a4fe35c4679468bef0e318c98fe528f008e90829161144926c6bc6af40b357b2

General

Target

0a22016e26a3e9175ae5fb31a50fd993_JaffaCakes118.exe
Size

486KB
MD5

0a22016e26a3e9175ae5fb31a50fd993
SHA1

0105e1c499f06cf96e06b445a197b1e0b59b94f3
SHA256

a4fe35c4679468bef0e318c98fe528f008e90829161144926c6bc6af40b357b2
SHA512

205ad4bf44353ef5eaa704b011baa862499ca826933359cc793bf4bdeb4974d1992c9386d83ba879cffdbcb0dfd8eae6320518ef15272dbef6b101a6e8b13aa7
SSDEEP

12288:frF2600C97Ap55ucNdszxTYZRMX00JeUg:fro6s9u5IcNdM5vMB

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2344	8B2F.tmp

Loads dropped DLL 1 IoCs

pid	Process
2192	0a22016e26a3e9175ae5fb31a50fd993_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 9 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2744	WINWORD.EXE

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2344	8B2F.tmp

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2744	WINWORD.EXE
2744	WINWORD.EXE
2744	WINWORD.EXE
2744	WINWORD.EXE
2744	WINWORD.EXE
2744	WINWORD.EXE

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2192 wrote to memory of 2344	2192	0a22016e26a3e9175ae5fb31a50fd993_JaffaCakes118.exe	28
PID 2192 wrote to memory of 2344	2192	0a22016e26a3e9175ae5fb31a50fd993_JaffaCakes118.exe	28
PID 2192 wrote to memory of 2344	2192	0a22016e26a3e9175ae5fb31a50fd993_JaffaCakes118.exe	28
PID 2192 wrote to memory of 2344	2192	0a22016e26a3e9175ae5fb31a50fd993_JaffaCakes118.exe	28
PID 2344 wrote to memory of 2744	2344	8B2F.tmp	29
PID 2344 wrote to memory of 2744	2344	8B2F.tmp	29
PID 2344 wrote to memory of 2744	2344	8B2F.tmp	29
PID 2344 wrote to memory of 2744	2344	8B2F.tmp	29

C:\Users\Admin\AppData\Local\Temp\0a22016e26a3e9175ae5fb31a50fd993_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0a22016e26a3e9175ae5fb31a50fd993_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2192
- C:\Users\Admin\AppData\Local\Temp\8B2F.tmp
  "C:\Users\Admin\AppData\Local\Temp\8B2F.tmp" --helpC:\Users\Admin\AppData\Local\Temp\0a22016e26a3e9175ae5fb31a50fd993_JaffaCakes118.exe 98ED113BB0A8C0CB8C9887A81228611C08B1E89219A2D32E5E4582BDA2DD6D7B8A9E491B3B4FA292F76CF5EF5E1CC8AA55046986FBB778A29677EA60FF39AC0A
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: RenamesItself
  - Suspicious use of WriteProcessMemory
  PID:2344
- - C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\0a22016e26a3e9175ae5fb31a50fd993_JaffaCakes118.docx"
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
    PID:2744

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\0a22016e26a3e9175ae5fb31a50fd993_JaffaCakes118.docx

Filesize
140KB

MD5
e90e498009a13ae957dcde4e01065e7d

SHA1
dcb4cc9b7d1ed3becc625597422d60aaf068a759

SHA256
ca91bbd477e2a516997c48dde3da1a5eae4cad86ca664fea54f0103739073c94

SHA512
4d0868f653e6c57d4011430ab81688f4f039550a9a0b5b1ce5ab1a695cb1dca7d7cdfb1d7c3920c35bbd3a8b441c820f00ae4e71f749650545ddd6894d597766

Download Submit
\Users\Admin\AppData\Local\Temp\8B2F.tmp

Filesize
486KB

MD5
cab7aecb6d462807b695037fbf04ec9d

SHA1
f7fdc0b3b5bcb19a29b0372f63b9190abfd016f1

SHA256
8220e59cd121dd3217c8763672f7b677bc618a1f46e0e877e53d6307058ffb7c

SHA512
3a0c1338ab0f0357e6c0d0e05610d3f9f7d73904c814279100762f5a8df01c9f80e7eb48457cda97eab5b0d9fb5efc1cc847014321d976ec283633668e106ff6

Download Submit
memory/2744-7-0x000000002F171000-0x000000002F172000-memory.dmp

Filesize
4KB

Download
memory/2744-8-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2744-9-0x0000000070CBD000-0x0000000070CC8000-memory.dmp

Filesize
44KB

Download
memory/2744-13-0x0000000070CBD000-0x0000000070CC8000-memory.dmp

Filesize
44KB

Download

Analysis

Sharing