Analysis
max time kernel: 115s
max time network: 123s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 27-06-2024 19:40
Behavioral task: behavioral1
Sample: 17482c53582c2093927395e6f61e41c3_JaffaCakes118.doc
Resource: win7-20240221-en

Behavioral task: behavioral2
Sample: 17482c53582c2093927395e6f61e41c3_JaffaCakes118.doc
Resource: win10v2004-20240508-en
General
Target: 17482c53582c2093927395e6f61e41c3_JaffaCakes118.doc
Size: 205KB
MD5: 17482c53582c2093927395e6f61e41c3
SHA1: 7bade5fbc0e7306aff6824bea0cacbcc1c239f1a
SHA256: 4e2eda69d87762822766a967624828c70886cac260d62f9de34352347bbf15c1
SHA512: 3e925bd44cf7ee54fc2b37df7ad7cfab303975d7abc887fcd630aa63fb7cc68958e78e6e058da9cfd0905206a13d71d36dbf583d51a66f79bf7850e220c5a60b
SSDEEP: 1536:VtPrT8wrLT0NeXxz1DweVHrTPDyN5J8b29rSp1GZrcmO/FEE7Ax65+7Eyki:V2w3keXxz1Df1gJ88rcmOWm3503ki
Malware Config
Signatures
Checks processor information in registry (2 TTPs, 15 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes: EXCEL.EXE, WINWORD.EXE, EXCEL.EXE, EXCEL.EXE, WINWORD.EXE

description         ioc                                                                                      process
Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString     EXCEL.EXE
Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz                    WINWORD.EXE
Key opened          \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0                         EXCEL.EXE
Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz                    EXCEL.EXE
Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString     EXCEL.EXE
Key opened          \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0                         WINWORD.EXE
Key opened          \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0                         EXCEL.EXE
Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString     WINWORD.EXE
Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz                    EXCEL.EXE
Key opened          \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0                         WINWORD.EXE
Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString     WINWORD.EXE
Key opened          \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0                         EXCEL.EXE
Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz                    WINWORD.EXE
Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz                    EXCEL.EXE
Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString     EXCEL.EXE
Enumerates system info in registry (2 TTPs, 15 IoCs)
Processes: EXCEL.EXE, EXCEL.EXE, WINWORD.EXE, WINWORD.EXE, EXCEL.EXE

description         ioc                                                                   process
Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU          EXCEL.EXE
Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily       EXCEL.EXE
Key opened          \REGISTRY\MACHINE\Hardware\Description\System\BIOS                    EXCEL.EXE
Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily       EXCEL.EXE
Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU          WINWORD.EXE
Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU          EXCEL.EXE
Key opened          \REGISTRY\MACHINE\Hardware\Description\System\BIOS                    WINWORD.EXE
Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily       WINWORD.EXE
Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily       WINWORD.EXE
Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU          EXCEL.EXE
Key opened          \REGISTRY\MACHINE\Hardware\Description\System\BIOS                    EXCEL.EXE
Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily       EXCEL.EXE
Key opened          \REGISTRY\MACHINE\Hardware\Description\System\BIOS                    EXCEL.EXE
Key opened          \REGISTRY\MACHINE\Hardware\Description\System\BIOS                    WINWORD.EXE
Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU          WINWORD.EXE
Suspicious behavior: AddClipboardFormatListener (4 IoCs)
Processes: WINWORD.EXE, WINWORD.EXE

pid    process
968    WINWORD.EXE
968    WINWORD.EXE
1540   WINWORD.EXE
1540   WINWORD.EXE
Suspicious use of AdjustPrivilegeToken (3 IoCs)
Processes: EXCEL.EXE, EXCEL.EXE, EXCEL.EXE

description                pid    process
Token: SeAuditPrivilege    1688   EXCEL.EXE
Token: SeAuditPrivilege    532    EXCEL.EXE
Token: SeAuditPrivilege    60     EXCEL.EXE
Suspicious use of SetWindowsHookEx (29 IoCs)
Processes: WINWORD.EXE, EXCEL.EXE, WINWORD.EXE, EXCEL.EXE, EXCEL.EXE

pid    process       occurrences
968    WINWORD.EXE   7
1688   EXCEL.EXE     4
1540   WINWORD.EXE   10
532    EXCEL.EXE     4
60     EXCEL.EXE     4
Processes
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\17482c53582c2093927395e6f61e41c3_JaffaCakes118.doc" /o ""
PID: 968
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
Command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
PID: 1688
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /Automation -Embedding
PID: 1540
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
Command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
PID: 532
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
Command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
PID: 60
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A
Filesize: 471B
MD5: ad16c4fe3416ea9db31dc0e8e1f61075
SHA1: 875a15e98223c377b49e4bd6f761eff730ae3773
SHA256: f1984f7bac9e2d827ffe7cdeb18e109e24426e149c55160870234e8243972960
SHA512: d03a7bdbfe5ae4c967222fe163706e1b42cc23cafd05523c19247131c20ea13d44a2caf8f48b5cccd7beea725fb26e57141d8fd2cf503e4d9ae8a0a903fb02d0

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A
Filesize: 412B
MD5: c62145a60a84c1a5910cfdef3b1633fe
SHA1: a43ac22c51ee69b7f368e3021a368ef5b8da7d65
SHA256: c8a2f737704996f0bc4fa57445fc6a4d06aa27179238e5a45f51a60800f51021
SHA512: f45e0911bea968a95e8563534c238d131473e6d5a30cedf97d5bf2d211e727643f90c67cbcaf53150c1bb0aa6a32f0c1a66a61458065a5cee658044438ac0fb2

Filesize: 21B
MD5: f1b59332b953b3c99b3c95a44249c0d2
SHA1: 1b16a2ca32bf8481e18ff8b7365229b598908991
SHA256: 138e49660d259061d8152137abd8829acdfb78b69179890beb489fe3ffe23e0c
SHA512: 3c1f99ecc394df3741be875fbe8d95e249d1d9ac220805794a22caf81620d5fdd3cce19260d94c0829b3160b28a2b4042e46b56398e60f72134e49254e9679a4

Filesize: 417B
MD5: c56ff60fbd601e84edd5a0ff1010d584
SHA1: 342abb130dabeacde1d8ced806d67a3aef00a749
SHA256: 200e8cc8dd12e22c9720be73092eafb620435d4569dbdcdba9404ace2aa4343c
SHA512: acd2054fddb33b55b58b870edd4eb6a3cdd3131dfe6139cb3d27054ac2b2a460694c9be9c2a1da0f85606e95e7f393cf16868b6c654e78a664799bc3418da86e

Filesize: 87B
MD5: e4e83f8123e9740b8aa3c3dfa77c1c04
SHA1: 5281eae96efde7b0e16a1d977f005f0d3bd7aad0
SHA256: 6034f27b0823b2a6a76fe296e851939fd05324d0af9d55f249c79af118b0eb31
SHA512: bd6b33fd2bbce4a46991bc0d877695d16f7e60b1959a0defc79b627e569e5c6cac7b4ad4e3e1d8389a08584602a51cf84d44cf247f03beb95f7d307fbba12bb9

Filesize: 14B
MD5: 6ca4960355e4951c72aa5f6364e459d5
SHA1: 2fd90b4ec32804dff7a41b6e63c8b0a40b592113
SHA256: 88301f0b7e96132a2699a8bce47d120855c7f0a37054540019e3204d6bcbaba3
SHA512: 8544cd778717788b7484faf2001f463320a357db63cb72715c1395ef19d32eec4278bab07f15de3f4fed6af7e4f96c41908a0c45be94d5cdd8121877eccf310d

Filesize: 512KB
MD5: d83bda8554356d68391d157af68a7d9c
SHA1: 75598f653fae6352d205fe6e7fadeae1045c0ad5
SHA256: 446e0196e52597c7c70accd4f4e63fc1f3bc3ab2fb64fc5e25a3ba40075d98ff
SHA512: 8ae310b56cf706a1eac290d8ccfcbe48c134fe5832e141d30c72f70c33d973ec101d9566db2a087789d365a2786a5f67ed1341e03bdd45450b6990714ea8dc48

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\A2D1B4D4-C107-47BF-B92D-8AE6E2BFD02F
Filesize: 168KB
MD5: a96089a752b23288766bac8bbf88436c
SHA1: 4c7484555177c844289fd10c4f83198435904a98
SHA256: 6aca428c19277ca2ac5c28a594c73b3c21120360f77d6fe42b0171be2201d46b
SHA512: e3ba0ce6f6c4e79ab1ffa0a2037dbe7be219076bc093aab2d8be8d5844a6045ca91a352f51be3a698baa5b3d78c0e67e5f976411e6f29cb8974109608ffde238

Filesize: 321KB
MD5: edc5bbd89d21bff468e2b1bc6a6cad11
SHA1: b5a3588cc1c3274357eefae826f9de1876e4def4
SHA256: 7c8ecd6695962fe29434fae9505f932f5f4b94196045cf6535566180ac50e0af
SHA512: 57c5fb3a4bfbef6c6a9e2c1a8e3c00debec585c2e86857206c7f3ebd349b2436b9d9d6a6032ee0dc76cee44243766e4399cce9d0884abd2e47efb2b799d415f4

Filesize: 332KB
MD5: 874e05073239ce46fb73138f72a0b502
SHA1: 6c5cfb40cc141c26048fd1c06986983e21db47b0
SHA256: 18200fdb493faadfd4016b59a77bd873212d3a12f6b01d01087c59e78b3ce0ed
SHA512: 4650990457be788c226295023f4778a119777ee9716556a09f48f63238dcac72f9501776432cdb94f81de766414252f53c3006aae258e97199577baedbe68a58

Filesize: 19KB
MD5: 5b5cc39dd83ae1eba783d5319a86aab3
SHA1: 608be1cc9a46448a838348864ccddcabc40db167
SHA256: efc56d37d2286928f541f7e286cc00c781a64117278746680401b21c98c3679f
SHA512: 1fc31f58c3beb6a22bff2add81ccf6a9bfafeb86210b3db7baaadc012f983de32c866bd536b1f5a6ce73b3671176cb0e64af0208d88331c6c3698a483f14e171

Filesize: 24KB
MD5: 8665de22b67e46648a5a147c1ed296ca
SHA1: b289a96fee9fa77dd8e045ae8fd161debd376f48
SHA256: b5cbae5c48721295a51896f05abd4c9566be7941cda7b8c2aecb762e6e94425f
SHA512: bb03ea9347d302abf3b6fece055cdae0ad2d7c074e8517f230a90233f628e5803928b9ba7ba79c343e58dacb3e7a6fc16b94690a5ab0c71303959654a18bb5da

Filesize: 4KB
MD5: 32262384afde857998beae65bb59101c
SHA1: c2f0c2617fd2510d6a6f5c94d4f0ef11d5870ef4
SHA256: 2295cc4f66abbdc09dce6748a22ebc01cdff05199c169e30cfac71a64a6247b7
SHA512: 8231318891edf60163425962b9cae0b7567afd46e6cb0f4e1914fd615ca0f14bc9d2efacd55408be35d293b8a3780dacd28b5f40c5a8d15276b4f0a56cbab626

Filesize: 8KB
MD5: 1be8692b26261f394cb9502544caa816
SHA1: 006f76e7c4726d22ce4a871437d2992de74f67bf
SHA256: 25956b6035e60f3e543ca2945f71dd8bec69083beb5a960d45aa6cc8d96d01b8
SHA512: 6b7ffea413e602fddc90c1230c39d28c2252a4db720c4c0139d1444fa063a44373ab52c24d0b1ec4dbf5e3cf0915d5ce1e8957167aeb7a5a85e9d27263582fd3

C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres
Filesize: 2KB
MD5: b958165caef0e52954e755c0c04eab6a
SHA1: 2a8b601fe69c2d18b0f113af10fc59080bd16236
SHA256: e72f8ac5501134dd31b0248280b436c71e56564e9cfbdcc119e3f41529de4973
SHA512: c6375caf65238196848f761db7ce58e2bb15f1159c337e506e684d7221bd9075494f316ee4600e5bb328ee6bb18b6f42fb8a042495150bfbe23519c547780307

C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\49dbe2955480c7f6ef8cec9c4320c9868d9293fd.tbres
Filesize: 2KB
MD5: f0f0613f8021e44a3b6752dc144839c0
SHA1: 8a61d4689bcbc3654a3952c49d58ead92e8553b1
SHA256: 1decc1fce682d25fc017591ea60c2d4fc56ecb190a1a03fd9edf2066218a43aa
SHA512: e901a2246c630f9aeea95b19419e813083686e13b13a2ff24f795f3111b41b21d3f4659851ad5250a9153c9f3e554047e9652569d6dcedb4fae94785f64e87e6

Filesize: 262KB
MD5: 51d32ee5bc7ab811041f799652d26e04
SHA1: 412193006aa3ef19e0a57e16acf86b830993024a
SHA256: 6230814bf5b2d554397580613e20681752240ab87fd354ececf188c1eabe0e97
SHA512: 5fc5d889b0c8e5ef464b76f0c4c9e61bda59b2d1205ac9417cc74d6e9f989fb73d78b4eb3044a1a1e1f2c00ce1ca1bd6d4d07eeadc4108c7b124867711c31810

Filesize: 148KB
MD5: ede292a5cf7b183131752f61801928b8
SHA1: 8ac615c7bf7841b743e3c0dff82c16a86e8e8b12
SHA256: d3d6eb175a48c93f920707499cb689bdbc25676c608ec67d9ca18b7cce255144
SHA512: f3099729122d5744b820f1d1f5520709f95b3571bb0b8be089546418fb2bb5ed6114b9752579470bfe4d37633142aab52c740553ba2b9be3ea03e2258b57e1b6