Analysis

  • max time kernel
    137s
  • max time network
    135s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    03-07-2024 09:44

General

  • Target

    21e78c10e726ef8daf7edf2b32af25ae_JaffaCakes118.doc

  • Size

    241KB

  • MD5

    21e78c10e726ef8daf7edf2b32af25ae

  • SHA1

    10b93f75ceb4b6d2682b7e43048977ef14145832

  • SHA256

    8db366d3ef9b2c7b52bb949935f6ed9ac8a7c0d45e19f604c1ceb15eb08cc3fb

  • SHA512

    8908591a92fd54a341ca23d8817955a5bae4aadc1ac7d28a74a25580fd91d18b71789dc7896a794de73c4d5476cbac6506c523a4e79e1e3827b1161f441d9c2e

  • SSDEEP

    1536:CterTkw9HnXPJguq73/IKB5Kby0gBjHrTPRyMK/dRYC0HPQzD2x+n/KwUFkmT:Cvw9HXPJguq73/IKBWyPidS98D2x+Sw2

Score
1/10

Malware Config

Signatures

  • Checks processor information in registry 2 TTPs 15 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 15 IoCs
  • Suspicious behavior: AddClipboardFormatListener 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of SetWindowsHookEx 29 IoCs

Processes

  • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\21e78c10e726ef8daf7edf2b32af25ae_JaffaCakes118.doc" /o ""
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    PID:4108
  • C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    PID:3684
  • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /Automation -Embedding
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    PID:2440
  • C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    PID:5008
  • C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    PID:4936

Network

MITRE ATT&CK Enterprise v15


Downloads
