99f836e687aef659851a4bda6663f24f0bf32ca05a8ab99013d98d59aefdf35e

General

Target

f2e172e42fedc4a33edbd4d858432049_JaffaCakes118.doc
Size

46KB
MD5

f2e172e42fedc4a33edbd4d858432049
SHA1

75e07fe29618b0279ac8441c84612a8dcfde7644
SHA256

99f836e687aef659851a4bda6663f24f0bf32ca05a8ab99013d98d59aefdf35e
SHA512

c91c334e696d0b2c47e06e92aefc54448b32955726a6864662bb56e55f989aefb58d761a0b491e87eba138d1a23e22078f32965c24660c23265d093b56d3f273
SSDEEP

768:Ea19v3/BTkZLH2jFMujyV67JEzYmVkUWKvaL:h19vPBTkZLWB3uTV53

Score

8^/10

macro macro_on_action

Malware Config

Signatures

Office macro that triggers on suspicious action 1 IoCs

Office document macro which triggers in special circumstances - often malicious.

macro macro_on_action

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\~WRD0000.tmp	office_macro_on_action

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

NTFS ADS 1 IoCs

Processes:

WINWORD.EXE

description ioc process

File created C:\Users\Admin\AppData\Local\Temp\~WRD0000.tmp\:Zone.Identifier:$DATA WINWORD.EXE
Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

WINWORD.EXE

pid process

1324 WINWORD.EXE
1324 WINWORD.EXE

description	ioc	process
File created	C:\Users\Admin\AppData\Local\Temp\~WRD0000.tmp\:Zone.Identifier:$DATA	WINWORD.EXE

Suspicious use of SetWindowsHookEx 13 IoCs

Processes:

WINWORD.EXE

pid	process
1324	WINWORD.EXE
1324	WINWORD.EXE
1324	WINWORD.EXE
1324	WINWORD.EXE
1324	WINWORD.EXE
1324	WINWORD.EXE
1324	WINWORD.EXE
1324	WINWORD.EXE
1324	WINWORD.EXE
1324	WINWORD.EXE
1324	WINWORD.EXE
1324	WINWORD.EXE
1324	WINWORD.EXE

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\f2e172e42fedc4a33edbd4d858432049_JaffaCakes118.doc" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1324

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\TCDE734.tmp\iso690.xsl
Filesize
263KB

MD5
ff0e07eff1333cdf9fc2523d323dd654

SHA1
77a1ae0dd8dbc3fee65dd6266f31e2a564d088a4

SHA256
3f925e0cc1542f09de1f99060899eafb0042bb9682507c907173c392115a44b5

SHA512
b4615f995fab87661c2dbe46625aa982215d7bde27cafae221dca76087fe76da4b4a381943436fcac1577cb3d260d0050b32b7b93e3eb07912494429f126bb3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\~WRD0000.tmp
Filesize
57KB

MD5
a7ee654f85f80568522f1988a05a9daa

SHA1
a4bf6436f4a8c6041e1eb1233d338f4d23652e77

SHA256
7927ffe42c2461026422f431a399c80dfbfe6f1b88d72d9719395e867a4e9dd2

SHA512
afda009c2d884f6671f66e3e096db4d3e7844d404f758ede622c2609c04a825141187227403a58fcbc8057e929f85bea877d820b35fb1ad290d68e00254b71d6

Download Submit
memory/1324-13-0x00007FF9F50D0000-0x00007FF9F52C5000-memory.dmp

Filesize
2.0MB

Download
memory/1324-6-0x00007FF9B5150000-0x00007FF9B5160000-memory.dmp

Filesize
64KB

Download
memory/1324-17-0x00007FF9F50D0000-0x00007FF9F52C5000-memory.dmp

Filesize
2.0MB

Download
memory/1324-5-0x00007FF9F50D0000-0x00007FF9F52C5000-memory.dmp

Filesize
2.0MB

Download
memory/1324-18-0x00007FF9F50D0000-0x00007FF9F52C5000-memory.dmp

Filesize
2.0MB

Download
memory/1324-7-0x00007FF9B5150000-0x00007FF9B5160000-memory.dmp

Filesize
64KB

Download
memory/1324-8-0x00007FF9F50D0000-0x00007FF9F52C5000-memory.dmp

Filesize
2.0MB

Download
memory/1324-9-0x00007FF9F50D0000-0x00007FF9F52C5000-memory.dmp

Filesize
2.0MB

Download
memory/1324-10-0x00007FF9B27F0000-0x00007FF9B2800000-memory.dmp

Filesize
64KB

Download
memory/1324-11-0x00007FF9F50D0000-0x00007FF9F52C5000-memory.dmp

Filesize
2.0MB

Download
memory/1324-12-0x00007FF9F50D0000-0x00007FF9F52C5000-memory.dmp

Filesize
2.0MB

Download
memory/1324-19-0x00007FF9F50D0000-0x00007FF9F52C5000-memory.dmp

Filesize
2.0MB

Download
memory/1324-0-0x00007FF9B5150000-0x00007FF9B5160000-memory.dmp

Filesize
64KB

Download
memory/1324-15-0x00007FF9F50D0000-0x00007FF9F52C5000-memory.dmp

Filesize
2.0MB

Download
memory/1324-4-0x00007FF9B5150000-0x00007FF9B5160000-memory.dmp

Filesize
64KB

Download
memory/1324-3-0x00007FF9F50D0000-0x00007FF9F52C5000-memory.dmp

Filesize
2.0MB

Download
memory/1324-14-0x00007FF9B27F0000-0x00007FF9B2800000-memory.dmp

Filesize
64KB

Download
memory/1324-16-0x00007FF9F50D0000-0x00007FF9F52C5000-memory.dmp

Filesize
2.0MB

Download
memory/1324-41-0x00000279FDEE0000-0x00000279FE6E0000-memory.dmp

Filesize
8.0MB

Download
memory/1324-63-0x00000279FCE50000-0x00000279FD250000-memory.dmp

Filesize
4.0MB

Download
memory/1324-2-0x00007FF9B5150000-0x00007FF9B5160000-memory.dmp

Filesize
64KB

Download
memory/1324-76-0x00007FF9F50D0000-0x00007FF9F52C5000-memory.dmp

Filesize
2.0MB

Download
memory/1324-77-0x00007FF9F50D0000-0x00007FF9F52C5000-memory.dmp

Filesize
2.0MB

Download
memory/1324-78-0x00007FF9F50D0000-0x00007FF9F52C5000-memory.dmp

Filesize
2.0MB

Download
memory/1324-330-0x00000279FDEE0000-0x00000279FE6E0000-memory.dmp

Filesize
8.0MB

Download
memory/1324-1-0x00007FF9F50D0000-0x00007FF9F52C5000-memory.dmp

Filesize
2.0MB

Download
memory/1324-557-0x00000279FCE50000-0x00000279FD250000-memory.dmp

Filesize
4.0MB

Download
memory/1324-568-0x00000279FDEE0000-0x00000279FE6E0000-memory.dmp

Filesize
8.0MB

Download
memory/1324-569-0x00000279FDEE0000-0x00000279FE6E0000-memory.dmp

Filesize
8.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads