Analysis
- max time kernel: 131s
- max time network: 136s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 27-06-2024 21:03
Behavioral task: behavioral1
- Sample: 1784ba1e021937eaee4666d9d93cc8f1_JaffaCakes118.doc
- Resource: win7-20231129-en
Behavioral task: behavioral2
- Sample: 1784ba1e021937eaee4666d9d93cc8f1_JaffaCakes118.doc
- Resource: win10v2004-20240508-en
General
- Target: 1784ba1e021937eaee4666d9d93cc8f1_JaffaCakes118.doc
- Size: 235KB
- MD5: 1784ba1e021937eaee4666d9d93cc8f1
- SHA1: 3441dbf00c543055596b857baf7ad3f00f99d6e1
- SHA256: 0fa4e5bb42cb1e3153a997f8f097aa4154fbb0113d3ec08764a62cf059778fb7
- SHA512: 5019ca8a498e10750d7c444a67d5c1f225675b601535fab0e00a052a581c2b17197e9cdcd2a21d9d41de68ed91b9e3f04a846327719518dceec3a1e9257fd76f
- SSDEEP: 1536:7terihwjEu5s1mermyzrKXhbsjHrTPxysK/dRYmKOBC/6BpBBtr0VufRKb:7/wjd5s1mermyHKxcudSLs28fRM
Malware Config
Signatures
- Checks processor information in registry (2 TTPs, 12 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes (description | ioc | process):
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | EXCEL.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | EXCEL.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | EXCEL.EXE
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | EXCEL.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | EXCEL.EXE
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | EXCEL.EXE
- Enumerates system info in registry (2 TTPs, 12 IoCs)
  Processes (description | ioc | process):
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | EXCEL.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | EXCEL.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | EXCEL.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | EXCEL.EXE
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | EXCEL.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | EXCEL.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
- Suspicious behavior: AddClipboardFormatListener (4 IoCs)
  Processes (pid | process):
  416 | WINWORD.EXE
  416 | WINWORD.EXE
  1784 | WINWORD.EXE
  1784 | WINWORD.EXE
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes (description | pid | process):
  Token: SeAuditPrivilege | 1280 | EXCEL.EXE
  Token: SeAuditPrivilege | 4068 | EXCEL.EXE
- Suspicious use of SetWindowsHookEx (25 IoCs)
  Processes (pid | process | occurrences):
  416 | WINWORD.EXE | 7
  1280 | EXCEL.EXE | 4
  1784 | WINWORD.EXE | 10
  4068 | EXCEL.EXE | 4
Processes
- C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\1784ba1e021937eaee4666d9d93cc8f1_JaffaCakes118.doc" /o ""
  PID: 416
  Signatures:
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4372,i,6576818814118437872,11004518367271063231,262144 --variations-seed-version --mojo-platform-channel-handle=3764 /prefetch:8
  PID: 1996
- C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
  PID: 1280
  Signatures:
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
- C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /Automation -Embedding
  PID: 1784
  Signatures:
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
- C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
  PID: 4068
  Signatures:
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads