56c2a6cd514956d83ac3d9f810ca1d942ba929f29a9af1d37aee3a1ce54a0283

General

Target

fd7075efa74442ec550ba1b0613f0db3_JaffaCakes118.xlsm
Size

252KB
MD5

fd7075efa74442ec550ba1b0613f0db3
SHA1

cc34b9d08b301523a1ee0f1cce90fd3a9f9c4c6b
SHA256

56c2a6cd514956d83ac3d9f810ca1d942ba929f29a9af1d37aee3a1ce54a0283
SHA512

0b919291d04e060277248566241aca01689859f6d3c9953b61dbf01ad6b55dbbc193d1c594d3ed3f3e61f51dbae1f1adc2d6b0ab820b7941a76aab3a1bda54cd
SSDEEP

6144:SWtZbAPPimNA/kjoitk17d3/zIZgddQIMgB0ViWir2Yv6ZtK2BnBkxXpsw:3tZbAPDNAcM5d3bFLKW0ir2YvoU2BnBS

Score

10^/10

Malware Config

Signatures

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

MSHTA.exe

description	pid	pid_target	process	target process
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	456	2640	MSHTA.exe	EXCEL.EXE

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

2640 EXCEL.EXE
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

EXCEL.EXE

pid process

2640 EXCEL.EXE
2640 EXCEL.EXE

Suspicious use of SetWindowsHookEx 12 IoCs

Processes:

EXCEL.EXE

pid	process
2640	EXCEL.EXE
2640	EXCEL.EXE
2640	EXCEL.EXE
2640	EXCEL.EXE
2640	EXCEL.EXE
2640	EXCEL.EXE
2640	EXCEL.EXE
2640	EXCEL.EXE
2640	EXCEL.EXE
2640	EXCEL.EXE
2640	EXCEL.EXE
2640	EXCEL.EXE

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\fd7075efa74442ec550ba1b0613f0db3_JaffaCakes118.xlsm"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:2640

C:\Windows\SYSTEM32\MSHTA.exe
MSHTA C:\ProgramData\OyIGHoID.sct
2⤵
- Process spawned unexpected child process
PID:456

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1424 --field-trial-handle=2272,i,4858140932023865871,5726683989663339295,262144 --variations-seed-version /prefetch:8
1⤵
PID:3228

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\OyIGHoID.sct
Filesize
26KB

MD5
a7a70027c73d0df1be59bfa69fbc33c5

SHA1
30b3c70053fefb38dd4118ad83d5b93931d2fd3f

SHA256
5284d2c2382e406e7baed841d063f41f7653124bd923e0397523eb1195d02932

SHA512
c340fea56c396cecf0ded3769d5f575ffd50719baeb1c716acb678d32cfba07609f8cf3d68bcc857393ac476c0fb5424609d0cfe6f87a7aeeb2ba6f478abd317

Download Submit
memory/2640-7-0x00007FFD996D0000-0x00007FFD996E0000-memory.dmp

Filesize
64KB

Download
memory/2640-60-0x00007FFDD9650000-0x00007FFDD9845000-memory.dmp

Filesize
2.0MB

Download
memory/2640-13-0x00007FFDD9650000-0x00007FFDD9845000-memory.dmp

Filesize
2.0MB

Download
memory/2640-4-0x00007FFD996D0000-0x00007FFD996E0000-memory.dmp

Filesize
64KB

Download
memory/2640-5-0x00007FFDD9650000-0x00007FFDD9845000-memory.dmp

Filesize
2.0MB

Download
memory/2640-6-0x00007FFDD9650000-0x00007FFDD9845000-memory.dmp

Filesize
2.0MB

Download
memory/2640-0-0x00007FFD996D0000-0x00007FFD996E0000-memory.dmp

Filesize
64KB

Download
memory/2640-8-0x00007FFDD9650000-0x00007FFDD9845000-memory.dmp

Filesize
2.0MB

Download
memory/2640-9-0x00007FFDD9650000-0x00007FFDD9845000-memory.dmp

Filesize
2.0MB

Download
memory/2640-10-0x00007FFDD9650000-0x00007FFDD9845000-memory.dmp

Filesize
2.0MB

Download
memory/2640-11-0x00007FFDD9650000-0x00007FFDD9845000-memory.dmp

Filesize
2.0MB

Download
memory/2640-12-0x00007FFDD9650000-0x00007FFDD9845000-memory.dmp

Filesize
2.0MB

Download
memory/2640-2-0x00007FFD996D0000-0x00007FFD996E0000-memory.dmp

Filesize
64KB

Download
memory/2640-3-0x00007FFDD9650000-0x00007FFDD9845000-memory.dmp

Filesize
2.0MB

Download
memory/2640-55-0x00007FFD996D0000-0x00007FFD996E0000-memory.dmp

Filesize
64KB

Download
memory/2640-16-0x00007FFDD9650000-0x00007FFDD9845000-memory.dmp

Filesize
2.0MB

Download
memory/2640-17-0x00007FFD97220000-0x00007FFD97230000-memory.dmp

Filesize
64KB

Download
memory/2640-21-0x00007FFDD9650000-0x00007FFDD9845000-memory.dmp

Filesize
2.0MB

Download
memory/2640-25-0x00007FFDD9650000-0x00007FFDD9845000-memory.dmp

Filesize
2.0MB

Download
memory/2640-26-0x00007FFDD9650000-0x00007FFDD9845000-memory.dmp

Filesize
2.0MB

Download
memory/2640-1-0x00007FFD996D0000-0x00007FFD996E0000-memory.dmp

Filesize
64KB

Download
memory/2640-15-0x00007FFDD9650000-0x00007FFDD9845000-memory.dmp

Filesize
2.0MB

Download
memory/2640-56-0x00007FFD996D0000-0x00007FFD996E0000-memory.dmp

Filesize
64KB

Download
memory/2640-57-0x00007FFD996D0000-0x00007FFD996E0000-memory.dmp

Filesize
64KB

Download
memory/2640-58-0x00007FFD996D0000-0x00007FFD996E0000-memory.dmp

Filesize
64KB

Download
memory/2640-59-0x00007FFDD9650000-0x00007FFDD9845000-memory.dmp

Filesize
2.0MB

Download
memory/2640-14-0x00007FFD97220000-0x00007FFD97230000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads