47e30a79eab8af3746627f870e156848444dd04f322889de099d401548563999

General

Target

f5901d3610d861a2fe41128ca2c62a91_JaffaCakes118.doc
Size

124KB
MD5

f5901d3610d861a2fe41128ca2c62a91
SHA1

0dfaaed640165b02264690e2d765957f967a2e02
SHA256

47e30a79eab8af3746627f870e156848444dd04f322889de099d401548563999
SHA512

c89164ef0191473e9660761caa9c4d1a7422eca93fbf1ce7b7adee70776884af4f87bc45ab74d7c3ffecd9e98663df1e13bc4ebfd6b03db3f9203e24df436548
SSDEEP

768:LWqwElhrmZkjj75dRF2/vpgqVFa2Sl7dqNok7/k0DXUJiiJpiJruebrnPQ4ENSmB:twyj758Bp7xShdOtsefYM815

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
1952	WINWORD.EXE
1952	WINWORD.EXE

Suspicious use of SetWindowsHookEx 14 IoCs

pid	Process
1952	WINWORD.EXE
1952	WINWORD.EXE
1952	WINWORD.EXE
1952	WINWORD.EXE
1952	WINWORD.EXE
1952	WINWORD.EXE
1952	WINWORD.EXE
1952	WINWORD.EXE
1952	WINWORD.EXE
1952	WINWORD.EXE
1952	WINWORD.EXE
1952	WINWORD.EXE
1952	WINWORD.EXE
1952	WINWORD.EXE

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\f5901d3610d861a2fe41128ca2c62a91_JaffaCakes118.doc" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1952

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\TCD14D5.tmp\sist02.xsl

Filesize
245KB

MD5
f883b260a8d67082ea895c14bf56dd56

SHA1
7954565c1f243d46ad3b1e2f1baf3281451fc14b

SHA256
ef4835db41a485b56c2ef0ff7094bc2350460573a686182bc45fd6613480e353

SHA512
d95924a499f32d9b4d9a7d298502181f9e9048c21dbe0496fa3c3279b263d6f7d594b859111a99b1a53bd248ee69b867d7b1768c42e1e40934e0b990f0ce051e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\~WRD0000.tmp

Filesize
24KB

MD5
a04fdb78fe50e3eb6f7577f166fb5ff9

SHA1
c1056a498cf809f97bb960ce7f0510e6dbd7e244

SHA256
311a20c65a6915df5e5e0cc1a0c5f361177431579c27383724fab993225f3ae3

SHA512
98c3437d9508ed90ec3866ac883e60cea5298fb576f6f6476a969cdba93027ed7a50c50920043dd73d4f262cbcc80b84028b24e6f3e5b42ad4888aea76c80236

Download Submit
C:\VB5732.tmp

Filesize
2KB

MD5
a7f780d80ae6b71dc0e4241742dc2cb8

SHA1
76a0b930bbc4c0f946c9f6f6f278d23221f4983b

SHA256
25fcdcdfd54a6c19b6617b155500024f3013ae66a93febae493272f3180d9d72

SHA512
1e551bae081aafe4519857730cda5ba642845ebbac25535fb7a6c298e59aaabd35eaf31cd742e1ee4529ce0ce48374ff41ec35b6df7ac1c0e2fcc7a06cf8528a

Download Submit
C:\temp.tmp

Filesize
225B

MD5
519755378e58a854e2bd4652f7195193

SHA1
eca94844a06772a58cafa8bb4fccb054cdb450c0

SHA256
b5aa96f3f7930aced20f57e7f4fe5957e37be0f504fb2f49606f80b19e79bf20

SHA512
b1e3a0dc5562e558bb8542c4f9288ce4493ddc9c5c533fff9a07e008a6acef0fbacfc03d867d5ff54fb602e9f3148fa073bb93a1ca386ea42f88b063f0726d52

Download Submit
C:\temp.tmp

Filesize
2KB

MD5
7b1e544e69978376087e010b7e9ebf99

SHA1
ca11610b5f80486b5ed8649b0f1d9b86929bdf15

SHA256
5f7de7b4b751dc251eb2af7ee4e00c309d9c0f189904a9fbad1b9390109b2720

SHA512
00ef086715a203eda7eed4271b40cd12e6a5203299a4d0b996bcb5c48ad010666fc2f9c417e5dbf3a18d0634f323e3ea7614541da280419f21aa73b92ba3fcb6

Download Submit
memory/1952-9-0x00007FFAD3CF0000-0x00007FFAD3EE5000-memory.dmp

Filesize
2.0MB

Download
memory/1952-24-0x00007FFAD3CF0000-0x00007FFAD3EE5000-memory.dmp

Filesize
2.0MB

Download
memory/1952-7-0x00007FFAD3CF0000-0x00007FFAD3EE5000-memory.dmp

Filesize
2.0MB

Download
memory/1952-8-0x00007FFAD3CF0000-0x00007FFAD3EE5000-memory.dmp

Filesize
2.0MB

Download
memory/1952-1-0x00007FFA93D70000-0x00007FFA93D80000-memory.dmp

Filesize
64KB

Download
memory/1952-10-0x00007FFA919B0000-0x00007FFA919C0000-memory.dmp

Filesize
64KB

Download
memory/1952-11-0x00007FFAD3CF0000-0x00007FFAD3EE5000-memory.dmp

Filesize
2.0MB

Download
memory/1952-12-0x00007FFAD3CF0000-0x00007FFAD3EE5000-memory.dmp

Filesize
2.0MB

Download
memory/1952-13-0x00007FFAD3CF0000-0x00007FFAD3EE5000-memory.dmp

Filesize
2.0MB

Download
memory/1952-14-0x00007FFA919B0000-0x00007FFA919C0000-memory.dmp

Filesize
64KB

Download
memory/1952-15-0x00007FFAD3CF0000-0x00007FFAD3EE5000-memory.dmp

Filesize
2.0MB

Download
memory/1952-16-0x00007FFAD3CF0000-0x00007FFAD3EE5000-memory.dmp

Filesize
2.0MB

Download
memory/1952-17-0x00007FFAD3CF0000-0x00007FFAD3EE5000-memory.dmp

Filesize
2.0MB

Download
memory/1952-18-0x00007FFAD3CF0000-0x00007FFAD3EE5000-memory.dmp

Filesize
2.0MB

Download
memory/1952-19-0x00007FFAD3CF0000-0x00007FFAD3EE5000-memory.dmp

Filesize
2.0MB

Download
memory/1952-20-0x00007FFAD3CF0000-0x00007FFAD3EE5000-memory.dmp

Filesize
2.0MB

Download
memory/1952-22-0x00007FFAD3CF0000-0x00007FFAD3EE5000-memory.dmp

Filesize
2.0MB

Download
memory/1952-6-0x00007FFAD3CF0000-0x00007FFAD3EE5000-memory.dmp

Filesize
2.0MB

Download
memory/1952-25-0x00007FFAD3CF0000-0x00007FFAD3EE5000-memory.dmp

Filesize
2.0MB

Download
memory/1952-41-0x00000231C20F0000-0x00000231C30C0000-memory.dmp

Filesize
15.8MB

Download
memory/1952-5-0x00007FFAD3CF0000-0x00007FFAD3EE5000-memory.dmp

Filesize
2.0MB

Download
memory/1952-0-0x00007FFA93D70000-0x00007FFA93D80000-memory.dmp

Filesize
64KB

Download
memory/1952-3-0x00007FFA93D70000-0x00007FFA93D80000-memory.dmp

Filesize
64KB

Download
memory/1952-4-0x00007FFA93D70000-0x00007FFA93D80000-memory.dmp

Filesize
64KB

Download
memory/1952-579-0x00007FFAD3CF0000-0x00007FFAD3EE5000-memory.dmp

Filesize
2.0MB

Download
memory/1952-580-0x00000231C20F0000-0x00000231C30C0000-memory.dmp

Filesize
15.8MB

Download
memory/1952-2-0x00007FFA93D70000-0x00007FFA93D80000-memory.dmp

Filesize
64KB

Download
memory/1952-653-0x00000231CACA0000-0x00000231CBC70000-memory.dmp

Filesize
15.8MB

Download
memory/1952-736-0x00007FFA93D70000-0x00007FFA93D80000-memory.dmp

Filesize
64KB

Download
memory/1952-737-0x00007FFA93D70000-0x00007FFA93D80000-memory.dmp

Filesize
64KB

Download
memory/1952-738-0x00007FFA93D70000-0x00007FFA93D80000-memory.dmp

Filesize
64KB

Download
memory/1952-739-0x00007FFA93D70000-0x00007FFA93D80000-memory.dmp

Filesize
64KB

Download
memory/1952-740-0x00007FFAD3CF0000-0x00007FFAD3EE5000-memory.dmp

Filesize
2.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads