480e24e75c71c5a6da53b4f334cd77b295fc778ed13062e23d201ff1189f3972

General

Target

037e36c51a797ae4f55dd28cb71aa5ed_JaffaCakes118.xls
Size

143KB
MD5

037e36c51a797ae4f55dd28cb71aa5ed
SHA1

79f33d17bc250be80b2430944f8a8a23f7d4eb13
SHA256

480e24e75c71c5a6da53b4f334cd77b295fc778ed13062e23d201ff1189f3972
SHA512

e68fe0c1583447f738f6a99ee75b71e5ff3f917daf0c94e11615f43617e91d8706bc2a71831338f5110b9585bc3de07708095abea1923f2cc7b0c2a4c5e99c90
SSDEEP

3072:Lk3hOdsylKlgxopeiBNhZFGzE+cL2kdAmLdMyat77xlNeHXwfQQPFV7kGABh5IR:Lk3hOdsylKlgxopeiBNhZF+E+W2kdAmO

Score

10^/10

Malware Config

Signatures

Process spawned unexpected child process 2 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process	2684	1284	explorer.exe	27
Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process	2524	1284	explorer.exe	27

Blocklisted process makes network request 1 IoCs

flow	pid	Process
3	2052	WScript.exe

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Modifies Internet Explorer settings 1 TTPs 9 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Toolbar	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1284	EXCEL.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1284	EXCEL.EXE

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
1284	EXCEL.EXE
1284	EXCEL.EXE
1284	EXCEL.EXE

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 1284 wrote to memory of 2684	1284	EXCEL.EXE	28
PID 1284 wrote to memory of 2684	1284	EXCEL.EXE	28
PID 1284 wrote to memory of 2684	1284	EXCEL.EXE	28
PID 1284 wrote to memory of 2684	1284	EXCEL.EXE	28
PID 2552 wrote to memory of 2160	2552	explorer.exe	30
PID 2552 wrote to memory of 2160	2552	explorer.exe	30
PID 2552 wrote to memory of 2160	2552	explorer.exe	30
PID 1284 wrote to memory of 2524	1284	EXCEL.EXE	31
PID 1284 wrote to memory of 2524	1284	EXCEL.EXE	31
PID 1284 wrote to memory of 2524	1284	EXCEL.EXE	31
PID 1284 wrote to memory of 2524	1284	EXCEL.EXE	31
PID 2448 wrote to memory of 2052	2448	explorer.exe	33
PID 2448 wrote to memory of 2052	2448	explorer.exe	33
PID 2448 wrote to memory of 2052	2448	explorer.exe	33

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\037e36c51a797ae4f55dd28cb71aa5ed_JaffaCakes118.xls
1⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1284
- C:\Windows\SysWOW64\explorer.exe
  explorer.exe C:\Users\Admin\AppData\Local\Temp\awEa.vbs
  2⤵
  - Process spawned unexpected child process
  PID:2684
- C:\Windows\SysWOW64\explorer.exe
  explorer.exe C:\Users\Admin\AppData\Local\Temp\qbBd7ZfD.vbs
  2⤵
  - Process spawned unexpected child process
  PID:2524

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Suspicious use of WriteProcessMemory
PID:2552
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\awEa.vbs"
  2⤵
  PID:2160

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Suspicious use of WriteProcessMemory
PID:2448
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\qbBd7ZfD.vbs"
  2⤵
  - Blocklisted process makes network request
  PID:2052

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\awEa.vbs

Filesize
329B

MD5
b4d4d3a7cc39d870c6353fdc41e3508f

SHA1
f168f16ef2d490734fa944367332eae09a031e7b

SHA256
b8eb2a2c98160414d400dd3ac1059a87348e4f4d3f127b797a4077f7c14bab79

SHA512
012a754a3b69de8f9a1f9f7802efc7081aeb9f09aca67f50e58b515021f9a081d47debf6dae46cda951934215d7aa8bc0f134cb04a6488925d6005503aca66e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\qbBd7ZfD.vbs

Filesize
691B

MD5
5223fa94f6291de508dbff59850e488d

SHA1
3fb906a312000d0c95e1d28a28ef9d9f380df0bb

SHA256
28c6aa8a2e30735ea4b6ab089a00164736554282ba367710325377dc5530de80

SHA512
f6b79b07bf57e7c744c94020e95c92eba25e3ded88e1903fe30f9884360f56a43dcfe557c5569c7836fbe58ed0e54e139fd2f47bb521776034f2238a51932c7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\t6tENf.txt

Filesize
3B

MD5
21438ef4b9ad4fc266b6129a2f60de29

SHA1
5eb8e2242eeb4f5432beeec8b873f1ab0a6b71fd

SHA256
13bf7b3039c63bf5a50491fa3cfd8eb4e699d1ba1436315aef9cbe5711530354

SHA512
37436ced85e5cd638973e716d6713257d692f9dd2e1975d5511ae3856a7b3b9f0d9e497315a058b516ab31d652ea9950938c77c1ad435ea8d4b49d73427d1237

Download Submit
memory/1284-0-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1284-1-0x0000000071E4D000-0x0000000071E58000-memory.dmp

Filesize
44KB

Download
memory/1284-8-0x0000000071E4D000-0x0000000071E58000-memory.dmp

Filesize
44KB

Download

Analysis

Sharing