1339f665e134a0ccdaaad982fd8c4abd6974af29f8b447dfa7fc92eda9849ab2

General

Target

2d04929a36bfaf6d69e76c75a81ee427_JaffaCakes118.exe
Size

167KB
MD5

2d04929a36bfaf6d69e76c75a81ee427
SHA1

d02616098812273a3baf2f0af0eb5bb0cc6e6b44
SHA256

1339f665e134a0ccdaaad982fd8c4abd6974af29f8b447dfa7fc92eda9849ab2
SHA512

d1bbfba2ce008f560a4cef6e1ef295c5833e684935632bb4918ca3e6d00d8760d18484b68699c4b72cc801081d62ce46597b6fab4bb02b439053084947562f48
SSDEEP

3072:swA7rZCG4AtCGMbqSEmvbTD/h2+uZXWyPumWZ7jXI8ybu:sBH+vL/h2jz7WFjXIXC

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2428	DOCtoEXE.exe
2948	2d04929a36bfaf6d69e76c75a81ee427_JaffaCakes118.exe

Loads dropped DLL 6 IoCs

pid	Process
2908	2d04929a36bfaf6d69e76c75a81ee427_JaffaCakes118.exe
2908	2d04929a36bfaf6d69e76c75a81ee427_JaffaCakes118.exe
2908	2d04929a36bfaf6d69e76c75a81ee427_JaffaCakes118.exe
2428	DOCtoEXE.exe
2428	DOCtoEXE.exe
2428	DOCtoEXE.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2d04929a36bfaf6d69e76c75a81ee427_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DOCtoEXE.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2d04929a36bfaf6d69e76c75a81ee427_JaffaCakes118.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2156	WINWORD.EXE

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
2908	2d04929a36bfaf6d69e76c75a81ee427_JaffaCakes118.exe
2428	DOCtoEXE.exe
2156	WINWORD.EXE
2156	WINWORD.EXE
2948	2d04929a36bfaf6d69e76c75a81ee427_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2908 wrote to memory of 2428	2908	2d04929a36bfaf6d69e76c75a81ee427_JaffaCakes118.exe	30
PID 2908 wrote to memory of 2428	2908	2d04929a36bfaf6d69e76c75a81ee427_JaffaCakes118.exe	30
PID 2908 wrote to memory of 2428	2908	2d04929a36bfaf6d69e76c75a81ee427_JaffaCakes118.exe	30
PID 2908 wrote to memory of 2428	2908	2d04929a36bfaf6d69e76c75a81ee427_JaffaCakes118.exe	30
PID 2156 wrote to memory of 2356	2156	WINWORD.EXE	33
PID 2156 wrote to memory of 2356	2156	WINWORD.EXE	33
PID 2156 wrote to memory of 2356	2156	WINWORD.EXE	33
PID 2156 wrote to memory of 2356	2156	WINWORD.EXE	33
PID 2428 wrote to memory of 2948	2428	DOCtoEXE.exe	34
PID 2428 wrote to memory of 2948	2428	DOCtoEXE.exe	34
PID 2428 wrote to memory of 2948	2428	DOCtoEXE.exe	34
PID 2428 wrote to memory of 2948	2428	DOCtoEXE.exe	34

C:\Users\Admin\AppData\Local\Temp\2d04929a36bfaf6d69e76c75a81ee427_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2d04929a36bfaf6d69e76c75a81ee427_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2908
- C:\Users\Admin\AppData\Local\Temp\DOCtoEXE241009182941_tmp\DOCtoEXE.exe
  C:\Users\Admin\AppData\Local\Temp\DOCtoEXE241009182941_tmp\DOCtoEXE.exe cmd/CallFromZipBase /C:\Users\Admin\AppData\Local\Temp\2d04929a36bfaf6d69e76c75a81ee427_JaffaCakes118.exe /156114 /171978 /C:\Users\Admin\AppData\Local\Temp\DOCtoEXE241009182941_tmp\ /
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2428
- - C:\Users\Admin\AppData\Local\Temp\2d04929a36bfaf6d69e76c75a81ee427_JaffaCakes118.exe
    C:\Users\Admin\AppData\Local\Temp\2d04929a36bfaf6d69e76c75a81ee427_JaffaCakes118.exe cmd/del /C:\Users\Admin\AppData\Local\Temp\DOCtoEXE241009182941_tmp\
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2948

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2156
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:2356

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DOCtoEXE241009182941_tmp\DOCtoEXEtmp\Ebib01.doc

Filesize
44KB

MD5
bc3c12b28a333cf1b74ea0c0b8e3a64c

SHA1
60f9f155335d59a32c08c7cc4c3a6ec23641ba83

SHA256
286a1c9e52bb626d7a0abb9fc94d9e24ea52bab3d8efad3356d3a83782e9a030

SHA512
813f65d4f5a9c2b1f4ff5f88b5b3709faa433e1d1d36d894eed5886b7039594cc7d91aea6dc605376b5fb170bd6d3826237054441805c816acc598b0aa6d219e

Download Submit
\Users\Admin\AppData\Local\Temp\2d04929a36bfaf6d69e76c75a81ee427_JaffaCakes118.exe

Filesize
167KB

MD5
2d04929a36bfaf6d69e76c75a81ee427

SHA1
d02616098812273a3baf2f0af0eb5bb0cc6e6b44

SHA256
1339f665e134a0ccdaaad982fd8c4abd6974af29f8b447dfa7fc92eda9849ab2

SHA512
d1bbfba2ce008f560a4cef6e1ef295c5833e684935632bb4918ca3e6d00d8760d18484b68699c4b72cc801081d62ce46597b6fab4bb02b439053084947562f48

Download Submit
\Users\Admin\AppData\Local\Temp\DOCtoEXE241009182941_tmp\DOCtoEXE.exe

Filesize
140KB

MD5
308b594351ac2524bf91c01d02dddc3e

SHA1
3fa31b46fb0ff4674a32cccc92c9a3cc69b43b9c

SHA256
a3009ac5d7cf984a83ae099b77c2575663fc47702dc75b2c195b97fb6f07cf91

SHA512
7e8d796c618bdfa10d982c5b4b0da0783ae43171cfc1e383ac3ee1b49a8257fedadb04db0e367005f87596afcedcbd712d84c7f9fdda2f94096006859921f2db

Download Submit
\Users\Admin\AppData\Local\Temp\DOCtoEXE241009182941_tmp\zlib123.dll

Filesize
72KB

MD5
4efaa53c545f4ffb1ee0ed1709c15ea7

SHA1
076b2d31e24fe8cfb56f9c292fd6ca1402be79b2

SHA256
21582b3a68e8753322a1b1c7e550ae7fd305de4935de68fbde9f87570f484d00

SHA512
7fa8c0954729ea14fdceb788393c3de6e139fc4c480b84183863f62afacec2d6bbc0993b601a4a74c87bc89338b627dc37a18be309d090bae880ea10ab9d7314

Download Submit
memory/2156-29-0x000000002FFB1000-0x000000002FFB2000-memory.dmp

Filesize
4KB

Download
memory/2156-30-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2156-31-0x0000000070C5D000-0x0000000070C68000-memory.dmp

Filesize
44KB

Download
memory/2156-34-0x0000000002550000-0x0000000002552000-memory.dmp

Filesize
8KB

Download
memory/2156-41-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2156-44-0x0000000070C5D000-0x0000000070C68000-memory.dmp

Filesize
44KB

Download
memory/2428-33-0x00000000002D0000-0x00000000002D2000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing