8d51849a6ccb4e9f729e2d7e58ac2c684dddd73fd7364c7fb9e6ba53b617e02e

General

Target

6951bde97aed01abfdb2e2fe64253efe_JaffaCakes118.xls
Size

228KB
MD5

6951bde97aed01abfdb2e2fe64253efe
SHA1

4c7fa685fc7dc45c24166f994933276795f51688
SHA256

8d51849a6ccb4e9f729e2d7e58ac2c684dddd73fd7364c7fb9e6ba53b617e02e
SHA512

97950e503facf8b8d4811c68f5ba659fae1dedf727216059921efac07ce206c27351646cba5e47d0586ef21f8d5b017a1323879df419854d6efd072b51c65775
SSDEEP

6144:lk3hOdsylKlgxopeiBNhZF+E+W2kdA5QXVjGbMJfYX7n4mGKPe0FbrkxPjS5Uhm:/oj1MTZFbrGS5Uhm

Score

10^/10

Malware Config

Signatures

Process spawned unexpected child process 2 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

explorer.exeexplorer.exe

description	pid	pid_target	process	target process
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	2572	5108	explorer.exe	EXCEL.EXE
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	4212	5108	explorer.exe	EXCEL.EXE

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Modifies registry class 2 IoCs

Processes:

explorer.exeexplorer.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	explorer.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

5108 EXCEL.EXE
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

EXCEL.EXE

pid process

5108 EXCEL.EXE
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

EXCEL.EXE

pid process

5108 EXCEL.EXE
5108 EXCEL.EXE
5108 EXCEL.EXE
5108 EXCEL.EXE
5108 EXCEL.EXE
5108 EXCEL.EXE

pid	process
5108	EXCEL.EXE

pid	process
5108	EXCEL.EXE

pid	process
5108	EXCEL.EXE
5108	EXCEL.EXE
5108	EXCEL.EXE
5108	EXCEL.EXE
5108	EXCEL.EXE
5108	EXCEL.EXE

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

EXCEL.EXEexplorer.exeexplorer.exe

description	pid	process	target process
PID 5108 wrote to memory of 2572	5108	EXCEL.EXE	explorer.exe
PID 5108 wrote to memory of 2572	5108	EXCEL.EXE	explorer.exe
PID 4156 wrote to memory of 3956	4156	explorer.exe	WScript.exe
PID 4156 wrote to memory of 3956	4156	explorer.exe	WScript.exe
PID 5108 wrote to memory of 4212	5108	EXCEL.EXE	explorer.exe
PID 5108 wrote to memory of 4212	5108	EXCEL.EXE	explorer.exe
PID 1712 wrote to memory of 716	1712	explorer.exe	WScript.exe
PID 1712 wrote to memory of 716	1712	explorer.exe	WScript.exe

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\6951bde97aed01abfdb2e2fe64253efe_JaffaCakes118.xls"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5108

C:\Windows\explorer.exe
explorer.exe C:\Users\Admin\AppData\Local\Temp\FQbGOqq.vbs
2⤵
- Process spawned unexpected child process
PID:2572

C:\Windows\explorer.exe
explorer.exe C:\Users\Admin\AppData\Local\Temp\oENp.vbs
2⤵
- Process spawned unexpected child process
PID:4212

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4156

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\FQbGOqq.vbs"
2⤵
PID:3956

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1712

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\oENp.vbs"
2⤵
PID:716

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\FQbGOqq.vbs

Filesize
341B

MD5
ff17126f8a31224c9789ea825364cebd

SHA1
dc434fd10a7a3e40405d4676f25642cf6d2265ce

SHA256
e49f742730162369fe0f6fdde9974ef5baa7278549dc73b6ec2536bd00f24db6

SHA512
e0a8c8ce0bdfbc994de1da101d9c6662fb29cf8cede46de1409206170fce1145a5357b64c13c220fea2b8000e8da93dddd059c7245b3a4f46f6b115e488c1a79

Download Submit
C:\Users\Admin\AppData\Local\Temp\oENp.vbs

Filesize
774B

MD5
1a7a39572bd109c5c7c46ca0c8f9aa25

SHA1
a414e4717b6797f345e1ffeab770b8056f7cfdf8

SHA256
dee21524b638c95a6ff4bac6f529cee4a39e4a4fcce096c3c8fe9828687187cc

SHA512
793d469cdd47cdc79e47f9fc9a2e2befbcaa1fd229c3b00c5c93e7ee038dcbc50c81ee5adfd8a98b6d04a76c039aa979cabfd5285c608aecbf7ffba2d152e9e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\xLCa.txt

Filesize
3B

MD5
21438ef4b9ad4fc266b6129a2f60de29

SHA1
5eb8e2242eeb4f5432beeec8b873f1ab0a6b71fd

SHA256
13bf7b3039c63bf5a50491fa3cfd8eb4e699d1ba1436315aef9cbe5711530354

SHA512
37436ced85e5cd638973e716d6713257d692f9dd2e1975d5511ae3856a7b3b9f0d9e497315a058b516ab31d652ea9950938c77c1ad435ea8d4b49d73427d1237

Download Submit
memory/5108-8-0x00007FFE04650000-0x00007FFE04845000-memory.dmp

Filesize
2.0MB

Download
memory/5108-12-0x00007FFE04650000-0x00007FFE04845000-memory.dmp

Filesize
2.0MB

Download
memory/5108-5-0x00007FFDC46D0000-0x00007FFDC46E0000-memory.dmp

Filesize
64KB

Download
memory/5108-3-0x00007FFE046ED000-0x00007FFE046EE000-memory.dmp

Filesize
4KB

Download
memory/5108-6-0x00007FFE04650000-0x00007FFE04845000-memory.dmp

Filesize
2.0MB

Download
memory/5108-9-0x00007FFE04650000-0x00007FFE04845000-memory.dmp

Filesize
2.0MB

Download
memory/5108-10-0x00007FFE04650000-0x00007FFE04845000-memory.dmp

Filesize
2.0MB

Download
memory/5108-0-0x00007FFDC46D0000-0x00007FFDC46E0000-memory.dmp

Filesize
64KB

Download
memory/5108-13-0x00007FFDC1E80000-0x00007FFDC1E90000-memory.dmp

Filesize
64KB

Download
memory/5108-7-0x00007FFE04650000-0x00007FFE04845000-memory.dmp

Filesize
2.0MB

Download
memory/5108-11-0x00007FFE04650000-0x00007FFE04845000-memory.dmp

Filesize
2.0MB

Download
memory/5108-14-0x00007FFE04650000-0x00007FFE04845000-memory.dmp

Filesize
2.0MB

Download
memory/5108-15-0x00007FFDC1E80000-0x00007FFDC1E90000-memory.dmp

Filesize
64KB

Download
memory/5108-17-0x00007FFE04650000-0x00007FFE04845000-memory.dmp

Filesize
2.0MB

Download
memory/5108-16-0x00007FFE04650000-0x00007FFE04845000-memory.dmp

Filesize
2.0MB

Download
memory/5108-4-0x00007FFDC46D0000-0x00007FFDC46E0000-memory.dmp

Filesize
64KB

Download
memory/5108-1-0x00007FFDC46D0000-0x00007FFDC46E0000-memory.dmp

Filesize
64KB

Download
memory/5108-2-0x00007FFDC46D0000-0x00007FFDC46E0000-memory.dmp

Filesize
64KB

Download
memory/5108-38-0x00007FFE04650000-0x00007FFE04845000-memory.dmp

Filesize
2.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads