d6b9ba7711114e7e0fff780f4807474078b897e6e2d68989a63f5cc2a627124b

General

Target

e038e28f7a1788b1135d89552c71b937_JaffaCakes118.xls
Size

36KB
MD5

e038e28f7a1788b1135d89552c71b937
SHA1

f88bd72d4d3f40c9abccfb885775bdf3e934f729
SHA256

d6b9ba7711114e7e0fff780f4807474078b897e6e2d68989a63f5cc2a627124b
SHA512

fe565e834e1c92247f97c4ca98e490f0ef5bb5915ae469c8ff768fac69fd8c8d6241f51e3fea3a0301d7bff86a93b6e4198ed25c6a94bba4e4e4cce43e0e1139
SSDEEP

768:cPqNk3hbdlylKsgqopeJBWhZFGkE+cL2NdAJxAusmLqbfls:Iok3hbdlylKsgqopeJBWhZFGkE+cL2Na

Score

10^/10

Malware Config

Signatures

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	1216	4900	explorer.exe	82

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	explorer.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
4900	EXCEL.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4900	EXCEL.EXE

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
4900	EXCEL.EXE
4900	EXCEL.EXE
4900	EXCEL.EXE
4900	EXCEL.EXE
4900	EXCEL.EXE
4900	EXCEL.EXE

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4900 wrote to memory of 1216	4900	EXCEL.EXE	87
PID 4900 wrote to memory of 1216	4900	EXCEL.EXE	87
PID 384 wrote to memory of 1312	384	explorer.exe	89
PID 384 wrote to memory of 1312	384	explorer.exe	89

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\e038e28f7a1788b1135d89552c71b937_JaffaCakes118.xls"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4900
- C:\Windows\explorer.exe
  explorer.exe C:\Users\Public\Documents\m0M.vbs
  2⤵
  - Process spawned unexpected child process
  PID:1216

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:384
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Public\Documents\m0M.vbs"
  2⤵
  PID:1312

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Public\Documents\m0M.vbs

Filesize
548B

MD5
343b6a3319984b44a086e8a0cd927cd8

SHA1
3aedca56351ea8609301e0f4c8a7e09daa0b404a

SHA256
c6545d8df076cea6e855ee660a98336708960df66421374e163840fe364e3543

SHA512
3e0bc88124a345057d98f41de90e308ebe47c000b0cc022a35fb374eccbfdb887690506e099d11fe8ebbc40fd62fc3e6b88a6f9580be8b35ffa8cb33d9918758

Download Submit
memory/4900-11-0x00007FFF47630000-0x00007FFF47825000-memory.dmp

Filesize
2.0MB

Download
memory/4900-14-0x00007FFF47630000-0x00007FFF47825000-memory.dmp

Filesize
2.0MB

Download
memory/4900-1-0x00007FFF076B0000-0x00007FFF076C0000-memory.dmp

Filesize
64KB

Download
memory/4900-6-0x00007FFF076B0000-0x00007FFF076C0000-memory.dmp

Filesize
64KB

Download
memory/4900-8-0x00007FFF47630000-0x00007FFF47825000-memory.dmp

Filesize
2.0MB

Download
memory/4900-7-0x00007FFF47630000-0x00007FFF47825000-memory.dmp

Filesize
2.0MB

Download
memory/4900-12-0x00007FFF47630000-0x00007FFF47825000-memory.dmp

Filesize
2.0MB

Download
memory/4900-10-0x00007FFF47630000-0x00007FFF47825000-memory.dmp

Filesize
2.0MB

Download
memory/4900-0-0x00007FFF076B0000-0x00007FFF076C0000-memory.dmp

Filesize
64KB

Download
memory/4900-16-0x00007FFF04DB0000-0x00007FFF04DC0000-memory.dmp

Filesize
64KB

Download
memory/4900-2-0x00007FFF476CD000-0x00007FFF476CE000-memory.dmp

Filesize
4KB

Download
memory/4900-13-0x00007FFF47630000-0x00007FFF47825000-memory.dmp

Filesize
2.0MB

Download
memory/4900-15-0x00007FFF47630000-0x00007FFF47825000-memory.dmp

Filesize
2.0MB

Download
memory/4900-17-0x00007FFF04DB0000-0x00007FFF04DC0000-memory.dmp

Filesize
64KB

Download
memory/4900-9-0x00007FFF47630000-0x00007FFF47825000-memory.dmp

Filesize
2.0MB

Download
memory/4900-18-0x00007FFF47630000-0x00007FFF47825000-memory.dmp

Filesize
2.0MB

Download
memory/4900-5-0x00007FFF47630000-0x00007FFF47825000-memory.dmp

Filesize
2.0MB

Download
memory/4900-19-0x00007FFF47630000-0x00007FFF47825000-memory.dmp

Filesize
2.0MB

Download
memory/4900-4-0x00007FFF076B0000-0x00007FFF076C0000-memory.dmp

Filesize
64KB

Download
memory/4900-20-0x00007FFF47630000-0x00007FFF47825000-memory.dmp

Filesize
2.0MB

Download
memory/4900-3-0x00007FFF076B0000-0x00007FFF076C0000-memory.dmp

Filesize
64KB

Download
memory/4900-32-0x00007FFF47630000-0x00007FFF47825000-memory.dmp

Filesize
2.0MB

Download
memory/4900-36-0x00007FFF47630000-0x00007FFF47825000-memory.dmp

Filesize
2.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads