Analysis
max time kernel: 149s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 08-09-2024 04:03
Behavioral task: behavioral1
Sample: d37ea0e04f634195f4037ed049538f8f_JaffaCakes118.xls
Resource: win7-20240708-en
Behavioral task: behavioral2
Sample: d37ea0e04f634195f4037ed049538f8f_JaffaCakes118.xls
Resource: win10v2004-20240802-en
General
Target: d37ea0e04f634195f4037ed049538f8f_JaffaCakes118.xls
Size: 143KB
MD5: d37ea0e04f634195f4037ed049538f8f
SHA1: cf0d658c3bc33bc5bcb8f4852a7a3dc805d36860
SHA256: 071f41c6ba5d557491c35260b8d99a5cee331d870c1fbc7756303de0eb3ba63e
SHA512: f8b113615b780a7d27a56804bf3d964f4270183134a991fccb8c278d47e05b1c08a27aea98b713b2d2b08e68f5015629277ad9fdac7d26fd2a21514e9c0c161a
SSDEEP: 3072:Zk3hOdsylKlgxopeiBNhZFGzE+cL2kdATHtCcT+f8bCVyZG1MeNC:Zk3hOdsylKlgxopeiBNhZF+E+W2kdATL
Malware Config
Signatures
Process spawned unexpected child process (2 IoCs)
This typically indicates the parent process was compromised via an exploit or macro.
Processes: explorer.exe, explorer.exe
description | pid | pid_target | process | target process
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | 888 | 3604 | explorer.exe | EXCEL.EXE
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | 1320 | 3604 | explorer.exe | EXCEL.EXE
Blocklisted process makes network request (1 IoCs)
Processes: WScript.exe
flow | pid | process
27 | 4000 | WScript.exe
Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes: EXCEL.EXE
description | ioc | process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | EXCEL.EXE
Enumerates system info in registry (2 TTPs, 3 IoCs)
Processes: EXCEL.EXE
description | ioc | process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | EXCEL.EXE
Modifies registry class (2 IoCs)
Processes: explorer.exe, explorer.exe
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings | explorer.exe
Key created | \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings | explorer.exe
Suspicious behavior: AddClipboardFormatListener (1 IoCs)
Processes: EXCEL.EXE
pid | process
3604 | EXCEL.EXE
Suspicious use of FindShellTrayWindow (1 IoCs)
Processes: EXCEL.EXE
pid | process
3604 | EXCEL.EXE
Suspicious use of SetWindowsHookEx (6 IoCs)
Processes: EXCEL.EXE
pid | process
3604 | EXCEL.EXE
3604 | EXCEL.EXE
3604 | EXCEL.EXE
3604 | EXCEL.EXE
3604 | EXCEL.EXE
3604 | EXCEL.EXE
Suspicious use of WriteProcessMemory (8 IoCs)
Processes: EXCEL.EXE, explorer.exe, explorer.exe
description | pid | process | target process
PID 3604 wrote to memory of 888 | 3604 | EXCEL.EXE | explorer.exe
PID 3604 wrote to memory of 888 | 3604 | EXCEL.EXE | explorer.exe
PID 1576 wrote to memory of 1584 | 1576 | explorer.exe | WScript.exe
PID 1576 wrote to memory of 1584 | 1576 | explorer.exe | WScript.exe
PID 3604 wrote to memory of 1320 | 3604 | EXCEL.EXE | explorer.exe
PID 3604 wrote to memory of 1320 | 3604 | EXCEL.EXE | explorer.exe
PID 2996 wrote to memory of 4000 | 2996 | explorer.exe | WScript.exe
PID 2996 wrote to memory of 4000 | 2996 | explorer.exe | WScript.exe
Processes
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE (PID 3604)
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\d37ea0e04f634195f4037ed049538f8f_JaffaCakes118.xls"
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
    C:\Windows\explorer.exe (PID 888)
      Command line: explorer.exe C:\Users\Admin\AppData\Local\Temp\mH5Wxk.vbs
      - Process spawned unexpected child process
    C:\Windows\explorer.exe (PID 1320)
      Command line: explorer.exe C:\Users\Admin\AppData\Local\Temp\pq1fzH.vbs
      - Process spawned unexpected child process
C:\Windows\explorer.exe (PID 1576)
  Command line: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
    C:\Windows\System32\WScript.exe (PID 1584)
      Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\mH5Wxk.vbs"
C:\Windows\explorer.exe (PID 2996)
  Command line: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
    C:\Windows\System32\WScript.exe (PID 4000)
      Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\pq1fzH.vbs"
      - Blocklisted process makes network request
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 331B
MD5: e5145fb5345e2179c2a63f6152ad2cb4
SHA1: 8c4f8f4af8c70c8e1c1d6b072e7098c476f7bc20
SHA256: 6743285676f5ac3dad4d93fce806d9704ddd910d864be3670150444fd95dec3e
SHA512: 80de5399a8303dcb1be76155c738075b1494886faf2dddb348ebd5a8e33d62bb67198662ac7dda9b57493f170f3ae670c05ac722e4fcbcbc74c20841a47cba37

Filesize: 706B
MD5: d62669519b44a6e13dcf61397b6e6b5d
SHA1: 85cc1973b92a9e48843f542dc23e0b30cd962bdc
SHA256: f0440e9edfdc1a8f1d4e5c8bb86bd74dfa56362cc5e25b512f3c0d2e84ffc1c8
SHA512: 773c9fe21ee9e6cf5b7d6b5402851d34ad7b4b269abde3982741fc55fcb36325a22c3a0d33b87284f7b048fc938369d457b0ac870b425772a117532943bac5cf

Filesize: 3B
MD5: 21438ef4b9ad4fc266b6129a2f60de29
SHA1: 5eb8e2242eeb4f5432beeec8b873f1ab0a6b71fd
SHA256: 13bf7b3039c63bf5a50491fa3cfd8eb4e699d1ba1436315aef9cbe5711530354
SHA512: 37436ced85e5cd638973e716d6713257d692f9dd2e1975d5511ae3856a7b3b9f0d9e497315a058b516ab31d652ea9950938c77c1ad435ea8d4b49d73427d1237