Analysis
max time kernel: 109s
max time network: 143s
platform: windows10-2004_x64
resource: win10v2004-20250314-en
resource tags: arch:x64, arch:x86, image:win10v2004-20250314-en, locale:en-us, os:windows10-2004-x64, system
submitted: 29/03/2025, 17:09
Behavioral task: behavioral1
Sample: JaffaCakes118_8c0ee5ba0f92c3926828f153eb6529e8.doc
Resource: win7-20240903-en
Behavioral task: behavioral2
Sample: JaffaCakes118_8c0ee5ba0f92c3926828f153eb6529e8.doc
Resource: win10v2004-20250314-en
General
Target: JaffaCakes118_8c0ee5ba0f92c3926828f153eb6529e8.doc
Size: 55KB
MD5: 8c0ee5ba0f92c3926828f153eb6529e8
SHA1: 423f523c88b3a9ac7c2f9847da7e40e5b74e9dda
SHA256: 8807c6374f31760a47bd677a32e2bea4e997534fa93ffc146ac07edf4827372a
SHA512: a039f51e5fd336f5773b243e23571c6d0c739ff42279c69d2bcb5be691986f9449b327ebcd1121faa70b86987ccdd5f40266fb538527be48df0b5f5a6c2a01db
SSDEEP: 384:kM8EOmlI6mU4Q5kMsDW9DSiX7z72Rz5of8ScQQ8E6z6Aq2XYMv6kkqv5mQLa9:kREOmaBW9D5zFELGYdBqv5mQL
Malware Config
Signatures
Office macro that triggers on suspicious action 1 IoCs
Office document macro which triggers in special circumstances - often malicious.
resource: behavioral2/files/0x0008000000023fed-71.dat; yara_rule: office_macro_on_action
Deletes itself 1 IoCs
pid: 2496; Process: WINWORD.EXE
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
Key opened: \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 (Process: WINWORD.EXE)
Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz (Process: WINWORD.EXE)
Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (Process: WINWORD.EXE)
Enumerates system info in registry 2 TTPs 3 IoCs
Key opened: \REGISTRY\MACHINE\Hardware\Description\System\BIOS (Process: WINWORD.EXE)
Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily (Process: WINWORD.EXE)
Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU (Process: WINWORD.EXE)
NTFS ADS 1 IoCs
File created: C:\Users\Admin\AppData\Local\Temp\~WRD0000.tmp\:Zone.Identifier:$DATA (Process: WINWORD.EXE)
Suspicious behavior: AddClipboardFormatListener 2 IoCs
pid: 2496; Process: WINWORD.EXE (listed 2 times)
Suspicious use of SetWindowsHookEx 13 IoCs
pid: 2496; Process: WINWORD.EXE (listed 13 times)
Processes
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8c0ee5ba0f92c3926828f153eb6529e8.doc" /o ""
- Deletes itself
- Checks processor information in registry
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID: 2496
Network
MITRE ATT&CK Enterprise v15
Downloads