Analysis

max time kernel: 133s
max time network: 138s
platform: windows10-2004_x64
resource: win10v2004-20250217-en
resource tags: arch:x64, arch:x86, image:win10v2004-20250217-en, locale:en-us, os:windows10-2004-x64, system
submitted: 10/03/2025, 06:39
Behavioral task behavioral1
Sample: JaffaCakes118_5d9ca7b8d7c51647d160ad28c959a323.xls
Resource: win7-20240903-en

Behavioral task behavioral2 (the run whose results are shown on this page)
Sample: JaffaCakes118_5d9ca7b8d7c51647d160ad28c959a323.xls
Resource: win10v2004-20250217-en
General

Target: JaffaCakes118_5d9ca7b8d7c51647d160ad28c959a323.xls
Size: 103KB
MD5: 5d9ca7b8d7c51647d160ad28c959a323
SHA1: 69c3ecf4a9b75d59458cd64656bdd14801974ff4
SHA256: c7ffb21dc2ba8c2b66a11adfc5fd7973f28d12f09c38ca96028bd98edfc71ff9
SHA512: 6492de4ff70dc8efa31f27031f5899b0a00eed3618f494583dbe98d3870b0f36e99f246bd02286d05014452c563782115ae4e3a045acab351f59709125841392
SSDEEP: 1536:+qCelyuMAGEPtjHr2Dz3xx2WVbrzQ7ITX8NYabA23+9hY7nJdJoOd7cJtXwGCh:uTwtjHr2DbxIWVbrzQ7IToZW2AJtXwh
Malware Config
Signatures
Process spawned unexpected child process (3 IoCs)
This typically indicates the parent process was compromised via an exploit or macro.

description | pid | pid_target | Process | procid_target
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | 4264 | 3328 | cmd.exe | 85
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | 2176 | 3328 | cmd.exe | 85
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | 2680 | 3328 | cmd.exe | 85

YARA match: resource behavioral2/files/0x000b000000023c08-105.dat matched rule office_xlm_macros (Excel 4.0 / XLM macro sheet)
Deletes itself (1 IoCs)

pid | Process
3328 | EXCEL.EXE

Indicator Removal: File Deletion (1 TTPs)
Adversaries may delete files left behind by the actions of their intrusion activity.
The only deletion visible in this trace is of C:\Users\Admin\AppData\Roaming\Microsoft\Excel\XLSTART\K4.XLS, carried out through the cmd.exe children listed under Processes.
Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.

description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | EXCEL.EXE

Enumerates system info in registry (2 TTPs, 3 IoCs)

description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | EXCEL.EXE

Both sets of reads are attributed to EXCEL.EXE itself, and Office reads these hardware keys during normal startup as well, so on their own they are weak evidence of sandbox evasion. The stronger signal in this run is the XLSTART cleanup chain under Processes.
NTFS ADS (1 IoCs)

description | ioc | Process
File created | C:\Users\Admin\AppData\Local\Temp\64B75E00\:Zone.Identifier:$DATA | EXCEL.EXE

Zone.Identifier is the Mark-of-the-Web stream; the report attributes its creation on this temp path to EXCEL.EXE.
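The Zone.Identifier stream flagged above is the Mark-of-the-Web that Office's macro blocking for internet-sourced files keys off. The reader below is an added example, not part of the sandbox report or its vendor's tooling: it parses the stream's [ZoneTransfer] section and reports whether the file is marked as coming from the Internet or Restricted zone. The stream bytes in SAMPLE_STREAM are constructed to match the format Windows writes; the actual stream from this run is not available, and read_zone_identifier assumes an NTFS volume on Windows.

```python
# Zone identifier values as defined by URLZONE: 0 local machine .. 4 restricted.
ZONES = {0: "Local machine", 1: "Local intranet", 2: "Trusted sites",
         3: "Internet", 4: "Restricted sites"}


def parse_zone_identifier(data: bytes) -> dict:
    """Parse a Zone.Identifier stream (ini-style [ZoneTransfer] section).

    Returns the keys found in that section; ZoneId is converted to int when
    it is numeric. An empty dict means no ZoneTransfer section was present.
    """
    text = data.decode("utf-8", errors="replace")
    result = {}
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "zonetransfer"
            continue
        if in_section and "=" in line:
            key, value = line.split("=", 1)
            result[key.strip()] = value.strip()
    if "ZoneId" in result:
        try:
            result["ZoneId"] = int(result["ZoneId"])
        except ValueError:
            pass  # keep the raw string so the caller can see the malformed value
    return result


def has_mark_of_the_web(data: bytes) -> bool:
    """True when the stream marks the file as Internet (3) or Restricted (4)."""
    zone = parse_zone_identifier(data).get("ZoneId")
    return isinstance(zone, int) and zone >= 3


def read_zone_identifier(path: str) -> dict:
    """Read the ADS off a file. Assumption: NTFS on Windows; raises FileNotFoundError
    when the file carries no Zone.Identifier stream."""
    with open(path + ":Zone.Identifier", "rb") as fh:
        return parse_zone_identifier(fh.read())


# Constructed sample of what a browser download of an .xls typically leaves behind.
SAMPLE_STREAM = (
    b"[ZoneTransfer]\r\n"
    b"ZoneId=3\r\n"
    b"ReferrerUrl=https://example.invalid/\r\n"
    b"HostUrl=https://example.invalid/JaffaCakes118_sample.xls\r\n"
)

if __name__ == "__main__":
    info = parse_zone_identifier(SAMPLE_STREAM)
    print(info, ZONES.get(info.get("ZoneId")), has_mark_of_the_web(SAMPLE_STREAM))
```

A file that reaches Excel without this stream (for example one extracted from an archive by a tool that does not propagate the mark, or copied from a FAT volume) is treated as local, which is why the presence or absence of this stream matters more than its exact URLs when triaging a macro document.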
Suspicious behavior: AddClipboardFormatListener (1 IoCs)

pid | Process
3328 | EXCEL.EXE

Suspicious use of SetWindowsHookEx (14 IoCs)

pid | Process
3328 | EXCEL.EXE (14 calls, all from the same process)

Suspicious use of WriteProcessMemory (8 IoCs)

description | pid | Process | procid_target
PID 3328 wrote to memory of 2680 | 3328 | EXCEL.EXE | 90 (logged twice)
PID 3328 wrote to memory of 2176 | 3328 | EXCEL.EXE | 91 (logged twice)
PID 3328 wrote to memory of 4264 | 3328 | EXCEL.EXE | 92 (logged twice)
PID 2680 wrote to memory of 1884 | 2680 | cmd.exe | 96 (logged twice)

Views/modifies file attributes (1 TTPs, 1 IoCs)

pid | Process
1884 | attrib.exe
Processes

EXCEL.EXE  PID 3328
  "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5d9ca7b8d7c51647d160ad28c959a323.xls"
  Signatures: Deletes itself; Checks processor information in registry; Enumerates system info in registry; NTFS ADS; Suspicious behavior: AddClipboardFormatListener; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory

  cmd.exe  PID 2680  (child of 3328)
    C:\Windows\system32\cmd.exe /c attrib -S -h "C:\Users\Admin\AppData\Roaming\Microsoft\Excel\XLSTART\K4.XLS"
    Signatures: Process spawned unexpected child process; Suspicious use of WriteProcessMemory

    attrib.exe  PID 1884  (child of 2680)
      attrib -S -h "C:\Users\Admin\AppData\Roaming\Microsoft\Excel\XLSTART\K4.XLS"
      Signatures: Views/modifies file attributes

  cmd.exe  PID 2176  (child of 3328)
    C:\Windows\system32\cmd.exe /c Del /F /Q "C:\Users\Admin\AppData\Roaming\Microsoft\Excel\XLSTART\K4.XLS"
    Signatures: Process spawned unexpected child process

  cmd.exe  PID 4264  (child of 3328)
    C:\Windows\system32\cmd.exe /c RD /S /Q "C:\Users\Admin\AppData\Roaming\Microsoft\Excel\XLSTART\K4.XLS"
    Signatures: Process spawned unexpected child process

Reading the chain: the WriteProcessMemory rows give the spawn order 2680, 2176, 4264. Excel first strips the System and Hidden attributes from XLSTART\K4.XLS (del does not act on hidden or system files unless /A is specified, so this step is needed for the deletion to succeed), then deletes the file with Del /F /Q, and finally runs RD /S /Q against the same path, which would remove it if the path were a directory instead. XLSTART is Excel's startup folder: any workbook placed there is opened, macro sheets included, every time Excel starts, which makes it a common persistence location for XLM droppers. Only the removal appears in this trace; no write to K4.XLS is recorded, so whether the macro is cleaning up a file it dropped earlier or deleting a pre-existing copy cannot be determined from this report alone. Note that the sandbox's "unexpected child process" signature checks only the direct parent, so attrib.exe (parent cmd.exe) is caught by a different signature than the three cmd.exe instances (parent EXCEL.EXE).
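Detection logic for the behaviour in this tree, as an added example that is not part of the sandbox report or its vendor's signature engine. It runs three rules over process-creation and registry-query events: an Office process anywhere in the ancestry spawning a shell interpreter, a command line that tampers with an Office startup folder using the attrib/del/rd commands seen above, and an Office process reading the CentralProcessor and BIOS values listed in the registry signatures. It generalises the report's own signature by walking the full parent chain rather than only the direct parent. The event dictionaries are a constructed layout, not a real EDR or Sysmon schema, and EVENTS mirrors the PIDs and command lines from this report plus one benign control (explorer.exe launching cmd.exe).

```python
import re
from dataclasses import dataclass
from typing import Optional

# Image names that should rarely, if ever, launch a shell interpreter.
OFFICE_IMAGES = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}
SHELL_IMAGES = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

# Office auto-load folders: a workbook in XLSTART is opened on every Excel start.
STARTUP_DIR = re.compile(r"\\(XLSTART|STARTUP)\\", re.IGNORECASE)
# The three commands the report shows against K4.XLS: unhide, delete, remove-as-directory.
CLEANUP_CMD = re.compile(r"\b(attrib\s+-s\s+-h|del\s+/f|rd\s+/s)\b", re.IGNORECASE)
# Registry values the report shows EXCEL.EXE reading (common VM/sandbox fingerprinting).
FINGERPRINT_KEY = re.compile(
    r"CentralProcessor\\0\\(~MHz|ProcessorNameString)$|BIOS\\(SystemFamily|SystemSKU)$",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class Finding:
    rule: str
    pid: int
    detail: str


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def office_ancestor(proc: dict, by_pid: dict) -> Optional[dict]:
    """Walk the ppid chain and return the nearest Office process, or None."""
    seen = set()
    cur = by_pid.get(proc["ppid"])
    while cur is not None and cur["pid"] not in seen:
        seen.add(cur["pid"])
        if basename(cur["image"]) in OFFICE_IMAGES:
            return cur
        cur = by_pid.get(cur["ppid"])
    return None


def detect(events: list) -> list:
    """Run the three rules over process-creation and registry-query events."""
    by_pid = {e["pid"]: e for e in events if e["type"] == "process"}
    findings = []
    for e in events:
        proc = by_pid.get(e["pid"])
        if proc is None:
            continue  # registry event for a process whose start we never saw
        if e["type"] == "process":
            office = office_ancestor(e, by_pid)
            if office is None:
                continue
            name = basename(e["image"])
            if name in SHELL_IMAGES:
                findings.append(Finding("office_spawns_shell", e["pid"],
                                        f"{basename(office['image'])} pid {office['pid']} -> {name}"))
            if STARTUP_DIR.search(e["cmdline"]) and CLEANUP_CMD.search(e["cmdline"]):
                findings.append(Finding("office_startup_folder_tamper", e["pid"], e["cmdline"]))
        elif e["type"] == "registry":
            if basename(proc["image"]) in OFFICE_IMAGES and FINGERPRINT_KEY.search(e["path"]):
                findings.append(Finding("office_registry_fingerprint", e["pid"], e["path"]))
    return findings


K4 = r"C:\Users\Admin\AppData\Roaming\Microsoft\Excel\XLSTART\K4.XLS"
# Constructed telemetry mirroring the report's process tree and registry reads.
EVENTS = [
    {"type": "process", "pid": 1000, "ppid": 500, "image": r"C:\Windows\explorer.exe",
     "cmdline": "explorer.exe"},
    {"type": "process", "pid": 3328, "ppid": 1000,
     "image": r"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE",
     "cmdline": r'"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" '
                r'"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5d9ca7b8d7c51647d160ad28c959a323.xls"'},
    {"type": "process", "pid": 2680, "ppid": 3328, "image": r"C:\Windows\system32\cmd.exe",
     "cmdline": rf'C:\Windows\system32\cmd.exe /c attrib -S -h "{K4}"'},
    {"type": "process", "pid": 1884, "ppid": 2680, "image": r"C:\Windows\system32\attrib.exe",
     "cmdline": rf'attrib -S -h "{K4}"'},
    {"type": "process", "pid": 2176, "ppid": 3328, "image": r"C:\Windows\system32\cmd.exe",
     "cmdline": rf'C:\Windows\system32\cmd.exe /c Del /F /Q "{K4}"'},
    {"type": "process", "pid": 4264, "ppid": 3328, "image": r"C:\Windows\system32\cmd.exe",
     "cmdline": rf'C:\Windows\system32\cmd.exe /c RD /S /Q "{K4}"'},
    {"type": "registry", "pid": 3328,
     "path": r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz"},
    {"type": "registry", "pid": 3328,
     "path": r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU"},
    # Benign control: a user-launched cmd.exe under explorer.exe must not fire.
    {"type": "process", "pid": 5000, "ppid": 1000, "image": r"C:\Windows\system32\cmd.exe",
     "cmdline": r"C:\Windows\system32\cmd.exe /c dir"},
]

if __name__ == "__main__":
    for f in detect(EVENTS):
        print(f"{f.rule:30} pid={f.pid:<5} {f.detail}")
```

The registry rule is deliberately kept separate from the other two: Office reads these keys on benign startups too, so it is useful as corroboration when the other rules fire, not as a stand-alone alert.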
Network
MITRE ATT&CK Enterprise v15
Downloads
(path not shown in report)
Filesize: 136KB
MD5: a43cfa239acad432c4d237b0b82c2c73
SHA1: 627dfe320b21d339fd7979b42814dbdcf108d52f
SHA256: 35d0e6464f75008abbe8a01b3af03c37522ce07de8e37079effe4c5a98e315fa
SHA512: 3cab5520f8b5de235d8577faf916127529be4fcea7160eaefd7876be559687b0293d36308d2255f8fdd19ae020ff2e040acc84fe05ebcd017b556d4d34918f83

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms
Filesize: 1KB
MD5: 14d73058def05567558b66ead11438f3
SHA1: 96edb39d0cd330bccb69eadb13ea2020b232af72
SHA256: 4fd23c0d47838f7844e9d28ba93b8fb0bf1ff7fcb0cdfe4882e6275fcafd0638
SHA512: bd888e1ea8180bae61a5027719d74240b1c4396cd0b21d4ecc7134b7944886da092ca517f19c65c3e02c8b68e81a746ffdfcb605947aeb4b455eb83024dbf1f9