0ebfbcbf8c35ff8cbf36e38799b5129c7b70c6895d5f11d1ab562a511a2ec76e

General

Target

73828f9d183d9d9004591767ef21da13_JaffaCakes118.xls
Size

96KB
MD5

73828f9d183d9d9004591767ef21da13
SHA1

8ab7fa25e9c8ec1b5cfc275da5592c6068c214fc
SHA256

0ebfbcbf8c35ff8cbf36e38799b5129c7b70c6895d5f11d1ab562a511a2ec76e
SHA512

8d93a3842e76c07166ab4294bd747233822fb47a78a23872cc426fc392cc733f80302310694cb2324313cf4c7d263485930257f18e32b239b8fb6a7b7a6bb173
SSDEEP

1536:olk3hbdlylKsgqopeJBWhZFGkE+cL2NdAxNny/KgoducuZg3qGa2h1//o2JVVHsD:olk3hbdlylKsgqopeJBWhZFGkE+cL2N9

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	iweei.exe

Executes dropped EXE 1 IoCs

pid	Process
3120	iweei.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2116	EXCEL.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2116	EXCEL.EXE
2116	EXCEL.EXE

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
2116	EXCEL.EXE
2116	EXCEL.EXE
2116	EXCEL.EXE
2116	EXCEL.EXE
2116	EXCEL.EXE
2116	EXCEL.EXE
2116	EXCEL.EXE
2116	EXCEL.EXE
2116	EXCEL.EXE
2116	EXCEL.EXE
2116	EXCEL.EXE
2116	EXCEL.EXE

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2116 wrote to memory of 3120	2116	EXCEL.EXE	97
PID 2116 wrote to memory of 3120	2116	EXCEL.EXE	97
PID 2116 wrote to memory of 3120	2116	EXCEL.EXE	97

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\73828f9d183d9d9004591767ef21da13_JaffaCakes118.xls"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2116
- C:\Users\Admin\AppData\Roaming\iweei.exe
  C:\Users\Admin\AppData\Roaming\iweei.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:3120

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1412 --field-trial-handle=2676,i,447940133669489189,1353734109898858672,262144 --variations-seed-version /prefetch:8
1⤵
PID:5212

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

3

T1012

System Information Discovery

4

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Remps.exe

Filesize
303B

MD5
043237190ec4d14646756b5afe4ddb57

SHA1
509430ca42d60453822d3f98213319087fde01f6

SHA256
7b7083644c1f1e918fcd1f5d5e07e831a2d3d3f49ab5a5456dee060fa7fd7620

SHA512
8f69aa6c5abe183b110663bd862389518d053dc112013bfe77e7832088d2de662153974816e8f65ef62e3ab87cd81fb9a26e4279035bf3c377bb1004fa6e0b68

Download Submit
C:\Users\Admin\AppData\Roaming\iweei.exe

Filesize
3KB

MD5
0df0331538f0a21c2c160f77d1221fb3

SHA1
12b853bb37352eeb3ea08d74226b465d73b8a233

SHA256
502c4c424c8f435254953c1d32a1f7ae1e67fb88ebd7a31594afc7278dcafde3

SHA512
873264231142f679a3cb81af34710fff92f13d71bf2f3f32276897d091ba665a2cd96cfc73f8b63296a8d4770677f21a3a797dfb75dc18c7370678a5508c1397

Download Submit
memory/2116-17-0x00007FFCACDB0000-0x00007FFCACFA5000-memory.dmp

Filesize
2.0MB

Download
memory/2116-19-0x00007FFCACDB0000-0x00007FFCACFA5000-memory.dmp

Filesize
2.0MB

Download
memory/2116-4-0x00007FFC6CE30000-0x00007FFC6CE40000-memory.dmp

Filesize
64KB

Download
memory/2116-5-0x00007FFC6CE30000-0x00007FFC6CE40000-memory.dmp

Filesize
64KB

Download
memory/2116-7-0x00007FFCACDB0000-0x00007FFCACFA5000-memory.dmp

Filesize
2.0MB

Download
memory/2116-9-0x00007FFCACDB0000-0x00007FFCACFA5000-memory.dmp

Filesize
2.0MB

Download
memory/2116-10-0x00007FFCACDB0000-0x00007FFCACFA5000-memory.dmp

Filesize
2.0MB

Download
memory/2116-8-0x00007FFCACDB0000-0x00007FFCACFA5000-memory.dmp

Filesize
2.0MB

Download
memory/2116-6-0x00007FFCACDB0000-0x00007FFCACFA5000-memory.dmp

Filesize
2.0MB

Download
memory/2116-12-0x00007FFCACDB0000-0x00007FFCACFA5000-memory.dmp

Filesize
2.0MB

Download
memory/2116-13-0x00007FFCACDB0000-0x00007FFCACFA5000-memory.dmp

Filesize
2.0MB

Download
memory/2116-11-0x00007FFCACDB0000-0x00007FFCACFA5000-memory.dmp

Filesize
2.0MB

Download
memory/2116-14-0x00007FFC6A870000-0x00007FFC6A880000-memory.dmp

Filesize
64KB

Download
memory/2116-15-0x00007FFCACDB0000-0x00007FFCACFA5000-memory.dmp

Filesize
2.0MB

Download
memory/2116-1-0x00007FFC6CE30000-0x00007FFC6CE40000-memory.dmp

Filesize
64KB

Download
memory/2116-0-0x00007FFC6CE30000-0x00007FFC6CE40000-memory.dmp

Filesize
64KB

Download
memory/2116-18-0x00007FFCACDB0000-0x00007FFCACFA5000-memory.dmp

Filesize
2.0MB

Download
memory/2116-20-0x00007FFCACDB0000-0x00007FFCACFA5000-memory.dmp

Filesize
2.0MB

Download
memory/2116-16-0x00007FFCACDB0000-0x00007FFCACFA5000-memory.dmp

Filesize
2.0MB

Download
memory/2116-21-0x00007FFC6A870000-0x00007FFC6A880000-memory.dmp

Filesize
64KB

Download
memory/2116-188-0x00007FFCACDB0000-0x00007FFCACFA5000-memory.dmp

Filesize
2.0MB

Download
memory/2116-3-0x00007FFCACE4D000-0x00007FFCACE4E000-memory.dmp

Filesize
4KB

Download
memory/2116-12056-0x00007FFCACDB0000-0x00007FFCACFA5000-memory.dmp

Filesize
2.0MB

Download
memory/2116-2-0x00007FFC6CE30000-0x00007FFC6CE40000-memory.dmp

Filesize
64KB

Download
memory/2116-12037-0x00007FFCACDB0000-0x00007FFCACFA5000-memory.dmp

Filesize
2.0MB

Download
memory/2116-12041-0x00007FFCACDB0000-0x00007FFCACFA5000-memory.dmp

Filesize
2.0MB

Download
memory/2116-12053-0x00007FFC6CE30000-0x00007FFC6CE40000-memory.dmp

Filesize
64KB

Download
memory/2116-12052-0x00007FFC6CE30000-0x00007FFC6CE40000-memory.dmp

Filesize
64KB

Download
memory/2116-12054-0x00007FFC6CE30000-0x00007FFC6CE40000-memory.dmp

Filesize
64KB

Download
memory/2116-12055-0x00007FFC6CE30000-0x00007FFC6CE40000-memory.dmp

Filesize
64KB

Download
memory/3120-12022-0x0000000000400000-0x0000000000402000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads