03f84c576aa87510e8c0d37e2486b40c94f3a3db001d269d4679cbcb242a4266

General

Target

04774125f6161a45612e6dec0c59119d_JaffaCakes118.doc
Size

49KB
MD5

04774125f6161a45612e6dec0c59119d
SHA1

8c96fcb34f42d21dca895cc56947f417023ce987
SHA256

03f84c576aa87510e8c0d37e2486b40c94f3a3db001d269d4679cbcb242a4266
SHA512

a008858e16c3bb2d339636c9e853a93e162d39628c496a3d6c22bb5140a7ab3e2708d4703ccb17b68178b1cf54389b905c65448fd6e7008f9236334b15389b4c
SSDEEP

192:9eTc88RSAIeeeeeeeeeeeGmTCgxJWzvkisUsfXdqeFJjA0jiQNUXtxkcz/bWWmqO:AlpAcmPIv4MeXjA0jiQgt5VG+L

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1928	WINWORD.EXE

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

NTFS ADS 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Temp\~WRD0002.tmp\:Zone.Identifier:$DATA	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
1928	WINWORD.EXE
1928	WINWORD.EXE

Suspicious use of SetWindowsHookEx 16 IoCs

pid	Process
1928	WINWORD.EXE
1928	WINWORD.EXE
1928	WINWORD.EXE
1928	WINWORD.EXE
1928	WINWORD.EXE
1928	WINWORD.EXE
1928	WINWORD.EXE
1928	WINWORD.EXE
1928	WINWORD.EXE
1928	WINWORD.EXE
1928	WINWORD.EXE
1928	WINWORD.EXE
1928	WINWORD.EXE
1928	WINWORD.EXE
1928	WINWORD.EXE
1928	WINWORD.EXE

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\04774125f6161a45612e6dec0c59119d_JaffaCakes118.doc" /o ""
1⤵
- Deletes itself
- Checks processor information in registry
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1928

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\~WRD0002.tmp

Filesize
51KB

MD5
b5f4d7d3ec84249cd717e9c2e7814eb8

SHA1
21a0e5526416618c53cc682073f44511b4d9b543

SHA256
b025144bbb37d05fa5f0688556079b1e6d11f7abc646b31fde2da5da01cab833

SHA512
bea7145ba02e309f7b0b4e184e8dcf5a1864623bb6171fa193502e7443c7e2b75b05b0bb9f356cded11375dba62260439dbe8d362479db464a9e821227ed9b9a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\~WRD0000.tmp

Filesize
24KB

MD5
ff4f1aea110fe52d59b8e1a55f876a06

SHA1
3239c7acb267f0d5e98c79da2c2dfb85ae79d634

SHA256
3a2393033dcb689826f85d5482ddfc5937b003685602268d732ed4e13dbe9986

SHA512
23709bf015fa2a12cf514356fbc54cc50da23cafad127cfda35f6ab436ff6b88073cea7d18d176b2687be89976f9b4528bc26a7e9e5c509f6d24302b19642a48

Download Submit
C:\VBD563.tmp

Filesize
1KB

MD5
28d341c72a7e794fc02a71602a379532

SHA1
4d5e2a325689595376e72aacd34582e68ac1e5cf

SHA256
7641d28e39f88898226c58d605732655637335562af35319911825cccae747c9

SHA512
e4f4d73abb9fab936896a4c28a048013e3c49bbe76031965c18f540f7700598d9a3521c79e7c841f1c43892b245653a828b112baa5a818b5ca7ada46d806f270

Download Submit
C:\temp.tmp

Filesize
225B

MD5
519755378e58a854e2bd4652f7195193

SHA1
eca94844a06772a58cafa8bb4fccb054cdb450c0

SHA256
b5aa96f3f7930aced20f57e7f4fe5957e37be0f504fb2f49606f80b19e79bf20

SHA512
b1e3a0dc5562e558bb8542c4f9288ce4493ddc9c5c533fff9a07e008a6acef0fbacfc03d867d5ff54fb602e9f3148fa073bb93a1ca386ea42f88b063f0726d52

Download Submit
C:\temp.tmp

Filesize
1KB

MD5
69690d79eb459c7474ce5f029c3859b3

SHA1
dbabb04ae2e28a37387a55b03334e1e8b8d83200

SHA256
50a85970bdafe4f319d21747b32f08289850063b2b3153a0e9c1c1bc37abcf22

SHA512
4454b8f22981938b26b69417385b7a72b95433636bc2155e12c7a81d627be2dd4b58934f3d63b5479f2bab27226053507561967baed4b962f42cca47f3532bd7

Download Submit
memory/1928-16-0x00007FFA21920000-0x00007FFA21930000-memory.dmp

Filesize
64KB

Download
memory/1928-58-0x00007FFA63A30000-0x00007FFA63C25000-memory.dmp

Filesize
2.0MB

Download
memory/1928-7-0x00007FFA63A30000-0x00007FFA63C25000-memory.dmp

Filesize
2.0MB

Download
memory/1928-9-0x00007FFA63A30000-0x00007FFA63C25000-memory.dmp

Filesize
2.0MB

Download
memory/1928-8-0x00007FFA63A30000-0x00007FFA63C25000-memory.dmp

Filesize
2.0MB

Download
memory/1928-10-0x00007FFA63A30000-0x00007FFA63C25000-memory.dmp

Filesize
2.0MB

Download
memory/1928-14-0x00007FFA63A30000-0x00007FFA63C25000-memory.dmp

Filesize
2.0MB

Download
memory/1928-13-0x00007FFA63A30000-0x00007FFA63C25000-memory.dmp

Filesize
2.0MB

Download
memory/1928-12-0x00007FFA63A30000-0x00007FFA63C25000-memory.dmp

Filesize
2.0MB

Download
memory/1928-11-0x00007FFA63A30000-0x00007FFA63C25000-memory.dmp

Filesize
2.0MB

Download
memory/1928-15-0x00007FFA21920000-0x00007FFA21930000-memory.dmp

Filesize
64KB

Download
memory/1928-0-0x00007FFA23AB0000-0x00007FFA23AC0000-memory.dmp

Filesize
64KB

Download
memory/1928-40-0x00007FFA63A30000-0x00007FFA63C25000-memory.dmp

Filesize
2.0MB

Download
memory/1928-4-0x00007FFA23AB0000-0x00007FFA23AC0000-memory.dmp

Filesize
64KB

Download
memory/1928-6-0x00007FFA23AB0000-0x00007FFA23AC0000-memory.dmp

Filesize
64KB

Download
memory/1928-5-0x00007FFA63A30000-0x00007FFA63C25000-memory.dmp

Filesize
2.0MB

Download
memory/1928-3-0x00007FFA63ACD000-0x00007FFA63ACE000-memory.dmp

Filesize
4KB

Download
memory/1928-1-0x00007FFA23AB0000-0x00007FFA23AC0000-memory.dmp

Filesize
64KB

Download
memory/1928-106-0x00007FFA63A30000-0x00007FFA63C25000-memory.dmp

Filesize
2.0MB

Download
memory/1928-107-0x00007FFA63A30000-0x00007FFA63C25000-memory.dmp

Filesize
2.0MB

Download
memory/1928-108-0x00007FFA63A30000-0x00007FFA63C25000-memory.dmp

Filesize
2.0MB

Download
memory/1928-2-0x00007FFA23AB0000-0x00007FFA23AC0000-memory.dmp

Filesize
64KB

Download
memory/1928-258-0x00007FFA23AB0000-0x00007FFA23AC0000-memory.dmp

Filesize
64KB

Download
memory/1928-259-0x00007FFA23AB0000-0x00007FFA23AC0000-memory.dmp

Filesize
64KB

Download
memory/1928-260-0x00007FFA23AB0000-0x00007FFA23AC0000-memory.dmp

Filesize
64KB

Download
memory/1928-257-0x00007FFA23AB0000-0x00007FFA23AC0000-memory.dmp

Filesize
64KB

Download
memory/1928-261-0x00007FFA63A30000-0x00007FFA63C25000-memory.dmp

Filesize
2.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads