4637494b847ad3706fa12a547033c7b204d9e2dcc8bd27c084550cf4a1a55f05

General

Target

3067d881eb56115f8ff1200a328645be_JaffaCakes118.xls
Size

24KB
MD5

3067d881eb56115f8ff1200a328645be
SHA1

1025a9c6ab029d401ad643513f78bafd26145c22
SHA256

4637494b847ad3706fa12a547033c7b204d9e2dcc8bd27c084550cf4a1a55f05
SHA512

b3464e324228edf106dd62c1fc085a6fbf8054946e1decf3810624678f1ce3cc1485376545421071dce0caa939f7d0aa72f9537dd0c4c5e99f9c86f196088ae8
SSDEEP

768:pyJJJAdFX/615hTVR2ANxCyG6GSlM2zr:oJJJAdFX/615hT9PCuJzr

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
3164	EXCEL.EXE

Suspicious use of SetWindowsHookEx 18 IoCs

pid	Process
3164	EXCEL.EXE
3164	EXCEL.EXE
3164	EXCEL.EXE
3164	EXCEL.EXE
3164	EXCEL.EXE
3164	EXCEL.EXE
3164	EXCEL.EXE
3164	EXCEL.EXE
3164	EXCEL.EXE
3164	EXCEL.EXE
3164	EXCEL.EXE
3164	EXCEL.EXE
3164	EXCEL.EXE
3164	EXCEL.EXE
3164	EXCEL.EXE
3164	EXCEL.EXE
3164	EXCEL.EXE
3164	EXCEL.EXE

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\3067d881eb56115f8ff1200a328645be_JaffaCakes118.xls"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:3164

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\VBA019.tmp

Filesize
1KB

MD5
f1b5d31534bce7d254c5003028001797

SHA1
577cf0f83d02a664fe4449a7a62395579afbbcf6

SHA256
e6a229d514a3aa019ed5f879ca1c27969d09c636d3d703469abe1e71562a732b

SHA512
2ae8cfdf87939d562c83d5490a68891297102f4178d510e5d00a64d5afc19ca53326d11e5cd01da581fc6559f1b26e674eb5368c79b45bb9e9d426f62ddb67dc

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Excel\XLSTART\81B75E00

Filesize
8KB

MD5
116530eba459f505fa48fc8e585365c5

SHA1
584e98a31e74025e8996eda91dbf7b25148fff40

SHA256
1ad9ca2cbf5edf2099b13264acc1885b1a3d604a512b0180a97927b311a32063

SHA512
158e4540ea029a407bf56c7562eb1a3b0197fc447e7c339e08ac319a5b99d8e0230f9b66a06e481936912999807c1111e7c9944b27ab1c7e2414729051526ead

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Excel\XLSTART\StartUp.xls

Filesize
8KB

MD5
247c87f3f9373810e7147d88a1618c8f

SHA1
a80f929912fafb9f26e6816d531baba26bd970d4

SHA256
9d38a81158d60a8503afec068656111664f27d574f24f9a2a98e523ead233bff

SHA512
f99303ef79fdfb189542e6548594b19bc623cd541497a7a10597b521016acdab338d244f013f9263566eb69e79cb39f4592a671d026bea8cb2f79b2c7a1e205b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

Filesize
330B

MD5
61e5c901a2a94dc6bbfcad3e16e14e4c

SHA1
aa8c968cef546110f59d02ed82de447a82ed40c6

SHA256
871c487a5d8c255b53728e73601b0f53cbda9310b9ed76f86f8148bf40c38099

SHA512
c7de35357e88097c27316f988a2106d472db6adedfc80d38de7865739bed284af7de6753d81fa173d19851de736b00ce563e14021f9c427f7dc5079b2724beeb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms

Filesize
683B

MD5
82427ba5ee365bf6254d0d672b2ec985

SHA1
4a2f0443d88f1bae28f3a18e38a7bb294070b509

SHA256
c704b1294ebeeb143e5d9a18c1521a14fe5ed4dd50f01ea4592df80d2d31926d

SHA512
304bb47f640a83128b2dee15119455f5ab3d1c485ec93cbf05982560ea5220768a48326256c943f645862d8ac77057957f28ece5dbfcab6ed86fe95f8d5ced73

Download Submit
memory/3164-15-0x00007FF9FDD90000-0x00007FF9FDF85000-memory.dmp

Filesize
2.0MB

Download
memory/3164-42-0x00007FF9FDD90000-0x00007FF9FDF85000-memory.dmp

Filesize
2.0MB

Download
memory/3164-10-0x00007FF9FDD90000-0x00007FF9FDF85000-memory.dmp

Filesize
2.0MB

Download
memory/3164-12-0x00007FF9FDD90000-0x00007FF9FDF85000-memory.dmp

Filesize
2.0MB

Download
memory/3164-11-0x00007FF9FDD90000-0x00007FF9FDF85000-memory.dmp

Filesize
2.0MB

Download
memory/3164-9-0x00007FF9FDD90000-0x00007FF9FDF85000-memory.dmp

Filesize
2.0MB

Download
memory/3164-13-0x00007FF9BBCA0000-0x00007FF9BBCB0000-memory.dmp

Filesize
64KB

Download
memory/3164-8-0x00007FF9FDD90000-0x00007FF9FDF85000-memory.dmp

Filesize
2.0MB

Download
memory/3164-14-0x00007FF9BBCA0000-0x00007FF9BBCB0000-memory.dmp

Filesize
64KB

Download
memory/3164-18-0x00007FF9FDD90000-0x00007FF9FDF85000-memory.dmp

Filesize
2.0MB

Download
memory/3164-20-0x00007FF9FDD90000-0x00007FF9FDF85000-memory.dmp

Filesize
2.0MB

Download
memory/3164-21-0x00007FF9FDD90000-0x00007FF9FDF85000-memory.dmp

Filesize
2.0MB

Download
memory/3164-19-0x00007FF9FDD90000-0x00007FF9FDF85000-memory.dmp

Filesize
2.0MB

Download
memory/3164-17-0x00007FF9FDD90000-0x00007FF9FDF85000-memory.dmp

Filesize
2.0MB

Download
memory/3164-16-0x00007FF9FDD90000-0x00007FF9FDF85000-memory.dmp

Filesize
2.0MB

Download
memory/3164-0-0x00007FF9FDE2D000-0x00007FF9FDE2E000-memory.dmp

Filesize
4KB

Download
memory/3164-7-0x00007FF9FDD90000-0x00007FF9FDF85000-memory.dmp

Filesize
2.0MB

Download
memory/3164-6-0x00007FF9FDD90000-0x00007FF9FDF85000-memory.dmp

Filesize
2.0MB

Download
memory/3164-43-0x00007FF9FDD90000-0x00007FF9FDF85000-memory.dmp

Filesize
2.0MB

Download
memory/3164-44-0x00007FF9FDD90000-0x00007FF9FDF85000-memory.dmp

Filesize
2.0MB

Download
memory/3164-2-0x00007FF9BDE10000-0x00007FF9BDE20000-memory.dmp

Filesize
64KB

Download
memory/3164-52-0x00007FF9FDD90000-0x00007FF9FDF85000-memory.dmp

Filesize
2.0MB

Download
memory/3164-53-0x00007FF9FDD90000-0x00007FF9FDF85000-memory.dmp

Filesize
2.0MB

Download
memory/3164-5-0x00007FF9BDE10000-0x00007FF9BDE20000-memory.dmp

Filesize
64KB

Download
memory/3164-4-0x00007FF9BDE10000-0x00007FF9BDE20000-memory.dmp

Filesize
64KB

Download
memory/3164-78-0x00007FF9FDE2D000-0x00007FF9FDE2E000-memory.dmp

Filesize
4KB

Download
memory/3164-3-0x00007FF9BDE10000-0x00007FF9BDE20000-memory.dmp

Filesize
64KB

Download
memory/3164-98-0x00007FF9FDD90000-0x00007FF9FDF85000-memory.dmp

Filesize
2.0MB

Download
memory/3164-99-0x00007FF9FDD90000-0x00007FF9FDF85000-memory.dmp

Filesize
2.0MB

Download
memory/3164-100-0x00007FF9FDD90000-0x00007FF9FDF85000-memory.dmp

Filesize
2.0MB

Download
memory/3164-101-0x00007FF9FDD90000-0x00007FF9FDF85000-memory.dmp

Filesize
2.0MB

Download
memory/3164-102-0x00007FF9FDD90000-0x00007FF9FDF85000-memory.dmp

Filesize
2.0MB

Download
memory/3164-103-0x00007FF9FDD90000-0x00007FF9FDF85000-memory.dmp

Filesize
2.0MB

Download
memory/3164-104-0x00007FF9FDD90000-0x00007FF9FDF85000-memory.dmp

Filesize
2.0MB

Download
memory/3164-1-0x00007FF9BDE10000-0x00007FF9BDE20000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads