1d0ded5dbc6d2996e273f518bdab013ba9217ed76e197c44e7ef00f536967b9a

General

Target

676922539240c0d6bd398047c1cbe8d7_JaffaCakes118.xls
Size

279KB
MD5

676922539240c0d6bd398047c1cbe8d7
SHA1

ed5d52bd83409a2f8ff464619adf44776a3f1f3b
SHA256

1d0ded5dbc6d2996e273f518bdab013ba9217ed76e197c44e7ef00f536967b9a
SHA512

274fe4bab14177555237e50f8244faca1bd82eaaa6a5674c98e36f587c0e5d66589ac0eb0792be4943841850bd47eef9e6e3e7597acc942adfabf9c77ba63fa2
SSDEEP

6144:1NoClbz7R41azKaSk3hOdsylKlgryzc4bNhZF+E+W/gEpIrcNaOwMmF7OCt:FVR442iIVhF7zt

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 1 IoCs

pid	Process
1164	EXCEL.EXE

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Local\Temp\{2E109FC9-AAEE-4A50-988B-526BC3C7AD79}\A6CD017F.png:Zone.Identifier	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1164	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1164	EXCEL.EXE
1164	EXCEL.EXE

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
1164	EXCEL.EXE
1164	EXCEL.EXE
1164	EXCEL.EXE

Suspicious use of SetWindowsHookEx 27 IoCs

pid	Process
1164	EXCEL.EXE
1164	EXCEL.EXE
1164	EXCEL.EXE
1164	EXCEL.EXE
1164	EXCEL.EXE
1164	EXCEL.EXE
1164	EXCEL.EXE
1164	EXCEL.EXE
1164	EXCEL.EXE
1164	EXCEL.EXE
1164	EXCEL.EXE
1164	EXCEL.EXE
1164	EXCEL.EXE
1164	EXCEL.EXE
1164	EXCEL.EXE
1164	EXCEL.EXE
1164	EXCEL.EXE
1164	EXCEL.EXE
1164	EXCEL.EXE
1164	EXCEL.EXE
1164	EXCEL.EXE
1164	EXCEL.EXE
1164	EXCEL.EXE
1164	EXCEL.EXE
1164	EXCEL.EXE
1164	EXCEL.EXE
1164	EXCEL.EXE

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 1164 wrote to memory of 3684	1164	EXCEL.EXE	89
PID 1164 wrote to memory of 3684	1164	EXCEL.EXE	89

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\676922539240c0d6bd398047c1cbe8d7_JaffaCakes118.xls"
1⤵
- Loads dropped DLL
- Checks processor information in registry
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1164
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:3684

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

3

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\factory.xlsx

Filesize
150KB

MD5
0ec8b5f53e39f10fcdee8d5fdbb6d5f4

SHA1
859f1ebef09451fff18ee69abc0ab92b1c5e0e68

SHA256
0572a2228abcb669538c71b6c75483121238b0ddd00af4a983a9d78ee127902c

SHA512
9c5e3ff6b7f7eaab505d5c2b9472822b302818aad2fbfe672026cc9827c7cd23a4b87d160fafeaa4c96f5908b869997fe26e62db5aaf80fd3684c7641a85fcb1

Download Submit
C:\Users\Admin\AppData\Roaming\map_studio2.dll

Filesize
67KB

MD5
c14b962b8f828dba43305542b722b48b

SHA1
39f750689b5d865936e6f5e6cc4fe8877065fca1

SHA256
511ecf63f0bce7287c1ed6c931a94761b9425f3def1aea3398cb1765cd472166

SHA512
c52e1cf0bb453dbe8901133f370f1a05a7e9489940843bb4e33c91a0b6e989e42e2bee73a329aa91174c42066b6c97942cc1b9c1931e71e91bbbb7df5f7d589b

Download Submit
memory/1164-8-0x00007FFD79D70000-0x00007FFD79F65000-memory.dmp

Filesize
2.0MB

Download
memory/1164-224-0x00007FFD79D70000-0x00007FFD79F65000-memory.dmp

Filesize
2.0MB

Download
memory/1164-19-0x00007FFD79D70000-0x00007FFD79F65000-memory.dmp

Filesize
2.0MB

Download
memory/1164-5-0x00007FFD79E0D000-0x00007FFD79E0E000-memory.dmp

Filesize
4KB

Download
memory/1164-6-0x00007FFD79D70000-0x00007FFD79F65000-memory.dmp

Filesize
2.0MB

Download
memory/1164-7-0x00007FFD79D70000-0x00007FFD79F65000-memory.dmp

Filesize
2.0MB

Download
memory/1164-0-0x00007FFD39DF0000-0x00007FFD39E00000-memory.dmp

Filesize
64KB

Download
memory/1164-9-0x00007FFD79D70000-0x00007FFD79F65000-memory.dmp

Filesize
2.0MB

Download
memory/1164-10-0x00007FFD37C10000-0x00007FFD37C20000-memory.dmp

Filesize
64KB

Download
memory/1164-12-0x00007FFD79D70000-0x00007FFD79F65000-memory.dmp

Filesize
2.0MB

Download
memory/1164-14-0x00007FFD79D70000-0x00007FFD79F65000-memory.dmp

Filesize
2.0MB

Download
memory/1164-13-0x00007FFD79D70000-0x00007FFD79F65000-memory.dmp

Filesize
2.0MB

Download
memory/1164-11-0x00007FFD79D70000-0x00007FFD79F65000-memory.dmp

Filesize
2.0MB

Download
memory/1164-15-0x00007FFD37C10000-0x00007FFD37C20000-memory.dmp

Filesize
64KB

Download
memory/1164-1-0x00007FFD39DF0000-0x00007FFD39E00000-memory.dmp

Filesize
64KB

Download
memory/1164-17-0x00007FFD79D70000-0x00007FFD79F65000-memory.dmp

Filesize
2.0MB

Download
memory/1164-3-0x00007FFD39DF0000-0x00007FFD39E00000-memory.dmp

Filesize
64KB

Download
memory/1164-16-0x00007FFD79D70000-0x00007FFD79F65000-memory.dmp

Filesize
2.0MB

Download
memory/1164-37-0x00007FFD79D70000-0x00007FFD79F65000-memory.dmp

Filesize
2.0MB

Download
memory/1164-38-0x00007FFD79D70000-0x00007FFD79F65000-memory.dmp

Filesize
2.0MB

Download
memory/1164-51-0x00007FFD79D70000-0x00007FFD79F65000-memory.dmp

Filesize
2.0MB

Download
memory/1164-4-0x00007FFD39DF0000-0x00007FFD39E00000-memory.dmp

Filesize
64KB

Download
memory/1164-2-0x00007FFD39DF0000-0x00007FFD39E00000-memory.dmp

Filesize
64KB

Download
memory/1164-195-0x00007FFD79D70000-0x00007FFD79F65000-memory.dmp

Filesize
2.0MB

Download
memory/1164-196-0x00007FFD79D70000-0x00007FFD79F65000-memory.dmp

Filesize
2.0MB

Download
memory/1164-197-0x00007FFD79D70000-0x00007FFD79F65000-memory.dmp

Filesize
2.0MB

Download
memory/1164-222-0x00007FFD39DF0000-0x00007FFD39E00000-memory.dmp

Filesize
64KB

Download
memory/1164-221-0x00007FFD39DF0000-0x00007FFD39E00000-memory.dmp

Filesize
64KB

Download
memory/1164-223-0x00007FFD39DF0000-0x00007FFD39E00000-memory.dmp

Filesize
64KB

Download
memory/1164-220-0x00007FFD39DF0000-0x00007FFD39E00000-memory.dmp

Filesize
64KB

Download
memory/1164-18-0x00007FFD79D70000-0x00007FFD79F65000-memory.dmp

Filesize
2.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads