e621ba0ba3faccdd9a821f8139aa31f05e65168a5d7da40b820ec953437e3ae2

General

Target

c28eb6e085af9f054731592297598211_JaffaCakes118.doc
Size

38KB
MD5

c28eb6e085af9f054731592297598211
SHA1

faf9ee2b95edf94a531162a4337f6e37164aed8b
SHA256

e621ba0ba3faccdd9a821f8139aa31f05e65168a5d7da40b820ec953437e3ae2
SHA512

ca684a7d36b0bed254c354c31ddf1c637ccba083d556046a8e93004a01062d68af1945482d2d4f340f0d5b685d9349e0821f3ee3f5b43c87dc4dc3ad74a8d546
SSDEEP

384:3wHTZzB1MdBmr2PhCTCQqgR1JsHEj2VjiBHZntODXMep:KTZB1MdArOC5mVji9O5

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2928	WINWORD.EXE

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WINWORD.EXE

Office loads VBA resources, possible macro or embedded object present

NTFS ADS 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Temp\~WRD0000.tmp\:Zone.Identifier:$DATA	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2928	WINWORD.EXE

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2928	WINWORD.EXE

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2928	WINWORD.EXE
2928	WINWORD.EXE

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2928 wrote to memory of 1232	2928	WINWORD.EXE	29
PID 2928 wrote to memory of 1232	2928	WINWORD.EXE	29
PID 2928 wrote to memory of 1232	2928	WINWORD.EXE	29
PID 2928 wrote to memory of 1232	2928	WINWORD.EXE	29

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\c28eb6e085af9f054731592297598211_JaffaCakes118.doc"
1⤵
- Deletes itself
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- NTFS ADS
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2928
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:1232

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\B95B707E.wmf

Filesize
880B

MD5
0522d8dcdc9860ea7f4b9966c5d466b9

SHA1
7dd16a4d0159a3c2bc81fdb7893a0ebdf925bdc1

SHA256
80742dade91f8c7521277ea827aa93e8a13d100997a24f9afb4e3568224cb8d0

SHA512
0ab2c5abbf5823d36d452440d1f0d8dd1e0f297855dbb8536de9eccad29e62c2585f81fd2f3f6e804221421f011482b10f402645ae0784dd550269452c5c6c08

Download Submit
C:\Users\Admin\AppData\Local\Temp\MrQ

Filesize
3KB

MD5
f249804021fdd5a000cea484e1b573fd

SHA1
d8aab88a32a74cfa6cd23be7d193dd3cbf5c37fe

SHA256
f5f2e0bdbb84568cb0a1503fe3d2f2742c13b2f3f41c6884f6fd61ee6beb8d44

SHA512
5aaeca8265ec8c84eaf296a84fcfc6f932df7d25e209ef5d36d6fbadb108a9d9078c1b35575909cedce954667ac7758914ca5891ad1e7840470694c53fba7d5f

Download Submit
C:\Users\Admin\AppData\Local\Temp\~WRD0000.tmp

Filesize
43KB

MD5
8da5a1f3fbed09bf4e110c2227c859a9

SHA1
babb91f91f24c83ca5b440a1957454b595f744e0

SHA256
32f42a8525c0f38cb33f21e62265c516c60c317bbfc69a91cefce41462c32527

SHA512
a497b3625dc7b9be88cbf06e07d859b5b6387d6ba5fae77344e6a6e9bb4a12254b9ff3d3a6772603512ca06c3564892b8d83fade08c0e9791df67266d5850aac

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

Filesize
27KB

MD5
abc224dd7378239f5b45c055df20fb76

SHA1
66d6d6bbd9f2f33ceac80bc0b5d0b9334afd8a29

SHA256
7b82a088e8dd956839e4c6e05eb8b11f436d6ec513712cfba7406f51b222dc9b

SHA512
6592db4ba23e8fc722a874db4281d633e68ae26e50f5f3360fe450000a911ddd48dd55360cf4d1b012c7b2cb24ef2b086f4112df774f9516d61d844ff2cf660a

Download Submit
memory/2928-56-0x0000000006B40000-0x0000000006C40000-memory.dmp

Filesize
1024KB

Download
memory/2928-44-0x0000000006B40000-0x0000000006C40000-memory.dmp

Filesize
1024KB

Download
memory/2928-43-0x0000000006B40000-0x0000000006C40000-memory.dmp

Filesize
1024KB

Download
memory/2928-23-0x0000000006B40000-0x0000000006C40000-memory.dmp

Filesize
1024KB

Download
memory/2928-0-0x000000002F8C1000-0x000000002F8C2000-memory.dmp

Filesize
4KB

Download
memory/2928-22-0x0000000006B40000-0x0000000006C40000-memory.dmp

Filesize
1024KB

Download
memory/2928-2-0x000000007155D000-0x0000000071568000-memory.dmp

Filesize
44KB

Download
memory/2928-80-0x000000007155D000-0x0000000071568000-memory.dmp

Filesize
44KB

Download
memory/2928-81-0x0000000006B40000-0x0000000006C40000-memory.dmp

Filesize
1024KB

Download
memory/2928-82-0x0000000006B40000-0x0000000006C40000-memory.dmp

Filesize
1024KB

Download
memory/2928-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2928-92-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing