Analysis
-
max time kernel
147s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
03-07-2024 07:00
Behavioral task
behavioral1
Sample
2177bbbd805438115f2dce2acd6897d6_JaffaCakes118.doc
Resource
win7-20240611-en
Behavioral task
behavioral2
Sample
2177bbbd805438115f2dce2acd6897d6_JaffaCakes118.doc
Resource
win10v2004-20240508-en
General
-
Target
2177bbbd805438115f2dce2acd6897d6_JaffaCakes118.doc
-
Size
42KB
-
MD5
2177bbbd805438115f2dce2acd6897d6
-
SHA1
ab4f71eade4b8110f31634502606d892962b5e0e
-
SHA256
09a29e54526991d0d2cf0b2f12c4e63e967e86cbd50ebd5d07ef89f81adca5ce
-
SHA512
8f2c908af6d7565ba3934b9ad3a15ba22649c645a7409dad24bbb67c01dd234c3a7387527f23bed5b83dd9d455f13d93139ac62a893cbee72e7628a56e1863b9
-
SSDEEP
384:saStQ57dxbnprVnTh4rxQ9s8e16E3KiCn0pF3R0RR146XJVPgujZAt3wxar:9LhVnEC0C146XR8
Malware Config
Signatures
-
Office macro that triggers on suspicious action 1 IoCs
Office document macro which triggers in special circumstances - often malicious.
Processes:
resource yara_rule C:\Users\Admin\AppData\Local\Temp\~WRD0002.tmp office_macro_on_action -
Deletes itself 1 IoCs
Processes:
WINWORD.EXEpid process 1612 WINWORD.EXE -
Drops file in Program Files directory 1 IoCs
Processes:
WINWORD.EXEdescription ioc process File opened for modification C:\Program Files\Microsoft Office\root\vfs\Windows\ShellNew\ WINWORD.EXE -
Drops file in Windows directory 1 IoCs
Processes:
WINWORD.EXEdescription ioc process File created C:\Windows\Winstart.bat WINWORD.EXE -
Checks processor information in registry 2 TTPs 6 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
WINWORD.EXEWinword.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WINWORD.EXE Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 Winword.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz Winword.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString Winword.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WINWORD.EXE -
Enumerates system info in registry 2 TTPs 6 IoCs
Processes:
Winword.exeWINWORD.EXEdescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily Winword.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU Winword.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WINWORD.EXE Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS Winword.exe -
NTFS ADS 1 IoCs
Processes:
WINWORD.EXEdescription ioc process File created C:\Users\Admin\AppData\Local\Temp\~WRD0002.tmp\:Zone.Identifier:$DATA WINWORD.EXE -
Suspicious behavior: AddClipboardFormatListener 3 IoCs
Processes:
WINWORD.EXEWinword.exepid process 1612 WINWORD.EXE 1612 WINWORD.EXE 3112 Winword.exe -
Suspicious use of SetWindowsHookEx 31 IoCs
Processes:
WINWORD.EXEWinword.exepid process 1612 WINWORD.EXE 1612 WINWORD.EXE 1612 WINWORD.EXE 1612 WINWORD.EXE 1612 WINWORD.EXE 1612 WINWORD.EXE 1612 WINWORD.EXE 1612 WINWORD.EXE 1612 WINWORD.EXE 1612 WINWORD.EXE 3112 Winword.exe 3112 Winword.exe 3112 Winword.exe 3112 Winword.exe 3112 Winword.exe 3112 Winword.exe 3112 Winword.exe 3112 Winword.exe 3112 Winword.exe 1612 WINWORD.EXE 1612 WINWORD.EXE 1612 WINWORD.EXE 3112 Winword.exe 3112 Winword.exe 3112 Winword.exe 3112 Winword.exe 1612 WINWORD.EXE 1612 WINWORD.EXE 1612 WINWORD.EXE 1612 WINWORD.EXE 1612 WINWORD.EXE -
Suspicious use of WriteProcessMemory 2 IoCs
Processes:
WINWORD.EXEdescription pid process target process PID 1612 wrote to memory of 3112 1612 WINWORD.EXE Winword.exe PID 1612 wrote to memory of 3112 1612 WINWORD.EXE Winword.exe
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\2177bbbd805438115f2dce2acd6897d6_JaffaCakes118.doc" /o ""1⤵
- Deletes itself
- Drops file in Program Files directory
- Drops file in Windows directory
- Checks processor information in registry
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1612 -
C:\Program Files\Microsoft Office\Root\Office16\Winword.exe"C:\Program Files\Microsoft Office\Root\Office16\Winword.exe" C:\Windows\ShellNew\2⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:3112
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
21B
MD5f1b59332b953b3c99b3c95a44249c0d2
SHA11b16a2ca32bf8481e18ff8b7365229b598908991
SHA256138e49660d259061d8152137abd8829acdfb78b69179890beb489fe3ffe23e0c
SHA5123c1f99ecc394df3741be875fbe8d95e249d1d9ac220805794a22caf81620d5fdd3cce19260d94c0829b3160b28a2b4042e46b56398e60f72134e49254e9679a4
-
Filesize
417B
MD5c56ff60fbd601e84edd5a0ff1010d584
SHA1342abb130dabeacde1d8ced806d67a3aef00a749
SHA256200e8cc8dd12e22c9720be73092eafb620435d4569dbdcdba9404ace2aa4343c
SHA512acd2054fddb33b55b58b870edd4eb6a3cdd3131dfe6139cb3d27054ac2b2a460694c9be9c2a1da0f85606e95e7f393cf16868b6c654e78a664799bc3418da86e
-
Filesize
87B
MD5e4e83f8123e9740b8aa3c3dfa77c1c04
SHA15281eae96efde7b0e16a1d977f005f0d3bd7aad0
SHA2566034f27b0823b2a6a76fe296e851939fd05324d0af9d55f249c79af118b0eb31
SHA512bd6b33fd2bbce4a46991bc0d877695d16f7e60b1959a0defc79b627e569e5c6cac7b4ad4e3e1d8389a08584602a51cf84d44cf247f03beb95f7d307fbba12bb9
-
Filesize
14B
MD56ca4960355e4951c72aa5f6364e459d5
SHA12fd90b4ec32804dff7a41b6e63c8b0a40b592113
SHA25688301f0b7e96132a2699a8bce47d120855c7f0a37054540019e3204d6bcbaba3
SHA5128544cd778717788b7484faf2001f463320a357db63cb72715c1395ef19d32eec4278bab07f15de3f4fed6af7e4f96c41908a0c45be94d5cdd8121877eccf310d
-
Filesize
20KB
MD5e3b5f5180b6797a8cd17d91b927078d7
SHA1570b9a2fc9a84de1f6fe9581e2d8a9b8f1fddd91
SHA25697006e5ddfce548612a81ac5117325266dd539bc6b655a298e49c5cc1d6854f3
SHA51224be49a547c6b14bf1bba2c2961497c1286e679a65a28d9a6c6e74dfc33b983992eb5d87d62cb236b88c0026ccf4a1b6ec2989b2b8bccc4ca5434843c92d8885
-
Filesize
583KB
MD58db2676298da3982d194361c00488df7
SHA136b5820344b8ee852c0c82816cc0a383ab873551
SHA25632fa70b2d64be3b0188ac16592a56ab31201e88c486034b3360a8049afa87fc5
SHA5123e69d0e1fcfbbcccc91fa53e10b5a697f6d96c03b58b40aeb10fc002bad6305797d6ec139e6dbc118fd2c3ee7a98935866bd8083db07a510e78f925fa26c9a3a
-
Filesize
4KB
MD564ef758fb6728c63388e23698aa83ade
SHA13cd1af579320a012e1a352e81455310f305728e4
SHA256f5ebeac2c145bc274cb050fbf4f9435329f3c83b1cc022be28196ec2bba13cd4
SHA512c2ec808e1bd2090e3830c86866730a04128742f1a6069754705994f1a37f55f168240a6bb046ae71b0ed66d6c09d5dc719d0f828fb0415cad8e140347025ba87
-
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres
Filesize2KB
MD54e4bce845707073c450a860dda938079
SHA1a0549cee267483420b182908cb8fab7fe227f73f
SHA256b95f06bfcd5a7ff3580f8f870e573cbb690ee5115197bee80558b4852ba19740
SHA512de9d1b9db44090cd886332067d75c87a5c07adb95721a0972fd55ade20325dca58929970d59fcc3c2a659d79ef742773d56e40bb9bb966b3e08476534062a203
-
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\49dbe2955480c7f6ef8cec9c4320c9868d9293fd.tbres
Filesize2KB
MD5a029528c7e1ef2f8c15fceccea8b4876
SHA1e688045ac1070d3bb55bc41862aab435ace2544d
SHA2564b16f53f7e3ddf72fc99ccc0bf9b1eb6fa0615b95f5e9bdc2d515732b13000c4
SHA512c9c35041997b0ac6e69a05a2e46fa88541174dc7f896930db7151b8aa773ea2e4e73d477d1a62677b8b55b8f581578885524fe5c04c136094efd5856d96f0825
-
Filesize
49KB
MD5735987e71db88832611a74cd01320ee4
SHA158f1d8441e33b9158abe468e51881f238def1449
SHA2566d9d3098503316b76ef89d690556110206bebf87e3b7492af5c652e70032d1fa
SHA512ee5a93176791b995b0d56abc2f179b048b871ea4b567532bf0a3d48ab754c69a71637376ea60a1a50fd8bf34d497d771e1b5086d4b2b21be366acf56eb2b327b
-
Filesize
25KB
MD55236b971bf518f3c0d1e4163e7733372
SHA1a02aface7fb5d0f0f2f8df843b86931f46746be7
SHA256d3cf3eefd6f8a8d4be67e8781758722bfb12133ce3c08a8d1e39b5fa2951794c
SHA5127ee045ca923fb963367b2a202eefa5e79696a4d1e8b72965e2005c6d91d40cdc866da22573510151edd974107a9f04f24dad11b83350035d8ae2b86c44e118f4