b9656022ed7793ea88b296d9cfc76922a75f962deec9e9edc627b4b108f8bc85

General

Target

f57aa3bbe3fae170bdda042d979ed6a4_JaffaCakes118.doc
Size

37KB
MD5

f57aa3bbe3fae170bdda042d979ed6a4
SHA1

ccefd52e896ea971d6dcf13e21eb7248e80db908
SHA256

b9656022ed7793ea88b296d9cfc76922a75f962deec9e9edc627b4b108f8bc85
SHA512

032ae1a8fc9522b56f4f5310b62940a028cc620dc19539c25d4d1342b82069c803c965dc4d4afe5b4b7c6d6cc3e9384167044d28be8b8e4e8b60f2cbed6f58d3
SSDEEP

192:45KwpT858VR85SbWFwCLfyEzMv7v8xkqPG3Z869J36uxyb6Hqv5RZwQjv7bwpz:g8d7yEz0j8Fwt6uUkqv5AQjv

Score

8^/10

macro macro_on_action

Malware Config

Signatures

Office macro that triggers on suspicious action 1 IoCs

Office document macro which triggers in special circumstances - often malicious.

macro macro_on_action

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\~WRD0002.tmp	office_macro_on_action

Deletes itself 1 IoCs

Processes:

WINWORD.EXE

pid process

3572 WINWORD.EXE

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

NTFS ADS 1 IoCs

Processes:

WINWORD.EXE

description ioc process

File created C:\Users\Admin\AppData\Local\Temp\~WRD0002.tmp\:Zone.Identifier:$DATA WINWORD.EXE
Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

WINWORD.EXE

pid process

3572 WINWORD.EXE
3572 WINWORD.EXE

description	ioc	process
File created	C:\Users\Admin\AppData\Local\Temp\~WRD0002.tmp\:Zone.Identifier:$DATA	WINWORD.EXE

Suspicious use of SetWindowsHookEx 13 IoCs

Processes:

WINWORD.EXE

pid	process
3572	WINWORD.EXE
3572	WINWORD.EXE
3572	WINWORD.EXE
3572	WINWORD.EXE
3572	WINWORD.EXE
3572	WINWORD.EXE
3572	WINWORD.EXE
3572	WINWORD.EXE
3572	WINWORD.EXE
3572	WINWORD.EXE
3572	WINWORD.EXE
3572	WINWORD.EXE
3572	WINWORD.EXE

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\f57aa3bbe3fae170bdda042d979ed6a4_JaffaCakes118.doc" /o ""
1⤵
- Deletes itself
- Checks processor information in registry
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:3572

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\TCD1BCC.tmp\sist02.xsl
Filesize
245KB

MD5
f883b260a8d67082ea895c14bf56dd56

SHA1
7954565c1f243d46ad3b1e2f1baf3281451fc14b

SHA256
ef4835db41a485b56c2ef0ff7094bc2350460573a686182bc45fd6613480e353

SHA512
d95924a499f32d9b4d9a7d298502181f9e9048c21dbe0496fa3c3279b263d6f7d594b859111a99b1a53bd248ee69b867d7b1768c42e1e40934e0b990f0ce051e

Download Submit
C:\Users\Admin\AppData\Local\Temp\~WRD0002.tmp
Filesize
51KB

MD5
c85b142a63c7f5c51f699889e4f648dd

SHA1
774ad9dec8b7571227528de9025a3607de93257b

SHA256
4b54bb6be2e4c80d25a427a0c2e563c6246bd56fe816f6d31304945462c0d400

SHA512
da52ffd6b8b4ae21a8fd903d8f4e68cfb99888c8e1a1634de9f8c710ebafc43d7f2f905c43564cbe118261c264b25ef24dcc62b48b2f0b1ef6dbeadc5e6abc0c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\~WRD0000.tmp
Filesize
23KB

MD5
7329162f837851f7ebaec84c39fa7977

SHA1
5f60fdc6013f60acb804cc864072fd2cd0e9cc15

SHA256
347cd7e21b73ddae6d3eaca9e3b9ef2cfec8a12fc6acda251a2c4d6cec164fe0

SHA512
37962fe405a4e39b06ed53800d8db7fa5712d32c4d1d32d4ef3c848b4bc1b3abd526ce7f2ff9979f9c6011b5c38c4fe46c5f4ae2b186a1cf3a24f8bcc585da09

Download Submit
memory/3572-20-0x00007FFA05D50000-0x00007FFA05F45000-memory.dmp

Filesize
2.0MB

Download
memory/3572-580-0x00007FFA05D50000-0x00007FFA05F45000-memory.dmp

Filesize
2.0MB

Download
memory/3572-6-0x00007FFA05D50000-0x00007FFA05F45000-memory.dmp

Filesize
2.0MB

Download
memory/3572-7-0x00007FFA05D50000-0x00007FFA05F45000-memory.dmp

Filesize
2.0MB

Download
memory/3572-9-0x00007FFA05D50000-0x00007FFA05F45000-memory.dmp

Filesize
2.0MB

Download
memory/3572-10-0x00007FF9C5DD0000-0x00007FF9C5DE0000-memory.dmp

Filesize
64KB

Download
memory/3572-11-0x00007FFA05D50000-0x00007FFA05F45000-memory.dmp

Filesize
2.0MB

Download
memory/3572-12-0x00007FFA05D50000-0x00007FFA05F45000-memory.dmp

Filesize
2.0MB

Download
memory/3572-21-0x00007FF9C36D0000-0x00007FF9C36E0000-memory.dmp

Filesize
64KB

Download
memory/3572-3-0x00007FF9C5DD0000-0x00007FF9C5DE0000-memory.dmp

Filesize
64KB

Download
memory/3572-13-0x00007FFA05D50000-0x00007FFA05F45000-memory.dmp

Filesize
2.0MB

Download
memory/3572-14-0x00007FFA05D50000-0x00007FFA05F45000-memory.dmp

Filesize
2.0MB

Download
memory/3572-16-0x00007FFA05D50000-0x00007FFA05F45000-memory.dmp

Filesize
2.0MB

Download
memory/3572-17-0x00007FFA05D50000-0x00007FFA05F45000-memory.dmp

Filesize
2.0MB

Download
memory/3572-15-0x00007FF9C36D0000-0x00007FF9C36E0000-memory.dmp

Filesize
64KB

Download
memory/3572-18-0x00007FFA05D50000-0x00007FFA05F45000-memory.dmp

Filesize
2.0MB

Download
memory/3572-19-0x00007FFA05D50000-0x00007FFA05F45000-memory.dmp

Filesize
2.0MB

Download
memory/3572-0-0x00007FF9C5DD0000-0x00007FF9C5DE0000-memory.dmp

Filesize
64KB

Download
memory/3572-8-0x00007FF9C5DD0000-0x00007FF9C5DE0000-memory.dmp

Filesize
64KB

Download
memory/3572-5-0x00007FF9C5DD0000-0x00007FF9C5DE0000-memory.dmp

Filesize
64KB

Download
memory/3572-71-0x00007FFA05D50000-0x00007FFA05F45000-memory.dmp

Filesize
2.0MB

Download
memory/3572-45-0x0000018457670000-0x0000018458640000-memory.dmp

Filesize
15.8MB

Download
memory/3572-4-0x00007FFA05D50000-0x00007FFA05F45000-memory.dmp

Filesize
2.0MB

Download
memory/3572-2-0x00007FFA05D50000-0x00007FFA05F45000-memory.dmp

Filesize
2.0MB

Download
memory/3572-70-0x00007FFA05D50000-0x00007FFA05F45000-memory.dmp

Filesize
2.0MB

Download
memory/3572-44-0x0000018457670000-0x0000018458640000-memory.dmp

Filesize
15.8MB

Download
memory/3572-72-0x00007FFA05D50000-0x00007FFA05F45000-memory.dmp

Filesize
2.0MB

Download
memory/3572-73-0x0000018452B10000-0x0000018453310000-memory.dmp

Filesize
8.0MB

Download
memory/3572-74-0x0000018457670000-0x0000018458640000-memory.dmp

Filesize
15.8MB

Download
memory/3572-75-0x0000018457670000-0x0000018458640000-memory.dmp

Filesize
15.8MB

Download
memory/3572-1-0x00007FFA05D50000-0x00007FFA05F45000-memory.dmp

Filesize
2.0MB

Download
memory/3572-575-0x00007FF9C5DD0000-0x00007FF9C5DE0000-memory.dmp

Filesize
64KB

Download
memory/3572-578-0x00007FFA05D50000-0x00007FFA05F45000-memory.dmp

Filesize
2.0MB

Download
memory/3572-577-0x00007FF9C5DD0000-0x00007FF9C5DE0000-memory.dmp

Filesize
64KB

Download
memory/3572-579-0x00007FF9C5DD0000-0x00007FF9C5DE0000-memory.dmp

Filesize
64KB

Download
memory/3572-576-0x00007FF9C5DD0000-0x00007FF9C5DE0000-memory.dmp

Filesize
64KB

Download
memory/3572-36-0x0000018452B10000-0x0000018453310000-memory.dmp

Filesize
8.0MB

Download
memory/3572-581-0x00007FFA05D50000-0x00007FFA05F45000-memory.dmp

Filesize
2.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads