3e4e4b7c305b2f4e43ddc81bd06b364138a122a476419cd54c2e624d359584d9

General

Target

27b06b55ed6b50ad7df0d74062bd61c8_JaffaCakes118.exe
Size

903KB
MD5

27b06b55ed6b50ad7df0d74062bd61c8
SHA1

293194543a2fa5b156fa42455a31e03e3be5718c
SHA256

3e4e4b7c305b2f4e43ddc81bd06b364138a122a476419cd54c2e624d359584d9
SHA512

a68e1750faaf027ee43a12e5fc7c8e4ca3c8fe7d0534e0e09032d9ee9f521566c2f0d3482e449a234495d7e3d4f59f04d8b5ce365c322b68110d22b786741247
SSDEEP

12288:YwG7ARCTY01Jklgo7F4uK5Iu2QFh9U73S7lCCsvs1val5JIk+CTK5+ZNAc7y:pGEUTY00NklCCsk1va5V+S6+ZicO

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
2564	TYUDmSZEnGCYux5Dygdx.exe
1772	3L4JkieB9Mq2KVzdwISO.exe
1692	czevs.exe

Loads dropped DLL 10 IoCs

pid	Process
2868	27b06b55ed6b50ad7df0d74062bd61c8_JaffaCakes118.exe
2868	27b06b55ed6b50ad7df0d74062bd61c8_JaffaCakes118.exe
2868	27b06b55ed6b50ad7df0d74062bd61c8_JaffaCakes118.exe
2868	27b06b55ed6b50ad7df0d74062bd61c8_JaffaCakes118.exe
1772	3L4JkieB9Mq2KVzdwISO.exe
1772	3L4JkieB9Mq2KVzdwISO.exe
2028	WerFault.exe
2028	WerFault.exe
2028	WerFault.exe
2028	WerFault.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system\czevs.exe	3L4JkieB9Mq2KVzdwISO.exe
File created	C:\Windows\system\czevs.exe	3L4JkieB9Mq2KVzdwISO.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2028	1692	WerFault.exe	33

Office loads VBA resources, possible macro or embedded object present

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2124	WINWORD.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2124	WINWORD.EXE
2124	WINWORD.EXE

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2868	27b06b55ed6b50ad7df0d74062bd61c8_JaffaCakes118.exe
2868	27b06b55ed6b50ad7df0d74062bd61c8_JaffaCakes118.exe
2124	WINWORD.EXE
2124	WINWORD.EXE

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2868 wrote to memory of 2564	2868	27b06b55ed6b50ad7df0d74062bd61c8_JaffaCakes118.exe	30
PID 2868 wrote to memory of 2564	2868	27b06b55ed6b50ad7df0d74062bd61c8_JaffaCakes118.exe	30
PID 2868 wrote to memory of 2564	2868	27b06b55ed6b50ad7df0d74062bd61c8_JaffaCakes118.exe	30
PID 2868 wrote to memory of 2564	2868	27b06b55ed6b50ad7df0d74062bd61c8_JaffaCakes118.exe	30
PID 2868 wrote to memory of 2124	2868	27b06b55ed6b50ad7df0d74062bd61c8_JaffaCakes118.exe	31
PID 2868 wrote to memory of 2124	2868	27b06b55ed6b50ad7df0d74062bd61c8_JaffaCakes118.exe	31
PID 2868 wrote to memory of 2124	2868	27b06b55ed6b50ad7df0d74062bd61c8_JaffaCakes118.exe	31
PID 2868 wrote to memory of 2124	2868	27b06b55ed6b50ad7df0d74062bd61c8_JaffaCakes118.exe	31
PID 2868 wrote to memory of 1772	2868	27b06b55ed6b50ad7df0d74062bd61c8_JaffaCakes118.exe	32
PID 2868 wrote to memory of 1772	2868	27b06b55ed6b50ad7df0d74062bd61c8_JaffaCakes118.exe	32
PID 2868 wrote to memory of 1772	2868	27b06b55ed6b50ad7df0d74062bd61c8_JaffaCakes118.exe	32
PID 2868 wrote to memory of 1772	2868	27b06b55ed6b50ad7df0d74062bd61c8_JaffaCakes118.exe	32
PID 1772 wrote to memory of 1692	1772	3L4JkieB9Mq2KVzdwISO.exe	33
PID 1772 wrote to memory of 1692	1772	3L4JkieB9Mq2KVzdwISO.exe	33
PID 1772 wrote to memory of 1692	1772	3L4JkieB9Mq2KVzdwISO.exe	33
PID 1772 wrote to memory of 1692	1772	3L4JkieB9Mq2KVzdwISO.exe	33
PID 2124 wrote to memory of 2544	2124	WINWORD.EXE	35
PID 2124 wrote to memory of 2544	2124	WINWORD.EXE	35
PID 2124 wrote to memory of 2544	2124	WINWORD.EXE	35
PID 2124 wrote to memory of 2544	2124	WINWORD.EXE	35
PID 1692 wrote to memory of 2028	1692	czevs.exe	36
PID 1692 wrote to memory of 2028	1692	czevs.exe	36
PID 1692 wrote to memory of 2028	1692	czevs.exe	36
PID 1692 wrote to memory of 2028	1692	czevs.exe	36

C:\Users\Admin\AppData\Local\Temp\27b06b55ed6b50ad7df0d74062bd61c8_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\27b06b55ed6b50ad7df0d74062bd61c8_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2868
- C:\Users\Admin\AppData\Local\Temp\TYUDmSZEnGCYux5Dygdx.exe
  "C:\Users\Admin\AppData\Local\Temp\TYUDmSZEnGCYux5Dygdx.exe"
  2⤵
  - Executes dropped EXE
  PID:2564
- C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
  "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\XUCvZJb5XZRkB8IVMphm.doc"
  2⤵
  - Drops file in Windows directory
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2124
- - C:\Windows\splwow64.exe
    C:\Windows\splwow64.exe 12288
    3⤵
    PID:2544
- C:\Users\Admin\AppData\Local\Temp\3L4JkieB9Mq2KVzdwISO.exe
  "C:\Users\Admin\AppData\Local\Temp\3L4JkieB9Mq2KVzdwISO.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:1772
- - C:\Windows\system\czevs.exe
    C:\Windows\system\czevs.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1692
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1692 -s 300
      4⤵
      Loads dropped DLL
      Program crash
      PID:2028

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\TYUDmSZEnGCYux5Dygdx.exe

Filesize
82KB

MD5
3371e72d3d19690e36849819fb385ed0

SHA1
1eca9e1d3fe82fcbb73cbd1053fc5f446e9367e2

SHA256
501bc48439cb0d6afc23fa79459c8055d3e31a540fc4f7e59c21fd9c33211cb9

SHA512
7066796c72ade31f67fb395175588a5a445a9aa96846eb27c07bbfff163cac3403fa7f28aaf16a765794adf4871e13a99aa9fa42324cd0ae8b981c44cb85b101

Download Submit
C:\Users\Admin\AppData\Local\Temp\XUCvZJb5XZRkB8IVMphm.doc

Filesize
184KB

MD5
b4275bf83f912977607e0ed1fde885fb

SHA1
229d0ab0a09da5bc536dac1d4a4d251f196529be

SHA256
39be1f33995034a259fc76359308a8c9a23d2582b445fbc5c1d349cd21b98351

SHA512
962844dc760549fb7855b326000f7f389d6858b50f776a79210ba596091ad6444cbf23b6cff0ab42a815ee54e6d7fb48520841b70e5dd11c8ae27a9223b01574

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

Filesize
19KB

MD5
7761cffb2659935dcdefd8a4623cfed2

SHA1
ae900f63ab8c3d5e970af8643e56099d7722f623

SHA256
d20a5ee5755701ae168094c2955e6158bdcf2defa09de96c631ce2e22346dc2f

SHA512
054a4e144f0e1f017108e17da70b1290f3a8f6b0dbf4b3cf022c57357dbb130810b1c838e658edee1fdfb7db0c7c405217c2d8c7a49ec9a0d32c53526ca1e2c0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
\Users\Admin\AppData\Local\Temp\3L4JkieB9Mq2KVzdwISO.exe

Filesize
605KB

MD5
858bfdb8bff24d8dec5f30922478d050

SHA1
6274279654efe4452d667801c72a79540da651e8

SHA256
f870bfc697124b09e3a63b618c8969015925f0a34d73ed3c15fb1fe9dab7f34b

SHA512
a668e5654b0e705942223a680c35db59338ea7274be4ea40adf23407afed0c62682c020e5d3fc647e62523228516ac9d506c9efb8f5676245288fd9c9b7ad193

Download Submit
memory/2124-23-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2124-15-0x000000002F7D1000-0x000000002F7D2000-memory.dmp

Filesize
4KB

Download
memory/2124-34-0x00000000716AD000-0x00000000716B8000-memory.dmp

Filesize
44KB

Download
memory/2124-57-0x00000000716AD000-0x00000000716B8000-memory.dmp

Filesize
44KB

Download
memory/2124-72-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2124-73-0x00000000716AD000-0x00000000716B8000-memory.dmp

Filesize
44KB

Download
memory/2564-52-0x0000000000400000-0x0000000000406600-memory.dmp

Filesize
25KB

Download
memory/2564-12-0x0000000000400000-0x0000000000406600-memory.dmp

Filesize
25KB

Download
memory/2868-10-0x00000000004C0000-0x00000000004C7000-memory.dmp

Filesize
28KB

Download
memory/2868-11-0x00000000004C0000-0x00000000004C7000-memory.dmp

Filesize
28KB

Download

Analysis

Sharing