f52177837b0eaaf696030413951c34b2eb535fa7de721f0b93b4399a8048d8a3

Analysis

max time kernel
148s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
09/10/2024, 04:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2b054ccbd996f138ebf0f25b99493567_JaffaCakes118.xls
Size

106KB
MD5

2b054ccbd996f138ebf0f25b99493567
SHA1

ac709136eb5c0f929834ca96b9f1820f0b5e2c35
SHA256

f52177837b0eaaf696030413951c34b2eb535fa7de721f0b93b4399a8048d8a3
SHA512

ba94a9c20f53eb239bbf0da5f40cc38a37614887121defe30cc3a233930d0e630101b4d35c45e310dfaf23557ad48b3fcd3e58e9cc181a5bb1f4065294d181ea
SSDEEP

1536:0RRR0SLElwMV3NxgxrFtT8jIW0zALoVZTcuWCOTY/C2jcc0lbxOvTgZJKOeXcJtv:gZC2jcc0lbxOrl/MJtXwKb

Score

10^/10

defense_evasion

Malware Config

Signatures

Process spawned unexpected child process 3 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	3896	1312	cmd.exe	82
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	4752	1312	cmd.exe	82
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	2740	1312	cmd.exe	82

Deletes itself 1 IoCs

pid	Process
1312	EXCEL.EXE

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE

NTFS ADS 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Temp\8ED75E00\:Zone.Identifier:$DATA	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1312	EXCEL.EXE

Suspicious use of SetWindowsHookEx 16 IoCs

pid	Process
1312	EXCEL.EXE
1312	EXCEL.EXE
1312	EXCEL.EXE
1312	EXCEL.EXE
1312	EXCEL.EXE
1312	EXCEL.EXE
1312	EXCEL.EXE
1312	EXCEL.EXE
1312	EXCEL.EXE
1312	EXCEL.EXE
1312	EXCEL.EXE
1312	EXCEL.EXE
1312	EXCEL.EXE
1312	EXCEL.EXE
1312	EXCEL.EXE
1312	EXCEL.EXE

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1312 wrote to memory of 2740	1312	EXCEL.EXE	89
PID 1312 wrote to memory of 2740	1312	EXCEL.EXE	89
PID 1312 wrote to memory of 4752	1312	EXCEL.EXE	90
PID 1312 wrote to memory of 4752	1312	EXCEL.EXE	90
PID 1312 wrote to memory of 3896	1312	EXCEL.EXE	91
PID 1312 wrote to memory of 3896	1312	EXCEL.EXE	91
PID 2740 wrote to memory of 460	2740	cmd.exe	95
PID 2740 wrote to memory of 460	2740	cmd.exe	95

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
460	attrib.exe

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\2b054ccbd996f138ebf0f25b99493567_JaffaCakes118.xls"
1⤵
- Deletes itself
- Checks processor information in registry
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1312
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c attrib -S -h "C:\Users\Admin\AppData\Roaming\Microsoft\Excel\XLSTART\K4.XLS"
  2⤵
  - Process spawned unexpected child process
  - Suspicious use of WriteProcessMemory
  PID:2740
- - C:\Windows\system32\attrib.exe
    attrib -S -h "C:\Users\Admin\AppData\Roaming\Microsoft\Excel\XLSTART\K4.XLS"
    3⤵
    - Views/modifies file attributes
    PID:460
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c Del /F /Q "C:\Users\Admin\AppData\Roaming\Microsoft\Excel\XLSTART\K4.XLS"
  2⤵
  - Process spawned unexpected child process
  PID:4752
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c RD /S /Q "C:\Users\Admin\AppData\Roaming\Microsoft\Excel\XLSTART\K4.XLS"
  2⤵
  - Process spawned unexpected child process
  PID:3896

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Indicator Removal

T1070

File Deletion

T1070.004

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2b054ccbd996f138ebf0f25b99493567_JaffaCakes118.xls

Filesize
144KB

MD5
81d69dcbeefcc94a38d006e815873fc7

SHA1
c3f6f35621d0351ed97bed0b6deff11e92311cda

SHA256
b493601528a8a83a993135a611f2edd43603f00c8359bde9d833a4a9e800db43

SHA512
8e9aecefb4dfbc042913b638530e03fafa3f9c19710ccd56047e529ffd11dcbd24f3de5045f8b56e2a57133df39df6249785ec5e91d7d00a40a551be49d4b4af

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms

Filesize
1KB

MD5
d39c669947c492dc48cea31b1861f0b8

SHA1
b8ca95b322b180854a137c98cc1522a27f0d3bc4

SHA256
34d5b3d931622637f2a96c00439905549f468cdfc1f3bd58972ba478e35c8d6e

SHA512
ef46494027fca8dfaa93031b20c5497115fc122c7fca291a2ae20914e6918999f522714eef0aba2c1238a5c86cdfa23b10231dded9e4322af64cb35975d6b3f2

Download Submit
memory/1312-47-0x00007FF978A10000-0x00007FF978C05000-memory.dmp

Filesize
2.0MB

Download
memory/1312-59-0x00007FF978A10000-0x00007FF978C05000-memory.dmp

Filesize
2.0MB

Download
memory/1312-2-0x00007FF938A90000-0x00007FF938AA0000-memory.dmp

Filesize
64KB

Download
memory/1312-5-0x00007FF978A10000-0x00007FF978C05000-memory.dmp

Filesize
2.0MB

Download
memory/1312-6-0x00007FF938A90000-0x00007FF938AA0000-memory.dmp

Filesize
64KB

Download
memory/1312-8-0x00007FF978A10000-0x00007FF978C05000-memory.dmp

Filesize
2.0MB

Download
memory/1312-7-0x00007FF978A10000-0x00007FF978C05000-memory.dmp

Filesize
2.0MB

Download
memory/1312-10-0x00007FF978A10000-0x00007FF978C05000-memory.dmp

Filesize
2.0MB

Download
memory/1312-9-0x00007FF9362D0000-0x00007FF9362E0000-memory.dmp

Filesize
64KB

Download
memory/1312-11-0x00007FF978A10000-0x00007FF978C05000-memory.dmp

Filesize
2.0MB

Download
memory/1312-14-0x00007FF978A10000-0x00007FF978C05000-memory.dmp

Filesize
2.0MB

Download
memory/1312-13-0x00007FF978A10000-0x00007FF978C05000-memory.dmp

Filesize
2.0MB

Download
memory/1312-15-0x00007FF978A10000-0x00007FF978C05000-memory.dmp

Filesize
2.0MB

Download
memory/1312-17-0x00007FF978A10000-0x00007FF978C05000-memory.dmp

Filesize
2.0MB

Download
memory/1312-18-0x00007FF978A10000-0x00007FF978C05000-memory.dmp

Filesize
2.0MB

Download
memory/1312-19-0x00007FF978A10000-0x00007FF978C05000-memory.dmp

Filesize
2.0MB

Download
memory/1312-16-0x00007FF9362D0000-0x00007FF9362E0000-memory.dmp

Filesize
64KB

Download
memory/1312-12-0x00007FF978A10000-0x00007FF978C05000-memory.dmp

Filesize
2.0MB

Download
memory/1312-0-0x00007FF938A90000-0x00007FF938AA0000-memory.dmp

Filesize
64KB

Download
memory/1312-56-0x00007FF978A10000-0x00007FF978C05000-memory.dmp

Filesize
2.0MB

Download
memory/1312-4-0x00007FF938A90000-0x00007FF938AA0000-memory.dmp

Filesize
64KB

Download
memory/1312-65-0x00007FF978A10000-0x00007FF978C05000-memory.dmp

Filesize
2.0MB

Download
memory/1312-57-0x00007FF978A10000-0x00007FF978C05000-memory.dmp

Filesize
2.0MB

Download
memory/1312-60-0x00007FF978A10000-0x00007FF978C05000-memory.dmp

Filesize
2.0MB

Download
memory/1312-58-0x00007FF978AAD000-0x00007FF978AAE000-memory.dmp

Filesize
4KB

Download
memory/1312-54-0x00007FF978A10000-0x00007FF978C05000-memory.dmp

Filesize
2.0MB

Download
memory/1312-55-0x00007FF978A10000-0x00007FF978C05000-memory.dmp

Filesize
2.0MB

Download
memory/1312-44-0x00007FF978A10000-0x00007FF978C05000-memory.dmp

Filesize
2.0MB

Download
memory/1312-53-0x00007FF978A10000-0x00007FF978C05000-memory.dmp

Filesize
2.0MB

Download
memory/1312-74-0x00007FF978A10000-0x00007FF978C05000-memory.dmp

Filesize
2.0MB

Download
memory/1312-77-0x00007FF978A10000-0x00007FF978C05000-memory.dmp

Filesize
2.0MB

Download
memory/1312-78-0x00007FF978A10000-0x00007FF978C05000-memory.dmp

Filesize
2.0MB

Download
memory/1312-76-0x00007FF978A10000-0x00007FF978C05000-memory.dmp

Filesize
2.0MB

Download
memory/1312-96-0x00007FF978A10000-0x00007FF978C05000-memory.dmp

Filesize
2.0MB

Download
memory/1312-75-0x00007FF978A10000-0x00007FF978C05000-memory.dmp

Filesize
2.0MB

Download
memory/1312-73-0x00007FF978A10000-0x00007FF978C05000-memory.dmp

Filesize
2.0MB

Download
memory/1312-3-0x00007FF938A90000-0x00007FF938AA0000-memory.dmp

Filesize
64KB

Download
memory/1312-117-0x00007FF978A10000-0x00007FF978C05000-memory.dmp

Filesize
2.0MB

Download
memory/1312-118-0x00007FF978A10000-0x00007FF978C05000-memory.dmp

Filesize
2.0MB

Download
memory/1312-119-0x00007FF978A10000-0x00007FF978C05000-memory.dmp

Filesize
2.0MB

Download
memory/1312-1-0x00007FF978AAD000-0x00007FF978AAE000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads