Analysis
max time kernel: 145s
max time network: 148s
platform: windows10-2004_x64
resource: win10v2004-20240704-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240704-en, locale:en-us, os:windows10-2004-x64, system
submitted: 23-07-2024 09:32
Behavioral task: behavioral1
Sample: 6707a339e2ba210cce35fef5cc69dbd4_JaffaCakes118.doc
Resource: win7-20240705-en

Behavioral task: behavioral2
Sample: 6707a339e2ba210cce35fef5cc69dbd4_JaffaCakes118.doc
Resource: win10v2004-20240704-en
General
Target: 6707a339e2ba210cce35fef5cc69dbd4_JaffaCakes118.doc
Size: 234KB
MD5: 6707a339e2ba210cce35fef5cc69dbd4
SHA1: a8d99e07e32806db0da3f1a9cd68ffca0bfcd230
SHA256: 9ae7d3838afcb4c79b2886cc51dd7600174234603c9008a096c11babd2ed62af
SHA512: 43c80c93e6edc25ee3fb197b0c2ec2b0249643116e79ab175fb9c8d662782473e89678d05f67e956fe6227bc5c1b70506ef8d57a4ef7484c68445bdc65dcd98c
SSDEEP: 1536:3terThwxEM5OsmqrmrAK9hbMxHrTPTyqK/dRYP697qInyYnRvHMu3kriuZb/RlL+:3Uwxv5OsmqrmrAKHaSdSP6YClMck3p6r
Malware Config
Signatures

Checks processor information in registry (2 TTPs, 12 IoCs)
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | EXCEL.EXE
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | EXCEL.EXE
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | EXCEL.EXE
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE

Enumerates system info in registry (2 TTPs, 12 IoCs)
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | EXCEL.EXE
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | EXCEL.EXE
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener (5 IoCs)
pid | Process
1000 | WINWORD.EXE
1000 | WINWORD.EXE
2956 | WINWORD.EXE
4008 | EXCEL.EXE
2956 | WINWORD.EXE

Suspicious use of AdjustPrivilegeToken (2 IoCs)
description | pid | Process
Token: SeAuditPrivilege | 1056 | EXCEL.EXE
Token: SeAuditPrivilege | 4008 | EXCEL.EXE

Suspicious use of SetWindowsHookEx (25 IoCs)
pid | Process
1000 | WINWORD.EXE (7 entries)
1056 | EXCEL.EXE (4 entries)
2956 | WINWORD.EXE (10 entries)
4008 | EXCEL.EXE (4 entries)
Processes

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\6707a339e2ba210cce35fef5cc69dbd4_JaffaCakes118.doc" /o ""
PID: 1000
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
Command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
PID: 1056
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /Automation -Embedding
PID: 2956
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
Command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
PID: 4008
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9
Filesize: 471B
MD5: c25fa00d2d50c763284dc06088a9ce8b
SHA1: ded8a9c797ea71730b30317ee314050503f2a2dc
SHA256: 47bc3bd953888b201be49187a14c2e959c2b756b725928c6bb1d9be87ebd9bf5
SHA512: b5b4be49ee0f75afbe48a9d9d3c39feb74d9510d45a5d315d1cdfd52f9f8c0bc1fba633667dff0ec898ba403aa025c5a3d8326e952211953eedc9217496ee526

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9
Filesize: 420B
MD5: 455fde0a67fd79edd039481e4f208306
SHA1: 88b2c33d28754a506453f9239139b6236747fc9f
SHA256: c0001bdb34764f3bc3b95ce90368f62619a9a0984655cf98e16adbd076953189
SHA512: c1d478207bad9b731a88bbdfaeefbfa54baad252db746662e8621cfd8803ec6a8b42b975e7546412f713da54aae388df32d9c44b41e5aebee4d0527a89a4bc77

Filesize: 21B
MD5: f1b59332b953b3c99b3c95a44249c0d2
SHA1: 1b16a2ca32bf8481e18ff8b7365229b598908991
SHA256: 138e49660d259061d8152137abd8829acdfb78b69179890beb489fe3ffe23e0c
SHA512: 3c1f99ecc394df3741be875fbe8d95e249d1d9ac220805794a22caf81620d5fdd3cce19260d94c0829b3160b28a2b4042e46b56398e60f72134e49254e9679a4

Filesize: 417B
MD5: c56ff60fbd601e84edd5a0ff1010d584
SHA1: 342abb130dabeacde1d8ced806d67a3aef00a749
SHA256: 200e8cc8dd12e22c9720be73092eafb620435d4569dbdcdba9404ace2aa4343c
SHA512: acd2054fddb33b55b58b870edd4eb6a3cdd3131dfe6139cb3d27054ac2b2a460694c9be9c2a1da0f85606e95e7f393cf16868b6c654e78a664799bc3418da86e

Filesize: 87B
MD5: e4e83f8123e9740b8aa3c3dfa77c1c04
SHA1: 5281eae96efde7b0e16a1d977f005f0d3bd7aad0
SHA256: 6034f27b0823b2a6a76fe296e851939fd05324d0af9d55f249c79af118b0eb31
SHA512: bd6b33fd2bbce4a46991bc0d877695d16f7e60b1959a0defc79b627e569e5c6cac7b4ad4e3e1d8389a08584602a51cf84d44cf247f03beb95f7d307fbba12bb9

Filesize: 14B
MD5: 6ca4960355e4951c72aa5f6364e459d5
SHA1: 2fd90b4ec32804dff7a41b6e63c8b0a40b592113
SHA256: 88301f0b7e96132a2699a8bce47d120855c7f0a37054540019e3204d6bcbaba3
SHA512: 8544cd778717788b7484faf2001f463320a357db63cb72715c1395ef19d32eec4278bab07f15de3f4fed6af7e4f96c41908a0c45be94d5cdd8121877eccf310d

Filesize: 512KB
MD5: bf58ed661baa142a92d3468f7da2ea2b
SHA1: 8e65af0335800a050ddd17210a702b9b242a038c
SHA256: 13771d5625595e9acaff2f2062892daacd8e385252f8a9d41d9cf416460afd91
SHA512: 8241c2a7dec48c1d7ef3363d12cb4d07b25bf821f71ca8d25370e458a583ce2fd2d7e85eebd344f39e6d125bc73ff5989042658562a195393e0bab356d82c427

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\4A5FAB49-EB8B-49FD-B759-5AB909F036B7
Filesize: 169KB
MD5: 8bc898b3b019bb29293fb61367154623
SHA1: 1bb1ad3e1747de73473f0f93c53f9625a71c3f8c
SHA256: c6cf5b69e36bdfd81a6ddec328faef61163cb601ad50e5bb77ce2d814dd93997
SHA512: 60f4afcdbf6a60fbe390a0530f50151c717cf6ea093a182ad9b87ad3cc6c042543df1db954b3bf2d1d67809781b3c0c4590903cc8c5f2206ae71510e2223f43c

Filesize: 324KB
MD5: 134b5d4a84513e5eeb66a38d4d3f82a9
SHA1: 2ec0f004224095eaf70c72840c6355b518ec4f63
SHA256: f955542de1f4e77a0035c3d55f923ea3005c677f968b93268c4387aa9f5a38bb
SHA512: b47f7e97b53dfe56852d0889dc0f18542f47f69b1009b78d69ab8c512b79ec25b01fd01cdd22279c2ec54267156bb99417b3bb2a26bed0b4935260a625d8aabb

Filesize: 10KB
MD5: db9b614064eddffa13cfc83bfec531a0
SHA1: 50b3b4369ed2875d6a0ac51ae9b09238fef270c4
SHA256: de59f50a4df9017c39e5b9306a172643c407a1db534c0ab27bdce489295f4512
SHA512: b4bd571fc2a61594cce43d4b9176cd3d3fb9760ac38cbbb8a96a281158ae1791357a4b90d03525f37faac24eae1fbd8ef40755203143e9203ae0a72daab8b9b9

Filesize: 8KB
MD5: edb73b62e6cdf4f713f81f24a5747fb3
SHA1: 8a5586e86908534820c79fb7d1f3bce6bc21df58
SHA256: cfd12db8d5e5cfa3fd4ba2ba47c9a1cf018fc58e6af5b7e4fd8a670419fd0749
SHA512: 513d9e7f072a857da9bc3137c1912faa5d0a9b0a7d7512d426be10e49df4cb1acaa00943456f6cd8f9d5e097e8d430e8c9f856c536b03bf08e90e162daf267ee

C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres
Filesize: 2KB
MD5: 2f69e62fb5f409732c3c511c2cb2445d
SHA1: b6cf73319dd5d351614359dcd256d6a9906b0120
SHA256: cf97072642e6470aada58992e6746cb27beca90cafc89fc4e18af18ad65c7dce
SHA512: 5edee7ade69dbf53183cde758ce83bdd492360b076e0a1fbfcd74585f91a10503d9f49f5061603778b43a614f833abe03de389f13e384cfb21359aba2fe3b845

C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\49dbe2955480c7f6ef8cec9c4320c9868d9293fd.tbres
Filesize: 2KB
MD5: 4089d216220241f859653bb67a22311e
SHA1: 002028209474b70570d6eb119417b0a26880ddcb
SHA256: 9d1f2b817419d3e3835803682bc685b2b8bccfa069ee7d3ee8fc7089275648ab
SHA512: 9a443d526731d84f3e650a9782744baabe5e13baddb059ce1ed58941864385f4361c543e08259cfd6640452dd638e8c23c31343cded7c5fab560debec5b94d4f

Filesize: 148KB
MD5: 267c63347d18351e16ff53f72407708e
SHA1: 0bde32c60caff3e3a9c8ed6ed823c179e71e3067
SHA256: 44d2d5f1fcbbdfd15c609d5f1cee5f2fb706aa5d73740bffca0d02c4d0310d05
SHA512: 1607ba990b35aea33e5061b44637719430575c0d0ff7af7818399f5c456edfc315ccf828b3bf52bdabb87b5623a55ff09ee14aa01d8c7c827edbc1a2ef168a51

Filesize: 16B
MD5: d29962abc88624befc0135579ae485ec
SHA1: e40a6458296ec6a2427bcb280572d023a9862b31
SHA256: a91a702aab9b8dd722843d3d208a21bcfa6556dfc64e2ded63975de4511eb866
SHA512: 4311e87d8d5559248d4174908817a4ddc917bf7378114435cf12da8ccb7a1542c851812afbaf7dc106771bdb2e2d05f52e7d0c50d110fc7fffe4395592492c2f