716dec13d238ab64c0caa1951164596460e6981992224a2d67d654eea7e651da

General

Target

0d0b66217eb8cf8e17754331f77c67ec_JaffaCakes118.xls
Size

170KB
MD5

0d0b66217eb8cf8e17754331f77c67ec
SHA1

6064b05c7c7117032250818e55985432406b9a22
SHA256

716dec13d238ab64c0caa1951164596460e6981992224a2d67d654eea7e651da
SHA512

cf8de7cc230b02f2861b7a8142d95fc54ba3b9eccbe9989a551a857f8113d27383a3fd5e5dbb5b982460a9a472819e12ffd92d9fc0f80833ab44ccff32f51388
SSDEEP

3072:bz6E7DlCN0/mxYjmUxj6dpf7akpXCBxalMX+A5yrkdWPIB6zsleX/qBUbOl4/SpP:bzODakKAzI

Score

10^/10

defense_evasion macro xlm

Malware Config

Signatures

Process spawned unexpected child process 3 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	3480	1148	cmd.exe	81
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	1604	1148	cmd.exe	81
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	3996	1148	cmd.exe	81

Suspicious Office macro 1 IoCs

Office document equipped with 4.0 macros.

macro xlm

resource	yara_rule
behavioral2/files/0x000700000002345b-101.dat	office_xlm_macros

Deletes itself 1 IoCs

pid	Process
1148	EXCEL.EXE

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE

NTFS ADS 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Temp\FC875E00\:Zone.Identifier:$DATA	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1148	EXCEL.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1148	EXCEL.EXE
1148	EXCEL.EXE

Suspicious use of SetWindowsHookEx 14 IoCs

pid	Process
1148	EXCEL.EXE
1148	EXCEL.EXE
1148	EXCEL.EXE
1148	EXCEL.EXE
1148	EXCEL.EXE
1148	EXCEL.EXE
1148	EXCEL.EXE
1148	EXCEL.EXE
1148	EXCEL.EXE
1148	EXCEL.EXE
1148	EXCEL.EXE
1148	EXCEL.EXE
1148	EXCEL.EXE
1148	EXCEL.EXE

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1148 wrote to memory of 3996	1148	EXCEL.EXE	86
PID 1148 wrote to memory of 3996	1148	EXCEL.EXE	86
PID 1148 wrote to memory of 1604	1148	EXCEL.EXE	87
PID 1148 wrote to memory of 1604	1148	EXCEL.EXE	87
PID 1148 wrote to memory of 3480	1148	EXCEL.EXE	88
PID 1148 wrote to memory of 3480	1148	EXCEL.EXE	88
PID 3996 wrote to memory of 4252	3996	cmd.exe	92
PID 3996 wrote to memory of 4252	3996	cmd.exe	92

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
4252	attrib.exe

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\0d0b66217eb8cf8e17754331f77c67ec_JaffaCakes118.xls"
1⤵
- Deletes itself
- Checks processor information in registry
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1148
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c attrib -S -h "C:\Users\Admin\AppData\Roaming\Microsoft\Excel\XLSTART\K4.XLS"
  2⤵
  - Process spawned unexpected child process
  - Suspicious use of WriteProcessMemory
  PID:3996
- - C:\Windows\system32\attrib.exe
    attrib -S -h "C:\Users\Admin\AppData\Roaming\Microsoft\Excel\XLSTART\K4.XLS"
    3⤵
    - Views/modifies file attributes
    PID:4252
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c Del /F /Q "C:\Users\Admin\AppData\Roaming\Microsoft\Excel\XLSTART\K4.XLS"
  2⤵
  - Process spawned unexpected child process
  PID:1604
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c RD /S /Q "C:\Users\Admin\AppData\Roaming\Microsoft\Excel\XLSTART\K4.XLS"
  2⤵
  - Process spawned unexpected child process
  PID:3480

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

1

T1564

Hidden Files and Directories

1

T1564.001

Indicator Removal

1

T1070

File Deletion

1

T1070.004

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\0d0b66217eb8cf8e17754331f77c67ec_JaffaCakes118.xls

Filesize
199KB

MD5
2f45c3b4553bfeb96849898932d49184

SHA1
9197bdf418b53defed481e88fe7c0999d098ea60

SHA256
26f8c531cabeab23ebe78754e19d0725ee2406ded89096a39419330b92d7204d

SHA512
b42278e8580eeb57dc5c622f246b44d4609d9f7d103c8a8770eb3bbd475bc8292c9f207c47c0cece2d68d8f3344655f8fd4e482a416815408eee9b2f65c9203a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms

Filesize
1KB

MD5
50be077d1ffb7720d0e26c35e9de8b99

SHA1
b8765038a928d1e87626f8517455db0e3c0e0c28

SHA256
3afc17a00782e3711a70b784f5e4e9a4607d84c26df126d148edfd65515d2aab

SHA512
dbbef9a5a1b3fb892151f88ce80ed8901b6f973ddedcb32c05016d156fdc30ee8a0098de25625ffd52521c5b14159bddd7e612667a5f9b1ef0426f57d5a7aa18

Download Submit
memory/1148-8-0x00007FFABE190000-0x00007FFABE1A0000-memory.dmp

Filesize
64KB

Download
memory/1148-46-0x00007FFB00A70000-0x00007FFB00C65000-memory.dmp

Filesize
2.0MB

Download
memory/1148-5-0x00007FFB00A70000-0x00007FFB00C65000-memory.dmp

Filesize
2.0MB

Download
memory/1148-6-0x00007FFAC0AF0000-0x00007FFAC0B00000-memory.dmp

Filesize
64KB

Download
memory/1148-7-0x00007FFAC0AF0000-0x00007FFAC0B00000-memory.dmp

Filesize
64KB

Download
memory/1148-2-0x00007FFAC0AF0000-0x00007FFAC0B00000-memory.dmp

Filesize
64KB

Download
memory/1148-0-0x00007FFAC0AF0000-0x00007FFAC0B00000-memory.dmp

Filesize
64KB

Download
memory/1148-10-0x00007FFB00A70000-0x00007FFB00C65000-memory.dmp

Filesize
2.0MB

Download
memory/1148-12-0x00007FFB00A70000-0x00007FFB00C65000-memory.dmp

Filesize
2.0MB

Download
memory/1148-13-0x00007FFABE190000-0x00007FFABE1A0000-memory.dmp

Filesize
64KB

Download
memory/1148-11-0x00007FFB00A70000-0x00007FFB00C65000-memory.dmp

Filesize
2.0MB

Download
memory/1148-14-0x00007FFB00A70000-0x00007FFB00C65000-memory.dmp

Filesize
2.0MB

Download
memory/1148-15-0x00007FFB00A70000-0x00007FFB00C65000-memory.dmp

Filesize
2.0MB

Download
memory/1148-9-0x00007FFB00A70000-0x00007FFB00C65000-memory.dmp

Filesize
2.0MB

Download
memory/1148-3-0x00007FFAC0AF0000-0x00007FFAC0B00000-memory.dmp

Filesize
64KB

Download
memory/1148-47-0x00007FFB00A70000-0x00007FFB00C65000-memory.dmp

Filesize
2.0MB

Download
memory/1148-4-0x00007FFB00A70000-0x00007FFB00C65000-memory.dmp

Filesize
2.0MB

Download
memory/1148-58-0x00007FFB00A70000-0x00007FFB00C65000-memory.dmp

Filesize
2.0MB

Download
memory/1148-57-0x00007FFB00A70000-0x00007FFB00C65000-memory.dmp

Filesize
2.0MB

Download
memory/1148-55-0x00007FFB00A70000-0x00007FFB00C65000-memory.dmp

Filesize
2.0MB

Download
memory/1148-56-0x00007FFB00A70000-0x00007FFB00C65000-memory.dmp

Filesize
2.0MB

Download
memory/1148-44-0x00007FFB00A70000-0x00007FFB00C65000-memory.dmp

Filesize
2.0MB

Download
memory/1148-59-0x00007FFB00A70000-0x00007FFB00C65000-memory.dmp

Filesize
2.0MB

Download
memory/1148-103-0x00007FFB00A70000-0x00007FFB00C65000-memory.dmp

Filesize
2.0MB

Download
memory/1148-104-0x00007FFB00B0D000-0x00007FFB00B0E000-memory.dmp

Filesize
4KB

Download
memory/1148-105-0x00007FFB00A70000-0x00007FFB00C65000-memory.dmp

Filesize
2.0MB

Download
memory/1148-109-0x00007FFB00A70000-0x00007FFB00C65000-memory.dmp

Filesize
2.0MB

Download
memory/1148-110-0x00007FFB00A70000-0x00007FFB00C65000-memory.dmp

Filesize
2.0MB

Download
memory/1148-111-0x00007FFB00A70000-0x00007FFB00C65000-memory.dmp

Filesize
2.0MB

Download
memory/1148-1-0x00007FFB00B0D000-0x00007FFB00B0E000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads