922ed7eb780628227c566eec0d2dd7a3ec26d2f631edcfd555ff0eba3f65a925

General

Target

427d98ce83712423dd5f06af0ef50b1c_JaffaCakes118.exe
Size

149KB
MD5

427d98ce83712423dd5f06af0ef50b1c
SHA1

c2fd6446feb577bd8ee2d463f09bcb3455fea73d
SHA256

922ed7eb780628227c566eec0d2dd7a3ec26d2f631edcfd555ff0eba3f65a925
SHA512

9feac20193dd044712b5d837e372e284cea9a065ce427413a5fae89050fa3897ea1cff3a196aa6e96eb6d23e5dd4588b8756b9c82d17a816af4babc5c083bd86
SSDEEP

3072:WwvyIUMmPhjAXRE0Ck3fGgOABWToz/n71dBoTlROl5KI1EGZqO:4MmPhjKRPGOlf1o3Cp

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2148	unself.exe

Loads dropped DLL 7 IoCs

pid	Process
2544	427d98ce83712423dd5f06af0ef50b1c_JaffaCakes118.exe
2544	427d98ce83712423dd5f06af0ef50b1c_JaffaCakes118.exe
2324	WerFault.exe
2324	WerFault.exe
2324	WerFault.exe
2324	WerFault.exe
2324	WerFault.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files\Internet Explorer\lpk.dll	unself.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2324	2148	WerFault.exe	30

Office loads VBA resources, possible macro or embedded object present

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
284	WINWORD.EXE

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2544	427d98ce83712423dd5f06af0ef50b1c_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
284	WINWORD.EXE
284	WINWORD.EXE

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2544 wrote to memory of 2148	2544	427d98ce83712423dd5f06af0ef50b1c_JaffaCakes118.exe	30
PID 2544 wrote to memory of 2148	2544	427d98ce83712423dd5f06af0ef50b1c_JaffaCakes118.exe	30
PID 2544 wrote to memory of 2148	2544	427d98ce83712423dd5f06af0ef50b1c_JaffaCakes118.exe	30
PID 2544 wrote to memory of 2148	2544	427d98ce83712423dd5f06af0ef50b1c_JaffaCakes118.exe	30
PID 2148 wrote to memory of 2324	2148	unself.exe	31
PID 2148 wrote to memory of 2324	2148	unself.exe	31
PID 2148 wrote to memory of 2324	2148	unself.exe	31
PID 2148 wrote to memory of 2324	2148	unself.exe	31
PID 2544 wrote to memory of 284	2544	427d98ce83712423dd5f06af0ef50b1c_JaffaCakes118.exe	32
PID 2544 wrote to memory of 284	2544	427d98ce83712423dd5f06af0ef50b1c_JaffaCakes118.exe	32
PID 2544 wrote to memory of 284	2544	427d98ce83712423dd5f06af0ef50b1c_JaffaCakes118.exe	32
PID 2544 wrote to memory of 284	2544	427d98ce83712423dd5f06af0ef50b1c_JaffaCakes118.exe	32
PID 2544 wrote to memory of 2764	2544	427d98ce83712423dd5f06af0ef50b1c_JaffaCakes118.exe	33
PID 2544 wrote to memory of 2764	2544	427d98ce83712423dd5f06af0ef50b1c_JaffaCakes118.exe	33
PID 2544 wrote to memory of 2764	2544	427d98ce83712423dd5f06af0ef50b1c_JaffaCakes118.exe	33
PID 2544 wrote to memory of 2764	2544	427d98ce83712423dd5f06af0ef50b1c_JaffaCakes118.exe	33
PID 284 wrote to memory of 2648	284	WINWORD.EXE	35
PID 284 wrote to memory of 2648	284	WINWORD.EXE	35
PID 284 wrote to memory of 2648	284	WINWORD.EXE	35
PID 284 wrote to memory of 2648	284	WINWORD.EXE	35

C:\Users\Admin\AppData\Local\Temp\427d98ce83712423dd5f06af0ef50b1c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\427d98ce83712423dd5f06af0ef50b1c_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2544
- C:\Users\Admin\AppData\Local\Temp\unself.exe
  C:\Users\Admin\AppData\Local\Temp\unself.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  PID:2148
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2148 -s 68
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:2324
- C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
  "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\招標項目.doc"
  2⤵
  - Drops file in Windows directory
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:284
- - C:\Windows\splwow64.exe
    C:\Windows\splwow64.exe 12288
    3⤵
    PID:2648
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\427D98~1.EXE > nul
  2⤵
  PID:2764

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\招標項目.doc

Filesize
29KB

MD5
6c77f20529a7bb180a5005421f422952

SHA1
1b43ae9ff2861721ccb726786c363b24634ca429

SHA256
31ef3fcfa28d0f5cb10d468b58755b24078448ac5c0ff93a8ab09b20527a7bfc

SHA512
3d397b442bc1887053e9779acc9f477917e8c9e39c6e022deba36da422a6cab9bc3070cadb65a3c34434d4b32729e5b23f837552b61ad9f71047475f44dc8041

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

Filesize
19KB

MD5
7574b7fdd4d5bc68a46c7aec2c64b78b

SHA1
3bee93d044bef2a4ed8a4fcf3860204c5f0f2102

SHA256
19c9d492ee15622064427a00088c845322099ffe93f0b7b62b5e0447538d6f82

SHA512
479f52523c2a4aeb7d5511f4c29c04f7f950d11fb5e1555d6b82b8c96d056e67ddb3ce093ff40236a769104ec4c114e60ec74f62791e574bb163041bbb044ef4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
\Users\Admin\AppData\Local\Temp\unself.exe

Filesize
88KB

MD5
de84a438ef886bb834923b4e21dc1236

SHA1
d6652d76167118b616f36ef41fe9a1d03c468bed

SHA256
e537a97377d368fca1d9c2431f38d3c227d06a6a588fc0ea0d4ee47ab53162ce

SHA512
fa3e3b42bdb58f2922567fac2aa99652c6e94539839ab58d522f8ff5080ced3d380017493637d4a041185b778e48549c8182ba5bc00e2b49d5269f219eaa5e90

Download Submit
memory/284-17-0x000000002F291000-0x000000002F292000-memory.dmp

Filesize
4KB

Download
memory/284-18-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/284-19-0x0000000070B5D000-0x0000000070B68000-memory.dmp

Filesize
44KB

Download
memory/284-29-0x0000000070B5D000-0x0000000070B68000-memory.dmp

Filesize
44KB

Download
memory/284-44-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing