3fa48b06f283280e7e0e742325e7cf36be9892611a230ad3d867b3ab8066d6f1

General

Target

aa9524d11c23c4ec73dac7e4ad345283_JaffaCakes118.doc
Size

242KB
MD5

aa9524d11c23c4ec73dac7e4ad345283
SHA1

8a41489da83b93573e513e0f0be749944daabce6
SHA256

3fa48b06f283280e7e0e742325e7cf36be9892611a230ad3d867b3ab8066d6f1
SHA512

f56e14de95b06e0e9c366a7c2d92561c0f03a24bcb14bd913d95dadccf1a31b7b04b89adda9ba1ef777102e978b3ac8e398bdf583333c6f2c5d613fe19061d8f
SSDEEP

3072:mvw9HXPJguq73/IKBWyvUdSCQaPI0cj+C3:mvKHXPJi73wASUCQr9x

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
3272	WINWORD.EXE
3272	WINWORD.EXE

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeAuditPrivilege	3664	EXCEL.EXE

Suspicious use of SetWindowsHookEx 11 IoCs

pid	Process
3272	WINWORD.EXE
3272	WINWORD.EXE
3272	WINWORD.EXE
3272	WINWORD.EXE
3272	WINWORD.EXE
3272	WINWORD.EXE
3272	WINWORD.EXE
3664	EXCEL.EXE
3664	EXCEL.EXE
3664	EXCEL.EXE
3664	EXCEL.EXE

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\aa9524d11c23c4ec73dac7e4ad345283_JaffaCakes118.doc" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:3272

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3664

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\5481836F-56BA-42A2-86BB-DB5DFA4AAB3F

Filesize
170KB

MD5
a09a8d1bb23749bcea6ff870244aeabc

SHA1
ddd1f1eb52b3f4a2a38e87f243cd04d29a468855

SHA256
f4a0f65835924ca70686c02e8d1be91e2ffbe714ff42c7bd9742d5884f8ffacd

SHA512
16bfb97aeb1b7afd8750b393e7eec47da52fe4b8ee969f0d9f0d33c99c420d4f490ea15978dae2132560d94efc644169c607cdebd363025e22591d8175e38611

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres

Filesize
2KB

MD5
ea9d709afdcc35b7a71b606a3f63cb62

SHA1
8e0f11503f3060a2819be1d99006a1ea9cef0e57

SHA256
9662a759b7f0aae626d8eb46b85b624343d8ac8dc09c7007669c14835a3acb44

SHA512
40b5dc3f863808bf6d37d97f2c53b7fef6ddba2ab73cbc29410d74cbf2ac7359ea10d31bdc3b518796a59f01027c9657f875f6e19562090c30ca75d4e45e55c0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\49dbe2955480c7f6ef8cec9c4320c9868d9293fd.tbres

Filesize
2KB

MD5
69079173904d9a368823e532b274285d

SHA1
1f64e47917d54c72830d065f37509c9066053160

SHA256
f74c29353635178fae7bd3bc0b63861380e612a0fa51afb8af7cd8e250e87b91

SHA512
9c3b43daf2fa7d3c50437083444656dd4702ad4c5d7f0c6dcc3433e43fdb61916ae3aa4f4ced7e6559aec125fb592c4bceb79c4841d5955cea29691193695373

Download Submit
C:\Users\Admin\AppData\Local\Temp\TCDA5D1.tmp\iso690.xsl

Filesize
263KB

MD5
ff0e07eff1333cdf9fc2523d323dd654

SHA1
77a1ae0dd8dbc3fee65dd6266f31e2a564d088a4

SHA256
3f925e0cc1542f09de1f99060899eafb0042bb9682507c907173c392115a44b5

SHA512
b4615f995fab87661c2dbe46625aa982215d7bde27cafae221dca76087fe76da4b4a381943436fcac1577cb3d260d0050b32b7b93e3eb07912494429f126bb3d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC

Filesize
16B

MD5
d29962abc88624befc0135579ae485ec

SHA1
e40a6458296ec6a2427bcb280572d023a9862b31

SHA256
a91a702aab9b8dd722843d3d208a21bcfa6556dfc64e2ded63975de4511eb866

SHA512
4311e87d8d5559248d4174908817a4ddc917bf7378114435cf12da8ccb7a1542c851812afbaf7dc106771bdb2e2d05f52e7d0c50d110fc7fffe4395592492c2f

Download Submit
memory/3272-7-0x00007FF9A17F0000-0x00007FF9A19E5000-memory.dmp

Filesize
2.0MB

Download
memory/3272-15-0x00007FF9A17F0000-0x00007FF9A19E5000-memory.dmp

Filesize
2.0MB

Download
memory/3272-10-0x00007FF9A17F0000-0x00007FF9A19E5000-memory.dmp

Filesize
2.0MB

Download
memory/3272-9-0x00007FF9A17F0000-0x00007FF9A19E5000-memory.dmp

Filesize
2.0MB

Download
memory/3272-12-0x00007FF9A17F0000-0x00007FF9A19E5000-memory.dmp

Filesize
2.0MB

Download
memory/3272-11-0x00007FF9A17F0000-0x00007FF9A19E5000-memory.dmp

Filesize
2.0MB

Download
memory/3272-13-0x00007FF95F810000-0x00007FF95F820000-memory.dmp

Filesize
64KB

Download
memory/3272-1-0x00007FF961870000-0x00007FF961880000-memory.dmp

Filesize
64KB

Download
memory/3272-14-0x00007FF9A17F0000-0x00007FF9A19E5000-memory.dmp

Filesize
2.0MB

Download
memory/3272-8-0x00007FF9A17F0000-0x00007FF9A19E5000-memory.dmp

Filesize
2.0MB

Download
memory/3272-16-0x00007FF95F810000-0x00007FF95F820000-memory.dmp

Filesize
64KB

Download
memory/3272-6-0x00007FF9A17F0000-0x00007FF9A19E5000-memory.dmp

Filesize
2.0MB

Download
memory/3272-0-0x00007FF961870000-0x00007FF961880000-memory.dmp

Filesize
64KB

Download
memory/3272-34-0x00007FF9A17F0000-0x00007FF9A19E5000-memory.dmp

Filesize
2.0MB

Download
memory/3272-2-0x00007FF961870000-0x00007FF961880000-memory.dmp

Filesize
64KB

Download
memory/3272-568-0x00007FF9A17F0000-0x00007FF9A19E5000-memory.dmp

Filesize
2.0MB

Download
memory/3272-4-0x00007FF961870000-0x00007FF961880000-memory.dmp

Filesize
64KB

Download
memory/3272-5-0x00007FF961870000-0x00007FF961880000-memory.dmp

Filesize
64KB

Download
memory/3272-3-0x00007FF9A188D000-0x00007FF9A188E000-memory.dmp

Filesize
4KB

Download
memory/3272-1068-0x00007FF9A17F0000-0x00007FF9A19E5000-memory.dmp

Filesize
2.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads