Analysis Overview
SHA256
071f41c6ba5d557491c35260b8d99a5cee331d870c1fbc7756303de0eb3ba63e
Threat Level: Known bad
The file d37ea0e04f634195f4037ed049538f8f_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
Process spawned unexpected child process
Blocklisted process makes network request
Suspicious Office macro
System Location Discovery: System Language Discovery
Enumerates system info in registry
Suspicious use of FindShellTrayWindow
Modifies registry class
Suspicious behavior: AddClipboardFormatListener
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Checks processor information in registry
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-09-08 04:03
Signatures
Suspicious Office macro
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-09-08 04:03
Reported
2024-09-08 04:06
Platform
win7-20240708-en
Max time kernel
149s
Max time network
25s
Command Line
Signatures
Process spawned unexpected child process
| Description | Indicator | Process | Target |
|---|---|---|---|
| Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process | N/A | C:\Windows\SysWOW64\explorer.exe | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE |
| Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process | N/A | C:\Windows\SysWOW64\explorer.exe | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE |
Blocklisted process makes network request
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\System32\WScript.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\explorer.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\d37ea0e04f634195f4037ed049538f8f_JaffaCakes118.xls
C:\Windows\SysWOW64\explorer.exe
explorer.exe C:\Users\Admin\AppData\Local\Temp\mH5Wxk.vbs
C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\mH5Wxk.vbs"
C:\Windows\SysWOW64\explorer.exe
explorer.exe C:\Users\Admin\AppData\Local\Temp\pq1fzH.vbs
C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\pq1fzH.vbs"
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | chuguadventures.co.tz | udp |
| US | 38.58.178.86:443 | chuguadventures.co.tz | tcp |
Files
memory/1732-0-0x000000005FFF0000-0x0000000060000000-memory.dmp
memory/1732-1-0x000000007295D000-0x0000000072968000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\mH5Wxk.vbs
| Hash | Value |
|---|---|
| MD5 | edac650eaf80a65804c1efa611b1fe6d |
| SHA1 | add0af1a993468906e3c0d00425076a5b0cf15d5 |
| SHA256 | de9c5d4509ed98cbea23c52184bdd1d7e784f61b117ac96343cdadb9e1288544 |
| SHA512 | a98b16ca10ae13d7232ad8611c1f8ca85e95fafc504ad8409845ccddefb3abcdc5f3e3bf54c6fe1d01bd3527f1757bb4d4fb76199af531be2fa253f0e7a27e59 |
C:\Users\Admin\AppData\Local\Temp\uVIp.txt
| Hash | Value |
|---|---|
| MD5 | 21438ef4b9ad4fc266b6129a2f60de29 |
| SHA1 | 5eb8e2242eeb4f5432beeec8b873f1ab0a6b71fd |
| SHA256 | 13bf7b3039c63bf5a50491fa3cfd8eb4e699d1ba1436315aef9cbe5711530354 |
| SHA512 | 37436ced85e5cd638973e716d6713257d692f9dd2e1975d5511ae3856a7b3b9f0d9e497315a058b516ab31d652ea9950938c77c1ad435ea8d4b49d73427d1237 |
C:\Users\Admin\AppData\Local\Temp\pq1fzH.vbs
| Hash | Value |
|---|---|
| MD5 | d62669519b44a6e13dcf61397b6e6b5d |
| SHA1 | 85cc1973b92a9e48843f542dc23e0b30cd962bdc |
| SHA256 | f0440e9edfdc1a8f1d4e5c8bb86bd74dfa56362cc5e25b512f3c0d2e84ffc1c8 |
| SHA512 | 773c9fe21ee9e6cf5b7d6b5402851d34ad7b4b269abde3982741fc55fcb36325a22c3a0d33b87284f7b048fc938369d457b0ac870b425772a117532943bac5cf |
memory/1732-8-0x000000007295D000-0x0000000072968000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-09-08 04:03
Reported
2024-09-08 04:06
Platform
win10v2004-20240802-en
Max time kernel
149s
Max time network
151s
Command Line
Signatures
Process spawned unexpected child process
| Description | Indicator | Process | Target |
|---|---|---|---|
| Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | N/A | C:\Windows\explorer.exe | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE |
| Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | N/A | C:\Windows\explorer.exe | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE |
Blocklisted process makes network request
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\System32\WScript.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key created | \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings | C:\Windows\explorer.exe | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 3604 wrote to memory of 888 | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | C:\Windows\explorer.exe |
| PID 3604 wrote to memory of 888 | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | C:\Windows\explorer.exe |
| PID 1576 wrote to memory of 1584 | N/A | C:\Windows\explorer.exe | C:\Windows\System32\WScript.exe |
| PID 1576 wrote to memory of 1584 | N/A | C:\Windows\explorer.exe | C:\Windows\System32\WScript.exe |
| PID 3604 wrote to memory of 1320 | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | C:\Windows\explorer.exe |
| PID 3604 wrote to memory of 1320 | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | C:\Windows\explorer.exe |
| PID 2996 wrote to memory of 4000 | N/A | C:\Windows\explorer.exe | C:\Windows\System32\WScript.exe |
| PID 2996 wrote to memory of 4000 | N/A | C:\Windows\explorer.exe | C:\Windows\System32\WScript.exe |
Processes
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\d37ea0e04f634195f4037ed049538f8f_JaffaCakes118.xls"
C:\Windows\explorer.exe
explorer.exe C:\Users\Admin\AppData\Local\Temp\mH5Wxk.vbs
C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\mH5Wxk.vbs"
C:\Windows\explorer.exe
explorer.exe C:\Users\Admin\AppData\Local\Temp\pq1fzH.vbs
C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\pq1fzH.vbs"
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | roaming.officeapps.live.com | udp |
| GB | 52.109.32.7:443 | roaming.officeapps.live.com | tcp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.89.109.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 7.32.109.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | chuguadventures.co.tz | udp |
| US | 38.58.178.86:443 | chuguadventures.co.tz | tcp |
| US | 8.8.8.8:53 | 90.65.42.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 121.170.16.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
Files
memory/3604-1-0x00007FFA277ED000-0x00007FFA277EE000-memory.dmp
memory/3604-3-0x00007FF9E77D0000-0x00007FF9E77E0000-memory.dmp
memory/3604-2-0x00007FF9E77D0000-0x00007FF9E77E0000-memory.dmp
memory/3604-0-0x00007FF9E77D0000-0x00007FF9E77E0000-memory.dmp
memory/3604-4-0x00007FFA27750000-0x00007FFA27945000-memory.dmp
memory/3604-5-0x00007FFA27750000-0x00007FFA27945000-memory.dmp
memory/3604-7-0x00007FFA27750000-0x00007FFA27945000-memory.dmp
memory/3604-9-0x00007FFA27750000-0x00007FFA27945000-memory.dmp
memory/3604-8-0x00007FF9E77D0000-0x00007FF9E77E0000-memory.dmp
memory/3604-10-0x00007FF9E5340000-0x00007FF9E5350000-memory.dmp
memory/3604-6-0x00007FF9E77D0000-0x00007FF9E77E0000-memory.dmp
memory/3604-13-0x00007FFA27750000-0x00007FFA27945000-memory.dmp
memory/3604-12-0x00007FFA27750000-0x00007FFA27945000-memory.dmp
memory/3604-11-0x00007FFA27750000-0x00007FFA27945000-memory.dmp
memory/3604-14-0x00007FF9E5340000-0x00007FF9E5350000-memory.dmp
memory/3604-18-0x00007FFA27750000-0x00007FFA27945000-memory.dmp
memory/3604-16-0x00007FFA27750000-0x00007FFA27945000-memory.dmp
memory/3604-15-0x00007FFA27750000-0x00007FFA27945000-memory.dmp
memory/3604-17-0x00007FFA27750000-0x00007FFA27945000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\mH5Wxk.vbs
| Hash | Value |
|---|---|
| MD5 | e5145fb5345e2179c2a63f6152ad2cb4 |
| SHA1 | 8c4f8f4af8c70c8e1c1d6b072e7098c476f7bc20 |
| SHA256 | 6743285676f5ac3dad4d93fce806d9704ddd910d864be3670150444fd95dec3e |
| SHA512 | 80de5399a8303dcb1be76155c738075b1494886faf2dddb348ebd5a8e33d62bb67198662ac7dda9b57493f170f3ae670c05ac722e4fcbcbc74c20841a47cba37 |
C:\Users\Admin\AppData\Local\Temp\uVIp.txt
| Hash | Value |
|---|---|
| MD5 | 21438ef4b9ad4fc266b6129a2f60de29 |
| SHA1 | 5eb8e2242eeb4f5432beeec8b873f1ab0a6b71fd |
| SHA256 | 13bf7b3039c63bf5a50491fa3cfd8eb4e699d1ba1436315aef9cbe5711530354 |
| SHA512 | 37436ced85e5cd638973e716d6713257d692f9dd2e1975d5511ae3856a7b3b9f0d9e497315a058b516ab31d652ea9950938c77c1ad435ea8d4b49d73427d1237 |
C:\Users\Admin\AppData\Local\Temp\pq1fzH.vbs
| Hash | Value |
|---|---|
| MD5 | d62669519b44a6e13dcf61397b6e6b5d |
| SHA1 | 85cc1973b92a9e48843f542dc23e0b30cd962bdc |
| SHA256 | f0440e9edfdc1a8f1d4e5c8bb86bd74dfa56362cc5e25b512f3c0d2e84ffc1c8 |
| SHA512 | 773c9fe21ee9e6cf5b7d6b5402851d34ad7b4b269abde3982741fc55fcb36325a22c3a0d33b87284f7b048fc938369d457b0ac870b425772a117532943bac5cf |
memory/3604-37-0x00007FFA27750000-0x00007FFA27945000-memory.dmp
memory/3604-39-0x00007FFA27750000-0x00007FFA27945000-memory.dmp
memory/3604-38-0x00007FFA277ED000-0x00007FFA277EE000-memory.dmp
memory/3604-40-0x00007FFA27750000-0x00007FFA27945000-memory.dmp