a9ba5e7ae9dca585a8b3e993dba5055bffce24a5e201e5b9cdd6e88c2c33bb60

General

Target

eaadbf33d6d8e1df8106018fdc39d3f9_JaffaCakes118.xlsm
Size

2.7MB
MD5

eaadbf33d6d8e1df8106018fdc39d3f9
SHA1

8e95e02a998509003fea9c205e752e4ec2802808
SHA256

a9ba5e7ae9dca585a8b3e993dba5055bffce24a5e201e5b9cdd6e88c2c33bb60
SHA512

ab654653089c8c720e71d2f80670c3eade14cd55ef45d9c0c49f7fa146a6d08f28fbcda35331911d823df1a6000a4474573586b0e70aea160ab0eca81e7e8337
SSDEEP

1536:lnd4uFEvT42ZacNCMi8LZ+lWxaqOyIasQmUV2ZT0nIcjELco6kx:r4uFEr423N7ipWJOyIj8sT0n9Jkx

Score

10^/10

discovery

Malware Config

Signatures

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process	2508	2956	cscript.exe	29

Blocklisted process makes network request 2 IoCs

flow	pid	Process
2	2508	cscript.exe
3	2628	cscript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EQNEDT32.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cMD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXCEL.EXE

Office loads VBA resources, possible macro or embedded object present

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Launches Equation Editor 1 TTPs 1 IoCs

Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.

exploit

Exploitation for Client Execution

T1203

pid	Process
768	EQNEDT32.EXE

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\programdata\asc.txt:script1.vbs	EXCEL.EXE

Script User-Agent 2 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	3	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	2	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2956	EXCEL.EXE

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
2956	EXCEL.EXE
2956	EXCEL.EXE
2956	EXCEL.EXE
2956	EXCEL.EXE
2956	EXCEL.EXE

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 768 wrote to memory of 764	768	EQNEDT32.EXE	32
PID 768 wrote to memory of 764	768	EQNEDT32.EXE	32
PID 768 wrote to memory of 764	768	EQNEDT32.EXE	32
PID 768 wrote to memory of 764	768	EQNEDT32.EXE	32
PID 764 wrote to memory of 1044	764	cMD.exe	34
PID 764 wrote to memory of 1044	764	cMD.exe	34
PID 764 wrote to memory of 1044	764	cMD.exe	34
PID 764 wrote to memory of 1044	764	cMD.exe	34
PID 1044 wrote to memory of 3036	1044	wscript.exe	36
PID 1044 wrote to memory of 3036	1044	wscript.exe	36
PID 1044 wrote to memory of 3036	1044	wscript.exe	36
PID 1044 wrote to memory of 3036	1044	wscript.exe	36
PID 3036 wrote to memory of 2628	3036	cmd.exe	38
PID 3036 wrote to memory of 2628	3036	cmd.exe	38
PID 3036 wrote to memory of 2628	3036	cmd.exe	38
PID 3036 wrote to memory of 2628	3036	cmd.exe	38
PID 2956 wrote to memory of 2508	2956	EXCEL.EXE	39
PID 2956 wrote to memory of 2508	2956	EXCEL.EXE	39
PID 2956 wrote to memory of 2508	2956	EXCEL.EXE	39
PID 2956 wrote to memory of 2508	2956	EXCEL.EXE	39

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\eaadbf33d6d8e1df8106018fdc39d3f9_JaffaCakes118.xlsm
1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2956
- C:\Windows\SysWOW64\cscript.exe
  "C:\Windows\System32\cscript.exe" C:\programdata\asc.txt:script1.vbs
  2⤵
  - Process spawned unexpected child process
  - Blocklisted process makes network request
  - System Location Discovery: System Language Discovery
  PID:2508

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
1⤵
- System Location Discovery: System Language Discovery
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:768
- C:\Windows\SysWOW64\cMD.exe
  cMD /c REN %tmp%\q v& WSCrIpT %tmp%\v?..wsf C
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:764
- - C:\Windows\SysWOW64\wscript.exe
    WSCrIpT C:\Users\Admin\AppData\Local\Temp\v?..wsf C
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1044
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c cscript C:\Users\Admin\AppData\Local\Temp\xx.vbs
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3036
    - - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp\xx.vbs
        5⤵
        Blocklisted process makes network request
        System Location Discovery: System Language Discovery
        
        PID:2628

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Exploitation for Client Execution

1

T1203

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\q

Filesize
15KB

MD5
979db514bac273b8c88b38e2436215fd

SHA1
7beac1d5180d59de94329427041c4390a652b157

SHA256
f75f4b35f605bd5467052f15b6f3e3ed1e13d03305ff477c23161fa67ead1ea1

SHA512
27ed1617986a3e699986e0816b6240bf3bae917663e1b95461a24fcd17fbbf67510804c5680488728a12119dd1309dfd19d63a757e6c4a2537d1d2e944fc3e1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\xx

Filesize
29KB

MD5
3e6f149d801174d66de21727d41adb3c

SHA1
e8a170f082e82d356f46f5679c3293e25e46e014

SHA256
ad212bcf010da6f04a656861c895e8ac9f013a5c2271c7baf55b05706ecf6878

SHA512
8dd83f641ed7d6e4294f655ce1db3533ab84f2b6daff01312bd8601d1e77f55b5cc9a757ae3b22531a2b171d768eecfdf1fe207540df528a808ef89313c70e21

Download Submit
C:\programdata\asc.txt:script1.vbs

Filesize
68KB

MD5
9804524f96c787a69a60738fd9b958ac

SHA1
0b8d06a63322719037cb7c479f11c9d1db4e5e5e

SHA256
03220f8d458cf2c5c95b2721b63e740ee6a1d68660b2e9995a423f821134c15f

SHA512
c1e2b53dbfa261da5d6d7f3f83c85b04fb5105548c63efe251db0371a27ee48dae200405fe8f837a43b8949f7801ae4156a97eabb5307c4416641fb72e3ef468

Download Submit
memory/2956-0-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2956-1-0x000000007298D000-0x0000000072998000-memory.dmp

Filesize
44KB

Download
memory/2956-9-0x00000000004B0000-0x00000000005B0000-memory.dmp

Filesize
1024KB

Download
memory/2956-10-0x00000000004B0000-0x00000000005B0000-memory.dmp

Filesize
1024KB

Download
memory/2956-11-0x00000000004B0000-0x00000000005B0000-memory.dmp

Filesize
1024KB

Download
memory/2956-15-0x00000000004B0000-0x00000000005B0000-memory.dmp

Filesize
1024KB

Download
memory/2956-12-0x00000000004B0000-0x00000000005B0000-memory.dmp

Filesize
1024KB

Download
memory/2956-21-0x000000007298D000-0x0000000072998000-memory.dmp

Filesize
44KB

Download

Analysis

Sharing