e91acb156a99be7f700c4ec2dd4d026b2efaf466077a4a65f923b7d8cab6405e

Analysis

max time kernel
115s
max time network
131s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
10/07/2024, 16:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

356a305814e66bf96aee899ad78f6b01_JaffaCakes118.doc
Size

235KB
MD5

356a305814e66bf96aee899ad78f6b01
SHA1

d6c2eda4b130df5469bb6108e00fb93980f9f23a
SHA256

e91acb156a99be7f700c4ec2dd4d026b2efaf466077a4a65f923b7d8cab6405e
SHA512

87c9b8ec6bb8e6c6d0bd071b4256992eaa30500616875c489469b6c06ac6dfe42d368371e814a5f3ab67d55d043729a4db5a7069f0e55e6052b2fda24b1ac25d
SSDEEP

3072:pUwxv5OsmqrmrAKHjCdSR9FQPciVUTlF4C:pUgv5O4rmEDUReciVor

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 12 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 12 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 4 IoCs

pid	Process
380	WINWORD.EXE
380	WINWORD.EXE
2716	WINWORD.EXE
2716	WINWORD.EXE

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeAuditPrivilege	3932	EXCEL.EXE
Token: SeAuditPrivilege	760	EXCEL.EXE

Suspicious use of SetWindowsHookEx 25 IoCs

pid	Process
380	WINWORD.EXE
380	WINWORD.EXE
380	WINWORD.EXE
380	WINWORD.EXE
380	WINWORD.EXE
380	WINWORD.EXE
380	WINWORD.EXE
3932	EXCEL.EXE
3932	EXCEL.EXE
3932	EXCEL.EXE
3932	EXCEL.EXE
2716	WINWORD.EXE
2716	WINWORD.EXE
2716	WINWORD.EXE
2716	WINWORD.EXE
2716	WINWORD.EXE
2716	WINWORD.EXE
2716	WINWORD.EXE
2716	WINWORD.EXE
2716	WINWORD.EXE
2716	WINWORD.EXE
760	EXCEL.EXE
760	EXCEL.EXE
760	EXCEL.EXE
760	EXCEL.EXE

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\356a305814e66bf96aee899ad78f6b01_JaffaCakes118.doc" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:380

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3932

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /Automation -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2716

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:760

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.CampaignStates.json

Filesize
21B

MD5
f1b59332b953b3c99b3c95a44249c0d2

SHA1
1b16a2ca32bf8481e18ff8b7365229b598908991

SHA256
138e49660d259061d8152137abd8829acdfb78b69179890beb489fe3ffe23e0c

SHA512
3c1f99ecc394df3741be875fbe8d95e249d1d9ac220805794a22caf81620d5fdd3cce19260d94c0829b3160b28a2b4042e46b56398e60f72134e49254e9679a4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.GovernedChannelStates.json

Filesize
417B

MD5
c56ff60fbd601e84edd5a0ff1010d584

SHA1
342abb130dabeacde1d8ced806d67a3aef00a749

SHA256
200e8cc8dd12e22c9720be73092eafb620435d4569dbdcdba9404ace2aa4343c

SHA512
acd2054fddb33b55b58b870edd4eb6a3cdd3131dfe6139cb3d27054ac2b2a460694c9be9c2a1da0f85606e95e7f393cf16868b6c654e78a664799bc3418da86e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.Settings.json

Filesize
87B

MD5
e4e83f8123e9740b8aa3c3dfa77c1c04

SHA1
5281eae96efde7b0e16a1d977f005f0d3bd7aad0

SHA256
6034f27b0823b2a6a76fe296e851939fd05324d0af9d55f249c79af118b0eb31

SHA512
bd6b33fd2bbce4a46991bc0d877695d16f7e60b1959a0defc79b627e569e5c6cac7b4ad4e3e1d8389a08584602a51cf84d44cf247f03beb95f7d307fbba12bb9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.SurveyHistoryStats.json

Filesize
14B

MD5
6ca4960355e4951c72aa5f6364e459d5

SHA1
2fd90b4ec32804dff7a41b6e63c8b0a40b592113

SHA256
88301f0b7e96132a2699a8bce47d120855c7f0a37054540019e3204d6bcbaba3

SHA512
8544cd778717788b7484faf2001f463320a357db63cb72715c1395ef19d32eec4278bab07f15de3f4fed6af7e4f96c41908a0c45be94d5cdd8121877eccf310d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\OfficeFileCache\CentralTable.accdb

Filesize
512KB

MD5
6ce14ce3b94a170455af90420b91b809

SHA1
5350fd2f0f6807735c66139e261dc2fa614fae94

SHA256
bd3942272b2b9023a5c76e00f687f41e3f2ca4708a8a17770d9797cd5a6d0cb4

SHA512
7907c1d805722d29b2e2f4f9ec96f8f5452ffda0566fd6f0d9045376b86076deb66c60f06f04ff3164341a73fe1be6954e182ea604681a8777c96f655bbc02de

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\0DA10ED2-94C6-43E5-A91B-543809C6D1DC

Filesize
168KB

MD5
45324475e0d7f62048e82b36dc950c60

SHA1
e1ef99a85a83b5b5a104ab12d175e8e9fa35ca65

SHA256
c0f077b5a6b4e936b72149729935ca4a7d8a96ec462eb1f4dc20d9f45a5314e9

SHA512
ed5002ed8a1d0799ba864ee2121bf8119966a5ae7623a078aacde032a03f08c4c1f1644a5835aac4068c0788d63f77ed1bebc36471929029d4538930c294ba95

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\DLP\mip\logs\mip_sdk.miplog

Filesize
10KB

MD5
1bcdfe7a8e5ce22a6bf73ff6ceac5263

SHA1
ccc285f611034754e1ad5232e15f82c975bb9177

SHA256
98fbfe46d5c2f489cd52fa7d8cd3361f35f1d545c9aa43aa238548ae14e09cb4

SHA512
b13429c4d8e326f6f4f01c5f1bcc1d1145969b743267487bf6d0311dd7796aaf8bfe14584aa0776ae2d1635f76bbedb75b19af97dc6426883272ef255f6d306b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\excel.exe.db

Filesize
24KB

MD5
085ebd119f5fc6b8f63720fac1166ff5

SHA1
af066018aadec31b8e70a124a158736aca897306

SHA256
b8411fe8ec499074fca9047f6983d920279e84ddf3b02b2dd5c08cf07ec44687

SHA512
adb0522830db26123347cb485c43b156f5c888510e52091ba0fafc22b650ad29630c027746c920321905c28259dce7ff63dded93a79efddd5567c68312117875

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\winword.exe.db-wal

Filesize
8KB

MD5
ff17841d76efd9f9e8810b0b34af32fb

SHA1
9582362ad68cf5a25de9e6129b3de0732a889864

SHA256
bd8534921a1f447734b5172c527d774d90cca0af0ed0407200636fcd13301af7

SHA512
14062fb161c16ffb73132a40e0c1c56e5af79492123d3d2cb8f27c1116354e3f40ce1818bf08e2d45db7c69ffb5341665740be117697452a647ebce8049119bb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres

Filesize
2KB

MD5
d234c9a7371b85897535e8d6a1f6af7a

SHA1
a3693f42388243d28989b75f59a7ce29fe0a7e07

SHA256
4a2bf226b118d353afcdf78e522edadbb57cb9a42cc35779c564179affc7e308

SHA512
cf854204879fabaee766ba5031292ce6856091a04d1ac38231eab101bd06098b53d175827cae80b744e889ca6a2e02c5e2a91ffc98b56421739a8cb81ecb29d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\49dbe2955480c7f6ef8cec9c4320c9868d9293fd.tbres

Filesize
2KB

MD5
1f30154414a96ab8b3d5f16003079a7d

SHA1
23c37d0e10554b4ff9f5afd99357b4954c4e030d

SHA256
89bc1211b4f3be0359f87fd242be1bac486280fc073f41a7454d4de9d47c0304

SHA512
e607c944741b2257f83e3e9fba3625eae50591f85ed6f276a08ed56fda94f9eefff7c0496755036f6d6386c95d52a5fca331e3fb61af245a1a0bfd9f38fd80cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\VBE\MSForms.exd

Filesize
148KB

MD5
0196ce110dc31cf81b75ba5c33689ee9

SHA1
674b398e0dc4c5cfb47f7cc46e38a72d61fbcf9b

SHA256
16cf38491889e902a394815579abc9b31751bf9ef50ed78b740a885a77d0774b

SHA512
10b9dbabdd10775cda6b16023bd441a4488218c325af5fe1258ae8dc287ae5014d939e49af86deecbfca1018ae00abb327caab439afdc00e4f0ca0486d702b27

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC

Filesize
16B

MD5
d29962abc88624befc0135579ae485ec

SHA1
e40a6458296ec6a2427bcb280572d023a9862b31

SHA256
a91a702aab9b8dd722843d3d208a21bcfa6556dfc64e2ded63975de4511eb866

SHA512
4311e87d8d5559248d4174908817a4ddc917bf7378114435cf12da8ccb7a1542c851812afbaf7dc106771bdb2e2d05f52e7d0c50d110fc7fffe4395592492c2f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

Filesize
1KB

MD5
b65760cb367dddc5995d2bbaecc4bf09

SHA1
4738e22b1e7f8c9763e9534030c056077f47d752

SHA256
846dee0dd8325ccf25e67fe6e70e3ef9c3cb17369dbb50c229d24d78de8c9c56

SHA512
db307695f0387e00d487588173bcc5a98e70923e6c8dc9fc99b4ba4129256a0580f7a838e5cc30d59a7e933bde7039f846d66d25ec8c54fa8922913ed5934652

Download Submit
memory/380-10-0x00007FFBD1330000-0x00007FFBD1525000-memory.dmp

Filesize
2.0MB

Download
memory/380-1-0x00007FFBD13CD000-0x00007FFBD13CE000-memory.dmp

Filesize
4KB

Download
memory/380-17-0x00007FFB8EC90000-0x00007FFB8ECA0000-memory.dmp

Filesize
64KB

Download
memory/380-15-0x00007FFBD1330000-0x00007FFBD1525000-memory.dmp

Filesize
2.0MB

Download
memory/380-14-0x00007FFBD1330000-0x00007FFBD1525000-memory.dmp

Filesize
2.0MB

Download
memory/380-55-0x00007FFBD1330000-0x00007FFBD1525000-memory.dmp

Filesize
2.0MB

Download
memory/380-56-0x00007FFBD13CD000-0x00007FFBD13CE000-memory.dmp

Filesize
4KB

Download
memory/380-57-0x00007FFBD1330000-0x00007FFBD1525000-memory.dmp

Filesize
2.0MB

Download
memory/380-58-0x00007FFBD1330000-0x00007FFBD1525000-memory.dmp

Filesize
2.0MB

Download
memory/380-111-0x00007FFBD1330000-0x00007FFBD1525000-memory.dmp

Filesize
2.0MB

Download
memory/380-13-0x00007FFBD1330000-0x00007FFBD1525000-memory.dmp

Filesize
2.0MB

Download
memory/380-11-0x00007FFBD1330000-0x00007FFBD1525000-memory.dmp

Filesize
2.0MB

Download
memory/380-12-0x00007FFBD1330000-0x00007FFBD1525000-memory.dmp

Filesize
2.0MB

Download
memory/380-16-0x00007FFB8EC90000-0x00007FFB8ECA0000-memory.dmp

Filesize
64KB

Download
memory/380-8-0x00007FFBD1330000-0x00007FFBD1525000-memory.dmp

Filesize
2.0MB

Download
memory/380-9-0x00007FFBD1330000-0x00007FFBD1525000-memory.dmp

Filesize
2.0MB

Download
memory/380-0-0x00007FFB913B0000-0x00007FFB913C0000-memory.dmp

Filesize
64KB

Download
memory/380-3-0x00007FFB913B0000-0x00007FFB913C0000-memory.dmp

Filesize
64KB

Download
memory/380-2-0x00007FFB913B0000-0x00007FFB913C0000-memory.dmp

Filesize
64KB

Download
memory/380-4-0x00007FFB913B0000-0x00007FFB913C0000-memory.dmp

Filesize
64KB

Download
memory/380-1099-0x00007FFBD1330000-0x00007FFBD1525000-memory.dmp

Filesize
2.0MB

Download
memory/380-7-0x00007FFB913B0000-0x00007FFB913C0000-memory.dmp

Filesize
64KB

Download
memory/380-6-0x00007FFBD1330000-0x00007FFBD1525000-memory.dmp

Filesize
2.0MB

Download
memory/380-5-0x00007FFBD1330000-0x00007FFBD1525000-memory.dmp

Filesize
2.0MB

Download
memory/3932-1090-0x00007FFB913B0000-0x00007FFB913C0000-memory.dmp

Filesize
64KB

Download
memory/3932-1092-0x00007FFB913B0000-0x00007FFB913C0000-memory.dmp

Filesize
64KB

Download
memory/3932-1091-0x00007FFB913B0000-0x00007FFB913C0000-memory.dmp

Filesize
64KB

Download
memory/3932-1089-0x00007FFB913B0000-0x00007FFB913C0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads