7e348cbf0bb85b15e9f742193f2073ad5cd0cda176a4f0da91a947f9bcb54b6b

General

Target

de0d8b18c966010991edbdb758bbbdb6_JaffaCakes118.doc
Size

151KB
MD5

de0d8b18c966010991edbdb758bbbdb6
SHA1

c31795d52a9350f9c9189d4cf5c3180b53dd45a7
SHA256

7e348cbf0bb85b15e9f742193f2073ad5cd0cda176a4f0da91a947f9bcb54b6b
SHA512

09db5b59600f1ee7c09ef784aa69a95d602df2e22ea30a622b41d2328b3c3914cb6a9b846be17e53bec95879a9b10ad770e663d8cda79b6d0a471d8c1c2714e7
SSDEEP

1536:8H1DB445TEgrO3jSWAg83tle1ZZ0293QM0eetR2cOupLB5UZ5J+a9DiYFHC3qoXe:O22TWTogk079THcpOu5UZJVdCVtBQoy

Score

6^/10

Malware Config

Signatures

Process spawned suspicious child process 1 IoCs

This child process is typically not spawned unless (for example) the parent process crashes. This typically indicates the parent process was unsuccessfully compromised.

description	pid	pid_target	Process	procid_target
Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process	1740	316	DW20.EXE	82

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	dwwin.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	dwwin.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	dwwin.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	dwwin.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dwwin.exe

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
316	WINWORD.EXE
316	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
316	WINWORD.EXE
316	WINWORD.EXE
316	WINWORD.EXE
316	WINWORD.EXE

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
316	WINWORD.EXE
316	WINWORD.EXE
316	WINWORD.EXE
316	WINWORD.EXE

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 316 wrote to memory of 1740	316	WINWORD.EXE	88
PID 316 wrote to memory of 1740	316	WINWORD.EXE	88
PID 1740 wrote to memory of 1916	1740	DW20.EXE	89
PID 1740 wrote to memory of 1916	1740	DW20.EXE	89

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\de0d8b18c966010991edbdb758bbbdb6_JaffaCakes118.doc" /o ""
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:316
- C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\DW\DW20.EXE
  "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\DW\DW20.EXE" -x -s 4652
  2⤵
  - Process spawned suspicious child process
  - Suspicious use of WriteProcessMemory
  PID:1740
- - C:\Windows\system32\dwwin.exe
    C:\Windows\system32\dwwin.exe -x -s 4652
    3⤵
    - Checks processor information in registry
    - Enumerates system info in registry
    PID:1916

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/316-16-0x00007FF909920000-0x00007FF909930000-memory.dmp

Filesize
64KB

Download
memory/316-30-0x00007FF94BAB0000-0x00007FF94BCA5000-memory.dmp

Filesize
2.0MB

Download
memory/316-3-0x00007FF90BB30000-0x00007FF90BB40000-memory.dmp

Filesize
64KB

Download
memory/316-2-0x00007FF90BB30000-0x00007FF90BB40000-memory.dmp

Filesize
64KB

Download
memory/316-1-0x00007FF94BB4D000-0x00007FF94BB4E000-memory.dmp

Filesize
4KB

Download
memory/316-7-0x00007FF94BAB0000-0x00007FF94BCA5000-memory.dmp

Filesize
2.0MB

Download
memory/316-5-0x00007FF94BAB0000-0x00007FF94BCA5000-memory.dmp

Filesize
2.0MB

Download
memory/316-6-0x00007FF90BB30000-0x00007FF90BB40000-memory.dmp

Filesize
64KB

Download
memory/316-4-0x00007FF90BB30000-0x00007FF90BB40000-memory.dmp

Filesize
64KB

Download
memory/316-10-0x00007FF94BAB0000-0x00007FF94BCA5000-memory.dmp

Filesize
2.0MB

Download
memory/316-9-0x00007FF94BAB0000-0x00007FF94BCA5000-memory.dmp

Filesize
2.0MB

Download
memory/316-13-0x00007FF94BAB0000-0x00007FF94BCA5000-memory.dmp

Filesize
2.0MB

Download
memory/316-0-0x00007FF90BB30000-0x00007FF90BB40000-memory.dmp

Filesize
64KB

Download
memory/316-74-0x00007FF94BAB0000-0x00007FF94BCA5000-memory.dmp

Filesize
2.0MB

Download
memory/316-8-0x00007FF94BAB0000-0x00007FF94BCA5000-memory.dmp

Filesize
2.0MB

Download
memory/316-12-0x00007FF94BAB0000-0x00007FF94BCA5000-memory.dmp

Filesize
2.0MB

Download
memory/316-11-0x00007FF94BAB0000-0x00007FF94BCA5000-memory.dmp

Filesize
2.0MB

Download
memory/316-17-0x00007FF909920000-0x00007FF909930000-memory.dmp

Filesize
64KB

Download
memory/316-29-0x00007FF94BAB0000-0x00007FF94BCA5000-memory.dmp

Filesize
2.0MB

Download
memory/316-15-0x00007FF94BAB0000-0x00007FF94BCA5000-memory.dmp

Filesize
2.0MB

Download
memory/316-14-0x00007FF94BAB0000-0x00007FF94BCA5000-memory.dmp

Filesize
2.0MB

Download
memory/1740-55-0x00007FF94BAB0000-0x00007FF94BCA5000-memory.dmp

Filesize
2.0MB

Download
memory/1740-72-0x00007FF90BB30000-0x00007FF90BB40000-memory.dmp

Filesize
64KB

Download
memory/1740-51-0x00007FF94BAB0000-0x00007FF94BCA5000-memory.dmp

Filesize
2.0MB

Download
memory/1740-70-0x00007FF90BB30000-0x00007FF90BB40000-memory.dmp

Filesize
64KB

Download
memory/1740-69-0x00007FF90BB30000-0x00007FF90BB40000-memory.dmp

Filesize
64KB

Download
memory/1740-73-0x00007FF94BAB0000-0x00007FF94BCA5000-memory.dmp

Filesize
2.0MB

Download
memory/1740-71-0x00007FF90BB30000-0x00007FF90BB40000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads