Analysis
-
max time kernel
106s -
max time network
141s -
platform
windows10-2004_x64 -
resource
win10v2004-20250314-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20250314-en locale:en-us os:windows10-2004-x64 system -
submitted
29/03/2025, 17:30
Behavioral task
behavioral1
Sample
JaffaCakes118_8d938b2f2ba46ed3d82f5cbc52da35be.xls
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
JaffaCakes118_8d938b2f2ba46ed3d82f5cbc52da35be.xls
Resource
win10v2004-20250314-en
General
-
Target
JaffaCakes118_8d938b2f2ba46ed3d82f5cbc52da35be.xls
-
Size
44KB
-
MD5
8d938b2f2ba46ed3d82f5cbc52da35be
-
SHA1
e7ad11bfa000f82f818a536d5dfacc66c7146257
-
SHA256
220e19519e204c15d2ac8b39155e37d6775d73c131e3f339942b68d4547239d5
-
SHA512
a0af76076a7ce006f4632751b69efa3224597be803362dafbc6dea89cae848744a0ca7b1b8c3671429e81aa4cd0345b8ea1681493f5967f203c4d87bd5281d9c
-
SSDEEP
768:DTBI18WsJZayox5tWTDGCEJb0tx+MZl1AVS:DVy8WsJgyLCYlsS
Malware Config
Signatures
-
Checks processor information in registry 2 TTPs 12 IoCs
Processor information is often read in order to detect sandboxing environments.
Description | IoC | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | EXCEL.EXE
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | POWERPNT.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | POWERPNT.EXE
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | POWERPNT.EXE
-
Enumerates system info in registry 2 TTPs 12 IoCs
Description | IoC | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | POWERPNT.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | POWERPNT.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | EXCEL.EXE
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | POWERPNT.EXE
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | EXCEL.EXE
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | EXCEL.EXE
-
Suspicious behavior: AddClipboardFormatListener 2 IoCs
PID | Process
3884 | EXCEL.EXE
4692 | WINWORD.EXE
-
Suspicious use of SetWindowsHookEx 21 IoCs
PID | Process | Rows
3884 | EXCEL.EXE | 12
4692 | WINWORD.EXE | 3
2876 | POWERPNT.EXE | 1
4352 | EXCEL.EXE | 5
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
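The two registry signatures above fire only on the legitimate Office binaries (EXCEL.EXE, WINWORD.EXE, POWERPNT.EXE), which read the CentralProcessor and BIOS keys as part of normal startup, so on their own they are weak evidence of sandbox evasion. The following is an added example, not the sandbox's own signature code: it re-implements the matching logic of "Checks processor information in registry" and "Enumerates system info in registry" over a constructed event log whose Office rows mirror the IoC tables above. The event tuple format and the explorer.exe row are assumptions made for the illustration.

```python
"""Re-implementation of the two registry-enumeration signatures in this report
over a constructed event log.  Added example, not the sandbox's own code; the
event format and the explorer.exe row are assumptions for the illustration."""
from collections import defaultdict

# Key prefixes the two signatures match, taken from the IoC rows in the report.
# Compared case-insensitively: the report itself mixes
# "\REGISTRY\MACHINE\Hardware\Description" and "\REGISTRY\MACHINE\HARDWARE\DESCRIPTION".
CPU_PREFIX = r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\CENTRALPROCESSOR"
BIOS_PREFIX = r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\BIOS"

SIG_CPU = "Checks processor information in registry"
SIG_SYSINFO = "Enumerates system info in registry"

# Constructed sample events as (pid, process, operation, key path).
# The Office rows mirror IoCs in this report; the explorer.exe row is
# invented to show an event that neither signature should match.
SAMPLE_EVENTS = [
    (3884, "EXCEL.EXE", "Key opened",
     r"\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0"),
    (3884, "EXCEL.EXE", "Key value queried",
     r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz"),
    (3884, "EXCEL.EXE", "Key value queried",
     r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString"),
    (3884, "EXCEL.EXE", "Key value queried",
     r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU"),
    (4692, "WINWORD.EXE", "Key opened",
     r"\REGISTRY\MACHINE\Hardware\Description\System\BIOS"),
    (4692, "WINWORD.EXE", "Key value queried",
     r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily"),
    (1234, "explorer.exe", "Key opened",
     r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"),
]


def classify(key_path):
    """Map a registry key path to the signature it triggers, or None."""
    p = key_path.upper()
    if p.startswith(CPU_PREFIX):
        return SIG_CPU
    if p.startswith(BIOS_PREFIX):
        return SIG_SYSINFO
    return None


def run_signatures(events):
    """Group matching events as {signature: {(pid, process): [(op, path), ...]}},
    the same shape as the report's 'Description / IoC / Process' tables."""
    hits = defaultdict(lambda: defaultdict(list))
    for pid, proc, op, path in events:
        sig = classify(path)
        if sig is not None:
            hits[sig][(pid, proc)].append((op, path))
    return {sig: dict(per_proc) for sig, per_proc in hits.items()}


def summarize(events):
    """Per-signature IoC count plus the process names involved, mirroring the
    '12 IoCs' figures in the report's signature headings."""
    out = {}
    for sig, per_proc in run_signatures(events).items():
        out[sig] = {
            "ioc_count": sum(len(rows) for rows in per_proc.values()),
            "processes": sorted({proc for _, proc in per_proc}),
        }
    return out


if __name__ == "__main__":
    for sig, info in summarize(SAMPLE_EVENTS).items():
        print(f"{sig}: {info['ioc_count']} IoCs from {', '.join(info['processes'])}")
```

When triaging a real report, weight these hits by the process that produced them: the same key reads from an unsigned dropped binary or a script host are far more interesting than from Office itself.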
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
Command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8d938b2f2ba46ed3d82f5cbc52da35be.xls"
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:3884
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /Automation -Embedding
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:4692
-
C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE
Command line: "C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" /AUTOMATION -Embedding
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of SetWindowsHookEx
PID:2876
-
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
Command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of SetWindowsHookEx
PID:4352
Network
MITRE ATT&CK Enterprise v15
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_363582827213C09529A76F35FB615187
Filesize 471B
MD5 d0af564b3b8c07150bcce7bc27706df4
SHA1 0b4bf37d61991bd3b8b492e78948f4524171c18c
SHA256 4b6471ff31994a9e95812118d6ad76d76cf524a0050f8e98f03cbcbc0ddf6145
SHA512 20b368814ea41a45484f7d5c46a31c15ec48be9c27b201aac286b9f161ded3480d04da1d0508a52398c9a5d067660abf8245d72110a6ec43af116d3a199ccbb0
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_363582827213C09529A76F35FB615187
Filesize 412B
MD5 24db6279b1dea48e7f76ee167c41055c
SHA1 37dcc3b90a76fa8f3a16c8adf446794fbd6340c0
SHA256 28c8ce857a74edfeccc6f4bb56d722584a03a0c3b8c9973663069b747f18986c
SHA512 6573205e31d3169f6e03a84cb8ab06b4174c9dcbe527d82101a005aeb16f7cad9c629ba3176b1dc3015a8de4cb594240a3086c8c70dfc53268382a455da87689
-
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\DAC258E2-3920-47BE-A726-A97825762044
Filesize 178KB
MD5 ca8586d3c05325a2849bd59af1a186ce
SHA1 d1e0572acccac58cf092e6d14fce757bf3b24bde
SHA256 4c73c2626c47f4762bfeff27abb84f8889ad9040cba57ad2a337f88d7a026d45
SHA512 a8341366bb1e3395e285a012266b53d9cfb9ba46a8991f475b35506bf640f1a2508f72253778539ed59bb589a887b2fb620717481a3edbd8c7d92be79d8911be
-
Filesize 323KB
MD5 f0ae0f46e9371cd56176a95907282623
SHA1 3ff54df89976ec740650c0a929787645baaa9b0f
SHA256 4eff24f92c01822032916c8db336480771e0082632066bc3113c55b0f7f79b9c
SHA512 0f04eef9450d7c5e8142949b6b8fbe57181e2f7f84e5ccc48b8d371569b90a030f2db25c2bc7803f09cf8ae98aa0f01a19e634fb0a87bc47d8b6a16cd400c9c1
-
Filesize 372KB
MD5 360b737e372be6a79e6256946203bb42
SHA1 e8d393c9a6020e02909cf36877b97b4fd4252211
SHA256 7dbc4ec6bb3680ecc7765928aef275a1badf1920fa1b5abcd375b6d60cb19874
SHA512 c211c99aacac2967853c1b514489e8fb21e2acdee80cdfe0d7f49b3478a1cf98e7f4828feee21a3bec4aafc3b445bd9b5a1b7d2eaf71344f2f1d90224e00c0eb
-
Filesize 10KB
MD5 1c390f18e0bf26885e0ebb5165ae98e6
SHA1 a762f4df38970b24265c1904425bba51929185e6
SHA256 8120d519df75bf4f67fad8fadd4419bc484b5ce420d4dd3f7ff5182684e45f80
SHA512 381f73eaf96d05536af5a234b0066dc21166158ee36c1077294a55263cfb5cc6033c9bc74d821940cd141c2f20ededd71800d9e3e7d76693a57393677f074c4d
-
Filesize 12KB
MD5 1470de433abf5e334bc26470de8c2a46
SHA1 6eafb42f3b857e5ae41cfb54100dbea19a67d802
SHA256 6ceea400e5b0234cd53da7bfcae996a546a91e441a4df64a74a2580ea67de1dd
SHA512 9f03eb9a6a1a2ee770e40c08ede2edba02426ca95ab9fa4331fe41fdad74f4d00d89035104189f5d4a2b3cc3a5a10444a12d51c4a60ebfa0b3c2b6a2f6efc6bd
-
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres
Filesize 2KB
MD5 7cdfcbbbd6db499a040fcb4cea61be11
SHA1 8504addabb2769566b80b69470c09c6863ef5904
SHA256 a186d60c3264ba1a5219860c65a532ca115624b23abb8b748f06db23b5d6a4d5
SHA512 f507a02a208ab23848847989fe6b895ca64836faabd9e0d56dd5f83f60216176d1120d4f49bcdc93cd53040c62e8a52718386f3109f2e791752323a3bab87083
-
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\49dbe2955480c7f6ef8cec9c4320c9868d9293fd.tbres
Filesize 2KB
MD5 c76756d080929e96f7f3ccbda1b3e4be
SHA1 18f7012e71f2127f9bdb77373c4ef40f4bbae435
SHA256 cdcb7c2ebd09700987a00e831af1fd7df57a36ab68bad7bd4ebd3abb8e7e9398
SHA512 358615b1b59d25df267652fed790e0102d46d9ada5e65bea681ef550dbb63afd95b9d49b09862f75bbda9222d8c0562dcc80ee37aceeffccf14e674875e18ad9
-
Filesize 438B
MD5 ea3eb315e0473ef570921d62755cb385
SHA1 027e8f1108150ab4cd8cd922abec528ec0c525e0
SHA256 4a00007afe74b621e6eac149a6388b32b510287350e4477af7a6e68ef9e38f5b
SHA512 29fdcbb6d38857222f0b244644393603a6ae3b475ecd221c0c63ce6ba6241d2b78e4abc1d3e7ffe781fa059df997349e82cb3e00f2d9632911bae28cd517d558
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms
Filesize 1KB
MD5 f74972b5b678c34c74384efbc79e3dab
SHA1 98b7e88b184d00a107b8179d097bb5dcbbf4b169
SHA256 162ffceed9e0cba00edb2b26c28b995a58cc6e3cc8500c3c1229768d6b83dad8
SHA512 e49036b56d7aead3aee1796ebf27ab311e53c19a8218f78c748680b58b503fa4ac26ba0639e3b2787a25eb33811089a675092cc6dd2b65877fa5355290d13409