3fb7fa64211d1a218fc59ad674642205960982542f9796cc792e983c8145b9ef

General

Target

e6e617104652143d836afe8d61366a17_JaffaCakes118.rtf
Size

519KB
MD5

e6e617104652143d836afe8d61366a17
SHA1

27afd3fc8aaa43b82a15366c05f8130a573aef78
SHA256

3fb7fa64211d1a218fc59ad674642205960982542f9796cc792e983c8145b9ef
SHA512

3a69f5719dc29f832484a2e413f0b2addd542c579c39b0fe300568fe25ce4e28777672da2d16469f4a0fe007f212056e0f4859b56740bf5b3fe06d313f6d8504
SSDEEP

12288:FDPhnwaTe1Mx/MF3ObXAdnT5vzwDEZpxkS3d:xhnTTeeEqYlvOm

Score

4^/10

Malware Config

Signatures

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Local\Temp\{851E43BD-0E43-4A59-AD51-2362552F4300}\exe.exe:Zone.Identifier	WINWORD.EXE

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

NTFS ADS 5 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Local\Temp\{851E43BD-0E43-4A59-AD51-2362552F4300}\task.bat:Zone.Identifier	WINWORD.EXE
File opened for modification	C:\Users\Admin\AppData\Local\Temp\{851E43BD-0E43-4A59-AD51-2362552F4300}\exe.exe:Zone.Identifier	WINWORD.EXE
File opened for modification	C:\Users\Admin\AppData\Local\Temp\{851E43BD-0E43-4A59-AD51-2362552F4300}\2nd.bat:Zone.Identifier	WINWORD.EXE
File opened for modification	C:\Users\Admin\AppData\Local\Temp\{851E43BD-0E43-4A59-AD51-2362552F4300}\inteldriverupd1.sct:Zone.Identifier	WINWORD.EXE
File opened for modification	C:\Users\Admin\AppData\Local\Temp\{851E43BD-0E43-4A59-AD51-2362552F4300}\decoy.doc:Zone.Identifier	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
3232	WINWORD.EXE
3232	WINWORD.EXE

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
3232	WINWORD.EXE
3232	WINWORD.EXE
3232	WINWORD.EXE
3232	WINWORD.EXE
3232	WINWORD.EXE
3232	WINWORD.EXE
3232	WINWORD.EXE

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\e6e617104652143d836afe8d61366a17_JaffaCakes118.rtf" /o ""
1⤵
- Subvert Trust Controls: Mark-of-the-Web Bypass
- Checks processor information in registry
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:3232

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Subvert Trust Controls

1

T1553

SIP and Trust Provider Hijacking

1

T1553.003

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\{851E43BD-0E43-4A59-AD51-2362552F4300}\exe.exe:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

Filesize
1KB

MD5
8fef4a6cc7d6f124534f28e19f7185fe

SHA1
1d50c5459c91938843cf75ede01e93bc9de5054a

SHA256
767e09ea70016d37f921164073dafc4140b1b1480ab5a31eb87f5d53d8100b96

SHA512
ba594bdb5f5cffdc3697393bc87780e5c7494f6f3f0134e1e6da3c620c10bc142b48490a1d72509bdd296c8700982d7e8abd4c3c1f8b28c99014f1c50725c72b

Download Submit
memory/3232-7-0x00007FFC58470000-0x00007FFC58665000-memory.dmp

Filesize
2.0MB

Download
memory/3232-14-0x00007FFC161C0000-0x00007FFC161D0000-memory.dmp

Filesize
64KB

Download
memory/3232-5-0x00007FFC184F0000-0x00007FFC18500000-memory.dmp

Filesize
64KB

Download
memory/3232-9-0x00007FFC58470000-0x00007FFC58665000-memory.dmp

Filesize
2.0MB

Download
memory/3232-11-0x00007FFC58470000-0x00007FFC58665000-memory.dmp

Filesize
2.0MB

Download
memory/3232-12-0x00007FFC58470000-0x00007FFC58665000-memory.dmp

Filesize
2.0MB

Download
memory/3232-10-0x00007FFC58470000-0x00007FFC58665000-memory.dmp

Filesize
2.0MB

Download
memory/3232-13-0x00007FFC161C0000-0x00007FFC161D0000-memory.dmp

Filesize
64KB

Download
memory/3232-8-0x00007FFC58470000-0x00007FFC58665000-memory.dmp

Filesize
2.0MB

Download
memory/3232-1-0x00007FFC5850D000-0x00007FFC5850E000-memory.dmp

Filesize
4KB

Download
memory/3232-6-0x00007FFC58470000-0x00007FFC58665000-memory.dmp

Filesize
2.0MB

Download
memory/3232-4-0x00007FFC184F0000-0x00007FFC18500000-memory.dmp

Filesize
64KB

Download
memory/3232-3-0x00007FFC184F0000-0x00007FFC18500000-memory.dmp

Filesize
64KB

Download
memory/3232-36-0x00007FFC58470000-0x00007FFC58665000-memory.dmp

Filesize
2.0MB

Download
memory/3232-37-0x00007FFC5850D000-0x00007FFC5850E000-memory.dmp

Filesize
4KB

Download
memory/3232-38-0x00007FFC58470000-0x00007FFC58665000-memory.dmp

Filesize
2.0MB

Download
memory/3232-39-0x00007FFC58470000-0x00007FFC58665000-memory.dmp

Filesize
2.0MB

Download
memory/3232-2-0x00007FFC184F0000-0x00007FFC18500000-memory.dmp

Filesize
64KB

Download
memory/3232-0-0x00007FFC184F0000-0x00007FFC18500000-memory.dmp

Filesize
64KB

Download
memory/3232-82-0x00007FFC184F0000-0x00007FFC18500000-memory.dmp

Filesize
64KB

Download
memory/3232-85-0x00007FFC184F0000-0x00007FFC18500000-memory.dmp

Filesize
64KB

Download
memory/3232-84-0x00007FFC184F0000-0x00007FFC18500000-memory.dmp

Filesize
64KB

Download
memory/3232-83-0x00007FFC184F0000-0x00007FFC18500000-memory.dmp

Filesize
64KB

Download
memory/3232-86-0x00007FFC58470000-0x00007FFC58665000-memory.dmp

Filesize
2.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads