ead0fc292493d1765cb4a18c6d24a38f81ed96c4d52df10fd89c2fca83693b9c

General

Target

f5a11a001d08808f78804d40dbb15028_JaffaCakes118.doc
Size

44KB
MD5

f5a11a001d08808f78804d40dbb15028
SHA1

eb31679e688aa59d867dadb65c1875bdeaa77226
SHA256

ead0fc292493d1765cb4a18c6d24a38f81ed96c4d52df10fd89c2fca83693b9c
SHA512

2d4a5249a6ca11159075adb608f2f9bd84e06c52b865df5b8b4f8d07fa76e142981c0d94e31ab4b41b101bf692c0ef2f748e825b4474dc0c2b7c130abd5acb35
SSDEEP

384:u1UwH1+1JtgdUdaguSW218idbpJ3Y+zVsblzwpEpMjyWuTcW4thuigd:k1+1zbdYFiC+WCmXWD0igd

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2072	WINWORD.EXE

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

NTFS ADS 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Temp\~WRD0000.tmp\:Zone.Identifier:$DATA	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
2072	WINWORD.EXE
2072	WINWORD.EXE

Suspicious use of SetWindowsHookEx 15 IoCs

pid	Process
2072	WINWORD.EXE
2072	WINWORD.EXE
2072	WINWORD.EXE
2072	WINWORD.EXE
2072	WINWORD.EXE
2072	WINWORD.EXE
2072	WINWORD.EXE
2072	WINWORD.EXE
2072	WINWORD.EXE
2072	WINWORD.EXE
2072	WINWORD.EXE
2072	WINWORD.EXE
2072	WINWORD.EXE
2072	WINWORD.EXE
2072	WINWORD.EXE

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\f5a11a001d08808f78804d40dbb15028_JaffaCakes118.doc" /o ""
1⤵
- Deletes itself
- Checks processor information in registry
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2072

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\3171A6BB.wmf

Filesize
880B

MD5
0522d8dcdc9860ea7f4b9966c5d466b9

SHA1
7dd16a4d0159a3c2bc81fdb7893a0ebdf925bdc1

SHA256
80742dade91f8c7521277ea827aa93e8a13d100997a24f9afb4e3568224cb8d0

SHA512
0ab2c5abbf5823d36d452440d1f0d8dd1e0f297855dbb8536de9eccad29e62c2585f81fd2f3f6e804221421f011482b10f402645ae0784dd550269452c5c6c08

Download Submit
C:\Users\Admin\AppData\Local\Temp\TCD9353.tmp\sist02.xsl

Filesize
245KB

MD5
f883b260a8d67082ea895c14bf56dd56

SHA1
7954565c1f243d46ad3b1e2f1baf3281451fc14b

SHA256
ef4835db41a485b56c2ef0ff7094bc2350460573a686182bc45fd6613480e353

SHA512
d95924a499f32d9b4d9a7d298502181f9e9048c21dbe0496fa3c3279b263d6f7d594b859111a99b1a53bd248ee69b867d7b1768c42e1e40934e0b990f0ce051e

Download Submit
C:\Users\Admin\AppData\Local\Temp\~WRD0000.tmp

Filesize
50KB

MD5
05cce49740da0310ec9761c1cc1eb029

SHA1
fc6a6e3ce2f2feaa73c2a4939c6bbc004aa873a4

SHA256
b14246388da19ee53d28d92b118ae58a2cf3e1915d1eb738f204804786acce93

SHA512
d3c94c66db25a65fa770a10aba61721fe0acd61dfe8adc79491dcd2e6e520dfce0e7c54af81c01fac399ee5870d638884de06144ce1fa597a788c1a7ef123214

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
memory/2072-19-0x00007FFB7FCD0000-0x00007FFB7FEC5000-memory.dmp

Filesize
2.0MB

Download
memory/2072-33-0x0000025D91870000-0x0000025D92070000-memory.dmp

Filesize
8.0MB

Download
memory/2072-7-0x00007FFB7FCD0000-0x00007FFB7FEC5000-memory.dmp

Filesize
2.0MB

Download
memory/2072-2-0x00007FFB3FD50000-0x00007FFB3FD60000-memory.dmp

Filesize
64KB

Download
memory/2072-8-0x00007FFB7FCD0000-0x00007FFB7FEC5000-memory.dmp

Filesize
2.0MB

Download
memory/2072-9-0x00007FFB7FCD0000-0x00007FFB7FEC5000-memory.dmp

Filesize
2.0MB

Download
memory/2072-11-0x00007FFB7FCD0000-0x00007FFB7FEC5000-memory.dmp

Filesize
2.0MB

Download
memory/2072-10-0x00007FFB3D7A0000-0x00007FFB3D7B0000-memory.dmp

Filesize
64KB

Download
memory/2072-13-0x00007FFB3D7A0000-0x00007FFB3D7B0000-memory.dmp

Filesize
64KB

Download
memory/2072-14-0x00007FFB7FCD0000-0x00007FFB7FEC5000-memory.dmp

Filesize
2.0MB

Download
memory/2072-15-0x00007FFB7FCD0000-0x00007FFB7FEC5000-memory.dmp

Filesize
2.0MB

Download
memory/2072-12-0x00007FFB7FCD0000-0x00007FFB7FEC5000-memory.dmp

Filesize
2.0MB

Download
memory/2072-16-0x00007FFB7FCD0000-0x00007FFB7FEC5000-memory.dmp

Filesize
2.0MB

Download
memory/2072-17-0x00007FFB7FCD0000-0x00007FFB7FEC5000-memory.dmp

Filesize
2.0MB

Download
memory/2072-0-0x00007FFB3FD50000-0x00007FFB3FD60000-memory.dmp

Filesize
64KB

Download
memory/2072-20-0x00007FFB7FCD0000-0x00007FFB7FEC5000-memory.dmp

Filesize
2.0MB

Download
memory/2072-18-0x00007FFB7FCD0000-0x00007FFB7FEC5000-memory.dmp

Filesize
2.0MB

Download
memory/2072-5-0x00007FFB3FD50000-0x00007FFB3FD60000-memory.dmp

Filesize
64KB

Download
memory/2072-49-0x0000025D90470000-0x0000025D90870000-memory.dmp

Filesize
4.0MB

Download
memory/2072-6-0x00007FFB3FD50000-0x00007FFB3FD60000-memory.dmp

Filesize
64KB

Download
memory/2072-4-0x00007FFB7FCD0000-0x00007FFB7FEC5000-memory.dmp

Filesize
2.0MB

Download
memory/2072-3-0x00007FFB7FCD0000-0x00007FFB7FEC5000-memory.dmp

Filesize
2.0MB

Download
memory/2072-541-0x00007FFB7FCD0000-0x00007FFB7FEC5000-memory.dmp

Filesize
2.0MB

Download
memory/2072-542-0x0000025D91870000-0x0000025D92070000-memory.dmp

Filesize
8.0MB

Download
memory/2072-543-0x0000025D90470000-0x0000025D90870000-memory.dmp

Filesize
4.0MB

Download
memory/2072-550-0x0000025D91870000-0x0000025D92070000-memory.dmp

Filesize
8.0MB

Download
memory/2072-1-0x00007FFB3FD50000-0x00007FFB3FD60000-memory.dmp

Filesize
64KB

Download
memory/2072-563-0x0000025D9C530000-0x0000025D9D500000-memory.dmp

Filesize
15.8MB

Download
memory/2072-585-0x00007FFB3FD50000-0x00007FFB3FD60000-memory.dmp

Filesize
64KB

Download
memory/2072-586-0x00007FFB3FD50000-0x00007FFB3FD60000-memory.dmp

Filesize
64KB

Download
memory/2072-587-0x00007FFB3FD50000-0x00007FFB3FD60000-memory.dmp

Filesize
64KB

Download
memory/2072-588-0x00007FFB3FD50000-0x00007FFB3FD60000-memory.dmp

Filesize
64KB

Download
memory/2072-589-0x00007FFB7FCD0000-0x00007FFB7FEC5000-memory.dmp

Filesize
2.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads