Analysis
max time kernel: 146s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240709-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
submitted: 24-07-2024 04:57

Behavioral task: behavioral1
Sample: 6a51e95ee504da80a3aee41ac5b72946_JaffaCakes118.doc
Resource: win7-20240705-en

Behavioral task: behavioral2
Sample: 6a51e95ee504da80a3aee41ac5b72946_JaffaCakes118.doc
Resource: win10v2004-20240709-en
General
Target: 6a51e95ee504da80a3aee41ac5b72946_JaffaCakes118.doc
Size: 241KB
MD5: 6a51e95ee504da80a3aee41ac5b72946
SHA1: 83c5d9346cc3ec0172cbcb4c6d565c2ac16e3ea0
SHA256: 523a015e5c32f58ffde514145402e3bd4487e72aba937cfcea78b50857e6075d
SHA512: 722bcc3e604724db4d1fe4ee1a154772127aff709fc09035adf43f33f23ca7bc2ce575b47829fa57f7fa51a1ed6bbf36fbdcd040c6327154d3f60759482e1ad2
SSDEEP: 3072:hvw9HXPJguq73/IKBWyhAdSc8hvTXZ/UWTPHZ:hvKHXPJi73wAkUBj5bPHZ
Malware Config
Signatures
Checks processor information in registry (2 TTPs, 6 IoCs)
Processor information is often read in order to detect sandboxing environments.

  description        ioc                                                                                    Process
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  EXCEL.EXE
  Key opened         \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0                      WINWORD.EXE
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz                 WINWORD.EXE
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  WINWORD.EXE
  Key opened         \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0                      EXCEL.EXE
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz                 EXCEL.EXE

Enumerates system info in registry (2 TTPs, 6 IoCs)

  description        ioc                                                           Process
  Key opened         \REGISTRY\MACHINE\Hardware\Description\System\BIOS            WINWORD.EXE
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily  WINWORD.EXE
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU     WINWORD.EXE
  Key opened         \REGISTRY\MACHINE\Hardware\Description\System\BIOS            EXCEL.EXE
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily  EXCEL.EXE
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU     EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener (2 IoCs)

  pid   Process
  2348  WINWORD.EXE
  2348  WINWORD.EXE

Suspicious use of AdjustPrivilegeToken (1 IoC)

  description               pid   Process
  Token: SeAuditPrivilege   4228  EXCEL.EXE

Suspicious use of SetWindowsHookEx (11 IoCs)

  pid   Process
  2348  WINWORD.EXE (7 occurrences)
  4228  EXCEL.EXE (4 occurrences)
Processes
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\6a51e95ee504da80a3aee41ac5b72946_JaffaCakes118.doc" /o ""
  PID: 2348
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
  PID: 4228
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\3E43292D-FB42-485A-B314-5F13CD74B24A
  Filesize: 169KB
  MD5: fe726ba45467bcc93587ae83c49765f1
  SHA1: 0368ff0d2e81c1fea226c2282c9e6f9d83bb52f6
  SHA256: aa99c92fc2b93bb711540c592dee80c5aa2a93e7ef07590ac6ee6cde1b69010a
  SHA512: 3bd1f61060bd587dbf76758a4926165a12fd5bb909e8545bb8a01ce60a84025483446d441e95afff917229dbfad06c9809e05d88e9efff13b6c0df47ccda36d8

C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres
  Filesize: 2KB
  MD5: 19e1e142cbc0497693346de3e2ded932
  SHA1: 67afa5a8fbfdb08e648bb7d85c20dd5643e4d8c4
  SHA256: 965a5dfd53a038baa5348448d8b7b28829f487a39d17dbfdca9e6283b6e190a4
  SHA512: 38735639478099ac12f4fe522bbf4891cc92a5b5552e367bfc7c5c4043eded20947bbba1b37c45655e6be689e4e96ba4565aeea69ff5b31a62837850e8e6f601

C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\49dbe2955480c7f6ef8cec9c4320c9868d9293fd.tbres
  Filesize: 2KB
  MD5: 39d8818222ae74a4e3d285206c7a2c9d
  SHA1: 208d67cbac86db6b75ae27117f2fd395abe12a9d
  SHA256: 01b035e7855cfeb6d3e3f2cf05d054d0259ca4667d94ebada56357e4a28d0a1f
  SHA512: 1ed6b333475f4b2957beb2c93974e3d72414d79706495a6d2b1f4cf0bebba801fe901c2da3b916fcdd84c2c34f05ea506e27390ed14e3bb84c671066cbffc389

(no path recorded)
  Filesize: 262KB
  MD5: 51d32ee5bc7ab811041f799652d26e04
  SHA1: 412193006aa3ef19e0a57e16acf86b830993024a
  SHA256: 6230814bf5b2d554397580613e20681752240ab87fd354ececf188c1eabe0e97
  SHA512: 5fc5d889b0c8e5ef464b76f0c4c9e61bda59b2d1205ac9417cc74d6e9f989fb73d78b4eb3044a1a1e1f2c00ce1ca1bd6d4d07eeadc4108c7b124867711c31810

(no path recorded)
  Filesize: 16B
  MD5: d29962abc88624befc0135579ae485ec
  SHA1: e40a6458296ec6a2427bcb280572d023a9862b31
  SHA256: a91a702aab9b8dd722843d3d208a21bcfa6556dfc64e2ded63975de4511eb866
  SHA512: 4311e87d8d5559248d4174908817a4ddc917bf7378114435cf12da8ccb7a1542c851812afbaf7dc106771bdb2e2d05f52e7d0c50d110fc7fffe4395592492c2f

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
  Filesize: 1KB
  MD5: fde44c593114eb3554d1febb9786bf1b
  SHA1: 19720d3b01b8a21c9edf2ae899fb5d873f7ebd7b
  SHA256: cd45296e88f9d240cdf2da2ed415c6bde2ed994220b8fa8971b74510a6d4973d
  SHA512: 3514535f0fe798a36e0742f3fda56fa7e2f61ad90d643fe8716e8b0268ddb5cc5070db1c7b5038813e256e0ab5ab1510e13d8a6d57a408ace42e07cb988876c8