86b77086f3080a513c8ea671350984420e02fea6e216a23b8fc927f353593648

Analysis

max time kernel
117s
max time network
124s
platform
windows10-2004_x64
resource
win10v2004-20240704-en
resource tags

arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
submitted
08/07/2024, 00:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2a6514db0353dc21015acc303978e50b_JaffaCakes118.doc
Size

238KB
MD5

2a6514db0353dc21015acc303978e50b
SHA1

32b8138b335965fe93c8fa4562c878d95ddd6670
SHA256

86b77086f3080a513c8ea671350984420e02fea6e216a23b8fc927f353593648
SHA512

e421a371955ed92c599bdf8edb50bac43fddb02d14b7d707c2d61d6145ddc4b29848db3a462e0218627b196370cc11885536c1251e8a8e0fd3e8539599a29585
SSDEEP

3072:PAw1vPEfOgnPJceKBDaWOdSHm9/Qk6tWhL:PAKvPEfrPJBA4UH4YIx

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 15 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Enumerates system info in registry 2 TTPs 15 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 4 IoCs

pid	Process
1048	WINWORD.EXE
1048	WINWORD.EXE
4456	WINWORD.EXE
4456	WINWORD.EXE

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeAuditPrivilege	3556	EXCEL.EXE
Token: SeAuditPrivilege	440	EXCEL.EXE
Token: SeAuditPrivilege	4416	EXCEL.EXE

Suspicious use of SetWindowsHookEx 29 IoCs

pid	Process
1048	WINWORD.EXE
1048	WINWORD.EXE
1048	WINWORD.EXE
1048	WINWORD.EXE
1048	WINWORD.EXE
1048	WINWORD.EXE
1048	WINWORD.EXE
3556	EXCEL.EXE
3556	EXCEL.EXE
3556	EXCEL.EXE
3556	EXCEL.EXE
4456	WINWORD.EXE
4456	WINWORD.EXE
4456	WINWORD.EXE
4456	WINWORD.EXE
4456	WINWORD.EXE
4456	WINWORD.EXE
4456	WINWORD.EXE
4456	WINWORD.EXE
4456	WINWORD.EXE
4456	WINWORD.EXE
440	EXCEL.EXE
440	EXCEL.EXE
440	EXCEL.EXE
440	EXCEL.EXE
4416	EXCEL.EXE
4416	EXCEL.EXE
4416	EXCEL.EXE
4416	EXCEL.EXE

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\2a6514db0353dc21015acc303978e50b_JaffaCakes118.doc" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1048

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3556

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /Automation -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:4456

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:440

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4416

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.CampaignStates.json

Filesize
21B

MD5
f1b59332b953b3c99b3c95a44249c0d2

SHA1
1b16a2ca32bf8481e18ff8b7365229b598908991

SHA256
138e49660d259061d8152137abd8829acdfb78b69179890beb489fe3ffe23e0c

SHA512
3c1f99ecc394df3741be875fbe8d95e249d1d9ac220805794a22caf81620d5fdd3cce19260d94c0829b3160b28a2b4042e46b56398e60f72134e49254e9679a4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.GovernedChannelStates.json

Filesize
417B

MD5
c56ff60fbd601e84edd5a0ff1010d584

SHA1
342abb130dabeacde1d8ced806d67a3aef00a749

SHA256
200e8cc8dd12e22c9720be73092eafb620435d4569dbdcdba9404ace2aa4343c

SHA512
acd2054fddb33b55b58b870edd4eb6a3cdd3131dfe6139cb3d27054ac2b2a460694c9be9c2a1da0f85606e95e7f393cf16868b6c654e78a664799bc3418da86e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.Settings.json

Filesize
87B

MD5
e4e83f8123e9740b8aa3c3dfa77c1c04

SHA1
5281eae96efde7b0e16a1d977f005f0d3bd7aad0

SHA256
6034f27b0823b2a6a76fe296e851939fd05324d0af9d55f249c79af118b0eb31

SHA512
bd6b33fd2bbce4a46991bc0d877695d16f7e60b1959a0defc79b627e569e5c6cac7b4ad4e3e1d8389a08584602a51cf84d44cf247f03beb95f7d307fbba12bb9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.SurveyHistoryStats.json

Filesize
14B

MD5
6ca4960355e4951c72aa5f6364e459d5

SHA1
2fd90b4ec32804dff7a41b6e63c8b0a40b592113

SHA256
88301f0b7e96132a2699a8bce47d120855c7f0a37054540019e3204d6bcbaba3

SHA512
8544cd778717788b7484faf2001f463320a357db63cb72715c1395ef19d32eec4278bab07f15de3f4fed6af7e4f96c41908a0c45be94d5cdd8121877eccf310d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\OfficeFileCache\CentralTable.accdb

Filesize
512KB

MD5
8aeba5ef34d2c62116c9390b815359a4

SHA1
b9e606e82fdd865c6688aca6d98f41eb6b77cc5d

SHA256
ca19ebd383f6289c611902409302b602e3aaa421e85a117d5906d35968a3ad3b

SHA512
aed17f5a2f0248d3b50ba5284a1148e5373e4545a24e5702f991593ace206c7d56287faf9d396834e5807e8ef5b9d3e2e4ab43b8d7b936bbe2bc23ab55f98697

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\OfficeFileCache\CentralTable.laccdb

Filesize
128B

MD5
b81c1c054579e6ad870ad3ae75f596b5

SHA1
d4d7926d0e09de91b900dfd048a58f4d576ebcb4

SHA256
12acbe68425a73aed4a51f764341046709785ad21475f13b31988ff8bb56ae45

SHA512
2303130545b8633ea7f346d9f8507b2666f6a9aad5311f30b82af92a553bf2443dce8313991886aae59b8963b6ffa1b65b2c6424021fc4be9d942e96a0e84de5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\C27BFFF9-B52D-43CA-9351-4B693B81BE31

Filesize
168KB

MD5
52ec28b3958557ca94fa284886627a05

SHA1
09fac11ac044a446f2929fc6cd36b68337c17cea

SHA256
0b291945ca56da8a0d3401ec5f5f0f270161acabffe040272ee10e30294489e4

SHA512
d8df082fc1e97b0194194e2463989a8f84c9670d4257bca8c64ebe73ace708965686b962d450e6938820a426e02d7fa64e5262e97854e80cba355b3058ea7c4a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\DLP\mip\logs\mip_sdk.miplog

Filesize
10KB

MD5
40fd784e33b7b7f9660b17a75e2b5fa3

SHA1
2d12af57f1b018caf6284901b3e5467d316af383

SHA256
5de8b4307cd5978f10e9433c0559d54bcb10b11d94745849a717d5af298c506d

SHA512
2f31f1d8d25975212d5e90c944266e2276fbbf40b69a0b7057968892e9b93eba77e2699c138f02b84db841372746ee28b0696a85d793a60cdd95c2b7db8810dd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\excel.exe.db

Filesize
24KB

MD5
085ebd119f5fc6b8f63720fac1166ff5

SHA1
af066018aadec31b8e70a124a158736aca897306

SHA256
b8411fe8ec499074fca9047f6983d920279e84ddf3b02b2dd5c08cf07ec44687

SHA512
adb0522830db26123347cb485c43b156f5c888510e52091ba0fafc22b650ad29630c027746c920321905c28259dce7ff63dded93a79efddd5567c68312117875

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\excel.exe.db-wal

Filesize
8KB

MD5
d74dcf729f52bb5a953103fb80ea6def

SHA1
8fc0a9f7f489074aa53db84fae641599677e1955

SHA256
1c6b8c929ccdc0b14a4fd07ec0136cda5549ad1f29341e0324ab6dd3f356f4ba

SHA512
c998b9259416c1c25b941cee090c87d44ff464e0375cea5ab8259be502d60d5c59698e9d4eb28e50c48e16b0ca481529153d42fd5df5e44e7b66c012c472c407

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\winword.exe.db-wal

Filesize
8KB

MD5
ede573dbf3bd5ffdca6825f0b1c9dda4

SHA1
5805f91e12816d9feeb6017d51aea1eac67eeadd

SHA256
9b13bc0cb78e3c4ad0c290d3c8d70aac5a3e9fb097d354f27e058b2561e75c1a

SHA512
9c52ca2d925a57e41f33d3bd4a41ee20955a0dfcb4a0cf1c386546c54bba77d90c6615db751c9672c6147ce5a0de4f5e023f99ae5e72eb7b28aa1704134e7ab3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres

Filesize
2KB

MD5
c678d9f5d0e8b8e03b93817785b1d245

SHA1
f4eb3f5235dbd51ec6e33afa08706e95efc0cef0

SHA256
7f7e0abf323fbb0dbd9b2874837d410597ecd9094563fba52f5bcf4274390903

SHA512
33466725c5c38fc27d39c33cff3a291f59ad228a861f5e573f2bccf0d495907f401b8796797fe3764f4effdffb6115c5eb3ad01017e1376767bec76f33abe1f3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\49dbe2955480c7f6ef8cec9c4320c9868d9293fd.tbres

Filesize
2KB

MD5
00058b09daebf9a24e8fde009c06ab78

SHA1
e52a68359217d1e8dd8161a8de17eb648ac61ad8

SHA256
c470e50f5aeecd682fbc1fe2ce14a1bf26092a64263f2d77f7dd597238d3d737

SHA512
73ebabb2880274adb6b246c44f7f9552edd20113c06bd68577abf28f4de31bdb003848a2c34195fdb097de2fb93992729e411d5907025aa3ede2b109ca6f49c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\TCD303A.tmp\iso690.xsl

Filesize
263KB

MD5
ff0e07eff1333cdf9fc2523d323dd654

SHA1
77a1ae0dd8dbc3fee65dd6266f31e2a564d088a4

SHA256
3f925e0cc1542f09de1f99060899eafb0042bb9682507c907173c392115a44b5

SHA512
b4615f995fab87661c2dbe46625aa982215d7bde27cafae221dca76087fe76da4b4a381943436fcac1577cb3d260d0050b32b7b93e3eb07912494429f126bb3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\VBE\MSForms.exd

Filesize
148KB

MD5
2d275478bf47255fb271f1a680026453

SHA1
4b2e971d3f1cade93bcc16dafe88b05d265627d3

SHA256
4ffb3c0ae33d7ceac754c98ca7fbf0213be36ead9abd32a003b4fb1449d4b825

SHA512
9bb647b029a16a90728480a89adf27ee799d60bc4db386a80682772276eb6d218b0ed2467f000e468cbc2e1c0a2e624e8aead455318016c699c470ac2992825c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC

Filesize
16B

MD5
d29962abc88624befc0135579ae485ec

SHA1
e40a6458296ec6a2427bcb280572d023a9862b31

SHA256
a91a702aab9b8dd722843d3d208a21bcfa6556dfc64e2ded63975de4511eb866

SHA512
4311e87d8d5559248d4174908817a4ddc917bf7378114435cf12da8ccb7a1542c851812afbaf7dc106771bdb2e2d05f52e7d0c50d110fc7fffe4395592492c2f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

Filesize
3KB

MD5
b112ccb5efdf6b4557f94c5b04b1376e

SHA1
9a87e458261e659ba2473c6c2d12b5123f8c780c

SHA256
489c2b5a9c760a81bcd2c7b9dbd9c39bf2d21f48cab03d92f19bce4230d47bed

SHA512
78537db62835c14da7fbb0ede8403191b068de28de62a4983bc57d308c8f59a1308a6a97e2d8eb822f70b029a34d4321ff13f056aaa4051fb39d9120bec096f7

Download Submit
memory/1048-39-0x00007FFA73710000-0x00007FFA73905000-memory.dmp

Filesize
2.0MB

Download
memory/1048-1188-0x00007FFA33790000-0x00007FFA337A0000-memory.dmp

Filesize
64KB

Download
memory/1048-19-0x00007FFA31470000-0x00007FFA31480000-memory.dmp

Filesize
64KB

Download
memory/1048-8-0x00007FFA73710000-0x00007FFA73905000-memory.dmp

Filesize
2.0MB

Download
memory/1048-13-0x00007FFA73710000-0x00007FFA73905000-memory.dmp

Filesize
2.0MB

Download
memory/1048-0-0x00007FFA33790000-0x00007FFA337A0000-memory.dmp

Filesize
64KB

Download
memory/1048-14-0x00007FFA73710000-0x00007FFA73905000-memory.dmp

Filesize
2.0MB

Download
memory/1048-209-0x00007FFA73710000-0x00007FFA73905000-memory.dmp

Filesize
2.0MB

Download
memory/1048-17-0x00007FFA73710000-0x00007FFA73905000-memory.dmp

Filesize
2.0MB

Download
memory/1048-18-0x00007FFA73710000-0x00007FFA73905000-memory.dmp

Filesize
2.0MB

Download
memory/1048-16-0x00007FFA73710000-0x00007FFA73905000-memory.dmp

Filesize
2.0MB

Download
memory/1048-15-0x00007FFA73710000-0x00007FFA73905000-memory.dmp

Filesize
2.0MB

Download
memory/1048-9-0x00007FFA73710000-0x00007FFA73905000-memory.dmp

Filesize
2.0MB

Download
memory/1048-5-0x00007FFA33790000-0x00007FFA337A0000-memory.dmp

Filesize
64KB

Download
memory/1048-1187-0x00007FFA33790000-0x00007FFA337A0000-memory.dmp

Filesize
64KB

Download
memory/1048-1186-0x00007FFA33790000-0x00007FFA337A0000-memory.dmp

Filesize
64KB

Download
memory/1048-1185-0x00007FFA33790000-0x00007FFA337A0000-memory.dmp

Filesize
64KB

Download
memory/1048-1192-0x00007FFA73710000-0x00007FFA73905000-memory.dmp

Filesize
2.0MB

Download
memory/1048-12-0x00007FFA31470000-0x00007FFA31480000-memory.dmp

Filesize
64KB

Download
memory/1048-10-0x00007FFA73710000-0x00007FFA73905000-memory.dmp

Filesize
2.0MB

Download
memory/1048-11-0x00007FFA73710000-0x00007FFA73905000-memory.dmp

Filesize
2.0MB

Download
memory/1048-6-0x00007FFA73710000-0x00007FFA73905000-memory.dmp

Filesize
2.0MB

Download
memory/1048-7-0x00007FFA73710000-0x00007FFA73905000-memory.dmp

Filesize
2.0MB

Download
memory/1048-4-0x00007FFA33790000-0x00007FFA337A0000-memory.dmp

Filesize
64KB

Download
memory/1048-3-0x00007FFA737AD000-0x00007FFA737AE000-memory.dmp

Filesize
4KB

Download
memory/1048-1-0x00007FFA33790000-0x00007FFA337A0000-memory.dmp

Filesize
64KB

Download
memory/1048-2-0x00007FFA33790000-0x00007FFA337A0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads