9fb697fef6049ad89d4dbc92fe8d78d8e20ecef964b747533928bd520be2bd17

General

Target

746be9c7b6601b953baaaef9785b8647_JaffaCakes118.doc
Size

242KB
MD5

746be9c7b6601b953baaaef9785b8647
SHA1

7be872732cac5df19393c14bb1c055a02a847874
SHA256

9fb697fef6049ad89d4dbc92fe8d78d8e20ecef964b747533928bd520be2bd17
SHA512

1590c9cb52198769081d93b779f248dc066e1608a2ea504131229b64d56fb931e4db87b1aec86c1a511c93ba336bbf34314ef34f2a245486fe80fbb7a9711bbd
SSDEEP

3072:NOw0pklIiuq73/IKBdsPCdSUoGa66kvbUWlR:NO5pklIo73wA7UU9a66kAG

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXEEXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXEWINWORD.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

WINWORD.EXE

pid process

4712 WINWORD.EXE
4712 WINWORD.EXE
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

EXCEL.EXE

description pid process

Token: SeAuditPrivilege 3404 EXCEL.EXE

description	pid	process
Token: SeAuditPrivilege	3404	EXCEL.EXE

Suspicious use of SetWindowsHookEx 11 IoCs

Processes:

WINWORD.EXEEXCEL.EXE

pid	process
4712	WINWORD.EXE
4712	WINWORD.EXE
4712	WINWORD.EXE
4712	WINWORD.EXE
4712	WINWORD.EXE
4712	WINWORD.EXE
4712	WINWORD.EXE
3404	EXCEL.EXE
3404	EXCEL.EXE
3404	EXCEL.EXE
3404	EXCEL.EXE

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\746be9c7b6601b953baaaef9785b8647_JaffaCakes118.doc" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:4712

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3404

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\A65FF6DE-1800-4338-BA61-B725E266FCC3

Filesize
169KB

MD5
b246f0dc18fe19658066f9262fb69477

SHA1
6beb80fc91e8bf28e68ca40c160ca9a19bb22151

SHA256
a35c33b17377b258a7c55edd1ab05ba21b5e91b2c68610a74154b04e4f8f649b

SHA512
cf25534b52bc78d9ac0aef624deac391042fa9d7b9adbd89095336fd464da496fe01753ad9a5173d92b3fff255b78cdd1be48bfb88dfc1cefacc034382c1cc6f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres

Filesize
2KB

MD5
08afb71b7099e27ac14d7d3abacee23c

SHA1
8d8733c762235f72db01c1fe3018a2c9fccdcf42

SHA256
4cc3408bbf560e4cfff040922895cc8d1cd4a4adad79374a867b31ad292028dc

SHA512
22945db2decc98a025db4dd19e8ae271681d8dc9ed548f12d6d755985688e8c772472e2cbb4ab6e3424535ae869af046fbdbc6a0a1d2be8cdccafe461623d1df

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\49dbe2955480c7f6ef8cec9c4320c9868d9293fd.tbres

Filesize
2KB

MD5
4807cc6340ecafb502e9a0b87cbfbeb7

SHA1
475f84c8c5948946cf8d063717a67e3347feeaea

SHA256
20a3a8db560a8bc38521aa7ff5c2d677bdf33e2fcd9a7c6828cf6cbc6e96f438

SHA512
8006b1ef06875bcd33fed57c7460b72c9444c9cf4ea0d88569dd313315ff30a7e453e8796527973411ef2fc28d8a50074a3071559bce80f8cc471f4f2c809eda

Download Submit
C:\Users\Admin\AppData\Local\Temp\TCDCEB7.tmp\sist02.xsl

Filesize
245KB

MD5
f883b260a8d67082ea895c14bf56dd56

SHA1
7954565c1f243d46ad3b1e2f1baf3281451fc14b

SHA256
ef4835db41a485b56c2ef0ff7094bc2350460573a686182bc45fd6613480e353

SHA512
d95924a499f32d9b4d9a7d298502181f9e9048c21dbe0496fa3c3279b263d6f7d594b859111a99b1a53bd248ee69b867d7b1768c42e1e40934e0b990f0ce051e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC

Filesize
16B

MD5
d29962abc88624befc0135579ae485ec

SHA1
e40a6458296ec6a2427bcb280572d023a9862b31

SHA256
a91a702aab9b8dd722843d3d208a21bcfa6556dfc64e2ded63975de4511eb866

SHA512
4311e87d8d5559248d4174908817a4ddc917bf7378114435cf12da8ccb7a1542c851812afbaf7dc106771bdb2e2d05f52e7d0c50d110fc7fffe4395592492c2f

Download Submit
memory/4712-6-0x00007FFA80230000-0x00007FFA80240000-memory.dmp

Filesize
64KB

Download
memory/4712-18-0x00007FFAC01B0000-0x00007FFAC03A5000-memory.dmp

Filesize
2.0MB

Download
memory/4712-0-0x00007FFA80230000-0x00007FFA80240000-memory.dmp

Filesize
64KB

Download
memory/4712-10-0x00007FFAC01B0000-0x00007FFAC03A5000-memory.dmp

Filesize
2.0MB

Download
memory/4712-11-0x00007FFAC01B0000-0x00007FFAC03A5000-memory.dmp

Filesize
2.0MB

Download
memory/4712-9-0x00007FFAC01B0000-0x00007FFAC03A5000-memory.dmp

Filesize
2.0MB

Download
memory/4712-8-0x00007FFAC01B0000-0x00007FFAC03A5000-memory.dmp

Filesize
2.0MB

Download
memory/4712-12-0x00007FFAC01B0000-0x00007FFAC03A5000-memory.dmp

Filesize
2.0MB

Download
memory/4712-13-0x00007FFAC01B0000-0x00007FFAC03A5000-memory.dmp

Filesize
2.0MB

Download
memory/4712-15-0x00007FFA7D930000-0x00007FFA7D940000-memory.dmp

Filesize
64KB

Download
memory/4712-17-0x00007FFAC01B0000-0x00007FFAC03A5000-memory.dmp

Filesize
2.0MB

Download
memory/4712-7-0x00007FFAC01B0000-0x00007FFAC03A5000-memory.dmp

Filesize
2.0MB

Download
memory/4712-16-0x00007FFAC01B0000-0x00007FFAC03A5000-memory.dmp

Filesize
2.0MB

Download
memory/4712-19-0x00007FFA7D930000-0x00007FFA7D940000-memory.dmp

Filesize
64KB

Download
memory/4712-20-0x00007FFAC01B0000-0x00007FFAC03A5000-memory.dmp

Filesize
2.0MB

Download
memory/4712-14-0x00007FFAC01B0000-0x00007FFAC03A5000-memory.dmp

Filesize
2.0MB

Download
memory/4712-5-0x00007FFAC01B0000-0x00007FFAC03A5000-memory.dmp

Filesize
2.0MB

Download
memory/4712-1-0x00007FFA80230000-0x00007FFA80240000-memory.dmp

Filesize
64KB

Download
memory/4712-529-0x00007FFAC01B0000-0x00007FFAC03A5000-memory.dmp

Filesize
2.0MB

Download
memory/4712-584-0x00007FFAC01B0000-0x00007FFAC03A5000-memory.dmp

Filesize
2.0MB

Download
memory/4712-4-0x00007FFAC024D000-0x00007FFAC024E000-memory.dmp

Filesize
4KB

Download
memory/4712-3-0x00007FFA80230000-0x00007FFA80240000-memory.dmp

Filesize
64KB

Download
memory/4712-2-0x00007FFA80230000-0x00007FFA80240000-memory.dmp

Filesize
64KB

Download
memory/4712-1087-0x00007FFAC01B0000-0x00007FFAC03A5000-memory.dmp

Filesize
2.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads