6f71e7fb265201ec40a614d5739285bf90347be9acb8eb73102a0cd0e0924c3d

General

Target

68b7e1b88443f19d5f4c81c3a046f364_JaffaCakes118.rtf
Size

430KB
MD5

68b7e1b88443f19d5f4c81c3a046f364
SHA1

9c7b786ca2b65dca55be9d38118673980885e595
SHA256

6f71e7fb265201ec40a614d5739285bf90347be9acb8eb73102a0cd0e0924c3d
SHA512

89a5cc2564f8ed6194cdb4ebd99a56882933bb1e2da845b9e973c29d7bb1e9d978b8778df89731d0a2fc80ba157d754ff6e70323f51a398f3ad9d284f412aadf
SSDEEP

6144:Wl3ld+Wzl3ld+Wul3ld+Wsl3ld+WAl3ld+WW1:WplTzplTuplTsplTAplTw

Score

10^/10

Malware Config

Signatures

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

taskmgr.exe

description	pid	pid_target	process	target process
Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process	4992	2368	taskmgr.exe	WINWORD.EXE

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

taskmgr.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXEEXCEL.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXEEXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

WINWORD.EXE

pid process

2368 WINWORD.EXE
2368 WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 54 IoCs

Processes:

taskmgr.exe

pid	process
4992	taskmgr.exe
4992	taskmgr.exe
4992	taskmgr.exe
4992	taskmgr.exe
4992	taskmgr.exe
4992	taskmgr.exe
4992	taskmgr.exe
4992	taskmgr.exe
4992	taskmgr.exe
4992	taskmgr.exe
4992	taskmgr.exe
4992	taskmgr.exe
4992	taskmgr.exe
4992	taskmgr.exe
4992	taskmgr.exe
4992	taskmgr.exe
4992	taskmgr.exe
4992	taskmgr.exe
4992	taskmgr.exe
4992	taskmgr.exe
4992	taskmgr.exe
4992	taskmgr.exe
4992	taskmgr.exe
4992	taskmgr.exe
4992	taskmgr.exe
4992	taskmgr.exe
4992	taskmgr.exe
4992	taskmgr.exe
4992	taskmgr.exe
4992	taskmgr.exe
4992	taskmgr.exe
4992	taskmgr.exe
4992	taskmgr.exe
4992	taskmgr.exe
4992	taskmgr.exe
4992	taskmgr.exe
4992	taskmgr.exe
4992	taskmgr.exe
4992	taskmgr.exe
4992	taskmgr.exe
4992	taskmgr.exe
4992	taskmgr.exe
4992	taskmgr.exe
4992	taskmgr.exe
4992	taskmgr.exe
4992	taskmgr.exe
4992	taskmgr.exe
4992	taskmgr.exe
4992	taskmgr.exe
4992	taskmgr.exe
4992	taskmgr.exe
4992	taskmgr.exe
4992	taskmgr.exe
4992	taskmgr.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

taskmgr.exe

description	pid	process
Token: SeDebugPrivilege	4992	taskmgr.exe
Token: SeSystemProfilePrivilege	4992	taskmgr.exe
Token: SeCreateGlobalPrivilege	4992	taskmgr.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

taskmgr.exe

pid	process
4992	taskmgr.exe
4992	taskmgr.exe
4992	taskmgr.exe
4992	taskmgr.exe
4992	taskmgr.exe
4992	taskmgr.exe
4992	taskmgr.exe
4992	taskmgr.exe
4992	taskmgr.exe
4992	taskmgr.exe
4992	taskmgr.exe
4992	taskmgr.exe
4992	taskmgr.exe
4992	taskmgr.exe
4992	taskmgr.exe
4992	taskmgr.exe
4992	taskmgr.exe
4992	taskmgr.exe
4992	taskmgr.exe
4992	taskmgr.exe
4992	taskmgr.exe
4992	taskmgr.exe
4992	taskmgr.exe
4992	taskmgr.exe
4992	taskmgr.exe
4992	taskmgr.exe
4992	taskmgr.exe
4992	taskmgr.exe
4992	taskmgr.exe
4992	taskmgr.exe
4992	taskmgr.exe
4992	taskmgr.exe
4992	taskmgr.exe
4992	taskmgr.exe
4992	taskmgr.exe
4992	taskmgr.exe
4992	taskmgr.exe
4992	taskmgr.exe
4992	taskmgr.exe
4992	taskmgr.exe
4992	taskmgr.exe
4992	taskmgr.exe
4992	taskmgr.exe
4992	taskmgr.exe
4992	taskmgr.exe
4992	taskmgr.exe
4992	taskmgr.exe
4992	taskmgr.exe
4992	taskmgr.exe
4992	taskmgr.exe
4992	taskmgr.exe
4992	taskmgr.exe
4992	taskmgr.exe
4992	taskmgr.exe
4992	taskmgr.exe
4992	taskmgr.exe
4992	taskmgr.exe
4992	taskmgr.exe
4992	taskmgr.exe
4992	taskmgr.exe
4992	taskmgr.exe
4992	taskmgr.exe
4992	taskmgr.exe
4992	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

taskmgr.exe

pid	process
4992	taskmgr.exe
4992	taskmgr.exe
4992	taskmgr.exe
4992	taskmgr.exe
4992	taskmgr.exe
4992	taskmgr.exe
4992	taskmgr.exe
4992	taskmgr.exe
4992	taskmgr.exe
4992	taskmgr.exe
4992	taskmgr.exe
4992	taskmgr.exe
4992	taskmgr.exe
4992	taskmgr.exe
4992	taskmgr.exe
4992	taskmgr.exe
4992	taskmgr.exe
4992	taskmgr.exe
4992	taskmgr.exe
4992	taskmgr.exe
4992	taskmgr.exe
4992	taskmgr.exe
4992	taskmgr.exe
4992	taskmgr.exe
4992	taskmgr.exe
4992	taskmgr.exe
4992	taskmgr.exe
4992	taskmgr.exe
4992	taskmgr.exe
4992	taskmgr.exe
4992	taskmgr.exe
4992	taskmgr.exe
4992	taskmgr.exe
4992	taskmgr.exe
4992	taskmgr.exe
4992	taskmgr.exe
4992	taskmgr.exe
4992	taskmgr.exe
4992	taskmgr.exe
4992	taskmgr.exe
4992	taskmgr.exe
4992	taskmgr.exe
4992	taskmgr.exe
4992	taskmgr.exe
4992	taskmgr.exe
4992	taskmgr.exe
4992	taskmgr.exe
4992	taskmgr.exe
4992	taskmgr.exe
4992	taskmgr.exe
4992	taskmgr.exe
4992	taskmgr.exe
4992	taskmgr.exe
4992	taskmgr.exe
4992	taskmgr.exe
4992	taskmgr.exe
4992	taskmgr.exe
4992	taskmgr.exe
4992	taskmgr.exe
4992	taskmgr.exe
4992	taskmgr.exe
4992	taskmgr.exe
4992	taskmgr.exe
4992	taskmgr.exe

Suspicious use of SetWindowsHookEx 10 IoCs

Processes:

WINWORD.EXEEXCEL.EXE

pid	process
2368	WINWORD.EXE
2368	WINWORD.EXE
2368	WINWORD.EXE
2052	EXCEL.EXE
2052	EXCEL.EXE
2052	EXCEL.EXE
2052	EXCEL.EXE
2368	WINWORD.EXE
2368	WINWORD.EXE
2368	WINWORD.EXE

Suspicious use of WriteProcessMemory 2 IoCs

Processes:

WINWORD.EXE

description	pid	process	target process
PID 2368 wrote to memory of 4992	2368	WINWORD.EXE	taskmgr.exe
PID 2368 wrote to memory of 4992	2368	WINWORD.EXE	taskmgr.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\68b7e1b88443f19d5f4c81c3a046f364_JaffaCakes118.rtf" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2368
- C:\Windows\system32\taskmgr.exe
  "C:\Windows\system32\taskmgr.exe"
  2⤵
  - Process spawned unexpected child process
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:4992

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of SetWindowsHookEx
PID:2052

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

3

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04

Filesize
471B

MD5
a1ea63317f798b4a8794feed068eb885

SHA1
89145042b32e863139c8d3b67763d1aaeb84628f

SHA256
4cb414ada8d6af38feb16ac9db9da6a1480992aa217560134e02a72fb53a5b0f

SHA512
bf7b88fc2c725e62dfa3ee08ff5d246f17fb4397bd745a99546b8083586a8aea334a431275de65c454b8c46b6ab90b9e0053d30b616cba28ccf7593697ff21dd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04

Filesize
412B

MD5
2e0cb7797defc7209b77ca129f89ffe2

SHA1
4bea757f85dab1f5679b9583abc3dd05c5ae3387

SHA256
844eadd8d63faaefef8f189674b9fdca3804cb12f702d162e830149af796bbda

SHA512
8c60e4a2e924fec977c62be7b0fd03691f2664019a729fad7d5d7e400e3bd9f1aadefa983333980ce5e3864df92f963b85f187da038a6273125913493033eeff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\80134B7A-9A73-4F05-8A77-BD5720939E32

Filesize
161KB

MD5
e347426bd5884efb86e3ff914bae860c

SHA1
7db46e27bbf17fa6fc54536f88aaa9afd37bfc7b

SHA256
b2ed279fe32009aecca1825a2e657d4954fcfd4bdba525c1c55cfa211483b4d1

SHA512
f1d9d6d8bda55b9f4b689b9b4b037a867755c8ac8ec17c3a2544db8f36827c36499f8e1af2478ec3aec5357ce1c3adc8ad2fdfc90617ef3b75d73f4ba9b67119

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres

Filesize
2KB

MD5
c5fd7e88b6751883eed0163d9805deae

SHA1
0ee6432f2a51ca651c83786c553a491314a3b33d

SHA256
fe3ac694001f1158eb7b0dc70f50bb4512ba0e034ecb786dad2d6baae9391844

SHA512
a85fb024e752ed34bd05488cdfd557d7aefaae05ca3ebeea71dc7544b9c4a2a946ec6c9487d70ce44db8d6adaa004bb9f1adad8f141a1714bc340a6c2ff4ebe6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\49dbe2955480c7f6ef8cec9c4320c9868d9293fd.tbres

Filesize
2KB

MD5
1676fd0b9ee6278638f3e57328ea19f0

SHA1
c1617e7fe791ae5428f4270ace77c5aba9edaf05

SHA256
57dcb323acf6dbc7ad9773b3c7de6a9310c6cfafdbb4dbfca5aecf1a6a22c015

SHA512
c4ff271d737ac1ccbf840450b5523dbcd762749e23eeb635f4a0f402d2a4d03a15871112d2a7b13769a2c4e9c1b8710740782e5106348723ad46f2bc107e8fbe

Download Submit
memory/2052-75-0x00007FFFD8050000-0x00007FFFD8245000-memory.dmp

Filesize
2.0MB

Download
memory/2052-24-0x00007FFFD8050000-0x00007FFFD8245000-memory.dmp

Filesize
2.0MB

Download
memory/2052-28-0x00007FFFD8050000-0x00007FFFD8245000-memory.dmp

Filesize
2.0MB

Download
memory/2052-29-0x00007FFFD8050000-0x00007FFFD8245000-memory.dmp

Filesize
2.0MB

Download
memory/2052-27-0x00007FFFD8050000-0x00007FFFD8245000-memory.dmp

Filesize
2.0MB

Download
memory/2052-25-0x00007FFFD8050000-0x00007FFFD8245000-memory.dmp

Filesize
2.0MB

Download
memory/2368-4-0x00007FFF980D0000-0x00007FFF980E0000-memory.dmp

Filesize
64KB

Download
memory/2368-2-0x00007FFF980D0000-0x00007FFF980E0000-memory.dmp

Filesize
64KB

Download
memory/2368-8-0x00007FFFD8050000-0x00007FFFD8245000-memory.dmp

Filesize
2.0MB

Download
memory/2368-14-0x00007FFF95770000-0x00007FFF95780000-memory.dmp

Filesize
64KB

Download
memory/2368-9-0x00007FFFD8050000-0x00007FFFD8245000-memory.dmp

Filesize
2.0MB

Download
memory/2368-11-0x00007FFFD8050000-0x00007FFFD8245000-memory.dmp

Filesize
2.0MB

Download
memory/2368-12-0x00007FFFD8050000-0x00007FFFD8245000-memory.dmp

Filesize
2.0MB

Download
memory/2368-10-0x00007FFFD8050000-0x00007FFFD8245000-memory.dmp

Filesize
2.0MB

Download
memory/2368-7-0x00007FFFD8050000-0x00007FFFD8245000-memory.dmp

Filesize
2.0MB

Download
memory/2368-5-0x00007FFFD80ED000-0x00007FFFD80EE000-memory.dmp

Filesize
4KB

Download
memory/2368-3-0x00007FFF980D0000-0x00007FFF980E0000-memory.dmp

Filesize
64KB

Download
memory/2368-6-0x00007FFFD8050000-0x00007FFFD8245000-memory.dmp

Filesize
2.0MB

Download
memory/2368-1-0x00007FFF980D0000-0x00007FFF980E0000-memory.dmp

Filesize
64KB

Download
memory/2368-13-0x00007FFF95770000-0x00007FFF95780000-memory.dmp

Filesize
64KB

Download
memory/2368-73-0x00007FFFD8050000-0x00007FFFD8245000-memory.dmp

Filesize
2.0MB

Download
memory/2368-74-0x00007FFFD8050000-0x00007FFFD8245000-memory.dmp

Filesize
2.0MB

Download
memory/2368-0-0x00007FFF980D0000-0x00007FFF980E0000-memory.dmp

Filesize
64KB

Download
memory/4992-82-0x0000012870380000-0x0000012870381000-memory.dmp

Filesize
4KB

Download
memory/4992-83-0x0000012870380000-0x0000012870381000-memory.dmp

Filesize
4KB

Download
memory/4992-84-0x0000012870380000-0x0000012870381000-memory.dmp

Filesize
4KB

Download
memory/4992-88-0x0000012870380000-0x0000012870381000-memory.dmp

Filesize
4KB

Download
memory/4992-89-0x0000012870380000-0x0000012870381000-memory.dmp

Filesize
4KB

Download
memory/4992-90-0x0000012870380000-0x0000012870381000-memory.dmp

Filesize
4KB

Download
memory/4992-94-0x0000012870380000-0x0000012870381000-memory.dmp

Filesize
4KB

Download
memory/4992-93-0x0000012870380000-0x0000012870381000-memory.dmp

Filesize
4KB

Download
memory/4992-92-0x0000012870380000-0x0000012870381000-memory.dmp

Filesize
4KB

Download
memory/4992-91-0x0000012870380000-0x0000012870381000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads