0a0dd626cf0198bf3c0ab3e02a69c457d03c11694a45d0867bdff7db7804c0e2

General

Target

2d9e2dafe65b5503fbce184872aa87fb_JaffaCakes118.exe
Size

21KB
MD5

2d9e2dafe65b5503fbce184872aa87fb
SHA1

6f5cf4c80cc86bff3f78ef7de9b8809a5d72d0d9
SHA256

0a0dd626cf0198bf3c0ab3e02a69c457d03c11694a45d0867bdff7db7804c0e2
SHA512

74326c44bf36288b3eda201ac2f0317202df4e5f61a62abcb37cba5633a9703ad00a580a8e33a52e449021142f4c26be34aa019a09221ceb667f208834c99f73
SSDEEP

384:oBQdvnWVAWMc+WZmV0KBKHEdrZgo6cnxJ7RE2mu1DU6EpE:NWVAW3A0u4kH6aJ7O7u1Y6Ep

Score

10^/10

discovery persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe rundll32.exe ubwi.wlo qetwxqy"	WINWORD.EXE

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process	2408	588	svchost.exe	31

Deletes itself 1 IoCs

pid	Process
2408	svchost.exe

Loads dropped DLL 3 IoCs

pid	Process
2060	2d9e2dafe65b5503fbce184872aa87fb_JaffaCakes118.exe
588	WINWORD.EXE
2408	svchost.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\ubwi.wlo	2d9e2dafe65b5503fbce184872aa87fb_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\ubwi.wlo	WINWORD.EXE
File opened for modification	C:\Windows\SysWOW64\ubwi.wlo	WINWORD.EXE

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe

Office loads VBA resources, possible macro or embedded object present

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\idid	svchost.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
588	WINWORD.EXE

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
588	WINWORD.EXE

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
588	WINWORD.EXE
588	WINWORD.EXE

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 588 wrote to memory of 2408	588	WINWORD.EXE	32
PID 588 wrote to memory of 2408	588	WINWORD.EXE	32
PID 588 wrote to memory of 2408	588	WINWORD.EXE	32
PID 588 wrote to memory of 2408	588	WINWORD.EXE	32

C:\Users\Admin\AppData\Local\Temp\2d9e2dafe65b5503fbce184872aa87fb_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2d9e2dafe65b5503fbce184872aa87fb_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
PID:2060

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding
1⤵
- Modifies WinLogon for persistence
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:588
- C:\Windows\SysWOW64\svchost.exe
  svchost.exe
  2⤵
  - Process spawned unexpected child process
  - Deletes itself
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  PID:2408

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\EF6E.tmp

Filesize
20KB

MD5
7df149b3d83494577301b546a10a3050

SHA1
a1c1e1a8697ce2e958df81d24131c95934afaa1d

SHA256
47094a1a75493f92d312b8bb32c2dce2fd877a2e8cbea58ff3bb9ae45aafed08

SHA512
b436404166b23795ac9a2641054ceb2ea8ee3e97c81243c69448832bc6ac9bb4197ce1efe7f1e5c92c95953075cf67d8ab4213fbd48454ffb2db91cd110cfdc4

Download Submit
memory/588-3-0x000000002F881000-0x000000002F882000-memory.dmp

Filesize
4KB

Download
memory/588-4-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/588-5-0x00000000715FD000-0x0000000071608000-memory.dmp

Filesize
44KB

Download
memory/588-10-0x00000000005D0000-0x00000000006D0000-memory.dmp

Filesize
1024KB

Download
memory/588-7-0x00000000005D0000-0x00000000006D0000-memory.dmp

Filesize
1024KB

Download
memory/588-19-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/588-20-0x00000000715FD000-0x0000000071608000-memory.dmp

Filesize
44KB

Download
memory/2060-23-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2408-13-0x0000000000080000-0x0000000000081000-memory.dmp

Filesize
4KB

Download
memory/2408-24-0x0000000010000000-0x000000001000C000-memory.dmp

Filesize
48KB

Download
memory/2408-25-0x0000000010000000-0x000000001000C000-memory.dmp

Filesize
48KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads