56fc71f92fd431be7506a8c2d5aeef7bad9ddc70471cfb1f68c3fcc4c4f90e0a

General

Target

66de8e793c5b12fc59e2433a800350bf_JaffaCakes118.exe
Size

33KB
MD5

66de8e793c5b12fc59e2433a800350bf
SHA1

7b22fca3d9b793ec6b41847a252d0af779d0970d
SHA256

56fc71f92fd431be7506a8c2d5aeef7bad9ddc70471cfb1f68c3fcc4c4f90e0a
SHA512

f068e58ab7d081e82bd5fa7cffe6eb67cab2ab9fbf5f117322b9c6e846b2175439b008871946159b7b0d34fe3776983a265e71b5423034104c3da8db1d7be5b7
SSDEEP

768:cyTq5KLMqsOj6LGkD19/wwlP8/DXfvbOUDp8leGs3nStS0v:zScMeWLGkD19/wwqrX97GO2t

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe rundll32.exe nynw.wmo mynleeq"	WINWORD.EXE

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process	2784	2108	svchost.exe	30

Deletes itself 1 IoCs

pid	Process
2784	svchost.exe

Loads dropped DLL 3 IoCs

pid	Process
2216	66de8e793c5b12fc59e2433a800350bf_JaffaCakes118.exe
2108	WINWORD.EXE
2784	svchost.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\nynw.wmo	WINWORD.EXE
File opened for modification	C:\Windows\SysWOW64\nynw.wmo	66de8e793c5b12fc59e2433a800350bf_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\nynw.wmo	WINWORD.EXE

Office loads VBA resources, possible macro or embedded object present

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\idid	svchost.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2108	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2216	66de8e793c5b12fc59e2433a800350bf_JaffaCakes118.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
2108	WINWORD.EXE

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2108	WINWORD.EXE
2108	WINWORD.EXE

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2108 wrote to memory of 2784	2108	WINWORD.EXE	31
PID 2108 wrote to memory of 2784	2108	WINWORD.EXE	31
PID 2108 wrote to memory of 2784	2108	WINWORD.EXE	31
PID 2108 wrote to memory of 2784	2108	WINWORD.EXE	31

C:\Users\Admin\AppData\Local\Temp\66de8e793c5b12fc59e2433a800350bf_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\66de8e793c5b12fc59e2433a800350bf_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:2216

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding
1⤵
- Modifies WinLogon for persistence
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2108
- C:\Windows\SysWOW64\svchost.exe
  svchost.exe
  2⤵
  - Process spawned unexpected child process
  - Deletes itself
  - Loads dropped DLL
  - Modifies registry class
  PID:2784

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\AEA7.tmp

Filesize
20KB

MD5
699bfa9503ddb0d74bc019a9c16ea636

SHA1
3b929de12de62b81a57daad5c8b34fa8170d36b5

SHA256
32bbbd5084e7f0b483a997a3f2fbb9c5ee1744cef5f5f26cf7b11b2ff88bd60e

SHA512
e133d3ada07d18165d6e76e18baa60e4dae922f650e6b4b42306b5a44b1f24b1e95298e8905028abf200264ae1116da198f3665eb7bae35eea8fb0f7e61b02a6

Download Submit
memory/2108-13-0x0000000000470000-0x0000000000570000-memory.dmp

Filesize
1024KB

Download
memory/2108-22-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2108-6-0x000000002F641000-0x000000002F642000-memory.dmp

Filesize
4KB

Download
memory/2108-7-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2108-8-0x000000007180D000-0x0000000071818000-memory.dmp

Filesize
44KB

Download
memory/2108-23-0x000000007180D000-0x0000000071818000-memory.dmp

Filesize
44KB

Download
memory/2108-10-0x0000000000470000-0x0000000000570000-memory.dmp

Filesize
1024KB

Download
memory/2216-24-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2216-1-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2216-0-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2216-25-0x0000000010000000-0x000000001000B000-memory.dmp

Filesize
44KB

Download
memory/2216-28-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2784-16-0x0000000000080000-0x0000000000081000-memory.dmp

Filesize
4KB

Download
memory/2784-29-0x0000000010000000-0x000000001000B000-memory.dmp

Filesize
44KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads