edd7f442f0c78778862182c07d7b806945e8fb608a762f7315238feae5c204be

General

Target

7571d9ebe44a17948813969147243a5d_JaffaCakes118.docm
Size

380KB
MD5

7571d9ebe44a17948813969147243a5d
SHA1

3311297aa96c9ed1a9898d4da9457c09bb5e0cf0
SHA256

edd7f442f0c78778862182c07d7b806945e8fb608a762f7315238feae5c204be
SHA512

02ec09b665b1aa8f7cc4699eb9017b11b5443b8e0784e50a2296f2cd145055bc9c347d27620ee6ae4cfeaefd7db7967de143463b08eef6109bad5553d032330a
SSDEEP

6144:Zyil1s8HsDsXAYeTkpoCz7JQ/Qn0uTSuSxUaymnfhZO+dfOfnprGM12q:kaBYs1pok7q/Qn0ubDGf5OfprB1/

Score

4^/10

discovery

Malware Config

Signatures

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WINWORD.EXE

Office loads VBA resources, possible macro or embedded object present

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Local\Temp\http:\bit.ly\loadingxxxx	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2556	WINWORD.EXE

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2556	WINWORD.EXE

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2556	WINWORD.EXE
2556	WINWORD.EXE
2556	WINWORD.EXE

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2556 wrote to memory of 1980	2556	WINWORD.EXE	32
PID 2556 wrote to memory of 1980	2556	WINWORD.EXE	32
PID 2556 wrote to memory of 1980	2556	WINWORD.EXE	32
PID 2556 wrote to memory of 1980	2556	WINWORD.EXE	32

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\7571d9ebe44a17948813969147243a5d_JaffaCakes118.docm"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- NTFS ADS
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2556
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:1980

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-CNRY.FSD

Filesize
128KB

MD5
5644ac78709ec9690fd091e35fded65a

SHA1
1abfacf3ca6c344d2086246084710f9ce0a9f59d

SHA256
47d456274b4049978f0dae386b3c7c7bb96d597547ab0543520825add5d1921d

SHA512
f471bb109adedb7c8cdaccf41f15b0c33b4ffe6e2997822ae561a1aed9796c7b676711b922d3d417a2396c219365e8bbfc8a7f37cabe9a31127d34185f9757ae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{4686328C-85E2-47BD-BCF5-445A19D4F03A}.FSD

Filesize
128KB

MD5
b0800c1910b1bfa91869956d2a8cefb1

SHA1
78dc72a15d6c802164d197014b6689fe14114741

SHA256
726a3e844b769bdd7d6a50b7cdcd70f25cc583204e1fb8cf27fa268f55d1c302

SHA512
fb6dbfe7237bc467aadf7cc01c2c1d9ec06d18dbc4e42d35d173e582814a0bd6c262eb02a9c6f2d1d6f8262fa046df4b3916dae0598a76ac4161547a79a45d56

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD

Filesize
128KB

MD5
fb98cc9f32a78d92319e31ab170d85c2

SHA1
8239ddc949dcf93f010e34c55b8449d2a72c7c59

SHA256
2f7f2609b442d0c710b649ef2d1ff6be236df8f00a9673647a01b2c97aca3efc

SHA512
a54330002cb06045274cffd13e4e61b3c104b808a1b864d395c534d36c70783203e65351d9b0a97b156e17f61b33f7d2bde83ee151d9f7c812d3479dd3a1af5f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{3136404C-C218-4436-B081-D651807E098A}.FSD

Filesize
128KB

MD5
23496cf62ff6c06e37408799054fe1c3

SHA1
6440cbbcea7ab979c17cfb7c042df299d481ee18

SHA256
b304f326d60736f8c1abf44c3c9c3b17fa34e9996ad043ed92e9b56640f901d6

SHA512
42bf2ba50422eb22d44a2a41ed3fe147f0510fc46c1950a3965dc5e72b3be74df944c4bc4f9981dcd468072f7f0090e248fdf0fa4044e73bdccf8181216403ce

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\WNZH54VQ\loadingxxxx[1].htm

Filesize
5KB

MD5
caaa86e2e815c1258e9e76ac42f12b88

SHA1
5b227fe8a62e681b474fdaec0e726d3114a0f1b4

SHA256
79f421ab2115223b265dfacfb5a5b61f09e631c9b281db463984409273954c38

SHA512
cd8a1ea09b69b1be6afa184c0e8dbb76c13a77225b7425f44f28c1459e132ff179d04cea8c9c636c1e56c22b960e88a598854b307d855a93bacc4ad873a78797

Download Submit
C:\Users\Admin\AppData\Local\Temp\{60D13450-6D97-4AA1-A201-B3614D7CB647}

Filesize
128KB

MD5
0ba42c6627c6d4355a6fff4c261f8ad1

SHA1
ed14310d9813eae94a0557f1db917bcffc20500b

SHA256
48be4391e5173d4f3f47ce5e2460778736f1441f56e298b9d24a01f9d61916bf

SHA512
9b9a3839373a6940b42d39d526eae890ce1bdd358e17d20bedb30a230b36ccdc4d23de0b08baa7449867244391b08f0b26e7a0f7c0e13db170a1cd1926a21b56

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

Filesize
19KB

MD5
619f4f3914b11277af2f9ffcfca83cb6

SHA1
02dff4f7dcbfbd2bcc35c7056d35853bb92c1b01

SHA256
43f8c0e6ec067c53a69164324ae4d3a4d8f3a881cc740e9503b14bd27d88994d

SHA512
468730701947e3a53f32598ced457b8e81bc90ed21e721b392f2c2d53e622f8d8950f8f79675bc8ceff061e628bf5c18b6a8f9f01a9db26d72402af977e951f0

Download Submit
memory/2556-2-0x00000000712AD000-0x00000000712B8000-memory.dmp

Filesize
44KB

Download
memory/2556-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2556-61-0x00000000712AD000-0x00000000712B8000-memory.dmp

Filesize
44KB

Download
memory/2556-0-0x000000002F181000-0x000000002F182000-memory.dmp

Filesize
4KB

Download
memory/2556-115-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2556-118-0x00000000712AD000-0x00000000712B8000-memory.dmp

Filesize
44KB

Download

Analysis

Sharing