e80140e3ce49abe4fd22db5b5645d0f3e2fc76dd91e2c32c80d6327a73517b65

General

Target

691ea1f99ccaffa5925d8a49a99a4aea_JaffaCakes118.docm
Size

177KB
MD5

691ea1f99ccaffa5925d8a49a99a4aea
SHA1

cde8f0eb8f4276c642801f947ca0e7a7e90fa8f5
SHA256

e80140e3ce49abe4fd22db5b5645d0f3e2fc76dd91e2c32c80d6327a73517b65
SHA512

35d1d20293524efe746ba28e7f5f796a3ec9efd41cad42f626ba0ccf00528562ec8e73a2d922e46cb381391e6a309708f5628510dfa484f542dc17fb81b2b3e1
SSDEEP

3072:6w8X8ZeQ91dXGHdOnzDX9xWdygjqS1XRJHB2yrlqx1Jxh3Sc7g2QhECGf:Y8QQ9XXFnzpxBmXReuGJ3ZshGf

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Local\Temp\http:\bit.ly\laodinfokqaw	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
3156	WINWORD.EXE
3156	WINWORD.EXE

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeAuditPrivilege	3156	WINWORD.EXE

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
3156	WINWORD.EXE
3156	WINWORD.EXE
3156	WINWORD.EXE
3156	WINWORD.EXE
3156	WINWORD.EXE
3156	WINWORD.EXE
3156	WINWORD.EXE
3156	WINWORD.EXE

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 3156 wrote to memory of 4872	3156	WINWORD.EXE	90
PID 3156 wrote to memory of 4872	3156	WINWORD.EXE	90

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\691ea1f99ccaffa5925d8a49a99a4aea_JaffaCakes118.docm" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3156
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:4872

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\MQYRE6E5\laodinfokqaw[1].htm

Filesize
5KB

MD5
1c26151c43feaaaa84343fd2d0b5e1e5

SHA1
69d0bf4c5d8c4ba4adcd416a221e8f6d0ea76d1c

SHA256
239e6159fbd31bf808d9d30b5154370d7a1b2f54fc8c8c6b86992bb924a10ee7

SHA512
7cffbeb76d5019c71487dd153e3c91b2afd114e533372e27934147bdc50d1c8b5293024c42ca653aa975644d68aa9b594a2049ea4c7ca83d4bf6e39b9c80c416

Download Submit
C:\Users\Admin\AppData\Local\Temp\TCDF52.tmp\gb.xsl

Filesize
262KB

MD5
51d32ee5bc7ab811041f799652d26e04

SHA1
412193006aa3ef19e0a57e16acf86b830993024a

SHA256
6230814bf5b2d554397580613e20681752240ab87fd354ececf188c1eabe0e97

SHA512
5fc5d889b0c8e5ef464b76f0c4c9e61bda59b2d1205ac9417cc74d6e9f989fb73d78b4eb3044a1a1e1f2c00ce1ca1bd6d4d07eeadc4108c7b124867711c31810

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

Filesize
1KB

MD5
1e651b375c78cf26530d02d24c61867b

SHA1
66d5ee6dbfdcda26f0499a07660488616bec53e7

SHA256
fb41ddd6cf1335ef4489aba9805922de3b47d0c2baaff2588b6f8b851900e3ce

SHA512
2ff4bbd0b5a5b2c1455009be1c7cbd934893b3e86ace484b94c2a80199a564f26ebee0c628baaa7238a1c082f6d0d8191892c65cb667658514a9865a18ebc484

Download Submit
memory/3156-6-0x00007FFBDD590000-0x00007FFBDD785000-memory.dmp

Filesize
2.0MB

Download
memory/3156-11-0x00007FFBDD590000-0x00007FFBDD785000-memory.dmp

Filesize
2.0MB

Download
memory/3156-8-0x00007FFBDD590000-0x00007FFBDD785000-memory.dmp

Filesize
2.0MB

Download
memory/3156-7-0x00007FFBDD590000-0x00007FFBDD785000-memory.dmp

Filesize
2.0MB

Download
memory/3156-0-0x00007FFB9D610000-0x00007FFB9D620000-memory.dmp

Filesize
64KB

Download
memory/3156-10-0x00007FFBDD590000-0x00007FFBDD785000-memory.dmp

Filesize
2.0MB

Download
memory/3156-9-0x00007FFBDD590000-0x00007FFBDD785000-memory.dmp

Filesize
2.0MB

Download
memory/3156-12-0x00007FFBDD590000-0x00007FFBDD785000-memory.dmp

Filesize
2.0MB

Download
memory/3156-13-0x00007FFBDD590000-0x00007FFBDD785000-memory.dmp

Filesize
2.0MB

Download
memory/3156-15-0x00007FFB9B470000-0x00007FFB9B480000-memory.dmp

Filesize
64KB

Download
memory/3156-17-0x00007FFBDD590000-0x00007FFBDD785000-memory.dmp

Filesize
2.0MB

Download
memory/3156-16-0x00007FFBDD590000-0x00007FFBDD785000-memory.dmp

Filesize
2.0MB

Download
memory/3156-14-0x00007FFBDD590000-0x00007FFBDD785000-memory.dmp

Filesize
2.0MB

Download
memory/3156-1-0x00007FFB9D610000-0x00007FFB9D620000-memory.dmp

Filesize
64KB

Download
memory/3156-18-0x00007FFBDD590000-0x00007FFBDD785000-memory.dmp

Filesize
2.0MB

Download
memory/3156-19-0x00007FFB9B470000-0x00007FFB9B480000-memory.dmp

Filesize
64KB

Download
memory/3156-21-0x00007FFBDD590000-0x00007FFBDD785000-memory.dmp

Filesize
2.0MB

Download
memory/3156-20-0x00007FFBDD590000-0x00007FFBDD785000-memory.dmp

Filesize
2.0MB

Download
memory/3156-4-0x00007FFB9D610000-0x00007FFB9D620000-memory.dmp

Filesize
64KB

Download
memory/3156-5-0x00007FFBDD62D000-0x00007FFBDD62E000-memory.dmp

Filesize
4KB

Download
memory/3156-2-0x00007FFB9D610000-0x00007FFB9D620000-memory.dmp

Filesize
64KB

Download
memory/3156-82-0x00007FFBDD590000-0x00007FFBDD785000-memory.dmp

Filesize
2.0MB

Download
memory/3156-3-0x00007FFB9D610000-0x00007FFB9D620000-memory.dmp

Filesize
64KB

Download
memory/3156-236-0x00007FFB9D610000-0x00007FFB9D620000-memory.dmp

Filesize
64KB

Download
memory/3156-235-0x00007FFB9D610000-0x00007FFB9D620000-memory.dmp

Filesize
64KB

Download
memory/3156-238-0x00007FFB9D610000-0x00007FFB9D620000-memory.dmp

Filesize
64KB

Download
memory/3156-237-0x00007FFB9D610000-0x00007FFB9D620000-memory.dmp

Filesize
64KB

Download
memory/3156-239-0x00007FFBDD590000-0x00007FFBDD785000-memory.dmp

Filesize
2.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads