0fe6d78e321028b931c3c1dbc467b2db424a333803f06db7f60311d11b15917f

Analysis

max time kernel
118s
max time network
119s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
12/03/2025, 12:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_6b2b9d42581d755c3f423a3a273796f5.xls
Size

296KB
MD5

6b2b9d42581d755c3f423a3a273796f5
SHA1

cfdc7aa01f169b4995d7f4dea63fe88264ba5069
SHA256

0fe6d78e321028b931c3c1dbc467b2db424a333803f06db7f60311d11b15917f
SHA512

1657ee63f2fcff6febbe6020bc9a602c259bf9d53ad6b2a4cbed1cdd6f42ec384c6bd90b9ca9b2b54e1328225364ff6ee81bcd52d14fca6e2ca41da24aa3f80a
SSDEEP

6144:rf5VC9ECYkyTClYAZfcBvEHVwbPgcUk9l0uq0l+65Xo/5jW:rfD1CWWEiybPgz5M2/5

Score

10^/10

defense_evasion discovery macro macro_on_action persistence xlm

Malware Config

Signatures

Process spawned unexpected child process 6 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process	2212	2956	cmd.exe	30
Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process	2796	2956	cmd.exe	30
Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process	2564	2956	cmd.exe	30
Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process	2712	2956	cmd.exe	30
Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process	2424	2956	cmd.exe	30
Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process	2120	2956	cmd.exe	30

Office macro that triggers on suspicious action 2 IoCs

Office document macro which triggers in special circumstances - often malicious.

macro macro_on_action

resource	yara_rule
behavioral1/files/0x00070000000173a7-30.dat	office_macro_on_action
behavioral1/files/0x00050000000186e4-56.dat	office_macro_on_action

Sets file to hidden 1 TTPs 2 IoCs

Modifies file attributes to stop it showing in Explorer etc.

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
1948	attrib.exe
1696	attrib.exe

Suspicious Office macro 2 IoCs

Office document equipped with 4.0 macros.

macro xlm

resource	yara_rule
behavioral1/files/0x00070000000173a7-30.dat	office_xlm_macros
behavioral1/files/0x00050000000186e4-56.dat	office_xlm_macros

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\Internet.exe = "internet.exe"	EXCEL.EXE

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\internet.exe	EXCEL.EXE

System Location Discovery: System Language Discovery 1 TTPs 13 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	extrac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Office loads VBA resources, possible macro or embedded object present

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2956	EXCEL.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2956	EXCEL.EXE

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
2956	EXCEL.EXE
2956	EXCEL.EXE
2956	EXCEL.EXE
2956	EXCEL.EXE
2956	EXCEL.EXE
2604	WINWORD.EXE
2604	WINWORD.EXE

Suspicious use of WriteProcessMemory 44 IoCs

description	pid	Process	procid_target
PID 2956 wrote to memory of 2212	2956	EXCEL.EXE	31
PID 2956 wrote to memory of 2212	2956	EXCEL.EXE	31
PID 2956 wrote to memory of 2212	2956	EXCEL.EXE	31
PID 2956 wrote to memory of 2212	2956	EXCEL.EXE	31
PID 2212 wrote to memory of 2384	2212	cmd.exe	33
PID 2212 wrote to memory of 2384	2212	cmd.exe	33
PID 2212 wrote to memory of 2384	2212	cmd.exe	33
PID 2212 wrote to memory of 2384	2212	cmd.exe	33
PID 2956 wrote to memory of 2796	2956	EXCEL.EXE	34
PID 2956 wrote to memory of 2796	2956	EXCEL.EXE	34
PID 2956 wrote to memory of 2796	2956	EXCEL.EXE	34
PID 2956 wrote to memory of 2796	2956	EXCEL.EXE	34
PID 2796 wrote to memory of 2568	2796	cmd.exe	36
PID 2796 wrote to memory of 2568	2796	cmd.exe	36
PID 2796 wrote to memory of 2568	2796	cmd.exe	36
PID 2796 wrote to memory of 2568	2796	cmd.exe	36
PID 2956 wrote to memory of 2564	2956	EXCEL.EXE	37
PID 2956 wrote to memory of 2564	2956	EXCEL.EXE	37
PID 2956 wrote to memory of 2564	2956	EXCEL.EXE	37
PID 2956 wrote to memory of 2564	2956	EXCEL.EXE	37
PID 2564 wrote to memory of 2716	2564	cmd.exe	39
PID 2564 wrote to memory of 2716	2564	cmd.exe	39
PID 2564 wrote to memory of 2716	2564	cmd.exe	39
PID 2564 wrote to memory of 2716	2564	cmd.exe	39
PID 2956 wrote to memory of 2712	2956	EXCEL.EXE	40
PID 2956 wrote to memory of 2712	2956	EXCEL.EXE	40
PID 2956 wrote to memory of 2712	2956	EXCEL.EXE	40
PID 2956 wrote to memory of 2712	2956	EXCEL.EXE	40
PID 2956 wrote to memory of 2424	2956	EXCEL.EXE	43
PID 2956 wrote to memory of 2424	2956	EXCEL.EXE	43
PID 2956 wrote to memory of 2424	2956	EXCEL.EXE	43
PID 2956 wrote to memory of 2424	2956	EXCEL.EXE	43
PID 2424 wrote to memory of 1948	2424	cmd.exe	45
PID 2424 wrote to memory of 1948	2424	cmd.exe	45
PID 2424 wrote to memory of 1948	2424	cmd.exe	45
PID 2424 wrote to memory of 1948	2424	cmd.exe	45
PID 2956 wrote to memory of 2120	2956	EXCEL.EXE	46
PID 2956 wrote to memory of 2120	2956	EXCEL.EXE	46
PID 2956 wrote to memory of 2120	2956	EXCEL.EXE	46
PID 2956 wrote to memory of 2120	2956	EXCEL.EXE	46
PID 2120 wrote to memory of 1696	2120	cmd.exe	48
PID 2120 wrote to memory of 1696	2120	cmd.exe	48
PID 2120 wrote to memory of 1696	2120	cmd.exe	48
PID 2120 wrote to memory of 1696	2120	cmd.exe	48

Views/modifies file attributes 1 TTPs 4 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
2384	attrib.exe
2568	attrib.exe
1948	attrib.exe
1696	attrib.exe

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6b2b9d42581d755c3f423a3a273796f5.xls
1⤵
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2956
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c attrib -s -h c:\setflag.exe
  2⤵
  - Process spawned unexpected child process
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2212
- - C:\Windows\SysWOW64\attrib.exe
    attrib -s -h c:\setflag.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Views/modifies file attributes
    PID:2384
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c attrib -s -h c:\sendto.exe
  2⤵
  - Process spawned unexpected child process
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2796
- - C:\Windows\SysWOW64\attrib.exe
    attrib -s -h c:\sendto.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Views/modifies file attributes
    PID:2568
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c extrac32 /E /Y /L c:\ c:\cab.cab
  2⤵
  - Process spawned unexpected child process
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2564
- - C:\Windows\SysWOW64\extrac32.exe
    extrac32 /E /Y /L c:\ c:\cab.cab
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2716
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c extract /E /Y /L c:\ c:\cab.cab
  2⤵
  - Process spawned unexpected child process
  - System Location Discovery: System Language Discovery
  PID:2712
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c attrib +s +h c:\setflag.exe
  2⤵
  - Process spawned unexpected child process
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2424
- - C:\Windows\SysWOW64\attrib.exe
    attrib +s +h c:\setflag.exe
    3⤵
    - Sets file to hidden
    - System Location Discovery: System Language Discovery
    - Views/modifies file attributes
    PID:1948
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c attrib +s +h c:\sendto.exe
  2⤵
  - Process spawned unexpected child process
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2120
- - C:\Windows\SysWOW64\attrib.exe
    attrib +s +h c:\sendto.exe
    3⤵
    - Sets file to hidden
    - System Location Discovery: System Language Discovery
    - Views/modifies file attributes
    PID:1696

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2604

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Excel\XLSTART\4F7DB5CE.tmp

Filesize
68KB

MD5
da4af52db88073fe00c604dad5a510b7

SHA1
139a3ce51d9db9035ecb93f77c8ff0cf1137b0af

SHA256
df29f8b39a3d1619e7c158fbe189b91747bf4e36e96f65cf48554db6ca42a2ce

SHA512
a5ecac22908ac7f83f6b97ed8a438e29b2452542d512ee06d959430c0e8019e831f1b8aad52fdfd39a870b69d8e5c155385aa25899257201a185d758252951ce

Download Submit
C:\sendto.exe

Filesize
20KB

MD5
56bafcef305ce46d847421edd6eec04b

SHA1
e6e31dda260fee10b63c4dd297b433749ea7ac07

SHA256
3c6d90fdf13ef66dd36631796cd50db01dfb8e2db5b472c45202513ab816f272

SHA512
c78210f40daa6e2827d1280eaca5ae22cf036d20ff802826171cfdaf2b64a011f32c8689eec174d3375e197b240e4c92a2fb466b01c66a96e9276cd1de160e20

Download Submit
C:\setflag.exe

Filesize
32KB

MD5
a4f9be8517afb4c5d9c63960a5faf258

SHA1
6d3300bfc43b191819f687df91bfbe2c6294d6bb

SHA256
78b6db289832df709d17fd5c49359ddfb9cacaa8303cd77290427bac4c829ba2

SHA512
c6c918bc91ed645553245cc640ed66882af264035732b8a8c2682f14a9c8f183c38837c1b3e62ca7d16e1560e6bc2a4273b41c9614a046752928c9a0c45ecb2e

Download Submit
\??\c:\cab.cab

Filesize
70KB

MD5
5a876443f36ca54efae1c723041435c0

SHA1
7ebd6188c3df725008209b7d24f914b2b3ce0a6c

SHA256
02397a86f99f98f212adee047d25c56fa6644a3cf6058ddb0da0221d708f1ee9

SHA512
a065a1ed747b8348c49c909e7186da584a3f01bca4652b154d5f7f88c4de15c5f0c03884db5cf33bca9035944cf5c7bc6983571301dd0fa4d7c298942887a149

Download Submit
\??\c:\internet.exe

Filesize
24KB

MD5
072ca9f791665febeacda1be1e71a124

SHA1
20d6d75ef7e06c72b43a2e3be81f5ceab11a1a5a

SHA256
692bfa3ca595a0ed57dd1d5fa6652332162c90ea0c9b8c9b32ddbebbec063f3d

SHA512
3cd1c0727085dcc054b1c9111c934fef3473d57a91e1e247418a220e35c59e495282740621d6c9c01c86a39ad4e5c79d7d95dbd289e25f044cfad1f616d52290

Download Submit
\??\c:\norma1.xlm

Filesize
68KB

MD5
3f08a7010fe4ea32b210b7919448ada6

SHA1
c7bc3bb8f78ef217b83c593542b5c4cf602746a2

SHA256
506260a97f723ce79e3243b651dc8af1c3fcdbf72431be60b1a0afbab8d2dce9

SHA512
be8ac3dcb6574e6876c2f8d2e40c1c6ad75ca611275ccc73c7283f6b17f3956c16c14d9dfa10e36576011baa691378a8ce6115e380b821a2d6f549ea46567b4c

Download Submit
\??\c:\normal.dot

Filesize
103KB

MD5
26ab77fe4d542805e0afdc9d0efc92c2

SHA1
332dc776b13e8f04809a312183ef9532ea2b18d3

SHA256
1cb2d969e56664ddc1f496c63e424cbe1ce2f560f8350f4ffa451f0fc03006d9

SHA512
ef439dbbe390eb175bd9970d76827a6b506b88a4db7cda233d8b6591b22e3c7a454cbb8111ca78dbbd6b195c91aa89c7d0c9df952052d3471eb07ac80f98b89a

Download Submit
memory/2604-39-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2956-1-0x0000000073A0D000-0x0000000073A18000-memory.dmp

Filesize
44KB

Download
memory/2956-6-0x00000000031B0000-0x00000000032B0000-memory.dmp

Filesize
1024KB

Download
memory/2956-0-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2956-60-0x0000000073A0D000-0x0000000073A18000-memory.dmp

Filesize
44KB

Download
memory/2956-61-0x00000000031B0000-0x00000000032B0000-memory.dmp

Filesize
1024KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads