Analysis
-
max time kernel
102s -
max time network
127s -
platform
windows10-2004_x64 -
resource
win10v2004-20240709-en -
resource tags
arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system -
submitted
24-07-2024 16:27
Behavioral task
behavioral1
Sample
6c2823f90322d1f0f6bccda71490485a_JaffaCakes118.doc
Resource
win7-20240704-en
Behavioral task
behavioral2
Sample
6c2823f90322d1f0f6bccda71490485a_JaffaCakes118.doc
Resource
win10v2004-20240709-en
General
-
Target
6c2823f90322d1f0f6bccda71490485a_JaffaCakes118.doc
-
Size
44KB
-
MD5
6c2823f90322d1f0f6bccda71490485a
-
SHA1
faecd289e11103cb2c4b3f2ce03933ba348d764a
-
SHA256
a0e4e73ae659b896893702a2f0f2ed251a89103cf2d0fc8235dc4d639f63fe1e
-
SHA512
65d14ad30072f2dda8a0473d096fe76abe76cafc2ff41a6985bfa3ec4c79b080119996b9cc649fef8e158f436decb7e7fde589e5ad6940bd4fee885097957d38
-
SSDEEP
384:lxwHTZzB1vdBmrb3ilC5mijXjfk0t6VV:lcTZB1vdArriA5mYk1
Malware Config
Signatures
-
Office macro that triggers on suspicious action 1 IoCs
Office document macro which triggers in special circumstances - often malicious.
resource yara_rule behavioral2/files/0x000a000000023520-292.dat office_macro_on_action -
Deletes itself 1 IoCs
pid Process 4652 WINWORD.EXE -
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WINWORD.EXE -
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WINWORD.EXE -
NTFS ADS 2 IoCs
description ioc Process File created C:\Users\Admin\AppData\Local\Temp\~WRD0004.tmp\:Zone.Identifier:$DATA WINWORD.EXE File created C:\Users\Admin\AppData\Local\Temp\~WRD0002.tmp\:Zone.Identifier:$DATA WINWORD.EXE -
Suspicious behavior: AddClipboardFormatListener 2 IoCs
pid Process 4652 WINWORD.EXE 4652 WINWORD.EXE -
Suspicious use of SetWindowsHookEx 15 IoCs
pid Process 4652 WINWORD.EXE 4652 WINWORD.EXE 4652 WINWORD.EXE 4652 WINWORD.EXE 4652 WINWORD.EXE 4652 WINWORD.EXE 4652 WINWORD.EXE 4652 WINWORD.EXE 4652 WINWORD.EXE 4652 WINWORD.EXE 4652 WINWORD.EXE 4652 WINWORD.EXE 4652 WINWORD.EXE 4652 WINWORD.EXE 4652 WINWORD.EXE
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\6c2823f90322d1f0f6bccda71490485a_JaffaCakes118.doc" /o ""1⤵
- Deletes itself
- Checks processor information in registry
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:4652
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
880B
MD50522d8dcdc9860ea7f4b9966c5d466b9
SHA17dd16a4d0159a3c2bc81fdb7893a0ebdf925bdc1
SHA25680742dade91f8c7521277ea827aa93e8a13d100997a24f9afb4e3568224cb8d0
SHA5120ab2c5abbf5823d36d452440d1f0d8dd1e0f297855dbb8536de9eccad29e62c2585f81fd2f3f6e804221421f011482b10f402645ae0784dd550269452c5c6c08
-
Filesize
245KB
MD5f883b260a8d67082ea895c14bf56dd56
SHA17954565c1f243d46ad3b1e2f1baf3281451fc14b
SHA256ef4835db41a485b56c2ef0ff7094bc2350460573a686182bc45fd6613480e353
SHA512d95924a499f32d9b4d9a7d298502181f9e9048c21dbe0496fa3c3279b263d6f7d594b859111a99b1a53bd248ee69b867d7b1768c42e1e40934e0b990f0ce051e
-
Filesize
49KB
MD58dced94f1a50bd9930af23ff6d334064
SHA131245be06bf6a61003bccf462a355e3a86d8f8f5
SHA2569d416e977dbb4de19ecedbac21f1ffc5e2523d4debbf41834dc255ca3a5c9fba
SHA5122a0d869cdba147b35c0580eee104005d5a74a9ba230e4fd2686078fc1dcab2b9f4ce76a42adbcfd22212bce802875e93e1121ccb39d11b8459d67fdfc6dbf02f
-
Filesize
50KB
MD5a43fdb2e31fb314aca78134b478830e5
SHA1583fea9d0f142bdaba9a5cfaaa972fc0d118fd01
SHA256947fcff569c7db5ff1a4afee14a794782e76b620a612d7f3a7ec2ba5885c423e
SHA5125be9d321ddb3382f4811a4b0e73527a7e417e82b0a02bcaea2a782d06502431f84bd6f6d4b3960683a0783defc47abcd4a8b806bcf03a1acdc0a01571f413f71
-
Filesize
24KB
MD5d78e920fae880b5d06a1d5cfc4f5df71
SHA14537ba8ce40a18f083a14f36ca0d412784b4c3fe
SHA2564ae18bd6d42caa69143b60732c0cc00ab8e96772811154c14292bcf73ca72842
SHA512497144b23d1734ea8ab4dfbec415217d6ce0ed178e97ad292c4e9909109328af60c6753bf91874294d551f28d008665832fec6e1ff2b9204421f725f2cfe16f2
-
Filesize
27KB
MD561e9996bcebb8ef3c3ff30b9b659dd6e
SHA163c294fea04986068b6ad3b481753b94923c2ef6
SHA256a8f3eb3a0568623f8f9635cb793032398ac0c6f5c143e387e8e3257ea8288472
SHA51290fb346ff7d193ac78b1ded3dc822e9732a2a1a74649503aad649f2baa4c7f8e25b8675a83f80685dd03abb5906c230cbbb75fa57926bee2e359492aa51c66e7
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
Filesize4KB
MD5dc7a588575aeed7e2cd7581c050c49fd
SHA181b1a059724af7f27d5bc8321df0692095825b04
SHA2562e7efc952be8dd4e5d09a171a219e0386376118a1920aa1fdb370f56eb77f634
SHA512318e3e524c7b3d30f6de842ca58e3ebfe2ec4a205c543e0872b99c55beda4b04fc9bacc4fe2659d5741335e9d9533ce65a3c0377050ec31c4983da715fed4ea1