a0068a0869f0a81cdb8a6ec5190bd71d0130f657daeff648424a9db2a14ea2d0

General

Target

43c1e6a8ffc7a66d9a875883675bc94c_JaffaCakes118.xls
Size

333KB
MD5

43c1e6a8ffc7a66d9a875883675bc94c
SHA1

6770f7f28472275d950273cca596add579032be0
SHA256

a0068a0869f0a81cdb8a6ec5190bd71d0130f657daeff648424a9db2a14ea2d0
SHA512

67bb5f538ecb6d2e534507b584e3b8ccfc77c3b4de859435803c463e696227b4a5c558aaf523b02db2ecb8dc5675540c726519d177fd94e2e7a9c3ffcf79ff48
SSDEEP

3072:812qeqtVW/A23SSZWLTF4f2jcc0lbxOr1ga6AnP67l:9q03BWqTQS

Score

10^/10

defense_evasion

Malware Config

Signatures

Process spawned unexpected child process 3 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	3804	1928	cmd.exe	83
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	924	1928	cmd.exe	83
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	1088	1928	cmd.exe	83

Deletes itself 1 IoCs

pid	Process
1928	EXCEL.EXE

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE

NTFS ADS 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Temp\2A875E00\:Zone.Identifier:$DATA	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1928	EXCEL.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1928	EXCEL.EXE
1928	EXCEL.EXE

Suspicious use of SetWindowsHookEx 14 IoCs

pid	Process
1928	EXCEL.EXE
1928	EXCEL.EXE
1928	EXCEL.EXE
1928	EXCEL.EXE
1928	EXCEL.EXE
1928	EXCEL.EXE
1928	EXCEL.EXE
1928	EXCEL.EXE
1928	EXCEL.EXE
1928	EXCEL.EXE
1928	EXCEL.EXE
1928	EXCEL.EXE
1928	EXCEL.EXE
1928	EXCEL.EXE

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1928 wrote to memory of 1088	1928	EXCEL.EXE	89
PID 1928 wrote to memory of 1088	1928	EXCEL.EXE	89
PID 1928 wrote to memory of 924	1928	EXCEL.EXE	90
PID 1928 wrote to memory of 924	1928	EXCEL.EXE	90
PID 1928 wrote to memory of 3804	1928	EXCEL.EXE	91
PID 1928 wrote to memory of 3804	1928	EXCEL.EXE	91
PID 1088 wrote to memory of 2896	1088	cmd.exe	95
PID 1088 wrote to memory of 2896	1088	cmd.exe	95

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
2896	attrib.exe

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\43c1e6a8ffc7a66d9a875883675bc94c_JaffaCakes118.xls"
1⤵
- Deletes itself
- Checks processor information in registry
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1928
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c attrib -S -h "C:\Users\Admin\AppData\Roaming\Microsoft\Excel\XLSTART\K4.XLS"
  2⤵
  - Process spawned unexpected child process
  - Suspicious use of WriteProcessMemory
  PID:1088
- - C:\Windows\system32\attrib.exe
    attrib -S -h "C:\Users\Admin\AppData\Roaming\Microsoft\Excel\XLSTART\K4.XLS"
    3⤵
    - Views/modifies file attributes
    PID:2896
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c Del /F /Q "C:\Users\Admin\AppData\Roaming\Microsoft\Excel\XLSTART\K4.XLS"
  2⤵
  - Process spawned unexpected child process
  PID:924
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c RD /S /Q "C:\Users\Admin\AppData\Roaming\Microsoft\Excel\XLSTART\K4.XLS"
  2⤵
  - Process spawned unexpected child process
  PID:3804

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

1

T1564

Hidden Files and Directories

1

T1564.001

Indicator Removal

1

T1070

File Deletion

1

T1070.004

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\43c1e6a8ffc7a66d9a875883675bc94c_JaffaCakes118.xls

Filesize
406KB

MD5
9c6c660703c0bdf6101b1678ee3ef7db

SHA1
6dbec8e72030f56b450b6e57e732bfd2a318d319

SHA256
5d7f29c87b9a58e2f0c60b59559390fbc5a20989b39d5a5753cbdf6d20bdba4d

SHA512
1f41033778996b546eb0c571a509b7cae6fe3a7f0deae8f1e4c56448ec0cca8116f852c5f7b412c1a738c678d325b2b28c414f576b6e548d34b96abc6e79171f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms

Filesize
682B

MD5
972d5af16f8281f12e2180f63160b43a

SHA1
f1de7f3f5630bf9bbb0fc5db3a80541145e57bca

SHA256
f791c2afa93f4b8805c2e81159919a119dfdd7981726faf914643d1077856e4d

SHA512
5425f0bbf90f80e1d8f67a991e00cbeec9c9a14340546a5026ef14f8cec23135800eef46c54d8c2cc6fb0a11297fe24082a2d65838dd438f07a0bb4ab38e223e

Download Submit
memory/1928-14-0x00007FFA4F890000-0x00007FFA4F8A0000-memory.dmp

Filesize
64KB

Download
memory/1928-55-0x00007FFA91E10000-0x00007FFA92005000-memory.dmp

Filesize
2.0MB

Download
memory/1928-4-0x00007FFA51E90000-0x00007FFA51EA0000-memory.dmp

Filesize
64KB

Download
memory/1928-6-0x00007FFA91E10000-0x00007FFA92005000-memory.dmp

Filesize
2.0MB

Download
memory/1928-7-0x00007FFA51E90000-0x00007FFA51EA0000-memory.dmp

Filesize
64KB

Download
memory/1928-0-0x00007FFA91EAD000-0x00007FFA91EAE000-memory.dmp

Filesize
4KB

Download
memory/1928-10-0x00007FFA91E10000-0x00007FFA92005000-memory.dmp

Filesize
2.0MB

Download
memory/1928-9-0x00007FFA91E10000-0x00007FFA92005000-memory.dmp

Filesize
2.0MB

Download
memory/1928-11-0x00007FFA91E10000-0x00007FFA92005000-memory.dmp

Filesize
2.0MB

Download
memory/1928-13-0x00007FFA91E10000-0x00007FFA92005000-memory.dmp

Filesize
2.0MB

Download
memory/1928-15-0x00007FFA91E10000-0x00007FFA92005000-memory.dmp

Filesize
2.0MB

Download
memory/1928-17-0x00007FFA91E10000-0x00007FFA92005000-memory.dmp

Filesize
2.0MB

Download
memory/1928-16-0x00007FFA91E10000-0x00007FFA92005000-memory.dmp

Filesize
2.0MB

Download
memory/1928-18-0x00007FFA4F890000-0x00007FFA4F8A0000-memory.dmp

Filesize
64KB

Download
memory/1928-5-0x00007FFA91E10000-0x00007FFA92005000-memory.dmp

Filesize
2.0MB

Download
memory/1928-1-0x00007FFA51E90000-0x00007FFA51EA0000-memory.dmp

Filesize
64KB

Download
memory/1928-8-0x00007FFA91E10000-0x00007FFA92005000-memory.dmp

Filesize
2.0MB

Download
memory/1928-12-0x00007FFA91E10000-0x00007FFA92005000-memory.dmp

Filesize
2.0MB

Download
memory/1928-56-0x00007FFA91E10000-0x00007FFA92005000-memory.dmp

Filesize
2.0MB

Download
memory/1928-57-0x00007FFA91E10000-0x00007FFA92005000-memory.dmp

Filesize
2.0MB

Download
memory/1928-58-0x00007FFA91E10000-0x00007FFA92005000-memory.dmp

Filesize
2.0MB

Download
memory/1928-53-0x00007FFA91E10000-0x00007FFA92005000-memory.dmp

Filesize
2.0MB

Download
memory/1928-46-0x00007FFA91E10000-0x00007FFA92005000-memory.dmp

Filesize
2.0MB

Download
memory/1928-70-0x00007FFA91E10000-0x00007FFA92005000-memory.dmp

Filesize
2.0MB

Download
memory/1928-2-0x00007FFA51E90000-0x00007FFA51EA0000-memory.dmp

Filesize
64KB

Download
memory/1928-103-0x00007FFA91EAD000-0x00007FFA91EAE000-memory.dmp

Filesize
4KB

Download
memory/1928-104-0x00007FFA91E10000-0x00007FFA92005000-memory.dmp

Filesize
2.0MB

Download
memory/1928-105-0x00007FFA91E10000-0x00007FFA92005000-memory.dmp

Filesize
2.0MB

Download
memory/1928-106-0x00007FFA91E10000-0x00007FFA92005000-memory.dmp

Filesize
2.0MB

Download
memory/1928-107-0x00007FFA91E10000-0x00007FFA92005000-memory.dmp

Filesize
2.0MB

Download
memory/1928-108-0x00007FFA91E10000-0x00007FFA92005000-memory.dmp

Filesize
2.0MB

Download
memory/1928-3-0x00007FFA51E90000-0x00007FFA51EA0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads