e80140e3ce49abe4fd22db5b5645d0f3e2fc76dd91e2c32c80d6327a73517b65

General

Target

691ea1f99ccaffa5925d8a49a99a4aea_JaffaCakes118.docm
Size

177KB
MD5

691ea1f99ccaffa5925d8a49a99a4aea
SHA1

cde8f0eb8f4276c642801f947ca0e7a7e90fa8f5
SHA256

e80140e3ce49abe4fd22db5b5645d0f3e2fc76dd91e2c32c80d6327a73517b65
SHA512

35d1d20293524efe746ba28e7f5f796a3ec9efd41cad42f626ba0ccf00528562ec8e73a2d922e46cb381391e6a309708f5628510dfa484f542dc17fb81b2b3e1
SSDEEP

3072:6w8X8ZeQ91dXGHdOnzDX9xWdygjqS1XRJHB2yrlqx1Jxh3Sc7g2QhECGf:Y8QQ9XXFnzpxBmXReuGJ3ZshGf

Score

4^/10

discovery

Malware Config

Signatures

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WINWORD.EXE

Office loads VBA resources, possible macro or embedded object present

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Local\Temp\http:\bit.ly\laodinfokqaw	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2244	WINWORD.EXE

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2244	WINWORD.EXE

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2244	WINWORD.EXE
2244	WINWORD.EXE
2244	WINWORD.EXE

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2244 wrote to memory of 2088	2244	WINWORD.EXE	30
PID 2244 wrote to memory of 2088	2244	WINWORD.EXE	30
PID 2244 wrote to memory of 2088	2244	WINWORD.EXE	30
PID 2244 wrote to memory of 2088	2244	WINWORD.EXE	30

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\691ea1f99ccaffa5925d8a49a99a4aea_JaffaCakes118.docm"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- NTFS ADS
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2244
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:2088

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{176ACC80-8894-4165-A663-89B8704724D8}.FSD

Filesize
128KB

MD5
2c940c9d42f82a26b3fd0c2091ba6a00

SHA1
afffebf9df659f14bc44d688cf4f5a90dd06d65b

SHA256
82f6f75c5af49542d70058db570cafa6991ef37f643d36d6dfdee1c6508a4a22

SHA512
4fa6aa92b7b17be6ec22bdbb69383fa6b0d7a76b657ce5820b260147113ec267959913c5c1d88ff96d07046e0ecc16d1f4720a5b6b64df3061cfe2dd453265ea

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD

Filesize
128KB

MD5
69e746edc65e11321f02a8a5c81c3bfa

SHA1
7aba26d18f95f6eece5ede1a0abac2ac64dcbf15

SHA256
ab145b95d49dcbb13fd88370e929ff1dbda26e4c7f6c95b46b48742c5253884b

SHA512
053b9b48522454dfa82cfbf68bd541b84a9111800229830996848f7f2cf5bb066f5960a43c461d38e3e7579d1b6e20bd4fbb7f084a9ed344188466d22991d9a2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{DE6BEEBF-7D82-4E3D-8C16-3F2AA9CC5595}.FSD

Filesize
128KB

MD5
9db045ec90b50884577668c8c39a881e

SHA1
e5086d5d3a624f9272b8fc78e960b0349175bd24

SHA256
a99a0ee2a2a4ca1f5eb5cb8d2db647b905c2773646d69f7fcb7ddd7d51478451

SHA512
d77cad17edf575d6a329a8b5a10fcb18c09d9dfcb5a28e9eb55f0c00ed2f3b1b1e68737c5fb5d02d07296cab1343a78c69d1927a5cc5f102a38bd867ae3bc28a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\KJ834MBR\laodinfokqaw[1].htm

Filesize
5KB

MD5
1c26151c43feaaaa84343fd2d0b5e1e5

SHA1
69d0bf4c5d8c4ba4adcd416a221e8f6d0ea76d1c

SHA256
239e6159fbd31bf808d9d30b5154370d7a1b2f54fc8c8c6b86992bb924a10ee7

SHA512
7cffbeb76d5019c71487dd153e3c91b2afd114e533372e27934147bdc50d1c8b5293024c42ca653aa975644d68aa9b594a2049ea4c7ca83d4bf6e39b9c80c416

Download Submit
C:\Users\Admin\AppData\Local\Temp\{44DABE86-06DF-4CF3-9932-5C899009409F}

Filesize
128KB

MD5
0bf8d827a5a99458e40062e4b2a0e9d3

SHA1
254d9409d36d27ff0696cec54f8c175f23d3286c

SHA256
b935306ee236c2e9a1a921577b8b75d5e16fd980d44f34a2e6f86bf28d55c12d

SHA512
6561bf0feab34e237f712bbc451ff4ad943f5743fef7425bc557138cac7a227c255b428cf09650f34ddf1b792aa6756b6e39cf5c908d95d247bc5672678e973a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

Filesize
19KB

MD5
7c9baf8d24753eac632b29ee814834a6

SHA1
327c4b62122e59ff3b7251666b81b49b6e6d2e02

SHA256
5fe2c29d6a2884a8f1fa50ede25af4cc0bcb50afdb99a9345bf87e894c3b6e41

SHA512
2d652bf2d252fb34e599782b0a1681fc6b2550211eec086a2526597c7062bc2a372eb9986aef11419ecd9f38eb5100fcbb7d90d6b030c4a1615c212b73722399

Download Submit
memory/2244-0-0x000000002F701000-0x000000002F702000-memory.dmp

Filesize
4KB

Download
memory/2244-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2244-2-0x000000007100D000-0x0000000071018000-memory.dmp

Filesize
44KB

Download
memory/2244-90-0x000000007100D000-0x0000000071018000-memory.dmp

Filesize
44KB

Download
memory/2244-113-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2244-116-0x000000007100D000-0x0000000071018000-memory.dmp

Filesize
44KB

Download

Analysis

Sharing