Analysis
- max time kernel: 149s
- max time network: 25s
- platform: windows7_x64
- resource: win7-20240708-en
- resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
- submitted: 08-09-2024 04:03
Behavioral task: behavioral1
- Sample: d37ea0e04f634195f4037ed049538f8f_JaffaCakes118.xls
- Resource: win7-20240708-en
Behavioral task: behavioral2
- Sample: d37ea0e04f634195f4037ed049538f8f_JaffaCakes118.xls
- Resource: win10v2004-20240802-en
General
- Target: d37ea0e04f634195f4037ed049538f8f_JaffaCakes118.xls
- Size: 143KB
- MD5: d37ea0e04f634195f4037ed049538f8f
- SHA1: cf0d658c3bc33bc5bcb8f4852a7a3dc805d36860
- SHA256: 071f41c6ba5d557491c35260b8d99a5cee331d870c1fbc7756303de0eb3ba63e
- SHA512: f8b113615b780a7d27a56804bf3d964f4270183134a991fccb8c278d47e05b1c08a27aea98b713b2d2b08e68f5015629277ad9fdac7d26fd2a21514e9c0c161a
- SSDEEP: 3072:Zk3hOdsylKlgxopeiBNhZFGzE+cL2kdATHtCcT+f8bCVyZG1MeNC:Zk3hOdsylKlgxopeiBNhZF+E+W2kdATL
Malware Config
Signatures
- Process spawned unexpected child process (2 IoCs)
  This typically indicates the parent process was compromised via an exploit or macro.
  Processes: explorer.exe, explorer.exe
  description | pid | pid_target | process | target process
  Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process | 1912 | 1732 | explorer.exe | EXCEL.EXE
  Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process | 2780 | 1732 | explorer.exe | EXCEL.EXE
- Blocklisted process makes network request (1 IoCs)
  Processes: WScript.exe
  flow | pid | process
  3 | 2836 | WScript.exe
- System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  Processes: EXCEL.EXE, explorer.exe, explorer.exe
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | EXCEL.EXE
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | explorer.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | explorer.exe
- Enumerates system info in registry (2 TTPs, 1 IoCs)
  Processes: EXCEL.EXE
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor | EXCEL.EXE
- Suspicious behavior: AddClipboardFormatListener (1 IoCs)
  Processes: EXCEL.EXE
  pid | process
  1732 | EXCEL.EXE
- Suspicious use of FindShellTrayWindow (1 IoCs)
  Processes: EXCEL.EXE
  pid | process
  1732 | EXCEL.EXE
- Suspicious use of SetWindowsHookEx (3 IoCs)
  Processes: EXCEL.EXE
  pid | process
  1732 | EXCEL.EXE
  1732 | EXCEL.EXE
  1732 | EXCEL.EXE
- Suspicious use of WriteProcessMemory (14 IoCs)
  Processes: EXCEL.EXE, explorer.exe, explorer.exe
  description | pid | process | target process
  PID 1732 wrote to memory of 1912 | 1732 | EXCEL.EXE | explorer.exe
  PID 1732 wrote to memory of 1912 | 1732 | EXCEL.EXE | explorer.exe
  PID 1732 wrote to memory of 1912 | 1732 | EXCEL.EXE | explorer.exe
  PID 1732 wrote to memory of 1912 | 1732 | EXCEL.EXE | explorer.exe
  PID 2804 wrote to memory of 2912 | 2804 | explorer.exe | WScript.exe
  PID 2804 wrote to memory of 2912 | 2804 | explorer.exe | WScript.exe
  PID 2804 wrote to memory of 2912 | 2804 | explorer.exe | WScript.exe
  PID 1732 wrote to memory of 2780 | 1732 | EXCEL.EXE | explorer.exe
  PID 1732 wrote to memory of 2780 | 1732 | EXCEL.EXE | explorer.exe
  PID 1732 wrote to memory of 2780 | 1732 | EXCEL.EXE | explorer.exe
  PID 1732 wrote to memory of 2780 | 1732 | EXCEL.EXE | explorer.exe
  PID 2004 wrote to memory of 2836 | 2004 | explorer.exe | WScript.exe
  PID 2004 wrote to memory of 2836 | 2004 | explorer.exe | WScript.exe
  PID 2004 wrote to memory of 2836 | 2004 | explorer.exe | WScript.exe
Processes
- C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE (PID 1732)
  Command line: "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\d37ea0e04f634195f4037ed049538f8f_JaffaCakes118.xls
  Signatures:
  - System Location Discovery: System Language Discovery
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\explorer.exe (PID 1912)
    Command line: explorer.exe C:\Users\Admin\AppData\Local\Temp\mH5Wxk.vbs
    Signatures:
    - Process spawned unexpected child process
    - System Location Discovery: System Language Discovery
  - C:\Windows\SysWOW64\explorer.exe (PID 2780)
    Command line: explorer.exe C:\Users\Admin\AppData\Local\Temp\pq1fzH.vbs
    Signatures:
    - Process spawned unexpected child process
    - System Location Discovery: System Language Discovery
- C:\Windows\explorer.exe (PID 2804)
  Command line: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
  Signatures:
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\WScript.exe (PID 2912)
    Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\mH5Wxk.vbs"
- C:\Windows\explorer.exe (PID 2004)
  Command line: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
  Signatures:
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\WScript.exe (PID 2836)
    Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\pq1fzH.vbs"
    Signatures:
    - Blocklisted process makes network request
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 331B
  MD5: edac650eaf80a65804c1efa611b1fe6d
  SHA1: add0af1a993468906e3c0d00425076a5b0cf15d5
  SHA256: de9c5d4509ed98cbea23c52184bdd1d7e784f61b117ac96343cdadb9e1288544
  SHA512: a98b16ca10ae13d7232ad8611c1f8ca85e95fafc504ad8409845ccddefb3abcdc5f3e3bf54c6fe1d01bd3527f1757bb4d4fb76199af531be2fa253f0e7a27e59
- Filesize: 706B
  MD5: d62669519b44a6e13dcf61397b6e6b5d
  SHA1: 85cc1973b92a9e48843f542dc23e0b30cd962bdc
  SHA256: f0440e9edfdc1a8f1d4e5c8bb86bd74dfa56362cc5e25b512f3c0d2e84ffc1c8
  SHA512: 773c9fe21ee9e6cf5b7d6b5402851d34ad7b4b269abde3982741fc55fcb36325a22c3a0d33b87284f7b048fc938369d457b0ac870b425772a117532943bac5cf
- Filesize: 3B
  MD5: 21438ef4b9ad4fc266b6129a2f60de29
  SHA1: 5eb8e2242eeb4f5432beeec8b873f1ab0a6b71fd
  SHA256: 13bf7b3039c63bf5a50491fa3cfd8eb4e699d1ba1436315aef9cbe5711530354
  SHA512: 37436ced85e5cd638973e716d6713257d692f9dd2e1975d5511ae3856a7b3b9f0d9e497315a058b516ab31d652ea9950938c77c1ad435ea8d4b49d73427d1237