesize: 14B
MD5: 6ca4960355e4951c72aa5f6364e459d5
SHA1: 2fd90b4ec32804dff7a41b6e63c8b0a40b592113
SHA256: 88301f0b7e96132a2699a8bce47d120855c7f0a37054540019e3204d6bcbaba3
SHA512: 8544cd778717788b7484faf2001f463320a357db63cb72715c1395ef19d32eec4278bab07f15de3f4fed6af7e4f96c41908a0c45be94d5cdd8121877eccf310d

Filesize: 512KB
MD5: 72eee94ad6184f605a9da198c8129927
SHA1: fc995d5b871a124a9c24c28d12564318fa8f223d
SHA256: 952fcec3e8faed84d473b42eda229315ee306be25d6c02c9e3898ac8127800b0
SHA512: 800dc699e0b870a10aba4ab036fc0137058e6c9b318e5d7c49995f323c105d057c10d3aa47b38eece8eea3a3c8a88dbc7328dcb642889300f9727b97c9811cd2

Path: C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\F91C6146-67C1-4B9A-BBCD-4A53001D5071
Filesize: 168KB
MD5: 2e8b589641308ebd91ea1691c13af11c
SHA1: 5baaa6090fef707c1f869a56b8434d3f2942a7fb
SHA256: ac3ddfd5e3dd6bd41ec17473e09919055f3b9e5da0fb89b582a3476e7a80ae17
SHA512: 2565ac1291e61ce8e7a5bc4bee7f8c906ef702cd32c8f4c84b0323fc44ec8f4db45090ce7b049e486255dc6c87b5c74ad163c9825a8f8c72fbd6871148eed988

Filesize: 323KB
MD5: 67f36f3c0ac40b3318b0241f929fe06b
SHA1: 7b9aee92f248b674b974a8469fd0b0ddddf6243d
SHA256: 59f39c79c6f4ce39372c39f194fea499d0bf1eef2ecb2f2b7a941898fd7200f2
SHA512: d58458e054b4c202a887c57b234cdce0913ed83481237700d70ac51412273289d49dcf79c29f06a1b87749020a66a4b7b3a280886ff8ae0c60e5cbc9debef279

Filesize: 332KB
MD5: 874e05073239ce46fb73138f72a0b502
SHA1: 6c5cfb40cc141c26048fd1c06986983e21db47b0
SHA256: 18200fdb493faadfd4016b59a77bd873212d3a12f6b01d01087c59e78b3ce0ed
SHA512: 4650990457be788c226295023f4778a119777ee9716556a09f48f63238dcac72f9501776432cdb94f81de766414252f53c3006aae258e97199577baedbe68a58

Filesize: 19KB
MD5: 305ff84698453b8ffb97d9bb2dda83e2
SHA1: 8261a1f274964a0a110bd7c9073f3e362b8358e7
SHA256: 85fc87abb18ff5758cd18a24f6b53ef95fbd677e42683b6245126fe4fb614a40
SHA512: d1fa3de15db629d0de3143a5b0ff589a027f6ec67c3515509aae0ae7a965a21b8243be8bb6f99e2cba37242336492cf7230972551fde8cdae41d6bfc18152c09

Filesize: 24KB
MD5: 8665de22b67e46648a5a147c1ed296ca
SHA1: b289a96fee9fa77dd8e045ae8fd161debd376f48
SHA256: b5cbae5c48721295a51896f05abd4c9566be7941cda7b8c2aecb762e6e94425f
SHA512: bb03ea9347d302abf3b6fece055cdae0ad2d7c074e8517f230a90233f628e5803928b9ba7ba79c343e58dacb3e7a6fc16b94690a5ab0c71303959654a18bb5da

Filesize: 8KB
MD5: bb29dabbbcf554ce9efc31dda5d137d9
SHA1: f479a356641d8de137b17711ef023f6a13e78efd
SHA256: 1d2dd51ca850ba15b8d66270ed741e12f80355c97a1e1ebdd6d0ad2ee606af14
SHA512: 602bdf08aaa883d6bbd6cbde1299a371209da043f5098d14f36c4721c5dbb908b56bdf06e45f936b44b3dc11f4ef171481119d7bbde9bee301b2f5e7a5705ba8

Path: C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres
Filesize: 2KB
MD5: 0a3cfff4266b5c144389b65fa35237f0
SHA1: 7d9f9b03ac184686374883f4a39ffc707c347467
SHA256: 43910470a09a1984386304b7f5091e0c375599c1bbf0881a8ec6bb3f70012f48
SHA512: 52352a12e7a6c7cf5c06994923b8bd5caa897cd9dff214e3dcc91b6d8dc3858f914aa6f750490c70d5bda7dcd98621200ff5d7b29922367fda4bee2154fcb720

Path: C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\49dbe2955480c7f6ef8cec9c4320c9868d9293fd.tbres
Filesize: 2KB
MD5: a43f0710855def727d4fd37b0b280491
SHA1: 8ee92cee5e6e6ee0a9c376e907dc8fc02b405865
SHA256: 883c9b621feae5ab6114086a19b3f8bfd4ae80e9a85de5b9d425fd705d6af46b
SHA512: 7a0ece09cb4421f535ee90dea1731ccfd02af9291d16168cc818de289d6a702b555110e8307ea4ea4eed00ef9d6ea4a91e31b9e4fcf50a3444740a72bfc5aea2

Filesize: 263KB
MD5: ff0e07eff1333cdf9fc2523d323dd654
SHA1: 77a1ae0dd8dbc3fee65dd6266f31e2a564d088a4
SHA256: 3f925e0cc1542f09de1f99060899eafb0042bb9682507c907173c392115a44b5
SHA512: b4615f995fab87661c2dbe46625aa982215d7bde27cafae221dca76087fe76da4b4a381943436fcac1577cb3d260d0050b32b7b93e3eb07912494429f126bb3d

Filesize: 148KB
MD5: 3f8b745a5015bb95ff2b8ee21ea2efa9
SHA1: a890b40fe2b419aaa97b531cb9d4428407d771bc
SHA256: 16c646307bda64f032573f441015a584ec62a0f121c1b64670fb05cee493defd
SHA512: 6d8a1afadd00539c1a1c9e5296e9e4ceacaeab8c0f6059c20d6013cd463a302a8e55c7cf7bed2366956be35178e5a57af668e389063cb69fa6b628315b788f19
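The following is an added example, not part of the sandbox report. It sorts the dropped-file records above into artifacts that Office and Windows write on their own (the CryptnetUrlCache entries are CryptoAPI's cache of CRL/OCSP/AIA objects fetched during certificate chain validation, the .tbres files are Token Broker cached sign-in responses, and the WebServiceCache entry is the Office client configuration cache) and the remainder, which the report lists with a size and hashes but no path. Paths, sizes and MD5s are transcribed from the page (MD5 only, to keep the table short; real triage compares SHA-256). CATEGORIES, LARGE_THRESHOLD, the size-unit assumption and the category wording are this example's own assumptions.

```python
"""Sort the dropped-file records from the Downloads section above into known
Office/Windows cache artifacts and the unattributed remainder.

Added example, not part of the report. DROPPED is transcribed from the page
(MD5 only); CATEGORIES, LARGE_THRESHOLD and _UNITS are this example's assumptions.
"""
import re
from collections import Counter

SAMPLE_MD5 = "169b39fccbbc5cfa145e0c430f455609"   # from the General section

# (path, or None where the report prints no path; size as printed; MD5)
DROPPED = [
    (r"C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A", "471B", "ad16c4fe3416ea9db31dc0e8e1f61075"),
    (r"C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9", "471B", "ca2d563291396b433a5eb6ab508eb395"),
    (r"C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A", "412B", "102808a601883eefac7152d3345d9c90"),
    (r"C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9", "420B", "d51c35918cc84c1410a1302e8ae913cc"),
    (None, "21B", "f1b59332b953b3c99b3c95a44249c0d2"),
    (None, "417B", "c56ff60fbd601e84edd5a0ff1010d584"),
    (None, "87B", "e4e83f8123e9740b8aa3c3dfa77c1c04"),
    (None, "14B", "6ca4960355e4951c72aa5f6364e459d5"),
    (None, "512KB", "72eee94ad6184f605a9da198c8129927"),
    (r"C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\F91C6146-67C1-4B9A-BBCD-4A53001D5071", "168KB", "2e8b589641308ebd91ea1691c13af11c"),
    (None, "323KB", "67f36f3c0ac40b3318b0241f929fe06b"),
    (None, "332KB", "874e05073239ce46fb73138f72a0b502"),
    (None, "19KB", "305ff84698453b8ffb97d9bb2dda83e2"),
    (None, "24KB", "8665de22b67e46648a5a147c1ed296ca"),
    (None, "8KB", "bb29dabbbcf554ce9efc31dda5d137d9"),
    (r"C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres", "2KB", "0a3cfff4266b5c144389b65fa35237f0"),
    (r"C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\49dbe2955480c7f6ef8cec9c4320c9868d9293fd.tbres", "2KB", "a43f0710855def727d4fd37b0b280491"),
    (None, "263KB", "ff0e07eff1333cdf9fc2523d323dd654"),
    (None, "148KB", "3f8b745a5015bb95ff2b8ee21ea2efa9"),
]

# Assumption: path fragments that identify routine Office/Windows cache writes.
CATEGORIES = [
    (r"\\CryptnetUrlCache\\", "CryptoAPI URL cache (CRL/OCSP/AIA objects fetched during certificate chain validation)"),
    (r"\\TokenBroker\\Cache\\.*\.tbres$", "Token Broker cached sign-in response"),
    (r"\\Office\\16\.0\\WebServiceCache\\", "Office client web-service configuration cache"),
]
LARGE_THRESHOLD = 100 * 1024   # assumption: unattributed blobs above this are worth pulling from the sandbox
_UNITS = {"B": 1, "KB": 1024, "MB": 1024 ** 2}   # assumption: the report's units are 1024-based


def parse_size(text):
    """'471B' -> 471, '512KB' -> 524288."""
    m = re.fullmatch(r"(\d+(?:\.\d+)?)(B|KB|MB)", text.strip())
    if not m:
        raise ValueError(f"unparsable size: {text!r}")
    return int(float(m.group(1)) * _UNITS[m.group(2)])


def classify(path, size_text, md5):
    """Attach a category, a hash sanity check and a self-copy check to one record."""
    category = "unattributed (no path in report)"
    if path is not None:
        category = "unclassified path"
        for pattern, label in CATEGORIES:
            if re.search(pattern, path, re.IGNORECASE):
                category = label
                break
    return {"path": path, "size": parse_size(size_text), "md5": md5, "category": category,
            "md5_well_formed": re.fullmatch(r"[0-9a-f]{32}", md5) is not None,
            "is_sample_copy": md5.lower() == SAMPLE_MD5}


def triage_dropped(records):
    rows = [classify(*r) for r in records]
    return {
        "by_category": Counter(r["category"] for r in rows),
        # Large blobs with no recorded path are the ones to retrieve and inspect.
        "large_unattributed": [(r["size"], r["md5"]) for r in rows
                               if r["path"] is None and r["size"] >= LARGE_THRESHOLD],
        "sample_copies": [r["md5"] for r in rows if r["is_sample_copy"]],
        "malformed_hashes": [r["md5"] for r in rows if not r["md5_well_formed"]],
    }


if __name__ == "__main__":
    for key, value in triage_dropped(DROPPED).items():
        print(f"{key}: {value}")
```

On this report the seven path-bearing entries all fall into the three cache categories, none of the nineteen hashes matches the submitted sample, and five unattributed blobs exceed 100 KiB; those five are the records a practitioner would pull from the sandbox before drawing any conclusion about what the document wrote to disk.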