eae36bf56595279d003b44de9e3b1c5ce81f5f07eeb6241a36fc4ce33b0636d1

General

Target

a4b96441ba6f4ade3d54a70430db662b_JaffaCakes118.docx
Size

84KB
MD5

a4b96441ba6f4ade3d54a70430db662b
SHA1

0d2931870db517b19656b9dbc0efc6d45737b499
SHA256

eae36bf56595279d003b44de9e3b1c5ce81f5f07eeb6241a36fc4ce33b0636d1
SHA512

b635052fe3ee4fa4cdea2ae5c4b7698c6f93889d3614164d8415ebab0876e26ca8844e57b0929a1684c5fd1653d4247d47df1e55ba5c05e92c7db877fef6a1da
SSDEEP

1536:BmS1WExOoRX51j1BPpoynaSlqx1JxpHj3Sc7g2Q58WH6LGNC:cS1XRJHB2yrlqx1Jxh3Sc7g2Q5vaqNC

Score

4^/10

discovery

Malware Config

Signatures

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WINWORD.EXE

Office loads VBA resources, possible macro or embedded object present

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Local\Temp\https:\files.catbox.moe\0azpj8.doc	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2344	WINWORD.EXE

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2344	WINWORD.EXE

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2344	WINWORD.EXE
2344	WINWORD.EXE

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2344 wrote to memory of 2460	2344	WINWORD.EXE	32
PID 2344 wrote to memory of 2460	2344	WINWORD.EXE	32
PID 2344 wrote to memory of 2460	2344	WINWORD.EXE	32
PID 2344 wrote to memory of 2460	2344	WINWORD.EXE	32

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\a4b96441ba6f4ade3d54a70430db662b_JaffaCakes118.docx"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- NTFS ADS
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2344
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:2460

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{93EEFB6B-14DD-4406-928D-D9C2CF10FA80}.FSD

Filesize
128KB

MD5
0ab6d4e27782f5b3468f2261b710887c

SHA1
f55bb0187e2bf353fd7e5a73ec277db7afcf5057

SHA256
49fb09c9ed5366e1db23ab33bcd6197693291f50034bab8ff0b902cc29418754

SHA512
73557ed99e958ec2e92bc573dab2cf894e6eaf24a66fabc1ecd58cf88e8cd7f27b2e7a6a2b7da269ed71c7be8d6ef88e645bcdfea144978057c7c4778f4875ce

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD

Filesize
128KB

MD5
e661292e21c3999d61635e436877f321

SHA1
cd2c2f33c5ead342d7a73e16f29d7fc2a9452614

SHA256
ec259f793e916df85dbdcd95b0b6f4d62a679380e2d9553c32a955c2a886569e

SHA512
73652e50a1f1338717d7ee9b12f19f448807c2691f4caa14de12c1026dfdc4aa4198a4313417d7961dbc40cf581dad9c045b7ad23753cbc7b6b2dbbef64a4c88

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{D6D82B43-BB22-412D-A75A-7FF2CF57740A}.FSD

Filesize
128KB

MD5
aee5a623a119dd0d943e1c9dbd1ec4d5

SHA1
7b41e068e14981390970a0512020b8e899284478

SHA256
f9a4337b7e2e0a039ee311ddc2715128878d0b1bebbaf3110cad822a1e1af815

SHA512
eded990cf2abb6564a92aaf4a8ec21a98c22325b2827b163ee53634cdf9e98e08b4fac286d2e00b890708211da87376df9f7a7a7692895454d7ab864bb56349c

Download Submit
C:\Users\Admin\AppData\Local\Temp\{65FC404C-2F6A-4EC0-A301-7FC2429EFC62}

Filesize
128KB

MD5
7ebe4e2706883e50ada20cc7a4d435f1

SHA1
b3204ad05c3972e36d0de2809e4d2449caf45e50

SHA256
5c5c23f7bfa03ad4c28f1d150a882a4fef839dba1cfe0b3c8f5233f0b7b76456

SHA512
14b05f98bc95bd6f7cb5797c1d85af14a469d042859e9863acee64401e604fc864475ccb8c406f381e8fc4bfce12c1006b44cb3c908693295849547308ad6571

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

Filesize
19KB

MD5
91bc520b742ca3538aecb64c09521341

SHA1
dcb5f94689733611780423799bfd5fd6da5d1488

SHA256
9e1e7a4069c0153459eaf643258432a8727dda6907ad72b419af74d4af8d988f

SHA512
3dca16f1808ab944fabdefd15ab3efb360f1a5b26bb995cf0abac855b56656dec8061f882eb8e083a04b16bbacc49d26f351be8e473f8556fc09d8ebd76f5f18

Download Submit
memory/2344-0-0x000000002F091000-0x000000002F092000-memory.dmp

Filesize
4KB

Download
memory/2344-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2344-2-0x000000007160D000-0x0000000071618000-memory.dmp

Filesize
44KB

Download
memory/2344-7-0x000000007160D000-0x0000000071618000-memory.dmp

Filesize
44KB

Download
memory/2344-95-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2344-98-0x000000007160D000-0x0000000071618000-memory.dmp

Filesize
44KB

Download

Analysis

Sharing