bfb8d13fcb64e3d09de2850b47d64492dbfc7bba58766546c1511f1fa59a64c9

General

Target

adc39a303e9f77185758587875097bb6_JaffaCakes118.exe
Size

230KB
MD5

adc39a303e9f77185758587875097bb6
SHA1

134d9e732a33413519341e4947013e7c7e521415
SHA256

bfb8d13fcb64e3d09de2850b47d64492dbfc7bba58766546c1511f1fa59a64c9
SHA512

6db6ff0de121a8f41e51fa011f17d14c9910a57ccf5bcb0237879a9e15f6d1eda209c5bae969c8edf5874ce44f90c826919697694aae86768c6169044d982230
SSDEEP

6144:CpQpG5qElACE3GDOCG9FsEpkKBFaPwdgiCdp:8J5AGiC4DR3ao9Cdp

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	adc39a303e9f77185758587875097bb6_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
4440	systeminfo.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	adc39a303e9f77185758587875097bb6_JaffaCakes118.exe

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
1112	WINWORD.EXE
1112	WINWORD.EXE

Suspicious use of SetWindowsHookEx 9 IoCs

pid	Process
1112	WINWORD.EXE
1112	WINWORD.EXE
1112	WINWORD.EXE
1112	WINWORD.EXE
1112	WINWORD.EXE
1112	WINWORD.EXE
1112	WINWORD.EXE
1112	WINWORD.EXE
1112	WINWORD.EXE

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 1464 wrote to memory of 1112	1464	adc39a303e9f77185758587875097bb6_JaffaCakes118.exe	85
PID 1464 wrote to memory of 1112	1464	adc39a303e9f77185758587875097bb6_JaffaCakes118.exe	85
PID 1464 wrote to memory of 212	1464	adc39a303e9f77185758587875097bb6_JaffaCakes118.exe	86
PID 1464 wrote to memory of 212	1464	adc39a303e9f77185758587875097bb6_JaffaCakes118.exe	86
PID 1464 wrote to memory of 212	1464	adc39a303e9f77185758587875097bb6_JaffaCakes118.exe	86
PID 1464 wrote to memory of 2780	1464	adc39a303e9f77185758587875097bb6_JaffaCakes118.exe	89
PID 1464 wrote to memory of 2780	1464	adc39a303e9f77185758587875097bb6_JaffaCakes118.exe	89
PID 1464 wrote to memory of 2780	1464	adc39a303e9f77185758587875097bb6_JaffaCakes118.exe	89
PID 1464 wrote to memory of 692	1464	adc39a303e9f77185758587875097bb6_JaffaCakes118.exe	91
PID 1464 wrote to memory of 692	1464	adc39a303e9f77185758587875097bb6_JaffaCakes118.exe	91
PID 1464 wrote to memory of 692	1464	adc39a303e9f77185758587875097bb6_JaffaCakes118.exe	91
PID 1464 wrote to memory of 1108	1464	adc39a303e9f77185758587875097bb6_JaffaCakes118.exe	93
PID 1464 wrote to memory of 1108	1464	adc39a303e9f77185758587875097bb6_JaffaCakes118.exe	93
PID 1464 wrote to memory of 1108	1464	adc39a303e9f77185758587875097bb6_JaffaCakes118.exe	93
PID 1108 wrote to memory of 4440	1108	cmd.exe	95
PID 1108 wrote to memory of 4440	1108	cmd.exe	95
PID 1108 wrote to memory of 4440	1108	cmd.exe	95

C:\Users\Admin\AppData\Local\Temp\adc39a303e9f77185758587875097bb6_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\adc39a303e9f77185758587875097bb6_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1464
- C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
  "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\4.[¾ÆÅÂ¿¬±¸]³í¹®Åõ°í±ÔÁ¤.docx" /o ""
  2⤵
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  PID:1112
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c dir C:\Users\Admin\Desktop\ >> C:\Users\Admin\AppData\Roaming\MICROS~1\HNC\wcl.docx
  2⤵
  PID:212
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c dir C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\Recent\ >> C:\Users\Admin\AppData\Roaming\MICROS~1\HNC\wcl.docx
  2⤵
  PID:2780
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c dir C:\PROGRA~2\ >> C:\Users\Admin\AppData\Roaming\MICROS~1\HNC\wcl.docx
  2⤵
  PID:692
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c systeminfo >> C:\Users\Admin\AppData\Roaming\MICROS~1\HNC\wcl.docx
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1108
- - C:\Windows\SysWOW64\systeminfo.exe
    systeminfo
    3⤵
    - Gathers system information
    PID:4440

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

3

T1012

System Information Discovery

5

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\4.[¾ÆÅÂ¿¬±¸]³í¹®Åõ°í±ÔÁ¤.docx

Filesize
50KB

MD5
dc2f8205b8dcfcfc8f2800d10a7c1499

SHA1
b5c944bd5872b688d0e8f5c482c7f0302d9f2f25

SHA256
887036c934ad6da0efd440a840fdac14242facbaefab1d2c3008bef61d7fdfb6

SHA512
bdc80b6b7a5434231d44b7f1f06d686769b8509b9c3fcceed3bda79492b9c28f6754bcda03ea738e82629f0febfd775103653e0abb9e4d9b3f22a9a358339eaf

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\HNC\wcl.docx

Filesize
2KB

MD5
c33aa113c03e552e75dc5d1f961f6935

SHA1
85b38da3e19f08a339855d55006b016025405e5e

SHA256
b990cf33e86515f2acbf4d453ae708de05ceaaa9e1efa63f7bc6b3787dc60510

SHA512
dbc970016afef8d23844c8739829bc4443d6c5d6b729d5dd922f92b0efe695f24d190f0ba3f05c57b0b0af6ddc9d679e7b0a96588779e34762e2c8ac2a6c99cb

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\HNC\wcl.docx

Filesize
3KB

MD5
dfcb6b384fd701ab87cc2004f75655df

SHA1
76f8eb903cfd2ec1fe8114399fad79d8278284cc

SHA256
207bbc0c80667458a676e9db1e8ce4e53cd7121c1bf172ec5a01f27e05a4455c

SHA512
a1ec90b3cb2fcaaa84a14a55092b961d3f9af62ad187ad31e98f7f6b7f50ad807675582068cfeb2d367ca5415b3f115fbd9256cfee4fdf2edb790ba60eaf973e

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\HNC\wcl.docx

Filesize
5KB

MD5
0771a2e422397f9f67fdb170e506ed86

SHA1
f67046931fd9fa1d4276755080a06221e7932b8b

SHA256
7a6564497e9b45085528ad7e05321d4c25be53df69c52bd806e88c235de8c212

SHA512
a422c57d31b571395b8855df24b562150e802e0c3e6257750bda27b1b4a79469528a0f69e337314924bf580aeb00b19d05543d7c46cd7522232af8be7e9a1759

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
memory/1112-12-0x00007FFF22130000-0x00007FFF22325000-memory.dmp

Filesize
2.0MB

Download
memory/1112-27-0x00007FFF22130000-0x00007FFF22325000-memory.dmp

Filesize
2.0MB

Download
memory/1112-11-0x00007FFF22130000-0x00007FFF22325000-memory.dmp

Filesize
2.0MB

Download
memory/1112-4-0x00007FFEE21B0000-0x00007FFEE21C0000-memory.dmp

Filesize
64KB

Download
memory/1112-16-0x00007FFF22130000-0x00007FFF22325000-memory.dmp

Filesize
2.0MB

Download
memory/1112-18-0x00007FFF22130000-0x00007FFF22325000-memory.dmp

Filesize
2.0MB

Download
memory/1112-19-0x00007FFEDFBC0000-0x00007FFEDFBD0000-memory.dmp

Filesize
64KB

Download
memory/1112-17-0x00007FFF22130000-0x00007FFF22325000-memory.dmp

Filesize
2.0MB

Download
memory/1112-15-0x00007FFF22130000-0x00007FFF22325000-memory.dmp

Filesize
2.0MB

Download
memory/1112-21-0x00007FFF22130000-0x00007FFF22325000-memory.dmp

Filesize
2.0MB

Download
memory/1112-24-0x00007FFF22130000-0x00007FFF22325000-memory.dmp

Filesize
2.0MB

Download
memory/1112-23-0x00007FFF22130000-0x00007FFF22325000-memory.dmp

Filesize
2.0MB

Download
memory/1112-22-0x00007FFEDFBC0000-0x00007FFEDFBD0000-memory.dmp

Filesize
64KB

Download
memory/1112-14-0x00007FFF22130000-0x00007FFF22325000-memory.dmp

Filesize
2.0MB

Download
memory/1112-13-0x00007FFF22130000-0x00007FFF22325000-memory.dmp

Filesize
2.0MB

Download
memory/1112-10-0x00007FFF22130000-0x00007FFF22325000-memory.dmp

Filesize
2.0MB

Download
memory/1112-26-0x00007FFF22130000-0x00007FFF22325000-memory.dmp

Filesize
2.0MB

Download
memory/1112-25-0x00007FFF22130000-0x00007FFF22325000-memory.dmp

Filesize
2.0MB

Download
memory/1112-5-0x00007FFEE21B0000-0x00007FFEE21C0000-memory.dmp

Filesize
64KB

Download
memory/1112-9-0x00007FFEE21B0000-0x00007FFEE21C0000-memory.dmp

Filesize
64KB

Download
memory/1112-8-0x00007FFF221CD000-0x00007FFF221CE000-memory.dmp

Filesize
4KB

Download
memory/1112-7-0x00007FFEE21B0000-0x00007FFEE21C0000-memory.dmp

Filesize
64KB

Download
memory/1112-6-0x00007FFEE21B0000-0x00007FFEE21C0000-memory.dmp

Filesize
64KB

Download
memory/1112-51-0x00007FFF22130000-0x00007FFF22325000-memory.dmp

Filesize
2.0MB

Download
memory/1112-73-0x00007FFEE21B0000-0x00007FFEE21C0000-memory.dmp

Filesize
64KB

Download
memory/1112-74-0x00007FFEE21B0000-0x00007FFEE21C0000-memory.dmp

Filesize
64KB

Download
memory/1112-75-0x00007FFEE21B0000-0x00007FFEE21C0000-memory.dmp

Filesize
64KB

Download
memory/1112-76-0x00007FFEE21B0000-0x00007FFEE21C0000-memory.dmp

Filesize
64KB

Download
memory/1112-77-0x00007FFF22130000-0x00007FFF22325000-memory.dmp

Filesize
2.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads