5b424584f92912bcce18e13782e8f25e042a258e6af080a7e26d578ddd713e7b

General

Target

83ac39d1741a697ad63598818fefb58b_JaffaCakes118.xls
Size

145KB
MD5

83ac39d1741a697ad63598818fefb58b
SHA1

364a1f71eaafefe89860d7a9c6773297a0d50e5f
SHA256

5b424584f92912bcce18e13782e8f25e042a258e6af080a7e26d578ddd713e7b
SHA512

89b36406442a3c2b231fcfce21605ef5796c7cd3b2353dda7a37a858d0b8439762a1ac243ab5c907ddd0f333c70418f59ddfe58ba358d1a8b37eb4cb4d433f5a
SSDEEP

3072:0k3hOdsylKlgxopeiBNhZFGzE+cL2kdA+MGBcK/YNgNlFpKNul/CQrDHlAw:0k3hOdsylKlgxopeiBNhZF+E+W2kdA+N

Score

10^/10

discovery

Malware Config

Signatures

Process spawned unexpected child process 2 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process	2852	1732	explorer.exe	28
Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process	2856	1732	explorer.exe	28

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1732	EXCEL.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1732	EXCEL.EXE

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
1732	EXCEL.EXE
1732	EXCEL.EXE
1732	EXCEL.EXE

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 1732 wrote to memory of 2852	1732	EXCEL.EXE	29
PID 1732 wrote to memory of 2852	1732	EXCEL.EXE	29
PID 1732 wrote to memory of 2852	1732	EXCEL.EXE	29
PID 1732 wrote to memory of 2852	1732	EXCEL.EXE	29
PID 3056 wrote to memory of 2896	3056	explorer.exe	31
PID 3056 wrote to memory of 2896	3056	explorer.exe	31
PID 3056 wrote to memory of 2896	3056	explorer.exe	31
PID 1732 wrote to memory of 2856	1732	EXCEL.EXE	32
PID 1732 wrote to memory of 2856	1732	EXCEL.EXE	32
PID 1732 wrote to memory of 2856	1732	EXCEL.EXE	32
PID 1732 wrote to memory of 2856	1732	EXCEL.EXE	32
PID 2660 wrote to memory of 2676	2660	explorer.exe	34
PID 2660 wrote to memory of 2676	2660	explorer.exe	34
PID 2660 wrote to memory of 2676	2660	explorer.exe	34

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\83ac39d1741a697ad63598818fefb58b_JaffaCakes118.xls
1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1732
- C:\Windows\SysWOW64\explorer.exe
  explorer.exe C:\Users\Admin\AppData\Local\Temp\yWR.vbs
  2⤵
  - Process spawned unexpected child process
  - System Location Discovery: System Language Discovery
  PID:2852
- C:\Windows\SysWOW64\explorer.exe
  explorer.exe C:\Users\Admin\AppData\Local\Temp\nMf2C.vbs
  2⤵
  - Process spawned unexpected child process
  - System Location Discovery: System Language Discovery
  PID:2856

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Suspicious use of WriteProcessMemory
PID:3056
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\yWR.vbs"
  2⤵
  PID:2896

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Suspicious use of WriteProcessMemory
PID:2660
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\nMf2C.vbs"
  2⤵
  PID:2676

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\UTmceQaO.txt

Filesize
3B

MD5
21438ef4b9ad4fc266b6129a2f60de29

SHA1
5eb8e2242eeb4f5432beeec8b873f1ab0a6b71fd

SHA256
13bf7b3039c63bf5a50491fa3cfd8eb4e699d1ba1436315aef9cbe5711530354

SHA512
37436ced85e5cd638973e716d6713257d692f9dd2e1975d5511ae3856a7b3b9f0d9e497315a058b516ab31d652ea9950938c77c1ad435ea8d4b49d73427d1237

Download Submit
C:\Users\Admin\AppData\Local\Temp\nMf2C.vbs

Filesize
715B

MD5
da71f8b98e9e16c8b88879ac95cc1102

SHA1
1dad6ce4e938cac5f18ce7e14e900145fdef448b

SHA256
0cc82c39157d500466a4ed30c76bb20e0dbbd470730d3674120a20e75f64558d

SHA512
c680567f5ee9e476ffed46e6efe5ee61d513320d3baa7ddd3eebc4f20cb69536ca73946668ed447984bbfc2bf4ebfa4f0ca1a886ab92ed9e6c6e5812e4ca6161

Download Submit
C:\Users\Admin\AppData\Local\Temp\yWR.vbs

Filesize
322B

MD5
52ab7ee6ada4437a21e45f1fe8cb13b9

SHA1
940292957a902a7c6012a4e7c85b8929fc11a9e3

SHA256
6a9e478fbf578aff4b9806066b4cb79f9d0c009f9a9216eb43edbdbf8d85519f

SHA512
a509c0c04f61c20a42575f47c35ba55e90217e45df0ed85c151e3693a10d9971550e50f0e8525786bd6a691e2a557ff3d7fa9a7a8cc2dbd6a2c840180c6cdc12

Download Submit
memory/1732-0-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1732-1-0x00000000728ED000-0x00000000728F8000-memory.dmp

Filesize
44KB

Download
memory/1732-8-0x00000000728ED000-0x00000000728F8000-memory.dmp

Filesize
44KB

Download

Analysis

Sharing