1e42bacdd75441a16f3b99f6b63b2e9f01786413a0218531f26d7c9b96795484

Analysis

max time kernel
148s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
12/07/2024, 19:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3e844abd29091f61f3c48ce4dd6a145e_JaffaCakes118.doc
Size

234KB
MD5

3e844abd29091f61f3c48ce4dd6a145e
SHA1

cbd1935e9c28f478e963c81333e0607e157c1843
SHA256

1e42bacdd75441a16f3b99f6b63b2e9f01786413a0218531f26d7c9b96795484
SHA512

64b4b6bd9f7e36a3e2c84d999359963312c81245ce9b24e2e38d9e3eedf6e1e1d5746100cb7f62c03a0ca71780508dea6a2b2472d0f1385f36cfd7848bb06845
SSDEEP

1536:pterThwxEM5OsmqrmrAK9hbhkHrTPcyhK/dRYaBMRq0T7+hAm53n:pUwxv5OsmqrmrAKHyAdSAbo7+nVn

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 15 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE

Enumerates system info in registry 2 TTPs 15 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 4 IoCs

pid	Process
1096	WINWORD.EXE
1096	WINWORD.EXE
1276	WINWORD.EXE
1276	WINWORD.EXE

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeAuditPrivilege	3920	EXCEL.EXE
Token: SeAuditPrivilege	2516	EXCEL.EXE
Token: SeAuditPrivilege	3256	EXCEL.EXE

Suspicious use of SetWindowsHookEx 29 IoCs

pid	Process
1096	WINWORD.EXE
1096	WINWORD.EXE
1096	WINWORD.EXE
1096	WINWORD.EXE
1096	WINWORD.EXE
1096	WINWORD.EXE
1096	WINWORD.EXE
3920	EXCEL.EXE
3920	EXCEL.EXE
3920	EXCEL.EXE
3920	EXCEL.EXE
1276	WINWORD.EXE
1276	WINWORD.EXE
1276	WINWORD.EXE
1276	WINWORD.EXE
1276	WINWORD.EXE
1276	WINWORD.EXE
1276	WINWORD.EXE
1276	WINWORD.EXE
1276	WINWORD.EXE
1276	WINWORD.EXE
2516	EXCEL.EXE
2516	EXCEL.EXE
2516	EXCEL.EXE
2516	EXCEL.EXE
3256	EXCEL.EXE
3256	EXCEL.EXE
3256	EXCEL.EXE
3256	EXCEL.EXE

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\3e844abd29091f61f3c48ce4dd6a145e_JaffaCakes118.doc" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1096

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3920

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /Automation -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1276

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2516

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3256

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.CampaignStates.json

Filesize
21B

MD5
f1b59332b953b3c99b3c95a44249c0d2

SHA1
1b16a2ca32bf8481e18ff8b7365229b598908991

SHA256
138e49660d259061d8152137abd8829acdfb78b69179890beb489fe3ffe23e0c

SHA512
3c1f99ecc394df3741be875fbe8d95e249d1d9ac220805794a22caf81620d5fdd3cce19260d94c0829b3160b28a2b4042e46b56398e60f72134e49254e9679a4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.GovernedChannelStates.json

Filesize
417B

MD5
c56ff60fbd601e84edd5a0ff1010d584

SHA1
342abb130dabeacde1d8ced806d67a3aef00a749

SHA256
200e8cc8dd12e22c9720be73092eafb620435d4569dbdcdba9404ace2aa4343c

SHA512
acd2054fddb33b55b58b870edd4eb6a3cdd3131dfe6139cb3d27054ac2b2a460694c9be9c2a1da0f85606e95e7f393cf16868b6c654e78a664799bc3418da86e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.Settings.json

Filesize
87B

MD5
e4e83f8123e9740b8aa3c3dfa77c1c04

SHA1
5281eae96efde7b0e16a1d977f005f0d3bd7aad0

SHA256
6034f27b0823b2a6a76fe296e851939fd05324d0af9d55f249c79af118b0eb31

SHA512
bd6b33fd2bbce4a46991bc0d877695d16f7e60b1959a0defc79b627e569e5c6cac7b4ad4e3e1d8389a08584602a51cf84d44cf247f03beb95f7d307fbba12bb9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.SurveyEventActivityStats.json

Filesize
14B

MD5
6ca4960355e4951c72aa5f6364e459d5

SHA1
2fd90b4ec32804dff7a41b6e63c8b0a40b592113

SHA256
88301f0b7e96132a2699a8bce47d120855c7f0a37054540019e3204d6bcbaba3

SHA512
8544cd778717788b7484faf2001f463320a357db63cb72715c1395ef19d32eec4278bab07f15de3f4fed6af7e4f96c41908a0c45be94d5cdd8121877eccf310d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\OfficeFileCache\CentralTable.accdb

Filesize
512KB

MD5
c65eab4fc43fc1dc69361b6c58d388f9

SHA1
ef5be80af4e4476189c0e23b26791b6463c43b0a

SHA256
30cab8c8e291d5c7f5c6a76767be96809df5d00e20c647bd39151abc083e98c8

SHA512
a8d9ef4009ecb381671b906754d197489bfb4dd7f1e35cfb34492105f06762a0d0c09b0ad4c3aa045ae67f870f1a181d8308005cd138fd9d8fdc3bdc3ac11397

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\5B08BDD9-FDD1-47ED-AAD1-3C9998241427

Filesize
168KB

MD5
cbcbf38013b381d014f15bbdd31491bf

SHA1
40d6a6d4f68af93f1115cce7c1b4c6e6916b60fa

SHA256
3bc9db80f8ffc276ed9591ef78f15d6fa93553af22510131c442399d8099a63d

SHA512
764e67bb5d39f7c29c560e5b934fc6ebda3e6d3c16429575fcb335b1ee468df85f777d99df56d1a67a0f910773500b6e07ebf94f2a5109d9367701e7c0b1baef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\DLP\mip\logs\mip_sdk.miplog

Filesize
10KB

MD5
15d85640a64e7651822a3b2f2ab4d753

SHA1
9fac642977b6c2a4ff07747360f60377a04b9f9c

SHA256
3f6839a49fb8ec767e63d9f2e81a461ed7dc72fde8eef83108c1798448ed3362

SHA512
c48984e0b81556d7732bfe63c8ac118d0a7c289b07b6070c061fd0181204516976a8197ce681186481fe512d3bdec344fc4aee1f92f7761665579af3daaa216b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\excel.exe.db

Filesize
24KB

MD5
085ebd119f5fc6b8f63720fac1166ff5

SHA1
af066018aadec31b8e70a124a158736aca897306

SHA256
b8411fe8ec499074fca9047f6983d920279e84ddf3b02b2dd5c08cf07ec44687

SHA512
adb0522830db26123347cb485c43b156f5c888510e52091ba0fafc22b650ad29630c027746c920321905c28259dce7ff63dded93a79efddd5567c68312117875

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\excel.exe.db-wal

Filesize
4KB

MD5
61a8bcbcc0d2df08cd39f45302525b17

SHA1
6439819bc47e334ba00acc533c82cc04db14d27f

SHA256
59aa9dafb3806e0f828886a497b444c3190a3e9eb05b1b576814fc433576209e

SHA512
e9bbf6aa84471bdc35f8cd842973f6af932c970a5d1a91c0270cb8b6536e3e22996b0ecfd076fef1162d729ec8261f44ebd509b6daed6b2dc763c9cebbb4cc8f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\winword.exe.db-wal

Filesize
8KB

MD5
289291e1b8f496ebcf929936770c81c0

SHA1
e8e36fc42380a9e5ee3d13c36ed41af82e75bc1c

SHA256
de3d53e4eb8f4a31a55b42bd0a704aa5382369ba9e957ed9560a8cd6ea8ac8cd

SHA512
671ae832984f1ac13b3b028aafcc2c9bf9643e6273c3f5643efeb49f0f420428214d6ecb753b2839d611208e83a9261a3ed503228c0138d7ac20e96b3b81d45f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres

Filesize
2KB

MD5
a1c6b6ab543adfaaaaed219a080deac8

SHA1
83d406d4434e26c74d2709b5134e0cd39f588128

SHA256
3aad73d069f7b8e9937f916c3c837f5c97e1947dc2e176d2cf3f496463b63ae3

SHA512
7d1125c0fbcfc042dcb791d80e09c282e438a2f61774fcbe2307e02938adb2ad5e3d29b4c1a37d5a66247554c092154ebd81dc352ebec5c4084e8a66b935b2e3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\49dbe2955480c7f6ef8cec9c4320c9868d9293fd.tbres

Filesize
2KB

MD5
d4fd1a297f6d971c69fd8ab9d64b02aa

SHA1
f5a30bf6e6bcb33b755a2e329d2dece476bfcaf7

SHA256
a2995430c11fce9e9a84c9a246c77afdc751041c9bea2cf846e71365443e0c0a

SHA512
cf37478d7a2094c63c4066525e3e2c921a4b6ffff8e4280e52ccc7da495d279d96bddbb150505c26923f1658a4354a998efef7b07da17d061be6116cfa614f28

Download Submit
C:\Users\Admin\AppData\Local\Temp\TCDCF3.tmp\gb.xsl

Filesize
262KB

MD5
51d32ee5bc7ab811041f799652d26e04

SHA1
412193006aa3ef19e0a57e16acf86b830993024a

SHA256
6230814bf5b2d554397580613e20681752240ab87fd354ececf188c1eabe0e97

SHA512
5fc5d889b0c8e5ef464b76f0c4c9e61bda59b2d1205ac9417cc74d6e9f989fb73d78b4eb3044a1a1e1f2c00ce1ca1bd6d4d07eeadc4108c7b124867711c31810

Download Submit
C:\Users\Admin\AppData\Local\Temp\VBE\MSForms.exd

Filesize
148KB

MD5
6a628fc8ae9cd00e2237ddb87b3ad67c

SHA1
0a51ab5b96be77b026cb80a2b4e5a7a6f346484c

SHA256
196633ee585ca5bdc9c8c50e5c40faeeeb27496400ed940efec51b134ab1d27b

SHA512
1b90848047320076c3400580b567c06a3df129bb6f7df434ea3b21f37f9683616f60d3870c538d1cda926ccd93e8144bbef0b2d457686978c18674e86fed5029

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

Filesize
1KB

MD5
92c7900c65fea6ed015c3a66e888e9ac

SHA1
eecab8b37d3a8025037b2ab6e56952a65aa88aca

SHA256
ebee1b6e3f70212966324487054c4e598cc000e3c1002e8291d289e5f65513d5

SHA512
01630de178fdf960a6cacfae90adbed001de34904e87c4b2ed2e7a8706511874ca14815da0fe2101b160be3634041e7a96192bd66e2b91c2bd72cbfad71eb004

Download Submit
memory/1096-5-0x00007FFE1C710000-0x00007FFE1C720000-memory.dmp

Filesize
64KB

Download
memory/1096-6-0x00007FFE5C690000-0x00007FFE5C885000-memory.dmp

Filesize
2.0MB

Download
memory/1096-16-0x00007FFE5C690000-0x00007FFE5C885000-memory.dmp

Filesize
2.0MB

Download
memory/1096-15-0x00007FFE5C690000-0x00007FFE5C885000-memory.dmp

Filesize
2.0MB

Download
memory/1096-12-0x00007FFE5C690000-0x00007FFE5C885000-memory.dmp

Filesize
2.0MB

Download
memory/1096-0-0x00007FFE1C710000-0x00007FFE1C720000-memory.dmp

Filesize
64KB

Download
memory/1096-18-0x00007FFE5C690000-0x00007FFE5C885000-memory.dmp

Filesize
2.0MB

Download
memory/1096-20-0x00007FFE5C690000-0x00007FFE5C885000-memory.dmp

Filesize
2.0MB

Download
memory/1096-160-0x00007FFE5C690000-0x00007FFE5C885000-memory.dmp

Filesize
2.0MB

Download
memory/1096-213-0x00007FFE5C690000-0x00007FFE5C885000-memory.dmp

Filesize
2.0MB

Download
memory/1096-19-0x00007FFE5C690000-0x00007FFE5C885000-memory.dmp

Filesize
2.0MB

Download
memory/1096-14-0x00007FFE5C690000-0x00007FFE5C885000-memory.dmp

Filesize
2.0MB

Download
memory/1096-13-0x00007FFE1A170000-0x00007FFE1A180000-memory.dmp

Filesize
64KB

Download
memory/1096-17-0x00007FFE5C690000-0x00007FFE5C885000-memory.dmp

Filesize
2.0MB

Download
memory/1096-11-0x00007FFE1A170000-0x00007FFE1A180000-memory.dmp

Filesize
64KB

Download
memory/1096-2-0x00007FFE1C710000-0x00007FFE1C720000-memory.dmp

Filesize
64KB

Download
memory/1096-1-0x00007FFE1C710000-0x00007FFE1C720000-memory.dmp

Filesize
64KB

Download
memory/1096-4-0x00007FFE5C72D000-0x00007FFE5C72E000-memory.dmp

Filesize
4KB

Download
memory/1096-3-0x00007FFE1C710000-0x00007FFE1C720000-memory.dmp

Filesize
64KB

Download
memory/1096-1200-0x00007FFE5C690000-0x00007FFE5C885000-memory.dmp

Filesize
2.0MB

Download
memory/1096-7-0x00007FFE5C690000-0x00007FFE5C885000-memory.dmp

Filesize
2.0MB

Download
memory/1096-10-0x00007FFE5C690000-0x00007FFE5C885000-memory.dmp

Filesize
2.0MB

Download
memory/1096-9-0x00007FFE5C690000-0x00007FFE5C885000-memory.dmp

Filesize
2.0MB

Download
memory/1096-8-0x00007FFE5C690000-0x00007FFE5C885000-memory.dmp

Filesize
2.0MB

Download
memory/3920-1192-0x00007FFE1C710000-0x00007FFE1C720000-memory.dmp

Filesize
64KB

Download
memory/3920-1193-0x00007FFE1C710000-0x00007FFE1C720000-memory.dmp

Filesize
64KB

Download
memory/3920-1191-0x00007FFE1C710000-0x00007FFE1C720000-memory.dmp

Filesize
64KB

Download
memory/3920-1190-0x00007FFE1C710000-0x00007FFE1C720000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads