8cc49c2ec80f755f0301768a32fd5ba3ba84d21d9a5c4737137f5d1c28211c4e

General

Target

c4b5c435640c8d3ff617c26aedc1ec71_JaffaCakes118.rtf
Size

2.0MB
MD5

c4b5c435640c8d3ff617c26aedc1ec71
SHA1

7e0fb054a5e79c923de01262b603d3bf3da06c25
SHA256

8cc49c2ec80f755f0301768a32fd5ba3ba84d21d9a5c4737137f5d1c28211c4e
SHA512

f83687805172194210e8aff9a9bf32d968a6cedf79159be75bbb9b239260bbd605a08056d2424023aa547b36d7f994ae2257ca5c46fd5a37e8a186fb6aded944
SSDEEP

24576:gopSTEOUpl4BSSJQ3x1JKzpYP9zr7gR4mRSc02IcFN8pKKx72vQ7Tt2tQRn1f6MQ:2

Score

4^/10

Malware Config

Signatures

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Local\Temp\{CF77569F-F56A-45CA-83FC-13228EDE8437}\exe.exe:Zone.Identifier	WINWORD.EXE

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE

NTFS ADS 5 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Local\Temp\{CF77569F-F56A-45CA-83FC-13228EDE8437}\decoy.doc:Zone.Identifier	WINWORD.EXE
File opened for modification	C:\Users\Admin\AppData\Local\Temp\{CF77569F-F56A-45CA-83FC-13228EDE8437}\task.bat:Zone.Identifier	WINWORD.EXE
File opened for modification	C:\Users\Admin\AppData\Local\Temp\{CF77569F-F56A-45CA-83FC-13228EDE8437}\exe.exe:Zone.Identifier	WINWORD.EXE
File opened for modification	C:\Users\Admin\AppData\Local\Temp\{CF77569F-F56A-45CA-83FC-13228EDE8437}\2nd.bat:Zone.Identifier	WINWORD.EXE
File opened for modification	C:\Users\Admin\AppData\Local\Temp\{CF77569F-F56A-45CA-83FC-13228EDE8437}\inteldriverupd1.sct:Zone.Identifier	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
528	WINWORD.EXE
528	WINWORD.EXE

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
528	WINWORD.EXE
528	WINWORD.EXE
528	WINWORD.EXE
528	WINWORD.EXE
528	WINWORD.EXE
528	WINWORD.EXE
528	WINWORD.EXE

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\c4b5c435640c8d3ff617c26aedc1ec71_JaffaCakes118.rtf" /o ""
1⤵
- Subvert Trust Controls: Mark-of-the-Web Bypass
- Checks processor information in registry
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:528

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Subvert Trust Controls

1

T1553

SIP and Trust Provider Hijacking

1

T1553.003

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\{CF77569F-F56A-45CA-83FC-13228EDE8437}\exe.exe:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

Filesize
1KB

MD5
7802b6c1ffd07514467504062358bf88

SHA1
16c504b7728c05502462ef05222c6db222230c99

SHA256
0572256114f523ad666a9a87f6c4f5a161f3faf1217ab7cfe76a436b24fdd4bb

SHA512
ae401e18425a7514fc5ae53b99fe6cf98a9bd421c67865879ff2c47ba54e7eb3ed0e67b6e9f2cd2ede64991689e1c1faaecdef652791161746a7bff791382fc3

Download Submit
memory/528-7-0x00007FFEADE30000-0x00007FFEAE025000-memory.dmp

Filesize
2.0MB

Download
memory/528-78-0x00007FFE6DEB0000-0x00007FFE6DEC0000-memory.dmp

Filesize
64KB

Download
memory/528-4-0x00007FFEADECD000-0x00007FFEADECE000-memory.dmp

Filesize
4KB

Download
memory/528-5-0x00007FFE6DEB0000-0x00007FFE6DEC0000-memory.dmp

Filesize
64KB

Download
memory/528-3-0x00007FFE6DEB0000-0x00007FFE6DEC0000-memory.dmp

Filesize
64KB

Download
memory/528-6-0x00007FFEADE30000-0x00007FFEAE025000-memory.dmp

Filesize
2.0MB

Download
memory/528-11-0x00007FFEADE30000-0x00007FFEAE025000-memory.dmp

Filesize
2.0MB

Download
memory/528-13-0x00007FFEADE30000-0x00007FFEAE025000-memory.dmp

Filesize
2.0MB

Download
memory/528-12-0x00007FFEADE30000-0x00007FFEAE025000-memory.dmp

Filesize
2.0MB

Download
memory/528-10-0x00007FFEADE30000-0x00007FFEAE025000-memory.dmp

Filesize
2.0MB

Download
memory/528-80-0x00007FFEADE30000-0x00007FFEAE025000-memory.dmp

Filesize
2.0MB

Download
memory/528-0-0x00007FFE6DEB0000-0x00007FFE6DEC0000-memory.dmp

Filesize
64KB

Download
memory/528-16-0x00007FFE6BCF0000-0x00007FFE6BD00000-memory.dmp

Filesize
64KB

Download
memory/528-15-0x00007FFEADE30000-0x00007FFEAE025000-memory.dmp

Filesize
2.0MB

Download
memory/528-14-0x00007FFEADE30000-0x00007FFEAE025000-memory.dmp

Filesize
2.0MB

Download
memory/528-17-0x00007FFE6BCF0000-0x00007FFE6BD00000-memory.dmp

Filesize
64KB

Download
memory/528-1-0x00007FFE6DEB0000-0x00007FFE6DEC0000-memory.dmp

Filesize
64KB

Download
memory/528-2-0x00007FFE6DEB0000-0x00007FFE6DEC0000-memory.dmp

Filesize
64KB

Download
memory/528-47-0x00007FFEADE30000-0x00007FFEAE025000-memory.dmp

Filesize
2.0MB

Download
memory/528-76-0x00007FFE6DEB0000-0x00007FFE6DEC0000-memory.dmp

Filesize
64KB

Download
memory/528-79-0x00007FFE6DEB0000-0x00007FFE6DEC0000-memory.dmp

Filesize
64KB

Download
memory/528-8-0x00007FFEADE30000-0x00007FFEAE025000-memory.dmp

Filesize
2.0MB

Download
memory/528-77-0x00007FFE6DEB0000-0x00007FFE6DEC0000-memory.dmp

Filesize
64KB

Download
memory/528-9-0x00007FFEADE30000-0x00007FFEAE025000-memory.dmp

Filesize
2.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads