7f339a6a379776457f21cffe38366854d5a3b26eb3cf4821afec7340d89b7d1a

General

Target

90405d5d27fc68d66732d687a254cd71_JaffaCakes118.doc
Size

98KB
MD5

90405d5d27fc68d66732d687a254cd71
SHA1

7bdb2ead6d781f691207a7c4d0a75d6e9e5d592f
SHA256

7f339a6a379776457f21cffe38366854d5a3b26eb3cf4821afec7340d89b7d1a
SHA512

1d3196cbc65373d94af79354e46a41127a95033db1cb0912cab88fed49b675a20e20ceefab93182041274ff05f65f3cb0a81c59504a27b556924e6d3ddd35ac7
SSDEEP

768:VVucRFoqkp59YBvLdTv9ReVi4eFov5UHRFBIeBepWL+1o9t:Vocn1kp59gxBK85fBIecYL+a9t

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
4568	WINWORD.EXE
4568	WINWORD.EXE

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
4568	WINWORD.EXE
4568	WINWORD.EXE
4568	WINWORD.EXE
4568	WINWORD.EXE
4568	WINWORD.EXE
4568	WINWORD.EXE
4568	WINWORD.EXE

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 4568 wrote to memory of 808	4568	WINWORD.EXE	87
PID 4568 wrote to memory of 808	4568	WINWORD.EXE	87

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\90405d5d27fc68d66732d687a254cd71_JaffaCakes118.doc" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4568
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:808

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\CA03953B.wmf

Filesize
494B

MD5
4023d990b472c77c6e543a3e62713abb

SHA1
5213777b7f0187ab90dd7ed050444ee5359b7540

SHA256
70168b52cda0361c65d5aeccf6a453cd25bf422a6911568f80bd3049db849143

SHA512
b038c0b9cb01fc3a9a3af7cc1c0d898ab03af436e70137f79d1333ea8320a829f402a483a8a8488430a096846e5c3b5eab9f91c40f97316772565697b748fe59

Download Submit
C:\Users\Admin\AppData\Local\Temp\TCD9354.tmp\sist02.xsl

Filesize
245KB

MD5
f883b260a8d67082ea895c14bf56dd56

SHA1
7954565c1f243d46ad3b1e2f1baf3281451fc14b

SHA256
ef4835db41a485b56c2ef0ff7094bc2350460573a686182bc45fd6613480e353

SHA512
d95924a499f32d9b4d9a7d298502181f9e9048c21dbe0496fa3c3279b263d6f7d594b859111a99b1a53bd248ee69b867d7b1768c42e1e40934e0b990f0ce051e

Download Submit
memory/4568-8-0x00007FFF17810000-0x00007FFF17A05000-memory.dmp

Filesize
2.0MB

Download
memory/4568-21-0x00007FFF17810000-0x00007FFF17A05000-memory.dmp

Filesize
2.0MB

Download
memory/4568-5-0x00007FFF17810000-0x00007FFF17A05000-memory.dmp

Filesize
2.0MB

Download
memory/4568-4-0x00007FFED7890000-0x00007FFED78A0000-memory.dmp

Filesize
64KB

Download
memory/4568-7-0x00007FFF17810000-0x00007FFF17A05000-memory.dmp

Filesize
2.0MB

Download
memory/4568-6-0x00007FFED7890000-0x00007FFED78A0000-memory.dmp

Filesize
64KB

Download
memory/4568-0-0x00007FFED7890000-0x00007FFED78A0000-memory.dmp

Filesize
64KB

Download
memory/4568-10-0x00007FFF17810000-0x00007FFF17A05000-memory.dmp

Filesize
2.0MB

Download
memory/4568-11-0x00007FFF17810000-0x00007FFF17A05000-memory.dmp

Filesize
2.0MB

Download
memory/4568-12-0x00007FFED5570000-0x00007FFED5580000-memory.dmp

Filesize
64KB

Download
memory/4568-9-0x00007FFF17810000-0x00007FFF17A05000-memory.dmp

Filesize
2.0MB

Download
memory/4568-13-0x00007FFF17810000-0x00007FFF17A05000-memory.dmp

Filesize
2.0MB

Download
memory/4568-14-0x00007FFF17810000-0x00007FFF17A05000-memory.dmp

Filesize
2.0MB

Download
memory/4568-18-0x00007FFF17810000-0x00007FFF17A05000-memory.dmp

Filesize
2.0MB

Download
memory/4568-1-0x00007FFED7890000-0x00007FFED78A0000-memory.dmp

Filesize
64KB

Download
memory/4568-17-0x00007FFF17810000-0x00007FFF17A05000-memory.dmp

Filesize
2.0MB

Download
memory/4568-2-0x00007FFED7890000-0x00007FFED78A0000-memory.dmp

Filesize
64KB

Download
memory/4568-15-0x00007FFF17810000-0x00007FFF17A05000-memory.dmp

Filesize
2.0MB

Download
memory/4568-23-0x00007FFF17810000-0x00007FFF17A05000-memory.dmp

Filesize
2.0MB

Download
memory/4568-22-0x00007FFF17810000-0x00007FFF17A05000-memory.dmp

Filesize
2.0MB

Download
memory/4568-19-0x00007FFED5570000-0x00007FFED5580000-memory.dmp

Filesize
64KB

Download
memory/4568-20-0x00007FFF17810000-0x00007FFF17A05000-memory.dmp

Filesize
2.0MB

Download
memory/4568-16-0x00007FFF17810000-0x00007FFF17A05000-memory.dmp

Filesize
2.0MB

Download
memory/4568-3-0x00007FFF178AD000-0x00007FFF178AE000-memory.dmp

Filesize
4KB

Download
memory/4568-534-0x00007FFF17810000-0x00007FFF17A05000-memory.dmp

Filesize
2.0MB

Download
memory/4568-559-0x00007FFED7890000-0x00007FFED78A0000-memory.dmp

Filesize
64KB

Download
memory/4568-561-0x00007FFED7890000-0x00007FFED78A0000-memory.dmp

Filesize
64KB

Download
memory/4568-562-0x00007FFED7890000-0x00007FFED78A0000-memory.dmp

Filesize
64KB

Download
memory/4568-560-0x00007FFED7890000-0x00007FFED78A0000-memory.dmp

Filesize
64KB

Download
memory/4568-563-0x00007FFF17810000-0x00007FFF17A05000-memory.dmp

Filesize
2.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads