75d29a195dcd2809dad169a8189d64f088657cdcc433b6257437fb59477ddf84

General

Target

d7175428588d1bbc7bb95f9860951445_JaffaCakes118.exe
Size

317KB
MD5

d7175428588d1bbc7bb95f9860951445
SHA1

40eb8f7dfa493828b8781746f542deb5b3a2fa0c
SHA256

75d29a195dcd2809dad169a8189d64f088657cdcc433b6257437fb59477ddf84
SHA512

735a904715b4c00feff2b7ec3e06c4251db3a5f98aa59d02793faafc310870b87601e2c3c267522b56b6abc6e4479ddfe3ca9c8c761c3130675c6105d487185c
SSDEEP

6144:Lwt/mic3+J2UIrW8SNChPniCPMozp+39u2UD3Iqti5:LwsicOQ3rW8vKxQ24Ymi

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2800	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
584	svchost.exe

Loads dropped DLL 9 IoCs

pid	Process
1732	d7175428588d1bbc7bb95f9860951445_JaffaCakes118.exe
1732	d7175428588d1bbc7bb95f9860951445_JaffaCakes118.exe
1732	d7175428588d1bbc7bb95f9860951445_JaffaCakes118.exe
1732	d7175428588d1bbc7bb95f9860951445_JaffaCakes118.exe
1732	d7175428588d1bbc7bb95f9860951445_JaffaCakes118.exe
1732	d7175428588d1bbc7bb95f9860951445_JaffaCakes118.exe
584	svchost.exe
584	svchost.exe
1444	WINWORD.EXE

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\Network balancing = "c:\\users\\admin\\appdata\\roaming\\svchost.exe"	svchost.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d7175428588d1bbc7bb95f9860951445_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe

Office loads VBA resources, possible macro or embedded object present

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1444	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1732	d7175428588d1bbc7bb95f9860951445_JaffaCakes118.exe
1732	d7175428588d1bbc7bb95f9860951445_JaffaCakes118.exe
1732	d7175428588d1bbc7bb95f9860951445_JaffaCakes118.exe
1732	d7175428588d1bbc7bb95f9860951445_JaffaCakes118.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1732	d7175428588d1bbc7bb95f9860951445_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
1444	WINWORD.EXE
1444	WINWORD.EXE
584	svchost.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1732 wrote to memory of 1444	1732	d7175428588d1bbc7bb95f9860951445_JaffaCakes118.exe	30
PID 1732 wrote to memory of 1444	1732	d7175428588d1bbc7bb95f9860951445_JaffaCakes118.exe	30
PID 1732 wrote to memory of 1444	1732	d7175428588d1bbc7bb95f9860951445_JaffaCakes118.exe	30
PID 1732 wrote to memory of 1444	1732	d7175428588d1bbc7bb95f9860951445_JaffaCakes118.exe	30
PID 1732 wrote to memory of 584	1732	d7175428588d1bbc7bb95f9860951445_JaffaCakes118.exe	31
PID 1732 wrote to memory of 584	1732	d7175428588d1bbc7bb95f9860951445_JaffaCakes118.exe	31
PID 1732 wrote to memory of 584	1732	d7175428588d1bbc7bb95f9860951445_JaffaCakes118.exe	31
PID 1732 wrote to memory of 584	1732	d7175428588d1bbc7bb95f9860951445_JaffaCakes118.exe	31
PID 1732 wrote to memory of 2800	1732	d7175428588d1bbc7bb95f9860951445_JaffaCakes118.exe	32
PID 1732 wrote to memory of 2800	1732	d7175428588d1bbc7bb95f9860951445_JaffaCakes118.exe	32
PID 1732 wrote to memory of 2800	1732	d7175428588d1bbc7bb95f9860951445_JaffaCakes118.exe	32
PID 1732 wrote to memory of 2800	1732	d7175428588d1bbc7bb95f9860951445_JaffaCakes118.exe	32
PID 1444 wrote to memory of 1912	1444	WINWORD.EXE	36
PID 1444 wrote to memory of 1912	1444	WINWORD.EXE	36
PID 1444 wrote to memory of 1912	1444	WINWORD.EXE	36
PID 1444 wrote to memory of 1912	1444	WINWORD.EXE	36

C:\Users\Admin\AppData\Local\Temp\d7175428588d1bbc7bb95f9860951445_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\d7175428588d1bbc7bb95f9860951445_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:1732
- C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
  "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\d7175428588d1bbc7bb95f9860951445_JaffaCakes118.doc"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1444
- - C:\Windows\splwow64.exe
    C:\Windows\splwow64.exe 12288
    3⤵
    PID:1912
- \??\c:\users\admin\appdata\roaming\svchost.exe
  "c:\users\admin\appdata\roaming\svchost.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:584
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\reqBB4A.bat
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2800

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\d7175428588d1bbc7bb95f9860951445_JaffaCakes118.doc

Filesize
21KB

MD5
38dc77b0409d6f5c8c9a0f86a0bd6c4f

SHA1
a28505a65c8d241b90587908ace767598303c24d

SHA256
0406a9bdaa26ec290224ac9c32df747f36e36dd72c2182a87c05e0c6b6ec8125

SHA512
4214a7e1d56febea4f1baf875e6d261fee06ea0d1dcc3678211ffa0abcf8339fb145cb2f90565e5d24873c01d6b1ccf48a538e76f7e703cf94e2cc358cc2fd79

Download Submit
C:\Users\Admin\AppData\Local\Temp\reqBB4A.bat

Filesize
184B

MD5
e92f053c7ba0292cff6690e9592a5380

SHA1
b39870044d1b0dcc12f8cfd94de7344b11ced172

SHA256
0e89acffcaede914895e188fa3e472f578a47a410ee83cb80d4e419425934c52

SHA512
f45b5b62e94528800541196559070ca774a3badea198204bc419e1f7c4831f248bfcb8413157fedb9ed494ff66be2b041605dd066e182c30f470e2214381a910

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

Filesize
19KB

MD5
bc3794f392e4a8192585c83e3dbb34d2

SHA1
42388295d1052dacdd519dfdb3fd31b427336516

SHA256
3434701ad25ab041b144268df8b4134f5f0f621476eeef8795b994602a8ccd29

SHA512
a3fbe2aca41e71a7ef96d0a695eb021daa0462960f718a227c4e1e3e1be1669d01c523a0bfcae4872288effb63922c61945bebf29185f8a91ce0e5af4144f55d

Download Submit
C:\Users\Admin\AppData\Roaming\appmcs\sdt\tmp\txt.txt

Filesize
264B

MD5
bb667d024dc1233a589edef77e44ba90

SHA1
3ec62d9b5fdcd666dab5f839babd1bfa253d05d8

SHA256
e43f58bc10e0d40ff0895af1c4d3c5503f9f342e372e4ce484173af8094dc72c

SHA512
6460cc2f62ebf48eb3a8e52a84f7783ac4d073efd536d8b08652584d5eecbd5d7817d1c0a0447a08f16e939f5fe1b126da6afa76fc1beb877b5f2c98969eb934

Download Submit
\Users\Admin\AppData\Roaming\capt.dll

Filesize
47KB

MD5
73423c5c8e834b37eecf8ebb229e2b24

SHA1
3050d64ac85c900fc4553a5bfdb71b811eb28e5f

SHA256
8cad59ce82606c7fb1076f4f52392e11553bc116a9efd9868ff0415887f10c0e

SHA512
42d303e9bed98543a9a262b97acacf9b27112cbbc878bbc2e22ab5e28aaa38bdd9de0afd05f35c8416e1200c815a2189b1cd2dc1cee334321873b76097ebfe0e

Download Submit
\Users\Admin\AppData\Roaming\svchost.exe

Filesize
317KB

MD5
d7175428588d1bbc7bb95f9860951445

SHA1
40eb8f7dfa493828b8781746f542deb5b3a2fa0c

SHA256
75d29a195dcd2809dad169a8189d64f088657cdcc433b6257437fb59477ddf84

SHA512
735a904715b4c00feff2b7ec3e06c4251db3a5f98aa59d02793faafc310870b87601e2c3c267522b56b6abc6e4479ddfe3ca9c8c761c3130675c6105d487185c

Download Submit
\Users\Admin\AppData\Roaming\svcph.dll

Filesize
6KB

MD5
48a3ef22a79daf69bddb3f256d9e0f5b

SHA1
5e8ece9b514b49e1943fae699df0597770595399

SHA256
0dbc31c8dcb8f2647295499b7a6ea9bce4701aa85622c1daf023275c691375f4

SHA512
e74f3a64874132021db84db26daabefdcc0b1aa395435b88b6f40679bfd87d6e426e734c5533be6cb923b6a53481bab788cb11a2010ab1206b1f82311ae0576c

Download Submit
memory/1444-11-0x000000002F971000-0x000000002F972000-memory.dmp

Filesize
4KB

Download
memory/1444-40-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1444-41-0x00000000712ED000-0x00000000712F8000-memory.dmp

Filesize
44KB

Download
memory/1444-91-0x00000000712ED000-0x00000000712F8000-memory.dmp

Filesize
44KB

Download
memory/1444-106-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1732-38-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads