83d566c37607526b26d42194e17f0602364108e008a34d52f78184e74c08702f

General

Target

JaffaCakes118_911e3a9a39cb9a33cf1cf03a9355a8cd.doc
Size

42KB
MD5

911e3a9a39cb9a33cf1cf03a9355a8cd
SHA1

470097066e593e5f93903399bbcb37a83b8658e3
SHA256

83d566c37607526b26d42194e17f0602364108e008a34d52f78184e74c08702f
SHA512

b0002a224ed5d7cc03885b6223d635566b720d07b3efac8a5c2497ae5033998ed7fefaac499bcd423c92d24f81e4af0f39eed18ed824d811ab8aae1648cefc4f
SSDEEP

384:ABV04HMfH9+kM8FQ57XPOwitmDwRmLdPDpNMlzEmYMjAtr:OmVD6gQrp

Score

8^/10

macro macro_on_action

Malware Config

Signatures

Office macro that triggers on suspicious action 1 IoCs

Office document macro which triggers in special circumstances - often malicious.

macro macro_on_action

resource	yara_rule
behavioral2/files/0x0002000000022a98-81.dat	office_macro_on_action

Deletes itself 1 IoCs

pid	Process
1800	WINWORD.EXE

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

NTFS ADS 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Temp\~WRD0002.tmp\:Zone.Identifier:$DATA	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
1800	WINWORD.EXE
1800	WINWORD.EXE

Suspicious use of SetWindowsHookEx 15 IoCs

pid	Process
1800	WINWORD.EXE
1800	WINWORD.EXE
1800	WINWORD.EXE
1800	WINWORD.EXE
1800	WINWORD.EXE
1800	WINWORD.EXE
1800	WINWORD.EXE
1800	WINWORD.EXE
1800	WINWORD.EXE
1800	WINWORD.EXE
1800	WINWORD.EXE
1800	WINWORD.EXE
1800	WINWORD.EXE
1800	WINWORD.EXE
1800	WINWORD.EXE

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_911e3a9a39cb9a33cf1cf03a9355a8cd.doc" /o ""
1⤵
- Deletes itself
- Checks processor information in registry
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1800

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\TCDAE68.tmp\iso690.xsl

Filesize
263KB

MD5
ff0e07eff1333cdf9fc2523d323dd654

SHA1
77a1ae0dd8dbc3fee65dd6266f31e2a564d088a4

SHA256
3f925e0cc1542f09de1f99060899eafb0042bb9682507c907173c392115a44b5

SHA512
b4615f995fab87661c2dbe46625aa982215d7bde27cafae221dca76087fe76da4b4a381943436fcac1577cb3d260d0050b32b7b93e3eb07912494429f126bb3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\~WRD0002.tmp

Filesize
50KB

MD5
67f904687dc074666afed08e55e626f1

SHA1
eddf4e516da7494c0fd9588deba91e7bcc3780e7

SHA256
da1bd4dea8e881f2feadb35880742ac268ec86d99c501bb744a96e9746703952

SHA512
555fbb34d26b38ab005f43bc8e5280019a8deb872855dd47e09c1f78c4a7c970680a21f4581f422d77261203233bec82bcf8968fd3b5ab601a4672058a3ffb81

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

Filesize
26KB

MD5
935b8090edbee7c581c9f6be45fbd865

SHA1
7816f9a0cb389435b4c4ad53d5befb74fce808d4

SHA256
2fc416d29167983d537ab17d70085edbdaea2f77b45671728278376886c0e92d

SHA512
63f18f50727375234fbdbfd564785b3d3adcd99df3ef161c8b47c9e1b0e5523b7d766e2c9323b484f15756fbe305b940b809382b30ba3275a3e08604d2c6757c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

Filesize
2KB

MD5
07ec8feb63d1ed3183b9663dcad2c1e0

SHA1
6ca8fb4b622a98c656bfe3c2a1d2c9f1167ea646

SHA256
348bc8d4cd1ef6da98202ab6ee36e593497f712ed8a43a535ac8a4c825d2465e

SHA512
ef0fd3660e0967657f1e15320417288a4d48afa9838c6b05fb0e3fdcb1177b0972b57533c8c9b5d0b820f4d17559cc652ae4c1eb70364faec8238d5715a1a084

Download Submit
memory/1800-18-0x00007FFFB55A0000-0x00007FFFB55B0000-memory.dmp

Filesize
64KB

Download
memory/1800-5-0x00007FFFB7C30000-0x00007FFFB7C40000-memory.dmp

Filesize
64KB

Download
memory/1800-8-0x00007FFFF7BB0000-0x00007FFFF7DA5000-memory.dmp

Filesize
2.0MB

Download
memory/1800-7-0x00007FFFF7BB0000-0x00007FFFF7DA5000-memory.dmp

Filesize
2.0MB

Download
memory/1800-6-0x00007FFFF7BB0000-0x00007FFFF7DA5000-memory.dmp

Filesize
2.0MB

Download
memory/1800-13-0x00007FFFF7BB0000-0x00007FFFF7DA5000-memory.dmp

Filesize
2.0MB

Download
memory/1800-12-0x00007FFFF7BB0000-0x00007FFFF7DA5000-memory.dmp

Filesize
2.0MB

Download
memory/1800-11-0x00007FFFF7BB0000-0x00007FFFF7DA5000-memory.dmp

Filesize
2.0MB

Download
memory/1800-14-0x00007FFFF7BB0000-0x00007FFFF7DA5000-memory.dmp

Filesize
2.0MB

Download
memory/1800-15-0x00007FFFB55A0000-0x00007FFFB55B0000-memory.dmp

Filesize
64KB

Download
memory/1800-16-0x00007FFFF7BB0000-0x00007FFFF7DA5000-memory.dmp

Filesize
2.0MB

Download
memory/1800-10-0x00007FFFF7BB0000-0x00007FFFF7DA5000-memory.dmp

Filesize
2.0MB

Download
memory/1800-17-0x00007FFFF7BB0000-0x00007FFFF7DA5000-memory.dmp

Filesize
2.0MB

Download
memory/1800-0-0x00007FFFB7C30000-0x00007FFFB7C40000-memory.dmp

Filesize
64KB

Download
memory/1800-40-0x00007FFFF7BB0000-0x00007FFFF7DA5000-memory.dmp

Filesize
2.0MB

Download
memory/1800-44-0x00007FFFF7BB0000-0x00007FFFF7DA5000-memory.dmp

Filesize
2.0MB

Download
memory/1800-50-0x00007FFFF7BB0000-0x00007FFFF7DA5000-memory.dmp

Filesize
2.0MB

Download
memory/1800-9-0x00007FFFF7BB0000-0x00007FFFF7DA5000-memory.dmp

Filesize
2.0MB

Download
memory/1800-4-0x00007FFFB7C30000-0x00007FFFB7C40000-memory.dmp

Filesize
64KB

Download
memory/1800-2-0x00007FFFB7C30000-0x00007FFFB7C40000-memory.dmp

Filesize
64KB

Download
memory/1800-98-0x00007FFFF7BB0000-0x00007FFFF7DA5000-memory.dmp

Filesize
2.0MB

Download
memory/1800-100-0x00007FFFF7BB0000-0x00007FFFF7DA5000-memory.dmp

Filesize
2.0MB

Download
memory/1800-99-0x00007FFFF7C4D000-0x00007FFFF7C4E000-memory.dmp

Filesize
4KB

Download
memory/1800-101-0x00007FFFF7BB0000-0x00007FFFF7DA5000-memory.dmp

Filesize
2.0MB

Download
memory/1800-102-0x00007FFFF7BB0000-0x00007FFFF7DA5000-memory.dmp

Filesize
2.0MB

Download
memory/1800-3-0x00007FFFB7C30000-0x00007FFFB7C40000-memory.dmp

Filesize
64KB

Download
memory/1800-108-0x00007FFFF7BB0000-0x00007FFFF7DA5000-memory.dmp

Filesize
2.0MB

Download
memory/1800-109-0x00007FFFF7BB0000-0x00007FFFF7DA5000-memory.dmp

Filesize
2.0MB

Download
memory/1800-1-0x00007FFFF7C4D000-0x00007FFFF7C4E000-memory.dmp

Filesize
4KB

Download
memory/1800-248-0x00007FFFB7C30000-0x00007FFFB7C40000-memory.dmp

Filesize
64KB

Download
memory/1800-247-0x00007FFFB7C30000-0x00007FFFB7C40000-memory.dmp

Filesize
64KB

Download
memory/1800-249-0x00007FFFB7C30000-0x00007FFFB7C40000-memory.dmp

Filesize
64KB

Download
memory/1800-250-0x00007FFFB7C30000-0x00007FFFB7C40000-memory.dmp

Filesize
64KB

Download
memory/1800-251-0x00007FFFF7BB0000-0x00007FFFF7DA5000-memory.dmp

Filesize
2.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads