Analysis
-
max time kernel
104s -
max time network
141s -
platform
windows10-2004_x64 -
resource
win10v2004-20250314-en -
resource tags
arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system -
submitted
29/03/2025, 18:22
Behavioral task
behavioral1
Sample
JaffaCakes118_911e3a9a39cb9a33cf1cf03a9355a8cd.doc
Resource
win7-20241010-en
Behavioral task
behavioral2
Sample
JaffaCakes118_911e3a9a39cb9a33cf1cf03a9355a8cd.doc
Resource
win10v2004-20250314-en
General
-
Target
JaffaCakes118_911e3a9a39cb9a33cf1cf03a9355a8cd.doc
-
Size
42KB
-
MD5
911e3a9a39cb9a33cf1cf03a9355a8cd
-
SHA1
470097066e593e5f93903399bbcb37a83b8658e3
-
SHA256
83d566c37607526b26d42194e17f0602364108e008a34d52f78184e74c08702f
-
SHA512
b0002a224ed5d7cc03885b6223d635566b720d07b3efac8a5c2497ae5033998ed7fefaac499bcd423c92d24f81e4af0f39eed18ed824d811ab8aae1648cefc4f
-
SSDEEP
384:ABV04HMfH9+kM8FQ57XPOwitmDwRmLdPDpNMlzEmYMjAtr:OmVD6gQrp
Malware Config
Signatures
-
Office macro that triggers on suspicious action 1 IoCs
Office document macro which triggers in special circumstances - often malicious.
resource yara_rule behavioral2/files/0x0002000000022a98-81.dat office_macro_on_action -
Deletes itself 1 IoCs
pid Process 1800 WINWORD.EXE -
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WINWORD.EXE -
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WINWORD.EXE -
NTFS ADS 1 IoCs
description ioc Process File created C:\Users\Admin\AppData\Local\Temp\~WRD0002.tmp\:Zone.Identifier:$DATA WINWORD.EXE -
Suspicious behavior: AddClipboardFormatListener 2 IoCs
pid Process 1800 WINWORD.EXE 1800 WINWORD.EXE -
Suspicious use of SetWindowsHookEx 15 IoCs
pid Process 1800 WINWORD.EXE 1800 WINWORD.EXE 1800 WINWORD.EXE 1800 WINWORD.EXE 1800 WINWORD.EXE 1800 WINWORD.EXE 1800 WINWORD.EXE 1800 WINWORD.EXE 1800 WINWORD.EXE 1800 WINWORD.EXE 1800 WINWORD.EXE 1800 WINWORD.EXE 1800 WINWORD.EXE 1800 WINWORD.EXE 1800 WINWORD.EXE
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_911e3a9a39cb9a33cf1cf03a9355a8cd.doc" /o ""1⤵
- Deletes itself
- Checks processor information in registry
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1800
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
263KB
MD5ff0e07eff1333cdf9fc2523d323dd654
SHA177a1ae0dd8dbc3fee65dd6266f31e2a564d088a4
SHA2563f925e0cc1542f09de1f99060899eafb0042bb9682507c907173c392115a44b5
SHA512b4615f995fab87661c2dbe46625aa982215d7bde27cafae221dca76087fe76da4b4a381943436fcac1577cb3d260d0050b32b7b93e3eb07912494429f126bb3d
-
Filesize
50KB
MD567f904687dc074666afed08e55e626f1
SHA1eddf4e516da7494c0fd9588deba91e7bcc3780e7
SHA256da1bd4dea8e881f2feadb35880742ac268ec86d99c501bb744a96e9746703952
SHA512555fbb34d26b38ab005f43bc8e5280019a8deb872855dd47e09c1f78c4a7c970680a21f4581f422d77261203233bec82bcf8968fd3b5ab601a4672058a3ffb81
-
Filesize
26KB
MD5935b8090edbee7c581c9f6be45fbd865
SHA17816f9a0cb389435b4c4ad53d5befb74fce808d4
SHA2562fc416d29167983d537ab17d70085edbdaea2f77b45671728278376886c0e92d
SHA51263f18f50727375234fbdbfd564785b3d3adcd99df3ef161c8b47c9e1b0e5523b7d766e2c9323b484f15756fbe305b940b809382b30ba3275a3e08604d2c6757c
-
Filesize
2B
MD5f3b25701fe362ec84616a93a45ce9998
SHA1d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA51298c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
Filesize2KB
MD507ec8feb63d1ed3183b9663dcad2c1e0
SHA16ca8fb4b622a98c656bfe3c2a1d2c9f1167ea646
SHA256348bc8d4cd1ef6da98202ab6ee36e593497f712ed8a43a535ac8a4c825d2465e
SHA512ef0fd3660e0967657f1e15320417288a4d48afa9838c6b05fb0e3fdcb1177b0972b57533c8c9b5d0b820f4d17559cc652ae4c1eb70364faec8238d5715a1a084