1354e719634665581d78f9f833a098c76ebf96b4f31bd183f4cf4a9671f40bba

Analysis

max time kernel
120s
max time network
121s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
09/03/2025, 17:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_5a5fc84085509e2b07953f02928d2d3e.xls
Size

58KB
MD5

5a5fc84085509e2b07953f02928d2d3e
SHA1

841f4c19e6d5ad16d8d47f0513633a06b3d65a41
SHA256

1354e719634665581d78f9f833a098c76ebf96b4f31bd183f4cf4a9671f40bba
SHA512

b1079818ff4a0256b66e0681b8dec036350f9220441c15e3f4b1edfc9e49f71f5eb4aeae3835c56e837e263df42007968eb19bb6a77d7c673e84a37107d06ae3
SSDEEP

768:2BVM1LrYN1RwKz4glbzl4bTHqE0cwGiEdbC3WNQPPBLxW+EVWjBHQQBjt:+0gn2Tt0cwGiEd23WNQPPBc+2W5Q

Score

3^/10

discovery

Malware Config

Signatures

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXCEL.EXE

Office loads VBA resources, possible macro or embedded object present

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1976	EXCEL.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1976	EXCEL.EXE

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
1976	EXCEL.EXE
1976	EXCEL.EXE
1976	EXCEL.EXE
1976	EXCEL.EXE

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5a5fc84085509e2b07953f02928d2d3e.xls
1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:1976

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\VBC3ED.tmp

Filesize
1KB

MD5
da6d606ab9dc75398f92529cb2e4950c

SHA1
afbe0893248bf63c313119d30e7d6eab629ec2fe

SHA256
4376682595f7be193c54f7a618ecb2d4a84fc42f7ecdcc2e279b8f2fc18f50fe

SHA512
24de56dfa1401a0af40a015596f480115dbe8db54675a0b45e3dd60e5d98e504165abdcb17568ac71be2374fe1b618008f59fef122189f75f048760aaaad5531

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Excel\XLSTART\StartUp.xls

Filesize
7KB

MD5
1161f9a47ccdbdfc62e7b94882d41fd1

SHA1
bfed47cbacdaf93a601e3d1099ab1dbdbf7ee81d

SHA256
31ce9ab49f386096dd394627d6632b72942ff9a458933444ec77044cff62bef0

SHA512
b2d377de51206168d55b589a6adf6ba3f4cd44d5e49b2638a92160a2051362be0865372b961d4fa77c2b0958f13886c0d619c8990966bc051b3c4592af07807a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Excel\XLSTART\StartUp.xls

Filesize
7KB

MD5
e76f0d11e5babeb2d79f55d8307e7829

SHA1
6fb1e5ffdde6e20d804ab3a9e83ab16ccba98111

SHA256
6cbf57f85655a56232767622e851b8c34c076851af529f00ede07c3103f59d9c

SHA512
96252b05e115fca39704f342b3ed9bddf3d5d3d34693e3c81bf113b2327a9719fe70247583d74d0b466d54c6d72c2145684104c6d532019eab4695f6b8a71eea

Download Submit
memory/1976-1-0x0000000072B8D000-0x0000000072B98000-memory.dmp

Filesize
44KB

Download
memory/1976-0-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1976-6-0x00000000066A0000-0x00000000067A0000-memory.dmp

Filesize
1024KB

Download
memory/1976-58-0x00000000066A0000-0x00000000067A0000-memory.dmp

Filesize
1024KB

Download
memory/1976-59-0x0000000072B8D000-0x0000000072B98000-memory.dmp

Filesize
44KB

Download
memory/1976-60-0x00000000066A0000-0x00000000067A0000-memory.dmp

Filesize
1024KB

Download
memory/1976-61-0x00000000066A0000-0x00000000067A0000-memory.dmp

Filesize
1024KB

Download