edb2a4a4b15fca13c27508dc73a350c72ddd8b51a0519c1773cf9de976ce9722

General

Target

2bd4377e423f3b9ca1358a72270688e1_JaffaCakes118.doc
Size

242KB
MD5

2bd4377e423f3b9ca1358a72270688e1
SHA1

8d09f32e62b2164247d20e94a9d4b4f60cfd195c
SHA256

edb2a4a4b15fca13c27508dc73a350c72ddd8b51a0519c1773cf9de976ce9722
SHA512

d96f277db9d90f700e6f854edd7e3b47c70c063d97e9edc7483165ed36d80e716f3cd298b173ce89f4d090c94c3397a35af09b6d6b90f38fcdc6777e9c234046
SSDEEP

3072:Xvw9HXPJguq73/IKBWyAIdShTt1H5KQlDGydfUXD4c:XvKHXPJi73wAbUlTlDvFUXDp

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
1180	WINWORD.EXE
1180	WINWORD.EXE

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeAuditPrivilege	1164	EXCEL.EXE

Suspicious use of SetWindowsHookEx 11 IoCs

pid	Process
1180	WINWORD.EXE
1180	WINWORD.EXE
1180	WINWORD.EXE
1180	WINWORD.EXE
1180	WINWORD.EXE
1180	WINWORD.EXE
1180	WINWORD.EXE
1164	EXCEL.EXE
1164	EXCEL.EXE
1164	EXCEL.EXE
1164	EXCEL.EXE

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\2bd4377e423f3b9ca1358a72270688e1_JaffaCakes118.doc" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1180

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1164

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres

Filesize
2KB

MD5
7286b42895be25ae92a2552a65359aa3

SHA1
d96867163ed105d4251e8d42bf4149e9a9130aff

SHA256
0487da9fd128dbe60d19876a58f677383d68d00a082c56e6ceacd678a50e3504

SHA512
d0ec765f417129848f3b824eba15977db086acda99a374b6a159b93a057f9c131178bc5e615ae06d83786e7eaff988e6867cfc2841667148ef08f82a7c9a1d2a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\49dbe2955480c7f6ef8cec9c4320c9868d9293fd.tbres

Filesize
2KB

MD5
af8f74bab5e0ec29c60b5b1c6d740d59

SHA1
a9b9eaedf7722ed28d0718abe7b4e571f2c0b197

SHA256
328ef3d54212f8b5facd40577a441e4ceacf92a4291dc2a13487804328958b4b

SHA512
81021f82b59886edd12faa7c3aec1e6db9e2c3f41d6ebf96e7d07f21a6d0d8f9ba11b085882bca5c75a58820e07a812ad00a74c76021bad97cfbc769896a0a30

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

Filesize
1KB

MD5
6b731e0f29a392e9fa1521251bd20bf2

SHA1
4c648fadf3d65c9db62b6337914ea11df1b2ab02

SHA256
673ee16868e87f7408e3592b9dac7032f4fb6cffe6d7b21f4904f5b9ce292166

SHA512
afddef7178506ac3df410606565102f691cde16fab13f33b82b3e8673cc7e4f23d21daa4edff778477e7743c745f3e77685e04d6aa3610dea2ddf490f53402e4

Download Submit
memory/1180-15-0x00007FFDC2B40000-0x00007FFDC2B50000-memory.dmp

Filesize
64KB

Download
memory/1180-16-0x00007FFE04E90000-0x00007FFE05085000-memory.dmp

Filesize
2.0MB

Download
memory/1180-7-0x00007FFE04E90000-0x00007FFE05085000-memory.dmp

Filesize
2.0MB

Download
memory/1180-9-0x00007FFE04E90000-0x00007FFE05085000-memory.dmp

Filesize
2.0MB

Download
memory/1180-10-0x00007FFE04E90000-0x00007FFE05085000-memory.dmp

Filesize
2.0MB

Download
memory/1180-12-0x00007FFE04E90000-0x00007FFE05085000-memory.dmp

Filesize
2.0MB

Download
memory/1180-11-0x00007FFE04E90000-0x00007FFE05085000-memory.dmp

Filesize
2.0MB

Download
memory/1180-8-0x00007FFE04E90000-0x00007FFE05085000-memory.dmp

Filesize
2.0MB

Download
memory/1180-0-0x00007FFDC4F10000-0x00007FFDC4F20000-memory.dmp

Filesize
64KB

Download
memory/1180-3-0x00007FFE04F2D000-0x00007FFE04F2E000-memory.dmp

Filesize
4KB

Download
memory/1180-13-0x00007FFE04E90000-0x00007FFE05085000-memory.dmp

Filesize
2.0MB

Download
memory/1180-2-0x00007FFDC4F10000-0x00007FFDC4F20000-memory.dmp

Filesize
64KB

Download
memory/1180-14-0x00007FFE04E90000-0x00007FFE05085000-memory.dmp

Filesize
2.0MB

Download
memory/1180-6-0x00007FFDC4F10000-0x00007FFDC4F20000-memory.dmp

Filesize
64KB

Download
memory/1180-19-0x00007FFE04E90000-0x00007FFE05085000-memory.dmp

Filesize
2.0MB

Download
memory/1180-20-0x00007FFE04E90000-0x00007FFE05085000-memory.dmp

Filesize
2.0MB

Download
memory/1180-22-0x00007FFE04E90000-0x00007FFE05085000-memory.dmp

Filesize
2.0MB

Download
memory/1180-23-0x00007FFE04E90000-0x00007FFE05085000-memory.dmp

Filesize
2.0MB

Download
memory/1180-21-0x00007FFDC2B40000-0x00007FFDC2B50000-memory.dmp

Filesize
64KB

Download
memory/1180-18-0x00007FFE04E90000-0x00007FFE05085000-memory.dmp

Filesize
2.0MB

Download
memory/1180-17-0x00007FFE04E90000-0x00007FFE05085000-memory.dmp

Filesize
2.0MB

Download
memory/1180-5-0x00007FFE04E90000-0x00007FFE05085000-memory.dmp

Filesize
2.0MB

Download
memory/1180-36-0x00007FFE04E90000-0x00007FFE05085000-memory.dmp

Filesize
2.0MB

Download
memory/1180-89-0x00007FFE04E90000-0x00007FFE05085000-memory.dmp

Filesize
2.0MB

Download
memory/1180-4-0x00007FFDC4F10000-0x00007FFDC4F20000-memory.dmp

Filesize
64KB

Download
memory/1180-1-0x00007FFDC4F10000-0x00007FFDC4F20000-memory.dmp

Filesize
64KB

Download
memory/1180-588-0x00007FFE04E90000-0x00007FFE05085000-memory.dmp

Filesize
2.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads