dfce1d462c53941da0f1d933698bb705c792f9f878f0a6820397e3f7209ea0b5

General

Target

8b9eaf7a43033ddcada3788878d60665_JaffaCakes118.docm
Size

382KB
MD5

8b9eaf7a43033ddcada3788878d60665
SHA1

29387bd86769349d09e65ab685a17eb8759b1bc2
SHA256

dfce1d462c53941da0f1d933698bb705c792f9f878f0a6820397e3f7209ea0b5
SHA512

b74351062e01f8f50dc7407797149e8b19a0e8228ce7ea645280461d673b6f98d87cb6ebc24320c481143a36e8dc7789dab165f01735357917784e8d7f35bd97
SSDEEP

6144:4/2GQYO2wfyqUBDD5LpUuTSVbkecVQYP3yil1s8HsDsXAYeTkpoCz7Jcp:4+RaqUBDDppUugqiYKaBYs1pok7ip

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Local\Temp\http:\bit.ly\2HloaderqVbva	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
992	WINWORD.EXE
992	WINWORD.EXE

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeAuditPrivilege	992	WINWORD.EXE

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
992	WINWORD.EXE
992	WINWORD.EXE
992	WINWORD.EXE
992	WINWORD.EXE
992	WINWORD.EXE
992	WINWORD.EXE
992	WINWORD.EXE

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\8b9eaf7a43033ddcada3788878d60665_JaffaCakes118.docm" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:992

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\EF419F15.emf

Filesize
39KB

MD5
c2485d9ae8e561a192571bc6a1285725

SHA1
5547d74bc1ef2ddc668398f07ca34d6b6ad2393c

SHA256
5c3e2dd465a682f147a42238021c54ca029774971f6738d680443af925381166

SHA512
be629b38d008fd7abb6285797dcf6164df09a4f3fd43449f8b49e9bcf9c9270f4795f6fc00b43fe074418099d0a1a7b90d576c9b5d628b8191c8bfcf5cebba2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\TCDF1C.tmp\sist02.xsl

Filesize
245KB

MD5
f883b260a8d67082ea895c14bf56dd56

SHA1
7954565c1f243d46ad3b1e2f1baf3281451fc14b

SHA256
ef4835db41a485b56c2ef0ff7094bc2350460573a686182bc45fd6613480e353

SHA512
d95924a499f32d9b4d9a7d298502181f9e9048c21dbe0496fa3c3279b263d6f7d594b859111a99b1a53bd248ee69b867d7b1768c42e1e40934e0b990f0ce051e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

Filesize
2KB

MD5
31beb9fe608909287ad2f6d1e13726b8

SHA1
6d3ed9e2d2b48037a5ba607cc1d672168edec1c8

SHA256
a3293bf7f8e3d3bf9ad3b1fd2844b24f81079fca8ce30765dda70c5c33fdb237

SHA512
e5689afa1e9d92a1994b5ecc20483ca1233c1c75c52a866c4cc75aa9413fd438b83e278be05f64fb19f9e4f2e124ceda95d32df8fefff094b27d389114f047dc

Download Submit
memory/992-19-0x00007FF898BD0000-0x00007FF898DC5000-memory.dmp

Filesize
2.0MB

Download
memory/992-63-0x00007FF898BD0000-0x00007FF898DC5000-memory.dmp

Filesize
2.0MB

Download
memory/992-4-0x00007FF858C50000-0x00007FF858C60000-memory.dmp

Filesize
64KB

Download
memory/992-9-0x00007FF898BD0000-0x00007FF898DC5000-memory.dmp

Filesize
2.0MB

Download
memory/992-10-0x00007FF898BD0000-0x00007FF898DC5000-memory.dmp

Filesize
2.0MB

Download
memory/992-12-0x00007FF898BD0000-0x00007FF898DC5000-memory.dmp

Filesize
2.0MB

Download
memory/992-13-0x00007FF898BD0000-0x00007FF898DC5000-memory.dmp

Filesize
2.0MB

Download
memory/992-11-0x00007FF898BD0000-0x00007FF898DC5000-memory.dmp

Filesize
2.0MB

Download
memory/992-8-0x00007FF898BD0000-0x00007FF898DC5000-memory.dmp

Filesize
2.0MB

Download
memory/992-7-0x00007FF898BD0000-0x00007FF898DC5000-memory.dmp

Filesize
2.0MB

Download
memory/992-6-0x00007FF898BD0000-0x00007FF898DC5000-memory.dmp

Filesize
2.0MB

Download
memory/992-14-0x00007FF8565F0000-0x00007FF856600000-memory.dmp

Filesize
64KB

Download
memory/992-17-0x00007FF8565F0000-0x00007FF856600000-memory.dmp

Filesize
64KB

Download
memory/992-0-0x00007FF858C50000-0x00007FF858C60000-memory.dmp

Filesize
64KB

Download
memory/992-1-0x00007FF898C6D000-0x00007FF898C6E000-memory.dmp

Filesize
4KB

Download
memory/992-15-0x00007FF898BD0000-0x00007FF898DC5000-memory.dmp

Filesize
2.0MB

Download
memory/992-18-0x00007FF898BD0000-0x00007FF898DC5000-memory.dmp

Filesize
2.0MB

Download
memory/992-5-0x00007FF858C50000-0x00007FF858C60000-memory.dmp

Filesize
64KB

Download
memory/992-2-0x00007FF858C50000-0x00007FF858C60000-memory.dmp

Filesize
64KB

Download
memory/992-16-0x00007FF898BD0000-0x00007FF898DC5000-memory.dmp

Filesize
2.0MB

Download
memory/992-64-0x00007FF898C6D000-0x00007FF898C6E000-memory.dmp

Filesize
4KB

Download
memory/992-65-0x00007FF898BD0000-0x00007FF898DC5000-memory.dmp

Filesize
2.0MB

Download
memory/992-66-0x00007FF898BD0000-0x00007FF898DC5000-memory.dmp

Filesize
2.0MB

Download
memory/992-3-0x00007FF858C50000-0x00007FF858C60000-memory.dmp

Filesize
64KB

Download
memory/992-208-0x00007FF858C50000-0x00007FF858C60000-memory.dmp

Filesize
64KB

Download
memory/992-209-0x00007FF858C50000-0x00007FF858C60000-memory.dmp

Filesize
64KB

Download
memory/992-211-0x00007FF858C50000-0x00007FF858C60000-memory.dmp

Filesize
64KB

Download
memory/992-210-0x00007FF858C50000-0x00007FF858C60000-memory.dmp

Filesize
64KB

Download
memory/992-212-0x00007FF898BD0000-0x00007FF898DC5000-memory.dmp

Filesize
2.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads