6f9f0bfa2dec9a1b1178b4ca50966833f7515b12fdee5d015977f96558fe2b4c

Analysis

max time kernel
149s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
10-07-2024 11:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3492414ac7f96cf096455293a419bebc_JaffaCakes118.doc
Size

204KB
MD5

3492414ac7f96cf096455293a419bebc
SHA1

a9e1541403f94ed1170ebb26e74b615367a94c94
SHA256

6f9f0bfa2dec9a1b1178b4ca50966833f7515b12fdee5d015977f96558fe2b4c
SHA512

27945244c34e7fbaced1d5ea23ff47b53f9853d6de843a7bf4a93c3bee62ce4873c3570c6793d15882fc57e8ff85d3cd69f94e6275e1b47256a22fbd82192aa3
SSDEEP

1536:ptPrT8wrLT0NeXxz1DweIHrTPQyq5J8bCXmhKGJtbJKjPNFTwe5J/:p2w3keXxz1Dfk69XXeJ8ie7

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 12 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Enumerates system info in registry 2 TTPs 12 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 4 IoCs

pid	Process
1564	WINWORD.EXE
1564	WINWORD.EXE
4056	WINWORD.EXE
4056	WINWORD.EXE

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeAuditPrivilege	3572	EXCEL.EXE
Token: SeAuditPrivilege	4920	EXCEL.EXE

Suspicious use of SetWindowsHookEx 26 IoCs

pid	Process
1564	WINWORD.EXE
1564	WINWORD.EXE
1564	WINWORD.EXE
1564	WINWORD.EXE
1564	WINWORD.EXE
1564	WINWORD.EXE
1564	WINWORD.EXE
3572	EXCEL.EXE
3572	EXCEL.EXE
3572	EXCEL.EXE
3572	EXCEL.EXE
4056	WINWORD.EXE
4056	WINWORD.EXE
4056	WINWORD.EXE
4056	WINWORD.EXE
4056	WINWORD.EXE
4056	WINWORD.EXE
4056	WINWORD.EXE
4056	WINWORD.EXE
4056	WINWORD.EXE
4056	WINWORD.EXE
4056	WINWORD.EXE
4920	EXCEL.EXE
4920	EXCEL.EXE
4920	EXCEL.EXE
4920	EXCEL.EXE

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\3492414ac7f96cf096455293a419bebc_JaffaCakes118.doc" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1564

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3572

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /Automation -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:4056

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4920

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.CampaignStates.json

Filesize
21B

MD5
f1b59332b953b3c99b3c95a44249c0d2

SHA1
1b16a2ca32bf8481e18ff8b7365229b598908991

SHA256
138e49660d259061d8152137abd8829acdfb78b69179890beb489fe3ffe23e0c

SHA512
3c1f99ecc394df3741be875fbe8d95e249d1d9ac220805794a22caf81620d5fdd3cce19260d94c0829b3160b28a2b4042e46b56398e60f72134e49254e9679a4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.GovernedChannelStates.json

Filesize
417B

MD5
c56ff60fbd601e84edd5a0ff1010d584

SHA1
342abb130dabeacde1d8ced806d67a3aef00a749

SHA256
200e8cc8dd12e22c9720be73092eafb620435d4569dbdcdba9404ace2aa4343c

SHA512
acd2054fddb33b55b58b870edd4eb6a3cdd3131dfe6139cb3d27054ac2b2a460694c9be9c2a1da0f85606e95e7f393cf16868b6c654e78a664799bc3418da86e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.Settings.json

Filesize
87B

MD5
e4e83f8123e9740b8aa3c3dfa77c1c04

SHA1
5281eae96efde7b0e16a1d977f005f0d3bd7aad0

SHA256
6034f27b0823b2a6a76fe296e851939fd05324d0af9d55f249c79af118b0eb31

SHA512
bd6b33fd2bbce4a46991bc0d877695d16f7e60b1959a0defc79b627e569e5c6cac7b4ad4e3e1d8389a08584602a51cf84d44cf247f03beb95f7d307fbba12bb9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.SurveyEventActivityStats.json

Filesize
14B

MD5
6ca4960355e4951c72aa5f6364e459d5

SHA1
2fd90b4ec32804dff7a41b6e63c8b0a40b592113

SHA256
88301f0b7e96132a2699a8bce47d120855c7f0a37054540019e3204d6bcbaba3

SHA512
8544cd778717788b7484faf2001f463320a357db63cb72715c1395ef19d32eec4278bab07f15de3f4fed6af7e4f96c41908a0c45be94d5cdd8121877eccf310d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\OfficeFileCache\CentralTable.accdb

Filesize
512KB

MD5
fe505624ea83b89e55e0bbec60344cdc

SHA1
4703b33e980e6e5ca6783b87032df98d3ce9c67a

SHA256
af2ef2d504927a18862adb13d95ed2c7898e9c316fbd9b01279abdb5b89a52bc

SHA512
4d2ef93bcd13eb86345450851e13f4b9c34293bd8267062665594da6bf26b0e6d13fde24082e5b02583831f2d0f906877d967f1cbfcc2fec3c9a61738fa6a83a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\winword.exe_Rules.xml

Filesize
332KB

MD5
874e05073239ce46fb73138f72a0b502

SHA1
6c5cfb40cc141c26048fd1c06986983e21db47b0

SHA256
18200fdb493faadfd4016b59a77bd873212d3a12f6b01d01087c59e78b3ce0ed

SHA512
4650990457be788c226295023f4778a119777ee9716556a09f48f63238dcac72f9501776432cdb94f81de766414252f53c3006aae258e97199577baedbe68a58

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\DLP\mip\logs\mip_sdk.miplog

Filesize
7KB

MD5
ac17ba068157affa5708ee160b15116f

SHA1
1326aee91bee95efc22bee1bbc0ae63c90aa03ad

SHA256
d71c9c124e0380ba71976fce049ab9ee907b3011734c2148231634a8dd251262

SHA512
1ce74ce2c79e34003d411099e857d145be8be7e6000387fe7c123a7f06eb087551a0bc70707834ddba67355697db3100dc557cafc36017040d51be5052602ede

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\excel.exe.db

Filesize
24KB

MD5
8665de22b67e46648a5a147c1ed296ca

SHA1
b289a96fee9fa77dd8e045ae8fd161debd376f48

SHA256
b5cbae5c48721295a51896f05abd4c9566be7941cda7b8c2aecb762e6e94425f

SHA512
bb03ea9347d302abf3b6fece055cdae0ad2d7c074e8517f230a90233f628e5803928b9ba7ba79c343e58dacb3e7a6fc16b94690a5ab0c71303959654a18bb5da

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\winword.exe.db-wal

Filesize
8KB

MD5
671dbfc51a13db5262dbd9f0f18a7c0f

SHA1
dbbca3bab06cc909e496ab539b58b5f22b487a8f

SHA256
65e73124a8b447b95de2ac35dbf6d07a6fb387252875ed84e20b841f45718d8c

SHA512
68646ea94bb32a84cd94554f252004dda07468b5d4bdfb8d97f0e9de3ddfe29547db1a2702562005245e7a9d2011366b4fe939dc434004b7ef7449744c5c6961

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres

Filesize
2KB

MD5
2d7019722081ff649d38060fec37227c

SHA1
7af30879fea1b18f22755a3e92914769dae6ebf4

SHA256
0d6622267186912fd28c82ed45f26677cae4f72aa69118c2c676eb1f5d110b22

SHA512
63823460300a1be10e65f48ae0482a2a8a4770a880b6dda17c3727100b2a318c7630315cb421304463704ce3757bbf1f1703aa1bb6c8ac83bfbe8894bab98688

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\49dbe2955480c7f6ef8cec9c4320c9868d9293fd.tbres

Filesize
2KB

MD5
997ed6fa83403cd2c21abf6446b87545

SHA1
2e6ccbca7c57734c9f85bfdbebb19390809d7c58

SHA256
aa814e363a9456364a45dd77afe0e4d807fb4d1e2f2cbef9772fef502d2a75f9

SHA512
a6031ba24ae07a6a44a9eb1243cfc225c3dffc90ced9721d384d3515f32d287134b9783e9c05703fba0259ffa52702dcf3113e7f6847079d24312c829441e642

Download Submit
C:\Users\Admin\AppData\Local\Temp\TCDF652.tmp\gb.xsl

Filesize
262KB

MD5
51d32ee5bc7ab811041f799652d26e04

SHA1
412193006aa3ef19e0a57e16acf86b830993024a

SHA256
6230814bf5b2d554397580613e20681752240ab87fd354ececf188c1eabe0e97

SHA512
5fc5d889b0c8e5ef464b76f0c4c9e61bda59b2d1205ac9417cc74d6e9f989fb73d78b4eb3044a1a1e1f2c00ce1ca1bd6d4d07eeadc4108c7b124867711c31810

Download Submit
C:\Users\Admin\AppData\Local\Temp\VBE\MSForms.exd

Filesize
148KB

MD5
f1d3bbfa8950722724754effd0261086

SHA1
3dcbcf028d9a0d0abf0b7f04ff6ce6742cccabd3

SHA256
008f11f26de0ddae4fb6a0d3e0d79b32bd624011e29a330f1ccea614e6205989

SHA512
0e72c05482cd7011cd36498e86f36286dd3c550d4e1f02e84a6b104e6c5167a2d68ee403e0448a63a80b65a0e276827ee77379d987aa8834f2192af5f19294f0

Download Submit
memory/1564-18-0x00007FFE28810000-0x00007FFE28A05000-memory.dmp

Filesize
2.0MB

Download
memory/1564-10-0x00007FFE28810000-0x00007FFE28A05000-memory.dmp

Filesize
2.0MB

Download
memory/1564-16-0x00007FFE28810000-0x00007FFE28A05000-memory.dmp

Filesize
2.0MB

Download
memory/1564-15-0x00007FFE28810000-0x00007FFE28A05000-memory.dmp

Filesize
2.0MB

Download
memory/1564-19-0x00007FFE28810000-0x00007FFE28A05000-memory.dmp

Filesize
2.0MB

Download
memory/1564-21-0x00007FFE28810000-0x00007FFE28A05000-memory.dmp

Filesize
2.0MB

Download
memory/1564-20-0x00007FFE28810000-0x00007FFE28A05000-memory.dmp

Filesize
2.0MB

Download
memory/1564-0-0x00007FFDE8890000-0x00007FFDE88A0000-memory.dmp

Filesize
64KB

Download
memory/1564-17-0x00007FFE28810000-0x00007FFE28A05000-memory.dmp

Filesize
2.0MB

Download
memory/1564-33-0x00007FFE28810000-0x00007FFE28A05000-memory.dmp

Filesize
2.0MB

Download
memory/1564-11-0x00007FFDE62A0000-0x00007FFDE62B0000-memory.dmp

Filesize
64KB

Download
memory/1564-563-0x00007FFE28810000-0x00007FFE28A05000-memory.dmp

Filesize
2.0MB

Download
memory/1564-12-0x00007FFE28810000-0x00007FFE28A05000-memory.dmp

Filesize
2.0MB

Download
memory/1564-13-0x00007FFE28810000-0x00007FFE28A05000-memory.dmp

Filesize
2.0MB

Download
memory/1564-8-0x00007FFE28810000-0x00007FFE28A05000-memory.dmp

Filesize
2.0MB

Download
memory/1564-14-0x00007FFDE62A0000-0x00007FFDE62B0000-memory.dmp

Filesize
64KB

Download
memory/1564-9-0x00007FFE28810000-0x00007FFE28A05000-memory.dmp

Filesize
2.0MB

Download
memory/1564-2-0x00007FFDE8890000-0x00007FFDE88A0000-memory.dmp

Filesize
64KB

Download
memory/1564-3-0x00007FFE288AD000-0x00007FFE288AE000-memory.dmp

Filesize
4KB

Download
memory/1564-1-0x00007FFDE8890000-0x00007FFDE88A0000-memory.dmp

Filesize
64KB

Download
memory/1564-4-0x00007FFE28810000-0x00007FFE28A05000-memory.dmp

Filesize
2.0MB

Download
memory/1564-7-0x00007FFE28810000-0x00007FFE28A05000-memory.dmp

Filesize
2.0MB

Download
memory/1564-1710-0x00007FFE28810000-0x00007FFE28A05000-memory.dmp

Filesize
2.0MB

Download
memory/1564-6-0x00007FFDE8890000-0x00007FFDE88A0000-memory.dmp

Filesize
64KB

Download
memory/1564-5-0x00007FFDE8890000-0x00007FFDE88A0000-memory.dmp

Filesize
64KB

Download
memory/3572-1550-0x00007FFDE8890000-0x00007FFDE88A0000-memory.dmp

Filesize
64KB

Download
memory/3572-1551-0x00007FFDE8890000-0x00007FFDE88A0000-memory.dmp

Filesize
64KB

Download
memory/3572-1553-0x00007FFDE8890000-0x00007FFDE88A0000-memory.dmp

Filesize
64KB

Download
memory/3572-1552-0x00007FFDE8890000-0x00007FFDE88A0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads