Analysis
-
max time kernel
149s -
max time network
123s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
-
submitted
20-09-2024 23:47
General
-
Target
eeabc43299a4f24bb12652ec46912bcd_JaffaCakes118.rtf
-
Size
224KB
-
MD5
eeabc43299a4f24bb12652ec46912bcd
-
SHA1
533dd65d2459b4f0415ca2a320be792b095ad257
-
SHA256
f815a03a1cfd34cd3f01f63b2436d1c48b36decb4198dfd07f9156b86176d58e
-
SHA512
b006ce1a14b53ca5927fa5e27417ac5fbfad7be3ec9c9c066650513551c03913d38c23fd355df0d3e9a1727f5dd932dd4d79e20f021009c5a98701fc53d1ccf8
-
SSDEEP
3072:qV7ul3lsRtsLnRXPHul3lsRtsLnRXP2ul3lsRtsLnRXPl:Fl3lBpGl3lBpfl3lBpN
Malware Config
Signatures
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Checks processor information in registry 2 TTPs 6 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 6 IoCs
-
Suspicious behavior: AddClipboardFormatListener 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 52 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious use of FindShellTrayWindow 64 IoCs
-
Suspicious use of SendNotifyMessage 64 IoCs
-
Suspicious use of SetWindowsHookEx 10 IoCs
-
Suspicious use of WriteProcessMemory 2 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\eeabc43299a4f24bb12652ec46912bcd_JaffaCakes118.rtf" /o ""1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe"2⤵
- Process spawned unexpected child process
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
-
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" -Embedding1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
471B
MD525130b6b45657cb11f662f01e0f6c91d
SHA1bacf2ebb9bb0fdf1f6ea0d5d3e14677703931683
SHA256c1d75f1b7f79757fec08c60a0175cdcb6cab70450f8be040e7b38ff46442db0b
SHA512b57d6b246fc7e352e3c11a0dea472783994b6f0b5b2c227ef92bab8c7741db35b21c81e5259ccf7d2d06f7035608cbdae5eeba32242f41acf3cb92870a9bad75
-
Filesize
412B
MD55bcabaf8b16706f2d1565ccec0e6ab0e
SHA1cb5a745b4f9e39e42aeccfe8e7cc489b65e5e535
SHA2567e200d90eacd88a42391350f30f47743b254a418a0d3cd5d2b36d4b9bc4552be
SHA512429b6f77df6e702058a138e6a240a4d7d93186b4287f68a5a99e6311c1aa983ea5b59506adde95c6d03208fc68b50bbe5e93b63a6f24f54dfb88f4151be2e708
-
Filesize
171KB
MD52f3268483b9bc558e2d17747c781d8e5
SHA164618052b77e1aec400b23a8e961d79197266ab8
SHA256475f2f214e499c6031375db0e881255966d9830bae64a161444041a4e235587b
SHA51235c21ff537033b3a26cc0dfc526e7834a87a32f9f990649d57a5e24b33378f341da4afe7d52cdb15df44e9da9f25e6c7fb41cda70a1213887c204976a393fbe8
-
Filesize
2KB
MD5106f0663510b95095be03633b025ec62
SHA1e1a0c72d35913b95d08c812aaecd01ea57af602c
SHA2569dc8c029a8cf224b07247a58ce9e5232a5a1cfa32300e3f8264eb4b5ea132c9b
SHA51214187c1bc7119744c194f2c10c4a66f43bddc7059a47a651ba706d0530e19bce50ac4169b5c4898cb87efbd7d1b0140f8874fe348cb3f9ec2f85fb6630b8c7ba
-
Filesize
2KB
MD57dae7099d2a1383476e31144ac38094d
SHA1ba38f4c96ae5edb666cd7f59dabf4b53af11d4e8
SHA256a1c322a6d84031e758133175044c77d366d0bebdb0259aa525f832b9585c0e5d
SHA5128ef6c5129ab5389ede589c77dd90306417d39f37a80c6bdc78c5a01718742be7abb722b112d275be3a1bf7c0012feddf07110a150938ebe3606d778b8dfd4e49
-
Filesize
2.0MB
-
Filesize
64KB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
64KB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
64KB
-
Filesize
2.0MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
2.0MB
-
Filesize
4KB
-
Filesize
2.0MB
-
Filesize
64KB
-
Filesize
4KB
-
Filesize
64KB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB