fc5402c5b704b7e3a60a662ac119b3503e1cb185c58da0064dfb9fdc2b097a44

General

Target

bc3891b9029229e2af500c6600cad6a6_JaffaCakes118.docm
Size

166KB
MD5

bc3891b9029229e2af500c6600cad6a6
SHA1

dd3e26001d98b3bc2faf912c401bc5c5bbac31ba
SHA256

fc5402c5b704b7e3a60a662ac119b3503e1cb185c58da0064dfb9fdc2b097a44
SHA512

237a7bd2b97adcf67f0dce3046bf0a33b798dd9a16e78c5fce840145459df5d59c79b360e321b6d880a387b258e88a98f0c29d746db8329456a86183f4365504
SSDEEP

3072:UyvES1XRJHB2yrlqx1Jxh3Sc7g2QhxmKiIrUl9ugcnSE4BcyYbbSa5haq6Z:UysmXReuGJ3ZsqK5UknSnbghC

Score

7^/10

discovery

Malware Config

Signatures

Abuses OpenXML format to download file from external location 2 IoCs

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WINWORD.EXE
Key opened	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Office\Common\Offline\Files\http://bit.ly/2L17QGqloading	WINWORD.EXE

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WINWORD.EXE

Office loads VBA resources, possible macro or embedded object present

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
3032	WINWORD.EXE

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3032	WINWORD.EXE

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3032	WINWORD.EXE
3032	WINWORD.EXE

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3032 wrote to memory of 2640	3032	WINWORD.EXE	33
PID 3032 wrote to memory of 2640	3032	WINWORD.EXE	33
PID 3032 wrote to memory of 2640	3032	WINWORD.EXE	33
PID 3032 wrote to memory of 2640	3032	WINWORD.EXE	33

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\bc3891b9029229e2af500c6600cad6a6_JaffaCakes118.docm"
1⤵
- Abuses OpenXML format to download file from external location
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3032
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:2640

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{8C85893B-0319-422D-959E-BD14AC54FAB9}.FSD

Filesize
128KB

MD5
f5dfa5724697ddc5602ed2a0f7a79010

SHA1
ba96925d1527ec97ef35a6fc4d4f1b3a31e67f61

SHA256
ee87a6496e1b9e9fe7567708abc8fcae756552cc648acc5aa702547917587263

SHA512
6b5afbdad9e1229da19a6cf0f4c57af14870685288aa85b4599cf292eed11034fae2d84f587de2df85878142c05fe28ee77fa0df6f9b241d9b94236a91c3843c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD

Filesize
128KB

MD5
f133a9e02ef17816f81f53eeb8bde2c1

SHA1
b78ee0dcda5d00e61ac6b52c64fb6f0a361ee0db

SHA256
665643a38ae6a5c328a4a053b808c01d73a2b0a03b1b61c4e1fbef6229f0afd2

SHA512
0c891511f720dc3f55e8eb58e899e0d86d92c9840751ecd92707650674a94cfdf62a260b14ca10fb8465ec0f5f3128f067d7e878b509571aea14dc6623e07ddb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{36AC0B2E-D946-4CB5-97EB-35D677ED52D8}.FSD

Filesize
128KB

MD5
443b8ee013817bd8074c4a44480f0157

SHA1
966417edb127b3f70441f2067b93e9553160cbd5

SHA256
02accbea6a699f883fd50000795ab0a749d990a23aa5b6e14493841ecd63d289

SHA512
eeb3171ba41b70a2715c5ed0a0e77bf9b3689f444cd632f74beb334e42ad3f0bdac237a12b412a52470d23323f92ec1a3a4f45f575601df29f02bea9e02143f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\{DD23176A-5121-4323-89C3-F35BE1F8D892}

Filesize
128KB

MD5
403a36cc347530249ef9579f6da1b77f

SHA1
c340f6150a8db0f29f99b59f2e6b849525febee6

SHA256
630db4e4404380e00462b393d55b76052c2b130cd53bdbfcea63f8b31cce36f9

SHA512
86d24d596e51208a707bb8abaf5e732602c1624e994131d18016c69d1d8d97d98fd990ebce86afa651e8614b5b04c9bed843d22be4da2b1ffa911b93fb3550c1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

Filesize
19KB

MD5
8ac0c217e08441956605177395382d57

SHA1
4cb0b370fabc47a436ed488174c00274f44ea5c2

SHA256
2354090dc71b5c8f829ed48defed7685f9ef9b5ee35464db31fe73b8b4736828

SHA512
b73e7f2f5dd33938dc11b9916342ef6591a13fc84619f61dbe2caa3c273bf8a515e157f49d111aca74ae1398eb9f0aa4a42e8a3ea185fa3fd1e3b56ac0fec884

Download Submit
memory/3032-0-0x000000002F1B1000-0x000000002F1B2000-memory.dmp

Filesize
4KB

Download
memory/3032-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/3032-2-0x000000007091D000-0x0000000070928000-memory.dmp

Filesize
44KB

Download
memory/3032-67-0x000000007091D000-0x0000000070928000-memory.dmp

Filesize
44KB

Download
memory/3032-90-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/3032-91-0x000000007091D000-0x0000000070928000-memory.dmp

Filesize
44KB

Download

Analysis

Sharing