Analysis
- max time kernel: 149s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20240611-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 03-07-2024 18:11
Behavioral task: behavioral1
- Sample: 234bcef84d766cb8bf8c6d78e013fc6f_JaffaCakes118.doc
- Resource: win7-20240419-en

Behavioral task: behavioral2
- Sample: 234bcef84d766cb8bf8c6d78e013fc6f_JaffaCakes118.doc
- Resource: win10v2004-20240611-en
General
- Target: 234bcef84d766cb8bf8c6d78e013fc6f_JaffaCakes118.doc
- Size: 242KB
- MD5: 234bcef84d766cb8bf8c6d78e013fc6f
- SHA1: 05843a0d9a6a6a01ced6f06e97ce7c69bb6bde3a
- SHA256: 602ddd6d104ab13eceae1f1459862094c8740308bf08f060d51fece37b63612e
- SHA512: b214aed42a46d1e5b5fc7af4a952b281f9820dd858639340e74c17e3fc4d40c886d385f3cb9e53e2b50c12077110543a82d684aa92522d88ad5bbc6457739dd2
- SSDEEP: 3072:rvw9HXPJguq73/IKBWydAdS1zzKpiyclq:rvKHXPJi73wAcU1K8nlq
Malware Config
Signatures
- Checks processor information in registry (2 TTPs, 6 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes: EXCEL.EXE, WINWORD.EXE
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | EXCEL.EXE
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | EXCEL.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | EXCEL.EXE

- Enumerates system info in registry (2 TTPs, 6 IoCs)
  Processes: WINWORD.EXE, EXCEL.EXE
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | EXCEL.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | EXCEL.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | EXCEL.EXE

- Suspicious behavior: AddClipboardFormatListener (2 IoCs)
  Processes: WINWORD.EXE
  pid | process
  3560 | WINWORD.EXE (2 IoCs)

- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes: EXCEL.EXE
  description | pid | process
  Token: SeAuditPrivilege | 1196 | EXCEL.EXE

- Suspicious use of SetWindowsHookEx (11 IoCs)
  Processes: WINWORD.EXE, EXCEL.EXE
  pid | process
  3560 | WINWORD.EXE (7 IoCs)
  1196 | EXCEL.EXE (4 IoCs)
Processes
- C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\234bcef84d766cb8bf8c6d78e013fc6f_JaffaCakes118.doc" /o ""
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  PID: 3560

- C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID: 1196
Network
MITRE ATT&CK Enterprise v15
Downloads