Analysis
- max time kernel: 148s
- max time network: 157s
- platform: windows10-2004_x64
- resource: win10v2004-20240709-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 22-07-2024 23:04
Behavioral task: behavioral1
- Sample: 6528a15d6466aaf7ca5a0df70b7cb60a_JaffaCakes118.doc
- Resource: win7-20240708-en

Behavioral task: behavioral2
- Sample: 6528a15d6466aaf7ca5a0df70b7cb60a_JaffaCakes118.doc
- Resource: win10v2004-20240709-en
General
- Target: 6528a15d6466aaf7ca5a0df70b7cb60a_JaffaCakes118.doc
- Size: 241KB
- MD5: 6528a15d6466aaf7ca5a0df70b7cb60a
- SHA1: 147185525ec1d8aa95689a470c88d20dfcb8776d
- SHA256: 3d68c11b2a1a203b1ee6687331f944a7ec1f765fbf979143bf51b860eeb5ee15
- SHA512: c997fbeb168c112ed918bad3ab5b2e398166d92003fb553d1baf80d6ec64930499003559fa251ae90127aa8494a525701961c58e49479b08d853fe5022d9f6b9
- SSDEEP: 3072:Qvw9HXPJguq73/IKBWyqgdScYL/+KhPFHvfD:QvKHXPJi73wAhUcW/+K/Pr
Malware Config
Signatures
-
Checks processor information in registry (2 TTPs, 6 IoCs)
Processor information is often read in order to detect sandboxing environments.

| description | ioc | Process |
|---|---|---|
| Key opened | `\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0` | WINWORD.EXE |
| Key value queried | `\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz` | WINWORD.EXE |
| Key value queried | `\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString` | WINWORD.EXE |
| Key opened | `\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0` | EXCEL.EXE |
| Key value queried | `\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz` | EXCEL.EXE |
| Key value queried | `\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString` | EXCEL.EXE |
Enumerates system info in registry (2 TTPs, 6 IoCs)

| description | ioc | Process |
|---|---|---|
| Key value queried | `\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily` | EXCEL.EXE |
| Key value queried | `\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU` | EXCEL.EXE |
| Key opened | `\REGISTRY\MACHINE\Hardware\Description\System\BIOS` | WINWORD.EXE |
| Key value queried | `\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily` | WINWORD.EXE |
| Key value queried | `\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU` | WINWORD.EXE |
| Key opened | `\REGISTRY\MACHINE\Hardware\Description\System\BIOS` | EXCEL.EXE |
Suspicious behavior: AddClipboardFormatListener (2 IoCs)

| pid | Process |
|---|---|
| 4764 | WINWORD.EXE |
| 4764 | WINWORD.EXE |
Suspicious use of AdjustPrivilegeToken (1 IoC)

| description | pid | Process |
|---|---|---|
| Token: SeAuditPrivilege | 5088 | EXCEL.EXE |
Suspicious use of SetWindowsHookEx (11 IoCs)

| pid | Process | occurrences |
|---|---|---|
| 4764 | WINWORD.EXE | 7 |
| 5088 | EXCEL.EXE | 4 |
Processes
- C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
  - Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\6528a15d6466aaf7ca5a0df70b7cb60a_JaffaCakes118.doc" /o ""
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - PID: 4764
- C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
  - Command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - PID: 5088
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04
  - Filesize: 471B
  - MD5: 0f8def1ac71cd37e345cf69d5de62221
  - SHA1: 40577ef850cc82e7f3a73b4b3c5d2600afc7fb7c
  - SHA256: f270b7eef83b54c1cf6cdb2be99391f51c20dcd975acd305e0f55ee9c85d9264
  - SHA512: 43595d36c34e85c7222266c942adadc5362f2a62d24b02b98fa0ddcdd151fe7d794c2f51108d54225d8ca3b38e01c40f6df3ad4d0c639b023d275f69d640155d
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04
  - Filesize: 412B
  - MD5: eb603825e0db85593c55865c85548221
  - SHA1: 2e531cb825aff914e34f8075a936283dee1ac63d
  - SHA256: 1a99b2e1d6635876d4f2f200933c5b6b818ed46e0502eacbc09b3e87d7f99460
  - SHA512: 7402f87964d17b20bcf0bd13c2cb1d27092140c1cca615e91e6ba83bafce0d30666c7cc8e1f300a21f558da24d3e8d421dc9940abf7f69b6516e46ffd38b56ae
- C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\E1279BF2-0F4E-48D1-B3FF-67B945617776
  - Filesize: 169KB
  - MD5: c3d731689a9c11109550a9ecbaddf1d1
  - SHA1: 96742c553439b4857c3b7bcd07798a04ddc0d8a0
  - SHA256: 006b0258df0e75f9a1dfcaea5b786171c8e043febc9711f8aba13155fc35fdff
  - SHA512: 1a04bc6f0eeb0d482c8aa8027ed02fdd093860a26fa6db45c2faf005c5788bba7b379be9d3233b7bfb56818fd32ba50c7c1bcb8cde085799a4469b128c0623f9
- C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres
  - Filesize: 2KB
  - MD5: d240e9f8345825edba93d9c70f755919
  - SHA1: a71e3864148932e4f46c0fe2bd2d7f67cc85f758
  - SHA256: af927adeae732bee4737fba69a8d5533db1f7b512133de65998144ce241cfe19
  - SHA512: 8b6e66602ae471a48d48a400cec8f8eaf34d32d925173b460855e0eddd06c0d5fba9586e8bda59dae8e7f44f94b74b873e9006f560631d252b3d6721648f9dc2
- C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\49dbe2955480c7f6ef8cec9c4320c9868d9293fd.tbres
  - Filesize: 2KB
  - MD5: bbd2c74222f5ab3a1e170d549118c1c4
  - SHA1: 30114bea315d343053d7801e84992369cb7b4dd0
  - SHA256: 233be60dfc3284b0d141f9f7d74f2bf9128a5e1d8fc3b0953b3af95b5d2c7f7c
  - SHA512: 19d9d1e43ff2c036dd27f0e310a23ab99e7c7ab6dbddfa94936ea9424f148d9037c3482f8fc7371f85814c24e40daaa58845583bac68dc05e33aa758b8ab8af7
- (file path missing from the report)
  - Filesize: 262KB
  - MD5: 51d32ee5bc7ab811041f799652d26e04
  - SHA1: 412193006aa3ef19e0a57e16acf86b830993024a
  - SHA256: 6230814bf5b2d554397580613e20681752240ab87fd354ececf188c1eabe0e97
  - SHA512: 5fc5d889b0c8e5ef464b76f0c4c9e61bda59b2d1205ac9417cc74d6e9f989fb73d78b4eb3044a1a1e1f2c00ce1ca1bd6d4d07eeadc4108c7b124867711c31810
- (file path missing from the report)
  - Filesize: 16B
  - MD5: d29962abc88624befc0135579ae485ec
  - SHA1: e40a6458296ec6a2427bcb280572d023a9862b31
  - SHA256: a91a702aab9b8dd722843d3d208a21bcfa6556dfc64e2ded63975de4511eb866
  - SHA512: 4311e87d8d5559248d4174908817a4ddc917bf7378114435cf12da8ccb7a1542c851812afbaf7dc106771bdb2e2d05f52e7d0c50d110fc7fffe4395592492c2f
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
  - Filesize: 2KB
  - MD5: c8d2146d853fab6fd36db7632671d610
  - SHA1: 4f0b38071976feb2ca4f9acd22f0c7aa5011376c
  - SHA256: 419b03d530333e1f3b9c234f62dac9506aa57083b84873115b397bd3c4dc9956
  - SHA512: 16e04e93e51f9860a14bba8f2acde42aa254f04df9acc28366ca464260fd4a6aaf1603710d4cbfaa73704bf9d8fd56c50ad789581ef6df1519f137442e74fb15