922ed7eb780628227c566eec0d2dd7a3ec26d2f631edcfd555ff0eba3f65a925

General

Target

427d98ce83712423dd5f06af0ef50b1c_JaffaCakes118.exe
Size

149KB
MD5

427d98ce83712423dd5f06af0ef50b1c
SHA1

c2fd6446feb577bd8ee2d463f09bcb3455fea73d
SHA256

922ed7eb780628227c566eec0d2dd7a3ec26d2f631edcfd555ff0eba3f65a925
SHA512

9feac20193dd044712b5d837e372e284cea9a065ce427413a5fae89050fa3897ea1cff3a196aa6e96eb6d23e5dd4588b8756b9c82d17a816af4babc5c083bd86
SSDEEP

3072:WwvyIUMmPhjAXRE0Ck3fGgOABWToz/n71dBoTlROl5KI1EGZqO:4MmPhjKRPGOlf1o3Cp

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation	427d98ce83712423dd5f06af0ef50b1c_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

pid	Process
1404	unself.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files\Internet Explorer\lpk.dll	unself.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2080	1404	WerFault.exe	83

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000_Classes\Local Settings	427d98ce83712423dd5f06af0ef50b1c_JaffaCakes118.exe

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
4436	WINWORD.EXE
4436	WINWORD.EXE

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	320	427d98ce83712423dd5f06af0ef50b1c_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 14 IoCs

pid	Process
4436	WINWORD.EXE
4436	WINWORD.EXE
4436	WINWORD.EXE
4436	WINWORD.EXE
4436	WINWORD.EXE
4436	WINWORD.EXE
4436	WINWORD.EXE
4436	WINWORD.EXE
4436	WINWORD.EXE
4436	WINWORD.EXE
4436	WINWORD.EXE
4436	WINWORD.EXE
4436	WINWORD.EXE
4436	WINWORD.EXE

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 320 wrote to memory of 1404	320	427d98ce83712423dd5f06af0ef50b1c_JaffaCakes118.exe	83
PID 320 wrote to memory of 1404	320	427d98ce83712423dd5f06af0ef50b1c_JaffaCakes118.exe	83
PID 320 wrote to memory of 1404	320	427d98ce83712423dd5f06af0ef50b1c_JaffaCakes118.exe	83
PID 320 wrote to memory of 4436	320	427d98ce83712423dd5f06af0ef50b1c_JaffaCakes118.exe	88
PID 320 wrote to memory of 4436	320	427d98ce83712423dd5f06af0ef50b1c_JaffaCakes118.exe	88
PID 320 wrote to memory of 396	320	427d98ce83712423dd5f06af0ef50b1c_JaffaCakes118.exe	89
PID 320 wrote to memory of 396	320	427d98ce83712423dd5f06af0ef50b1c_JaffaCakes118.exe	89
PID 320 wrote to memory of 396	320	427d98ce83712423dd5f06af0ef50b1c_JaffaCakes118.exe	89

C:\Users\Admin\AppData\Local\Temp\427d98ce83712423dd5f06af0ef50b1c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\427d98ce83712423dd5f06af0ef50b1c_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:320
- C:\Users\Admin\AppData\Local\Temp\unself.exe
  C:\Users\Admin\AppData\Local\Temp\unself.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  PID:1404
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1404 -s 256
    3⤵
    - Program crash
    PID:2080
- C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
  "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\招標項目.doc" /o ""
  2⤵
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  PID:4436
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\427D98~1.EXE > nul
  2⤵
  PID:396

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1404 -ip 1404
1⤵
PID:4576

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

3

T1012

System Information Discovery

4

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\TCD1415.tmp\iso690.xsl

Filesize
263KB

MD5
ff0e07eff1333cdf9fc2523d323dd654

SHA1
77a1ae0dd8dbc3fee65dd6266f31e2a564d088a4

SHA256
3f925e0cc1542f09de1f99060899eafb0042bb9682507c907173c392115a44b5

SHA512
b4615f995fab87661c2dbe46625aa982215d7bde27cafae221dca76087fe76da4b4a381943436fcac1577cb3d260d0050b32b7b93e3eb07912494429f126bb3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\unself.exe

Filesize
88KB

MD5
de84a438ef886bb834923b4e21dc1236

SHA1
d6652d76167118b616f36ef41fe9a1d03c468bed

SHA256
e537a97377d368fca1d9c2431f38d3c227d06a6a588fc0ea0d4ee47ab53162ce

SHA512
fa3e3b42bdb58f2922567fac2aa99652c6e94539839ab58d522f8ff5080ced3d380017493637d4a041185b778e48549c8182ba5bc00e2b49d5269f219eaa5e90

Download Submit
C:\Users\Admin\AppData\Local\Temp\招標項目.doc

Filesize
29KB

MD5
6c77f20529a7bb180a5005421f422952

SHA1
1b43ae9ff2861721ccb726786c363b24634ca429

SHA256
31ef3fcfa28d0f5cb10d468b58755b24078448ac5c0ff93a8ab09b20527a7bfc

SHA512
3d397b442bc1887053e9779acc9f477917e8c9e39c6e022deba36da422a6cab9bc3070cadb65a3c34434d4b32729e5b23f837552b61ad9f71047475f44dc8041

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

Filesize
1KB

MD5
abc045f49448412320130d12252aefb0

SHA1
4e21c64d04c9df8efbc8c3e869519f575257d87b

SHA256
d3475022ce18b3c9840baf428e790a0cf65839adf8fa73eaea8a2fb21867cd40

SHA512
dabad1f35a5f9a5d645d8fdc644d394d4345dda917cd2daf9de223ef2e501481177fba41f8544ade1715f65357b5a8670406b00d29def29559096484902f849a

Download Submit
memory/4436-23-0x00007FFE5C690000-0x00007FFE5C885000-memory.dmp

Filesize
2.0MB

Download
memory/4436-33-0x00007FFE5C690000-0x00007FFE5C885000-memory.dmp

Filesize
2.0MB

Download
memory/4436-24-0x00007FFE5C690000-0x00007FFE5C885000-memory.dmp

Filesize
2.0MB

Download
memory/4436-18-0x00007FFE1C710000-0x00007FFE1C720000-memory.dmp

Filesize
64KB

Download
memory/4436-22-0x00007FFE5C690000-0x00007FFE5C885000-memory.dmp

Filesize
2.0MB

Download
memory/4436-21-0x00007FFE5C690000-0x00007FFE5C885000-memory.dmp

Filesize
2.0MB

Download
memory/4436-20-0x00007FFE1C710000-0x00007FFE1C720000-memory.dmp

Filesize
64KB

Download
memory/4436-25-0x00007FFE5C690000-0x00007FFE5C885000-memory.dmp

Filesize
2.0MB

Download
memory/4436-26-0x00007FFE5C690000-0x00007FFE5C885000-memory.dmp

Filesize
2.0MB

Download
memory/4436-28-0x00007FFE5C690000-0x00007FFE5C885000-memory.dmp

Filesize
2.0MB

Download
memory/4436-27-0x00007FFE1A170000-0x00007FFE1A180000-memory.dmp

Filesize
64KB

Download
memory/4436-30-0x00007FFE5C690000-0x00007FFE5C885000-memory.dmp

Filesize
2.0MB

Download
memory/4436-31-0x00007FFE5C690000-0x00007FFE5C885000-memory.dmp

Filesize
2.0MB

Download
memory/4436-19-0x00007FFE5C72D000-0x00007FFE5C72E000-memory.dmp

Filesize
4KB

Download
memory/4436-34-0x00007FFE5C690000-0x00007FFE5C885000-memory.dmp

Filesize
2.0MB

Download
memory/4436-35-0x00007FFE1A170000-0x00007FFE1A180000-memory.dmp

Filesize
64KB

Download
memory/4436-32-0x00007FFE5C690000-0x00007FFE5C885000-memory.dmp

Filesize
2.0MB

Download
memory/4436-29-0x00007FFE5C690000-0x00007FFE5C885000-memory.dmp

Filesize
2.0MB

Download
memory/4436-17-0x00007FFE1C710000-0x00007FFE1C720000-memory.dmp

Filesize
64KB

Download
memory/4436-16-0x00007FFE1C710000-0x00007FFE1C720000-memory.dmp

Filesize
64KB

Download
memory/4436-15-0x00007FFE1C710000-0x00007FFE1C720000-memory.dmp

Filesize
64KB

Download
memory/4436-182-0x00007FFE5C690000-0x00007FFE5C885000-memory.dmp

Filesize
2.0MB

Download
memory/4436-201-0x00007FFE1C710000-0x00007FFE1C720000-memory.dmp

Filesize
64KB

Download
memory/4436-203-0x00007FFE1C710000-0x00007FFE1C720000-memory.dmp

Filesize
64KB

Download
memory/4436-202-0x00007FFE1C710000-0x00007FFE1C720000-memory.dmp

Filesize
64KB

Download
memory/4436-200-0x00007FFE1C710000-0x00007FFE1C720000-memory.dmp

Filesize
64KB

Download
memory/4436-204-0x00007FFE5C690000-0x00007FFE5C885000-memory.dmp

Filesize
2.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads