Analysis
Max time kernel: 141s
Max time network: 141s
Platform: windows10-2004_x64
Resource: win10v2004-20250314-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20250314-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 29/03/2025, 19:38
Behavioral task: behavioral1
Sample: JaffaCakes118_9542beebc4df3923f8558000ed2d36da.doc
Resource: win7-20240903-en
Behavioral task: behavioral2
Sample: JaffaCakes118_9542beebc4df3923f8558000ed2d36da.doc
Resource: win10v2004-20250314-en
General
Target: JaffaCakes118_9542beebc4df3923f8558000ed2d36da.doc
Size: 41KB
MD5: 9542beebc4df3923f8558000ed2d36da
SHA1: 3fecd4c7583a95bad5a5e91da0a35a4c2b6bb672
SHA256: 322542c31491f3b6c156eeec325e7157e7f2c45b76635a5c7f099a8bb391a456
SHA512: 9ea4e5b81c4577aef5cce21599a0d08a8f8e4153e246cb72fab3765e11c271016225e954fc07324d25b1f4cf652375c1f469e78dfbd7890aeeae055508adaef8
SSDEEP: 384:mSh1Iq9OYvNBuCm68dajNA2gV2/elFL2f3jDswi:mSh1IeBfv8daxjgon
Malware Config
Signatures
Office macro that triggers on suspicious action (1 IoC)
Office document macro which triggers in special circumstances - often malicious.
resource | yara_rule
behavioral2/files/0x000c000000023f42-262.dat | office_macro_on_action

Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
description | ioc | process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE

Enumerates system info in registry (2 TTPs, 3 IoCs)
description | ioc | process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener (2 IoCs)
pid | process
1500 | WINWORD.EXE (2 events)

Suspicious use of SetWindowsHookEx (13 IoCs)
pid | process
1500 | WINWORD.EXE (13 events)
Processes
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9542beebc4df3923f8558000ed2d36da.doc" /o ""
PID: 1500
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
Filesize: 3KB