4357ea08892faf2fbfb75935e371d4bd8bc895f0421f6a6aebcd12a00adc908b

General

Target

3a0f471f473ec60706d79cb4bbc411f0_JaffaCakes118.exe
Size

68KB
MD5

3a0f471f473ec60706d79cb4bbc411f0
SHA1

afd644f0a316b86ceb9b6d58db20c368213f446c
SHA256

4357ea08892faf2fbfb75935e371d4bd8bc895f0421f6a6aebcd12a00adc908b
SHA512

34871bc368c87e7d1bedb2dd8e60c05b74b26f6ef429ed5a216e57e0de0415cc8bee15ed896b564b76d4424eab575dc405b0e5fc6717e77109abdb77488cf622
SSDEEP

768:q/vz7fUS8AuVzTdV2OTjZn3kgViCorFP:CvfuVzTrH53XVR

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	3a0f471f473ec60706d79cb4bbc411f0_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3a0f471f473ec60706d79cb4bbc411f0_JaffaCakes118.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	3a0f471f473ec60706d79cb4bbc411f0_JaffaCakes118.exe

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
648	WINWORD.EXE
648	WINWORD.EXE

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
648	WINWORD.EXE
648	WINWORD.EXE
648	WINWORD.EXE
648	WINWORD.EXE
648	WINWORD.EXE
648	WINWORD.EXE
648	WINWORD.EXE

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 2220 wrote to memory of 648	2220	3a0f471f473ec60706d79cb4bbc411f0_JaffaCakes118.exe	85
PID 2220 wrote to memory of 648	2220	3a0f471f473ec60706d79cb4bbc411f0_JaffaCakes118.exe	85

C:\Users\Admin\AppData\Local\Temp\3a0f471f473ec60706d79cb4bbc411f0_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\3a0f471f473ec60706d79cb4bbc411f0_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2220
- C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
  "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\3a0f471f473ec60706d79cb4bbc411f0_JaffaCakes118.rtf" /o ""
  2⤵
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  PID:648

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

3

T1012

System Information Discovery

4

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\3a0f471f473ec60706d79cb4bbc411f0_JaffaCakes118.rtf

Filesize
3KB

MD5
9fce3b0133ad2796442f5a0e18b681a5

SHA1
5972e80cc00e89be846692540921c5dfeac5d017

SHA256
8ae683fa2b323bd63bee7040b41f1213b74ea05526972d52c210b8b2110ccead

SHA512
04ffe802cbb0383df1825985e11025f1cc53de8d68ca38525ac5fdcd266f6f4bb1858f78a1317c3857f891527fc18a95e48991d6f6e1fe36cdca2d7aebfdb40b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Bibliography Styles\TM02851218[[fn=gb]].xsl

Filesize
262KB

MD5
51d32ee5bc7ab811041f799652d26e04

SHA1
412193006aa3ef19e0a57e16acf86b830993024a

SHA256
6230814bf5b2d554397580613e20681752240ab87fd354ececf188c1eabe0e97

SHA512
5fc5d889b0c8e5ef464b76f0c4c9e61bda59b2d1205ac9417cc74d6e9f989fb73d78b4eb3044a1a1e1f2c00ce1ca1bd6d4d07eeadc4108c7b124867711c31810

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
memory/648-26-0x00007FFDDF3F0000-0x00007FFDDF400000-memory.dmp

Filesize
64KB

Download
memory/648-25-0x00007FFE21530000-0x00007FFE21725000-memory.dmp

Filesize
2.0MB

Download
memory/648-10-0x00007FFDE15B0000-0x00007FFDE15C0000-memory.dmp

Filesize
64KB

Download
memory/648-12-0x00007FFDE15B0000-0x00007FFDE15C0000-memory.dmp

Filesize
64KB

Download
memory/648-13-0x00007FFDE15B0000-0x00007FFDE15C0000-memory.dmp

Filesize
64KB

Download
memory/648-9-0x00007FFDE15B0000-0x00007FFDE15C0000-memory.dmp

Filesize
64KB

Download
memory/648-17-0x00007FFE21530000-0x00007FFE21725000-memory.dmp

Filesize
2.0MB

Download
memory/648-18-0x00007FFE21530000-0x00007FFE21725000-memory.dmp

Filesize
2.0MB

Download
memory/648-16-0x00007FFE21530000-0x00007FFE21725000-memory.dmp

Filesize
2.0MB

Download
memory/648-15-0x00007FFE21530000-0x00007FFE21725000-memory.dmp

Filesize
2.0MB

Download
memory/648-19-0x00007FFDDF3F0000-0x00007FFDDF400000-memory.dmp

Filesize
64KB

Download
memory/648-14-0x00007FFE21530000-0x00007FFE21725000-memory.dmp

Filesize
2.0MB

Download
memory/648-22-0x00007FFE21530000-0x00007FFE21725000-memory.dmp

Filesize
2.0MB

Download
memory/648-50-0x00007FFE21530000-0x00007FFE21725000-memory.dmp

Filesize
2.0MB

Download
memory/648-11-0x00007FFE215CD000-0x00007FFE215CE000-memory.dmp

Filesize
4KB

Download
memory/648-28-0x00007FFE21530000-0x00007FFE21725000-memory.dmp

Filesize
2.0MB

Download
memory/648-23-0x00007FFE21530000-0x00007FFE21725000-memory.dmp

Filesize
2.0MB

Download
memory/648-24-0x00007FFE21530000-0x00007FFE21725000-memory.dmp

Filesize
2.0MB

Download
memory/648-27-0x00007FFE21530000-0x00007FFE21725000-memory.dmp

Filesize
2.0MB

Download
memory/648-21-0x00007FFE21530000-0x00007FFE21725000-memory.dmp

Filesize
2.0MB

Download
memory/648-20-0x00007FFE21530000-0x00007FFE21725000-memory.dmp

Filesize
2.0MB

Download
memory/648-30-0x00007FFE21530000-0x00007FFE21725000-memory.dmp

Filesize
2.0MB

Download
memory/648-29-0x00007FFE21530000-0x00007FFE21725000-memory.dmp

Filesize
2.0MB

Download
memory/648-8-0x00007FFDE15B0000-0x00007FFDE15C0000-memory.dmp

Filesize
64KB

Download
memory/2220-1-0x0000000002160000-0x0000000002161000-memory.dmp

Filesize
4KB

Download
memory/2220-46-0x0000000002760000-0x0000000002761000-memory.dmp

Filesize
4KB

Download
memory/2220-47-0x0000000000401000-0x0000000000404000-memory.dmp

Filesize
12KB

Download
memory/2220-48-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2220-49-0x000000005F000000-0x000000005F011000-memory.dmp

Filesize
68KB

Download
memory/2220-0-0x0000000002760000-0x0000000002761000-memory.dmp

Filesize
4KB

Download
memory/2220-2-0x0000000000401000-0x0000000000404000-memory.dmp

Filesize
12KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads