Analysis
- max time kernel: 141s
- max time network: 132s
- platform: windows10-2004_x64
- resource: win10v2004-20240709-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 24-07-2024 20:29
Behavioral task: behavioral1
- Sample: 6ca9f5d9b0304bc3a8246cf86e6db21f_JaffaCakes118.doc
- Resource: win7-20240708-en
Behavioral task: behavioral2
- Sample: 6ca9f5d9b0304bc3a8246cf86e6db21f_JaffaCakes118.doc
- Resource: win10v2004-20240709-en
General
- Target: 6ca9f5d9b0304bc3a8246cf86e6db21f_JaffaCakes118.doc
- Size: 239KB
- MD5: 6ca9f5d9b0304bc3a8246cf86e6db21f
- SHA1: 7df607ec1c90746aa90f3ea2555dd4cae9f61766
- SHA256: d4654f010021371fe8cb182fc484cdece66f681ed7335e79befa145a21ef3079
- SHA512: e20dcb927ba4071afd16043ab40b6052aed1e8dd69f73a1303e2fa8e1c89d33970c19b9cd1a941d5b99889eeebbfe2864c34bb27641bc556fae7c72e476c387a
- SSDEEP: 3072:X/wDvWETOgnHJcIKBs7iEdSqctNi7n4mwL:X/avWETrHJ9AGUNt074mK
Malware Config
Signatures
- Checks processor information in registry (2 TTPs, 15 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | EXCEL.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | EXCEL.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | EXCEL.EXE
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | EXCEL.EXE
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | EXCEL.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | EXCEL.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | EXCEL.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | EXCEL.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | EXCEL.EXE
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
- Enumerates system info in registry (2 TTPs, 15 IoCs)
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | EXCEL.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | EXCEL.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | EXCEL.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | EXCEL.EXE
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | EXCEL.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | EXCEL.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | EXCEL.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | EXCEL.EXE
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | EXCEL.EXE
- Suspicious behavior: AddClipboardFormatListener (4 IoCs)
  pid | Process
  2608 | WINWORD.EXE (2 occurrences)
  1636 | WINWORD.EXE (2 occurrences)
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  description | pid | Process
  Token: SeAuditPrivilege | 2724 | EXCEL.EXE
  Token: SeAuditPrivilege | 640 | EXCEL.EXE
  Token: SeAuditPrivilege | 3940 | EXCEL.EXE
- Suspicious use of SetWindowsHookEx (29 IoCs)
  pid | Process
  2608 | WINWORD.EXE (7 occurrences)
  2724 | EXCEL.EXE (4 occurrences)
  1636 | WINWORD.EXE (10 occurrences)
  640 | EXCEL.EXE (4 occurrences)
  3940 | EXCEL.EXE (4 occurrences)
Processes
- C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\6ca9f5d9b0304bc3a8246cf86e6db21f_JaffaCakes118.doc" /o ""
  PID: 2608
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
- C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
  PID: 2724
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
- C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /Automation -Embedding
  PID: 1636
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
- C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
  PID: 640
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
- C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
  PID: 3940
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads