1efcb8ddb6246637001b794cb8bfe43da0744576ee9ab4b8f2419e46ca272587

General

Target

8a0af8ab9cf89b2d660bff560c5f5f46_JaffaCakes118.exe
Size

126KB
MD5

8a0af8ab9cf89b2d660bff560c5f5f46
SHA1

76d5be5818045b73eec6bcda3f5d2b3c33d86cda
SHA256

1efcb8ddb6246637001b794cb8bfe43da0744576ee9ab4b8f2419e46ca272587
SHA512

4cfb004302e8c9d17d9d190bc822a48a17b5fb9af96dc3c092a22673b675d5e07ee394afd7391db0582e704564c6dce8434e0c074d9889cbafae5719f0811f69
SSDEEP

1536:pTWhwiiehaL5o7F4iKEFXvx9oFqWGVYL4442N:pEvrwL5oJ/XUdb

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1848	cmd.exe

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	8a0af8ab9cf89b2d660bff560c5f5f46_JaffaCakes118.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8a0af8ab9cf89b2d660bff560c5f5f46_JaffaCakes118.exe

Office loads VBA resources, possible macro or embedded object present

Modifies registry class 1 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	8a0af8ab9cf89b2d660bff560c5f5f46_JaffaCakes118.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1600	WINWORD.EXE

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1600	WINWORD.EXE
1600	WINWORD.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2460 wrote to memory of 1600	2460	8a0af8ab9cf89b2d660bff560c5f5f46_JaffaCakes118.exe	31
PID 2460 wrote to memory of 1600	2460	8a0af8ab9cf89b2d660bff560c5f5f46_JaffaCakes118.exe	31
PID 2460 wrote to memory of 1600	2460	8a0af8ab9cf89b2d660bff560c5f5f46_JaffaCakes118.exe	31
PID 2460 wrote to memory of 1600	2460	8a0af8ab9cf89b2d660bff560c5f5f46_JaffaCakes118.exe	31
PID 2460 wrote to memory of 1848	2460	8a0af8ab9cf89b2d660bff560c5f5f46_JaffaCakes118.exe	32
PID 2460 wrote to memory of 1848	2460	8a0af8ab9cf89b2d660bff560c5f5f46_JaffaCakes118.exe	32
PID 2460 wrote to memory of 1848	2460	8a0af8ab9cf89b2d660bff560c5f5f46_JaffaCakes118.exe	32
PID 2460 wrote to memory of 1848	2460	8a0af8ab9cf89b2d660bff560c5f5f46_JaffaCakes118.exe	32
PID 1600 wrote to memory of 2656	1600	WINWORD.EXE	34
PID 1600 wrote to memory of 2656	1600	WINWORD.EXE	34
PID 1600 wrote to memory of 2656	1600	WINWORD.EXE	34
PID 1600 wrote to memory of 2656	1600	WINWORD.EXE	34

C:\Users\Admin\AppData\Local\Temp\8a0af8ab9cf89b2d660bff560c5f5f46_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\8a0af8ab9cf89b2d660bff560c5f5f46_JaffaCakes118.exe"
1⤵
- Modifies system executable filetype association
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2460
- C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
  "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\8a0af8ab9cf89b2d660bff560c5f5f46_JaffaCakes118.doc"
  2⤵
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1600
- - C:\Windows\splwow64.exe
    C:\Windows\splwow64.exe 12288
    3⤵
    PID:2656
- C:\Windows\SysWOW64\cmd.exe
  cmd /c del "C:\Users\Admin\AppData\Local\Temp\8a0af8ab9cf89b2d660bff560c5f5f46_JaffaCakes118.exe"
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:1848

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

1

T1546

Change Default File Association

1

T1546.001

Privilege Escalation

Event Triggered Execution

1

T1546

Change Default File Association

1

T1546.001

Defense Evasion

Indicator Removal

1

T1070

File Deletion

Modify Registry

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\8a0af8ab9cf89b2d660bff560c5f5f46_JaffaCakes118.doc

Filesize
64KB

MD5
14d89b01e02b983200236870d838a294

SHA1
3bf0cc8234faa89f16cf1484e3f94c7006ae550d

SHA256
785bac524e4abb800df4e6341ee234558a9b46f31d8f675370566c2e7a92cf2e

SHA512
3d8b6fb4940a1f35ea7c972ee0a9094b43363245d9f3e860f3feaea760de73beea6e536364c5fd0152cd3b8cf55d0756e2345e0c34e4c443d98645d7293ee4fe

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

Filesize
19KB

MD5
9ee0c5e8917653b544d2d171076bc46b

SHA1
d175671fbf0a64c947dd57b3d20a4cee42ed299b

SHA256
0c24638aa565746cc0f71ffb38002a4865cd14924fd9536c622074208299a94a

SHA512
57ea08459cabeb9e91255beb820e3ffd916c0f3926a92c3c8cbfbd3bdeb0fb94ca0076908da704041852607a4473c3a7179df73069c46336ce922d0759172441

Download Submit
memory/1600-6-0x000000002F021000-0x000000002F022000-memory.dmp

Filesize
4KB

Download
memory/1600-7-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1600-8-0x00000000718ED000-0x00000000718F8000-memory.dmp

Filesize
44KB

Download
memory/1600-16-0x00000000718ED000-0x00000000718F8000-memory.dmp

Filesize
44KB

Download
memory/1600-31-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads