Analysis
max time kernel: 143s
max time network: 127s
platform: windows10-2004_x64
resource: win10v2004-20240709-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
submitted: 23-07-2024 15:24
Behavioral task: behavioral1
Sample: 68200a45478b22badfd8d4b28e391c46_JaffaCakes118.doc
Resource: win7-20240704-en
Behavioral task: behavioral2
Sample: 68200a45478b22badfd8d4b28e391c46_JaffaCakes118.doc
Resource: win10v2004-20240709-en
General
Target: 68200a45478b22badfd8d4b28e391c46_JaffaCakes118.doc
Size: 204KB
MD5: 68200a45478b22badfd8d4b28e391c46
SHA1: 6561cf457dc56355a8680957778cb52f3a8afd18
SHA256: ab8f3de244826eb9113aa788511bed8d9a2675a6e672f58c8bac8160d76fdc6d
SHA512: a61924cf7f7a92617f2e9b3eefb67ec36df6125393272a88c63cb95812d000192947d5505fe60b9aa7b3508d13f28da53bb3da51bd5e4ac79393536466c4cc4a
SSDEEP: 1536:MtPrT8wrLT0NeXxz1DweTHrTPxyP5J8b5z2Lk3tl2lvli8+7XG6QKt42+w:M2w3keXxz1Dfnc+M0OvlibX3QJ2+w
Malware Config
Signatures
- Checks processor information in registry (2 TTPs, 15 IoCs)
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | EXCEL.EXE
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | EXCEL.EXE
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | EXCEL.EXE
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
- Enumerates system info in registry (2 TTPs, 15 IoCs)
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | EXCEL.EXE
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | EXCEL.EXE
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | EXCEL.EXE
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
- Suspicious behavior: AddClipboardFormatListener (4 IoCs)
pid | Process | count
8 | WINWORD.EXE | 2
1468 | WINWORD.EXE | 2
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
description | pid | Process
Token: SeAuditPrivilege | 3632 | EXCEL.EXE
Token: SeAuditPrivilege | 1372 | EXCEL.EXE
Token: SeAuditPrivilege | 1472 | EXCEL.EXE
- Suspicious use of SetWindowsHookEx (30 IoCs)
pid | Process | count
8 | WINWORD.EXE | 7
3632 | EXCEL.EXE | 4
1468 | WINWORD.EXE | 11
1372 | EXCEL.EXE | 4
1472 | EXCEL.EXE | 4
Processes
- C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\68200a45478b22badfd8d4b28e391c46_JaffaCakes118.doc" /o ""
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  PID: 8
- C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID: 3632
- C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /Automation -Embedding
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  PID: 1468
- C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID: 1372
- C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID: 1472
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9
  Filesize: 471B
  MD5: c25fa00d2d50c763284dc06088a9ce8b
  SHA1: ded8a9c797ea71730b30317ee314050503f2a2dc
  SHA256: 47bc3bd953888b201be49187a14c2e959c2b756b725928c6bb1d9be87ebd9bf5
  SHA512: b5b4be49ee0f75afbe48a9d9d3c39feb74d9510d45a5d315d1cdfd52f9f8c0bc1fba633667dff0ec898ba403aa025c5a3d8326e952211953eedc9217496ee526
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9
  Filesize: 420B
  MD5: 3f30f8eceab8bfd10fe07638b9807c69
  SHA1: 35fd0e81c7810b061417d3abb1369a6e9dc15d1f
  SHA256: 482d8ad97ef67c3f60037c6252328388d88c060da61fed97e2fbbcfda4a47a4b
  SHA512: eba850b7716365028eca7cf67f6c4a63989a7945c691c0f45e7b5ce4a4a460595df65234650823b16b4b5224b4c1c96b06bb785251d3c33522fdfcebf87c2577
-
  Filesize: 502B
  MD5: 1b0f8b404df7bebfb07c05b545dbda4d
  SHA1: cf109d1238dec79c46eef4b6feb0225640ba5055
  SHA256: 2606c2ddf2819e3d57ef624fb79f0c43f501bc35ea2b5c9346b0a36d741a70b3
  SHA512: 76378825f6a1317d6a27602222ced07c9dee441fb0c0e8f047acbdf4efc3c3c001fbfa55c5f7f33e752690bf579ee7f54390b3cc55ef63d121007f1896b46037
-
  Filesize: 417B
  MD5: c56ff60fbd601e84edd5a0ff1010d584
  SHA1: 342abb130dabeacde1d8ced806d67a3aef00a749
  SHA256: 200e8cc8dd12e22c9720be73092eafb620435d4569dbdcdba9404ace2aa4343c
  SHA512: acd2054fddb33b55b58b870edd4eb6a3cdd3131dfe6139cb3d27054ac2b2a460694c9be9c2a1da0f85606e95e7f393cf16868b6c654e78a664799bc3418da86e
-
  Filesize: 87B
  MD5: e4e83f8123e9740b8aa3c3dfa77c1c04
  SHA1: 5281eae96efde7b0e16a1d977f005f0d3bd7aad0
  SHA256: 6034f27b0823b2a6a76fe296e851939fd05324d0af9d55f249c79af118b0eb31
  SHA512: bd6b33fd2bbce4a46991bc0d877695d16f7e60b1959a0defc79b627e569e5c6cac7b4ad4e3e1d8389a08584602a51cf84d44cf247f03beb95f7d307fbba12bb9
-
  Filesize: 14B
  MD5: 6ca4960355e4951c72aa5f6364e459d5
  SHA1: 2fd90b4ec32804dff7a41b6e63c8b0a40b592113
  SHA256: 88301f0b7e96132a2699a8bce47d120855c7f0a37054540019e3204d6bcbaba3
  SHA512: 8544cd778717788b7484faf2001f463320a357db63cb72715c1395ef19d32eec4278bab07f15de3f4fed6af7e4f96c41908a0c45be94d5cdd8121877eccf310d
-
  Filesize: 512KB
  MD5: 17106532757ace5c446d217d192da28f
  SHA1: 4132212bbc015f02abcecb0ebcb383de28bea76a
  SHA256: 25cb520ad25ee40774ed13a85e946f2530bde58ef25c45396e198d8fa5548480
  SHA512: 33305d86137ad2acbdfec36d7b9ecda49018ae47cd93aee4ef2a563c196694f17f261923a77ddcec6e2e7dac7182173a070e4716ae6eb6d2876f75383a6c50fa
- C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\06FEA250-DFA1-4C2D-8016-C2C8F5AC975E
  Filesize: 169KB
  MD5: 3777b72f8a1cca2dccb160f88994819c
  SHA1: 2388364584237d2cbcd5d5ea94f4231dcf3b5586
  SHA256: 2575d676f3fb232b2e3873cee993db1c44926665717ac0ccb4f408d92a68a065
  SHA512: 6763e13b35206ce5a74a1031d6515d4e06af76f999f35a9259ca609d10ad92e1f233ef473c0f00b4fbd2afea8fb6d7ab264a7ad965d991e2bcdf6f5dab87ae60
-
  Filesize: 323KB
  MD5: ee7dcf1eeeb5e62e14b7cefc3d380ed7
  SHA1: 2ea854d606150cca70a1abb7671c0cc7fe09e975
  SHA256: a4b4b281c84b5470523f7295d3ca6038ebb3d569c0af3b82fdd85a2bb99e765f
  SHA512: a3ed70c6e2d0ba28482c4a78c34ca395274df44a7d4910748508752b46528a0967939e6b5e1d8935c5725ab94f1dfd7f69be0f4b82378bfa3d0fca27d60a23ea
-
  Filesize: 332KB
  MD5: 874e05073239ce46fb73138f72a0b502
  SHA1: 6c5cfb40cc141c26048fd1c06986983e21db47b0
  SHA256: 18200fdb493faadfd4016b59a77bd873212d3a12f6b01d01087c59e78b3ce0ed
  SHA512: 4650990457be788c226295023f4778a119777ee9716556a09f48f63238dcac72f9501776432cdb94f81de766414252f53c3006aae258e97199577baedbe68a58
-
  Filesize: 10KB
  MD5: 2525a21a685d4af0a0a1ae5e8dbf0dab
  SHA1: 54af9c07c9e987f8fa81b08507d514dc53b0b8c7
  SHA256: 45250e62ab332cb8065a9355c2a74656a898efed9ac7057ec6d4a922f3c96966
  SHA512: eba6ad9d427b759e68520bdd86a9eea8ea706cc19ad8ffd580d0d1013f695bbd14a06145f836d86d2f59c78c06fc5195db4051f10c886a12960839b892292c48
-
  Filesize: 24KB
  MD5: 085ebd119f5fc6b8f63720fac1166ff5
  SHA1: af066018aadec31b8e70a124a158736aca897306
  SHA256: b8411fe8ec499074fca9047f6983d920279e84ddf3b02b2dd5c08cf07ec44687
  SHA512: adb0522830db26123347cb485c43b156f5c888510e52091ba0fafc22b650ad29630c027746c920321905c28259dce7ff63dded93a79efddd5567c68312117875
-
  Filesize: 8KB
  MD5: 1e2be43514c8d7bb341a9a9f07ef6860
  SHA1: 41a59761d1c00aae7cddcd2c5c9238a8ebb844e5
  SHA256: ea8b4e42cdb2e2716ed2fa97989ab37a16ee4ec79dd0e61d2134b1914a859aa0
  SHA512: 4ac4a96329c347e0387994a385b489fc1b4ffef6fa32d9a3ada78a3afbb2c1685ebb6416522e71758183df44e237aaa178f59f0f9a50f46202488664d4d3dc98
-
  Filesize: 8KB
  MD5: 1e1992073a5d2ec41ffcc8acf7fd1ab9
  SHA1: 268886015719898d2275a506633ca6d3ba52f221
  SHA256: 3141c6f709f7048aa039fdedadcf52ca780dc13aa586847c647190a4b33ee520
  SHA512: 5190d893baf53541137d6bbdc486f78a9d4df4f031c2ddf60e35892306c444ab3b4b77129138ac68e98c76735319cc5a58cdbc0a6daf969a4627fb53b3cc93ea
- C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres
  Filesize: 2KB
  MD5: a9799c48917e34370b1713d3c9e9a988
  SHA1: 0350ffbd70e3719dbe9ae0ad507d61ef54d015d1
  SHA256: 90339737188a05dd5e04a22b57053ad92b94fd91557c96856d854e6837f69592
  SHA512: c15a9c5bb02e569d71e88491d9c9310d724a6e7fbcd1713093a4e2614f97f74d8d5bcec29c249e9070c393100ab7778ba9a93bb718a4208b2c1a2364413e6886
- C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\49dbe2955480c7f6ef8cec9c4320c9868d9293fd.tbres
  Filesize: 2KB
  MD5: 1b5548951dddcc3edf0b67f464e454e9
  SHA1: 09ed718b9532fc913d538f4f84c431d90a117089
  SHA256: 9af972601b1e1cf41040d573bf80060153abf9502eaa45c9487f45a2908bdbd6
  SHA512: f123e29ff516f40ce3214b99d43660f23dd94f9ddef16672ae66654811dd0abba532702896244e390386b188953a4dfb38e5dd4c7a58eb5154423700a72d6b4d
-
  Filesize: 262KB
  MD5: 51d32ee5bc7ab811041f799652d26e04
  SHA1: 412193006aa3ef19e0a57e16acf86b830993024a
  SHA256: 6230814bf5b2d554397580613e20681752240ab87fd354ececf188c1eabe0e97
  SHA512: 5fc5d889b0c8e5ef464b76f0c4c9e61bda59b2d1205ac9417cc74d6e9f989fb73d78b4eb3044a1a1e1f2c00ce1ca1bd6d4d07eeadc4108c7b124867711c31810
-
  Filesize: 148KB
  MD5: eeed25c9b834789399cce3927cf9a85f
  SHA1: 44f9d0e89a670b982e93c1e915d0cdfd2a41600d
  SHA256: ffbcd65534cd9264d5c6c533dcd11fd2ba39d79a5985121591925d8850d0f528
  SHA512: 20b0b44571a397b08385b928f23f20008b9be7da3d5eb38f8678eb19d0e1b30e1cc738171f52805af3fd0a1cbd426caabaf3b6ca10cb1178e49cdc6a15a21bdc
-
  Filesize: 16B
  MD5: d29962abc88624befc0135579ae485ec
  SHA1: e40a6458296ec6a2427bcb280572d023a9862b31
  SHA256: a91a702aab9b8dd722843d3d208a21bcfa6556dfc64e2ded63975de4511eb866
  SHA512: 4311e87d8d5559248d4174908817a4ddc917bf7378114435cf12da8ccb7a1542c851812afbaf7dc106771bdb2e2d05f52e7d0c50d110fc7fffe4395592492c2f
-
  Filesize: 2B
  MD5: f3b25701fe362ec84616a93a45ce9998
  SHA1: d62636d8caec13f04e28442a0a6fa1afeb024bbb
  SHA256: b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
  SHA512: 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
  Filesize: 1KB
  MD5: 0161051aef497538db4dc2c4a2b03202
  SHA1: d81c4c80e0c716c6505ebb923d3a53eea2df0c82
  SHA256: 9b14d140d9a48c343b44e2970bdf01c3c4a6b16a6060f688c982fd4336921cf3
  SHA512: 15913730b3985dc33ad6f4c917a54dbf38b20fab5716708d99146caa174ef6546eb26bcd59c683a247691c1cb003ea03cb4cf510c3af7d676727e2c8b98b4a66