Analysis
max time kernel: 137s
max time network: 135s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 03-07-2024 09:44
Behavioral task: behavioral1
Sample: 21e78c10e726ef8daf7edf2b32af25ae_JaffaCakes118.doc
Resource: win7-20240221-en
Behavioral task: behavioral2
Sample: 21e78c10e726ef8daf7edf2b32af25ae_JaffaCakes118.doc
Resource: win10v2004-20240508-en
General
Target: 21e78c10e726ef8daf7edf2b32af25ae_JaffaCakes118.doc
Size: 241KB
MD5: 21e78c10e726ef8daf7edf2b32af25ae
SHA1: 10b93f75ceb4b6d2682b7e43048977ef14145832
SHA256: 8db366d3ef9b2c7b52bb949935f6ed9ac8a7c0d45e19f604c1ceb15eb08cc3fb
SHA512: 8908591a92fd54a341ca23d8817955a5bae4aadc1ac7d28a74a25580fd91d18b71789dc7896a794de73c4d5476cbac6506c523a4e79e1e3827b1161f441d9c2e
SSDEEP: 1536:CterTkw9HnXPJguq73/IKB5Kby0gBjHrTPRyMK/dRYC0HPQzD2x+n/KwUFkmT:Cvw9HXPJguq73/IKBWyPidS98D2x+Sw2
Malware Config
Signatures
-
Checks processor information in registry (2 TTPs, 15 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes: WINWORD.EXE, EXCEL.EXE
description / ioc / process:
- Key opened: \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 (WINWORD.EXE)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (WINWORD.EXE)
- Key opened: \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 (WINWORD.EXE)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz (WINWORD.EXE)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz (WINWORD.EXE)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (EXCEL.EXE)
- Key opened: \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 (EXCEL.EXE)
- Key opened: \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 (EXCEL.EXE)
- Key opened: \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 (EXCEL.EXE)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz (EXCEL.EXE)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (EXCEL.EXE)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz (EXCEL.EXE)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (EXCEL.EXE)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (WINWORD.EXE)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz (EXCEL.EXE)
-
Enumerates system info in registry (2 TTPs, 15 IoCs)
Processes: EXCEL.EXE, WINWORD.EXE
description / ioc / process:
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily (EXCEL.EXE)
- Key opened: \REGISTRY\MACHINE\Hardware\Description\System\BIOS (EXCEL.EXE)
- Key opened: \REGISTRY\MACHINE\Hardware\Description\System\BIOS (WINWORD.EXE)
- Key opened: \REGISTRY\MACHINE\Hardware\Description\System\BIOS (WINWORD.EXE)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily (WINWORD.EXE)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily (EXCEL.EXE)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU (EXCEL.EXE)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU (EXCEL.EXE)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU (EXCEL.EXE)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU (WINWORD.EXE)
- Key opened: \REGISTRY\MACHINE\Hardware\Description\System\BIOS (EXCEL.EXE)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily (EXCEL.EXE)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily (WINWORD.EXE)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU (WINWORD.EXE)
- Key opened: \REGISTRY\MACHINE\Hardware\Description\System\BIOS (EXCEL.EXE)
-
Suspicious behavior: AddClipboardFormatListener (4 IoCs)
Processes: WINWORD.EXE
pid / process:
- 4108 WINWORD.EXE
- 4108 WINWORD.EXE
- 2440 WINWORD.EXE
- 2440 WINWORD.EXE
-
Suspicious use of AdjustPrivilegeToken (3 IoCs)
Processes: EXCEL.EXE
description / pid / process:
- Token: SeAuditPrivilege, 3684 EXCEL.EXE
- Token: SeAuditPrivilege, 5008 EXCEL.EXE
- Token: SeAuditPrivilege, 4936 EXCEL.EXE
-
Suspicious use of SetWindowsHookEx (29 IoCs)
Processes: WINWORD.EXE, EXCEL.EXE
pid / process (number of hits):
- 4108 WINWORD.EXE (7)
- 3684 EXCEL.EXE (4)
- 2440 WINWORD.EXE (10)
- 5008 EXCEL.EXE (4)
- 4936 EXCEL.EXE (4)
Processes
-
Process: C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\21e78c10e726ef8daf7edf2b32af25ae_JaffaCakes118.doc" /o ""
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID: 4108
-
Process: C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
Command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID: 3684
-
Process: C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /Automation -Embedding
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID: 2440
-
Process: C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
Command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID: 5008
-
Process: C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
Command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID: 4936
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize: 21B
MD5: f1b59332b953b3c99b3c95a44249c0d2
SHA1: 1b16a2ca32bf8481e18ff8b7365229b598908991
SHA256: 138e49660d259061d8152137abd8829acdfb78b69179890beb489fe3ffe23e0c
SHA512: 3c1f99ecc394df3741be875fbe8d95e249d1d9ac220805794a22caf81620d5fdd3cce19260d94c0829b3160b28a2b4042e46b56398e60f72134e49254e9679a4
-
Filesize: 417B
MD5: c56ff60fbd601e84edd5a0ff1010d584
SHA1: 342abb130dabeacde1d8ced806d67a3aef00a749
SHA256: 200e8cc8dd12e22c9720be73092eafb620435d4569dbdcdba9404ace2aa4343c
SHA512: acd2054fddb33b55b58b870edd4eb6a3cdd3131dfe6139cb3d27054ac2b2a460694c9be9c2a1da0f85606e95e7f393cf16868b6c654e78a664799bc3418da86e
-
Filesize: 87B
MD5: e4e83f8123e9740b8aa3c3dfa77c1c04
SHA1: 5281eae96efde7b0e16a1d977f005f0d3bd7aad0
SHA256: 6034f27b0823b2a6a76fe296e851939fd05324d0af9d55f249c79af118b0eb31
SHA512: bd6b33fd2bbce4a46991bc0d877695d16f7e60b1959a0defc79b627e569e5c6cac7b4ad4e3e1d8389a08584602a51cf84d44cf247f03beb95f7d307fbba12bb9
-
Filesize: 14B
MD5: 6ca4960355e4951c72aa5f6364e459d5
SHA1: 2fd90b4ec32804dff7a41b6e63c8b0a40b592113
SHA256: 88301f0b7e96132a2699a8bce47d120855c7f0a37054540019e3204d6bcbaba3
SHA512: 8544cd778717788b7484faf2001f463320a357db63cb72715c1395ef19d32eec4278bab07f15de3f4fed6af7e4f96c41908a0c45be94d5cdd8121877eccf310d
-
Filesize: 512KB
MD5: 91ed101bbfe97bb6f2f37eb6b575e90a
SHA1: e76b98797d9df927ada6cca6c5af7d1bd3cc0257
SHA256: 4c1cd8ace8fd4391909f5326abe227a5ca137a7d410293991071578b2da78b9b
SHA512: 9cb2b678c3e4d91d2acb1d260a3afeef99f1d037848133f4c52d313214891c389c1a62d1f669b669ade1e3c7a26ce40948858c802848e3bd1216895f9ceeab51
-
Filesize: 128B
MD5: 93613f092b43447e50c65482aaa83cc0
SHA1: cc159612a0a4f7406cb9454beac572821a62e725
SHA256: 7af07a3503b5c736e99c982e468b2c42a90b8f8eb990f00ff17f45f76a9ec427
SHA512: 193043f2968c2ef0b62427e77306873c20ab270409bf37adc758f4b770d1908584ef9b48f07d0c0804e042a764e4c2ce644935e3ac855d41b264257af35ff023
-
Filesize: 21KB
MD5: 6815d4176687816748e1348eae84b2b4
SHA1: a58d19f6dbb3799f63fb67bc86b6f6ac7b1e86ef
SHA256: 266b4bca1b44f3e4eadf34e8ec3826ecf2484395af4bb16a5d253af6452f33e5
SHA512: 42c50ca1a7c7746f623cae12bdc131fce516e63bdd8dd26ef32a094fe552b60199275d4d44af62b0fc54c20e6883929c4ff117dc00c8365ce40054a74dbebc95
-
Filesize: 88KB
MD5: 9ce81730874d754d3103a324ae2b2613
SHA1: 6011283b5805f46dbee66bbbd014d2973c6afd56
SHA256: 3144a0dedefc037eaa0d5a70c027741ea7402ab6ee80c617c84b59874be54c73
SHA512: 9e123e4d9d180f4a62f49c5823ea524de5f50a896596ad41fa95fc116f2a3eca8043b2ddf86a405a64904f9623f70c06d30dd5f9bf10c0101a5e7823735b062c
-
Filesize: 8KB
MD5: 17ce632facb4198776274574714106ad
SHA1: f71c85b7347679199426bac21669a4b1eee9400f
SHA256: 69c1831dedd88c0beda3ca6acd8b5875efebe583b6fb60eec8e5fc716152372b
SHA512: 3a4f59d520364a9a7829d7d3d82f2bfb5cffbb54079ac167c1605732325685a571f8821c190501d4a54069199696cc05efc411bb50d0d659f1c925eb467cf5b1
-
Filesize: 547KB
MD5: 43690fb6af1fb2a7f4facae677c7d6c0
SHA1: 7a7ad0bcbd21f7b01ce80d56d2aa9c447b8942ce
SHA256: afe20a4d4fad1f21dae19cebd0ae8361bea5012295d3c9e868d15d3e4166dfd2
SHA512: 09a8dd517039853243b81abfefe20841e660e516eda8d1282ce826ed3cc6219ac4be8639039597174e3d3e98d99bcc253c052add1d742f258f18962a2de18563
-
Filesize: 8KB
MD5: 4464f71a24f18dcc841c33a84fd88acc
SHA1: 908ff7deea5b4f7e8915fd291cf18ffa804a0a21
SHA256: 4167a8fa0688b2a60b7902472b01cbaea1bab806a5be397f57fde30db3f3beb0
SHA512: f3c9bbb96daeabcb642af8698ab829c8b6bb4305b93a055f41dc6490fa9169dee69f353695ecdeb27c3afc6124f2378dcc186a601c8a4ab305cf7ab54bcb1437
-
Filesize: 148KB
MD5: c66ce6097b217799943a6c58c8809192
SHA1: 4864c04fa4134dd15fd5ecba33d12b09081367a5
SHA256: fd2da6ddb8ed6ccaaf29764f39f8811a96485916af8cd9675e5625673f24a940
SHA512: 41147daf848368a8b6d5db47b72e781ad4c273b7b6ff1d6b537329b0f7074b3036645baac15ca72bc542736b87b99218b64f402ee38840fd948b391ec2fb70cf