7bca68f07452156848a09f32b0f46bf8156682cbd6fa442003b61d180923f331

General

Target

2f3039d152bc7b16e38936baf1f305ca_JaffaCakes118.docm
Size

166KB
MD5

2f3039d152bc7b16e38936baf1f305ca
SHA1

ef393e5da9bc190783234fee92afcd29e40a49d7
SHA256

7bca68f07452156848a09f32b0f46bf8156682cbd6fa442003b61d180923f331
SHA512

c80c04ea6bc7f6dcb7d45909f9a75a6de489269eac5a81f43edb598b2bf0e26571857ccf015090bc5146f45e133db2aca955b0cd550fc0bd647a1a49a2b23558
SSDEEP

3072:TS1XRJHB2yrlqx1Jxh3Sc7g2QhjsDhroHFNyJkc67dGTZVsaqJ:TmXReuGJ3ZsyV8HTOkwZVsx

Score

7^/10

Malware Config

Signatures

Abuses OpenXML format to download file from external location 2 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Office\14.0\Common	WINWORD.EXE
Key opened	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Office\Common\Offline\Files\http://fast-cargo.com/images/file/vb/doc/39.doc	WINWORD.EXE

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

Office loads VBA resources, possible macro or embedded object present

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
448	WINWORD.EXE

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeShutdownPrivilege	448	WINWORD.EXE

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
448	WINWORD.EXE
448	WINWORD.EXE

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 448 wrote to memory of 1280	448	WINWORD.EXE	30
PID 448 wrote to memory of 1280	448	WINWORD.EXE	30
PID 448 wrote to memory of 1280	448	WINWORD.EXE	30
PID 448 wrote to memory of 1280	448	WINWORD.EXE	30

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\2f3039d152bc7b16e38936baf1f305ca_JaffaCakes118.docm"
1⤵
- Abuses OpenXML format to download file from external location
- Drops file in Windows directory
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:448
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:1280

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{F3A7C492-43BF-4C2E-8A68-93414EBA2ABA}.FSD

Filesize
128KB

MD5
a885e4bd21f98a5440a404e2269b03d3

SHA1
cbfcf7e6b308d3164eb5a572bbfdf2a4c7db6912

SHA256
a6b6982ade979c77680c739c4d4a7764231b0a0163a21a6ca35bd64a1d9804d6

SHA512
2a82900fdb779fe487f256d6dd508739e407cb58cb178d05527d0e8a92b14d3562887e681f87afb154a541ac529554d9bbc5a1fde3afa946ce8ae5088eb1c195

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD

Filesize
128KB

MD5
256c93f6aa123e274b329da75fd59466

SHA1
50adb79192c573a9abf7ce07265025b2757c4863

SHA256
bbb1fc4332f91d5b3e28c27b5291780d47e6aae8837be0c4a9665942ecd2d2b4

SHA512
3b27474e2daa0678ae834fb7a18a3d70b25a61cd00c4129635d943937c1043bc68391a224f9f62302ab5995bc56f2ddd6fcd8e504c08bd1f49c892cb83c15abc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{AA968FC2-EE32-4051-AD4B-86B241AF5FEF}.FSD

Filesize
128KB

MD5
a05a77fd9830e707d8a94c9c593818a4

SHA1
30eaa5dc0c06031edc9cbd2295b3f74dac321bc0

SHA256
54a1f5dcf2de6c1c7518ebd1551e26a23c59b7ccbc09d92c3d0f8e3767732a88

SHA512
169e87fbc9501c4de358a1f055bbb4940ae4e02a4707b92c75c6d4c8563b63707c4fd70d2fcd2b03f7e87f40c5d6bad4d37a739aebedd8d0b455a4710e1c946c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5J67VDZD\39[1].htm

Filesize
114B

MD5
e89f75f918dbdcee28604d4e09dd71d7

SHA1
f9d9055e9878723a12063b47d4a1a5f58c3eb1e9

SHA256
6dc9c7fc93bb488bb0520a6c780a8d3c0fb5486a4711aca49b4c53fac7393023

SHA512
8df0ab2e3679b64a6174deff4259ae5680f88e3ae307e0ea2dfff88ec4ba14f3477c9fe3a5aa5da3a8e857601170a5108ed75f6d6975958ac7a314e4a336aed0

Download Submit
C:\Users\Admin\AppData\Local\Temp\{74CD8D11-DD4A-42B0-8863-3AF032BE32D5}

Filesize
128KB

MD5
61bb3103b80af9aaaeb4c51d889faa12

SHA1
c9a51219f4a8a3736c9840a073a74a75b467b87c

SHA256
428aaee7449c97d49d31279c6d1a0d00cdb638569ef190b86e5579be4e7df557

SHA512
d595d7308e2533437d449b73991c95a2e05aa1619002f3992cc7154b4e6d65add0c570b082a28e199f70866f7f437ef75d0edab04fe4cf14b39f26fc7650d5c2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

Filesize
19KB

MD5
763a8307acaaf9bbc07f72c80df96295

SHA1
91954f25192774e102b81cba0ffc15ded0ad79f8

SHA256
2fef0e7f233a16d8a6a2fe4e8f930a17c0b3b2f4760da10066a45278ea61346a

SHA512
50f141420edb084cb7e0a5fadd0329a3d223a3dccd6b9ff119a0538ecd6e593be107137bb95a29b8ef33ca3c254b96f50684fdbdcbeefafd4d5fe2ad25545f2e

Download Submit
memory/448-0-0x000000002F3F1000-0x000000002F3F2000-memory.dmp

Filesize
4KB

Download
memory/448-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/448-2-0x00000000715FD000-0x0000000071608000-memory.dmp

Filesize
44KB

Download
memory/448-82-0x00000000715FD000-0x0000000071608000-memory.dmp

Filesize
44KB

Download
memory/448-111-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/448-112-0x00000000715FD000-0x0000000071608000-memory.dmp

Filesize
44KB

Download

Analysis

Sharing