38cc5994cb75abd23266c12a968c182da34342a66c6dc660b0068cb4b7aa806a

General

Target

a3d0110724e2a03abc79aa64b0b48e1d_JaffaCakes118.rtf
Size

691KB
MD5

a3d0110724e2a03abc79aa64b0b48e1d
SHA1

a62e44d78c93d8a43e6ef9482f9da5ad852c7aa7
SHA256

38cc5994cb75abd23266c12a968c182da34342a66c6dc660b0068cb4b7aa806a
SHA512

14b18e967a2ea40d1b1978b90d482a33d886f756109a85e5bbf21982d043adec4d04db0f3fe95c1a8b78e911a22b327cf2a6a802df79c3f2c4f60957697e6d95
SSDEEP

12288:eQ5e6wJKHHFD0sxCdBkoVzzP3/138GmQNlLAUjDwE1sNEze6wbl:eAe6wJKnFD0coVzzPx8AL1vwE6NEze6o

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

NTFS ADS 5 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Local\Temp\{7F3E94DF-5A10-49B3-BEA8-7B0CFD713C09}\exe.exe:Zone.Identifier	WINWORD.EXE
File opened for modification	C:\Users\Admin\AppData\Local\Temp\{7F3E94DF-5A10-49B3-BEA8-7B0CFD713C09}\2nd.bat:Zone.Identifier	WINWORD.EXE
File opened for modification	C:\Users\Admin\AppData\Local\Temp\{7F3E94DF-5A10-49B3-BEA8-7B0CFD713C09}\inteldriverupd1.sct:Zone.Identifier	WINWORD.EXE
File opened for modification	C:\Users\Admin\AppData\Local\Temp\{7F3E94DF-5A10-49B3-BEA8-7B0CFD713C09}\decoy.doc:Zone.Identifier	WINWORD.EXE
File opened for modification	C:\Users\Admin\AppData\Local\Temp\{7F3E94DF-5A10-49B3-BEA8-7B0CFD713C09}\task.bat:Zone.Identifier	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
4904	WINWORD.EXE
4904	WINWORD.EXE

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
4904	WINWORD.EXE
4904	WINWORD.EXE
4904	WINWORD.EXE
4904	WINWORD.EXE
4904	WINWORD.EXE
4904	WINWORD.EXE
4904	WINWORD.EXE

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\a3d0110724e2a03abc79aa64b0b48e1d_JaffaCakes118.rtf" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:4904

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\{7F3E94DF-5A10-49B3-BEA8-7B0CFD713C09}\inteldriverupd1.sct:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
memory/4904-12-0x00007FF9F5440000-0x00007FF9F5450000-memory.dmp

Filesize
64KB

Download
memory/4904-6-0x00007FF9F7910000-0x00007FF9F7920000-memory.dmp

Filesize
64KB

Download
memory/4904-15-0x00007FFA37890000-0x00007FFA37A85000-memory.dmp

Filesize
2.0MB

Download
memory/4904-18-0x00007FFA37890000-0x00007FFA37A85000-memory.dmp

Filesize
2.0MB

Download
memory/4904-8-0x00007FFA37890000-0x00007FFA37A85000-memory.dmp

Filesize
2.0MB

Download
memory/4904-7-0x00007FFA37890000-0x00007FFA37A85000-memory.dmp

Filesize
2.0MB

Download
memory/4904-2-0x00007FF9F7910000-0x00007FF9F7920000-memory.dmp

Filesize
64KB

Download
memory/4904-1-0x00007FF9F7910000-0x00007FF9F7920000-memory.dmp

Filesize
64KB

Download
memory/4904-11-0x00007FFA37890000-0x00007FFA37A85000-memory.dmp

Filesize
2.0MB

Download
memory/4904-10-0x00007FFA37890000-0x00007FFA37A85000-memory.dmp

Filesize
2.0MB

Download
memory/4904-0-0x00007FF9F7910000-0x00007FF9F7920000-memory.dmp

Filesize
64KB

Download
memory/4904-4-0x00007FFA3792D000-0x00007FFA3792E000-memory.dmp

Filesize
4KB

Download
memory/4904-70-0x00007FFA37890000-0x00007FFA37A85000-memory.dmp

Filesize
2.0MB

Download
memory/4904-5-0x00007FFA37890000-0x00007FFA37A85000-memory.dmp

Filesize
2.0MB

Download
memory/4904-9-0x00007FFA37890000-0x00007FFA37A85000-memory.dmp

Filesize
2.0MB

Download
memory/4904-19-0x00007FFA37890000-0x00007FFA37A85000-memory.dmp

Filesize
2.0MB

Download
memory/4904-17-0x00007FFA37890000-0x00007FFA37A85000-memory.dmp

Filesize
2.0MB

Download
memory/4904-16-0x00007FFA37890000-0x00007FFA37A85000-memory.dmp

Filesize
2.0MB

Download
memory/4904-13-0x00007FF9F5440000-0x00007FF9F5450000-memory.dmp

Filesize
64KB

Download
memory/4904-3-0x00007FF9F7910000-0x00007FF9F7920000-memory.dmp

Filesize
64KB

Download
memory/4904-39-0x00007FFA37890000-0x00007FFA37A85000-memory.dmp

Filesize
2.0MB

Download
memory/4904-67-0x00007FF9F7910000-0x00007FF9F7920000-memory.dmp

Filesize
64KB

Download
memory/4904-66-0x00007FF9F7910000-0x00007FF9F7920000-memory.dmp

Filesize
64KB

Download
memory/4904-68-0x00007FF9F7910000-0x00007FF9F7920000-memory.dmp

Filesize
64KB

Download
memory/4904-69-0x00007FF9F7910000-0x00007FF9F7920000-memory.dmp

Filesize
64KB

Download
memory/4904-14-0x00007FFA37890000-0x00007FFA37A85000-memory.dmp

Filesize
2.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads