1339f665e134a0ccdaaad982fd8c4abd6974af29f8b447dfa7fc92eda9849ab2

General

Target

2d04929a36bfaf6d69e76c75a81ee427_JaffaCakes118.exe
Size

167KB
MD5

2d04929a36bfaf6d69e76c75a81ee427
SHA1

d02616098812273a3baf2f0af0eb5bb0cc6e6b44
SHA256

1339f665e134a0ccdaaad982fd8c4abd6974af29f8b447dfa7fc92eda9849ab2
SHA512

d1bbfba2ce008f560a4cef6e1ef295c5833e684935632bb4918ca3e6d00d8760d18484b68699c4b72cc801081d62ce46597b6fab4bb02b439053084947562f48
SSDEEP

3072:swA7rZCG4AtCGMbqSEmvbTD/h2+uZXWyPumWZ7jXI8ybu:sBH+vL/h2jz7WFjXIXC

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1336	DOCtoEXE.exe
1592	2d04929a36bfaf6d69e76c75a81ee427_JaffaCakes118.exe

Loads dropped DLL 2 IoCs

pid	Process
2180	2d04929a36bfaf6d69e76c75a81ee427_JaffaCakes118.exe
1336	DOCtoEXE.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2d04929a36bfaf6d69e76c75a81ee427_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DOCtoEXE.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2d04929a36bfaf6d69e76c75a81ee427_JaffaCakes118.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
264	WINWORD.EXE
264	WINWORD.EXE

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2180	2d04929a36bfaf6d69e76c75a81ee427_JaffaCakes118.exe
1336	DOCtoEXE.exe
264	WINWORD.EXE
264	WINWORD.EXE
264	WINWORD.EXE
1592	2d04929a36bfaf6d69e76c75a81ee427_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2180 wrote to memory of 1336	2180	2d04929a36bfaf6d69e76c75a81ee427_JaffaCakes118.exe	84
PID 2180 wrote to memory of 1336	2180	2d04929a36bfaf6d69e76c75a81ee427_JaffaCakes118.exe	84
PID 2180 wrote to memory of 1336	2180	2d04929a36bfaf6d69e76c75a81ee427_JaffaCakes118.exe	84
PID 1336 wrote to memory of 1592	1336	DOCtoEXE.exe	92
PID 1336 wrote to memory of 1592	1336	DOCtoEXE.exe	92
PID 1336 wrote to memory of 1592	1336	DOCtoEXE.exe	92

C:\Users\Admin\AppData\Local\Temp\2d04929a36bfaf6d69e76c75a81ee427_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2d04929a36bfaf6d69e76c75a81ee427_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2180
- C:\Users\Admin\AppData\Local\Temp\DOCtoEXE241009183024_tmp\DOCtoEXE.exe
  C:\Users\Admin\AppData\Local\Temp\DOCtoEXE241009183024_tmp\DOCtoEXE.exe cmd/CallFromZipBase /C:\Users\Admin\AppData\Local\Temp\2d04929a36bfaf6d69e76c75a81ee427_JaffaCakes118.exe /156114 /171978 /C:\Users\Admin\AppData\Local\Temp\DOCtoEXE241009183024_tmp\ /
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1336
- - C:\Users\Admin\AppData\Local\Temp\2d04929a36bfaf6d69e76c75a81ee427_JaffaCakes118.exe
    C:\Users\Admin\AppData\Local\Temp\2d04929a36bfaf6d69e76c75a81ee427_JaffaCakes118.exe cmd/del /C:\Users\Admin\AppData\Local\Temp\DOCtoEXE241009183024_tmp\
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:1592

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /Automation -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:264

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2d04929a36bfaf6d69e76c75a81ee427_JaffaCakes118.exe

Filesize
167KB

MD5
2d04929a36bfaf6d69e76c75a81ee427

SHA1
d02616098812273a3baf2f0af0eb5bb0cc6e6b44

SHA256
1339f665e134a0ccdaaad982fd8c4abd6974af29f8b447dfa7fc92eda9849ab2

SHA512
d1bbfba2ce008f560a4cef6e1ef295c5833e684935632bb4918ca3e6d00d8760d18484b68699c4b72cc801081d62ce46597b6fab4bb02b439053084947562f48

Download Submit
C:\Users\Admin\AppData\Local\Temp\DOCtoEXE241009183024_tmp\DOCtoEXE.exe

Filesize
140KB

MD5
308b594351ac2524bf91c01d02dddc3e

SHA1
3fa31b46fb0ff4674a32cccc92c9a3cc69b43b9c

SHA256
a3009ac5d7cf984a83ae099b77c2575663fc47702dc75b2c195b97fb6f07cf91

SHA512
7e8d796c618bdfa10d982c5b4b0da0783ae43171cfc1e383ac3ee1b49a8257fedadb04db0e367005f87596afcedcbd712d84c7f9fdda2f94096006859921f2db

Download Submit
C:\Users\Admin\AppData\Local\Temp\DOCtoEXE241009183024_tmp\DOCtoEXEtmp\Ebib01.doc

Filesize
44KB

MD5
bc3c12b28a333cf1b74ea0c0b8e3a64c

SHA1
60f9f155335d59a32c08c7cc4c3a6ec23641ba83

SHA256
286a1c9e52bb626d7a0abb9fc94d9e24ea52bab3d8efad3356d3a83782e9a030

SHA512
813f65d4f5a9c2b1f4ff5f88b5b3709faa433e1d1d36d894eed5886b7039594cc7d91aea6dc605376b5fb170bd6d3826237054441805c816acc598b0aa6d219e

Download Submit
C:\Users\Admin\AppData\Local\Temp\DOCtoEXE241009183024_tmp\zlib123.dll

Filesize
72KB

MD5
4efaa53c545f4ffb1ee0ed1709c15ea7

SHA1
076b2d31e24fe8cfb56f9c292fd6ca1402be79b2

SHA256
21582b3a68e8753322a1b1c7e550ae7fd305de4935de68fbde9f87570f484d00

SHA512
7fa8c0954729ea14fdceb788393c3de6e139fc4c480b84183863f62afacec2d6bbc0993b601a4a74c87bc89338b627dc37a18be309d090bae880ea10ab9d7314

Download Submit
memory/264-34-0x00007FF9F2310000-0x00007FF9F2320000-memory.dmp

Filesize
64KB

Download
memory/264-42-0x00007FFA32290000-0x00007FFA32485000-memory.dmp

Filesize
2.0MB

Download
memory/264-30-0x00007FF9F2310000-0x00007FF9F2320000-memory.dmp

Filesize
64KB

Download
memory/264-31-0x00007FF9F2310000-0x00007FF9F2320000-memory.dmp

Filesize
64KB

Download
memory/264-33-0x00007FFA32290000-0x00007FFA32485000-memory.dmp

Filesize
2.0MB

Download
memory/264-32-0x00007FF9F2310000-0x00007FF9F2320000-memory.dmp

Filesize
64KB

Download
memory/264-37-0x00007FFA32290000-0x00007FFA32485000-memory.dmp

Filesize
2.0MB

Download
memory/264-39-0x00007FFA32290000-0x00007FFA32485000-memory.dmp

Filesize
2.0MB

Download
memory/264-36-0x00007FFA32290000-0x00007FFA32485000-memory.dmp

Filesize
2.0MB

Download
memory/264-35-0x00007FFA32290000-0x00007FFA32485000-memory.dmp

Filesize
2.0MB

Download
memory/264-28-0x00007FF9F2310000-0x00007FF9F2320000-memory.dmp

Filesize
64KB

Download
memory/264-38-0x00007FFA32290000-0x00007FFA32485000-memory.dmp

Filesize
2.0MB

Download
memory/264-40-0x00007FF9F0010000-0x00007FF9F0020000-memory.dmp

Filesize
64KB

Download
memory/264-29-0x00007FFA3232D000-0x00007FFA3232E000-memory.dmp

Filesize
4KB

Download
memory/264-44-0x00007FFA32290000-0x00007FFA32485000-memory.dmp

Filesize
2.0MB

Download
memory/264-43-0x00007FFA32290000-0x00007FFA32485000-memory.dmp

Filesize
2.0MB

Download
memory/264-41-0x00007FFA32290000-0x00007FFA32485000-memory.dmp

Filesize
2.0MB

Download
memory/264-45-0x00007FF9F0010000-0x00007FF9F0020000-memory.dmp

Filesize
64KB

Download
memory/264-73-0x00007FFA32290000-0x00007FFA32485000-memory.dmp

Filesize
2.0MB

Download
memory/264-71-0x00007FF9F2310000-0x00007FF9F2320000-memory.dmp

Filesize
64KB

Download
memory/264-72-0x00007FF9F2310000-0x00007FF9F2320000-memory.dmp

Filesize
64KB

Download
memory/264-70-0x00007FF9F2310000-0x00007FF9F2320000-memory.dmp

Filesize
64KB

Download
memory/264-69-0x00007FF9F2310000-0x00007FF9F2320000-memory.dmp

Filesize
64KB

Download
memory/1336-24-0x0000000000540000-0x0000000000567000-memory.dmp

Filesize
156KB

Download
memory/2180-7-0x0000000000630000-0x0000000000657000-memory.dmp

Filesize
156KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads