Analysis
- max time kernel: 133s
- max time network: 126s
- platform: windows10-2004_x64
- resource: win10v2004-20250313-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20250313-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 14/03/2025, 13:02
Behavioral tasks
- behavioral1
  Sample: JaffaCakes118_74571c140b996d8a24dae2517a182d25.xls
  Resource: win7-20241010-en
- behavioral2
  Sample: JaffaCakes118_74571c140b996d8a24dae2517a182d25.xls
  Resource: win10v2004-20250313-en
General
- Target: JaffaCakes118_74571c140b996d8a24dae2517a182d25.xls
- Size: 205KB
- MD5: 74571c140b996d8a24dae2517a182d25
- SHA1: 786b293d45773918b1fe8a8f9e355a4a4845fba8
- SHA256: b91ff4b652f1096186b85933e56c53847efad80c9b43cafda49c1dfda9e79ad7
- SHA512: 15bddb8f5898e4fee3442fddff43d467bea06140e204bcff6e1ff681a207461cee925cc3e07ced5e6712b6d68361cc41fdfdb4804b2b9a29e357fe9ae80156b0
- SSDEEP: 6144:7vnRVTVDkdysFe71ERKXKhU3TZaA472byRW1N8xXImuForwR+RXgf5xSl7ZXGJwi:zRVTVDkdysFe71ERKXKhU3TZaA472byZ
Malware Config
Signatures
- Process spawned unexpected child process (3 IoCs)
  This typically indicates the parent process was compromised via an exploit or macro.
  description | pid | pid_target | Process | procid_target
  Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | 4900 | 4028 | cmd.exe | 84
  Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | 4708 | 4028 | cmd.exe | 84
  Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | 5480 | 4028 | cmd.exe | 84
- YARA match
  resource | yara_rule
  behavioral2/files/0x000c0000000240cf-98.dat | office_xlm_macros
- Deletes itself (1 IoC)
  pid | Process
  4028 | EXCEL.EXE
- Indicator Removal: File Deletion (1 TTP)
  Adversaries may delete files left behind by the actions of their intrusion activity.
- Checks processor information in registry (2 TTPs, 3 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | EXCEL.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | EXCEL.EXE
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | EXCEL.EXE
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | EXCEL.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | EXCEL.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | EXCEL.EXE
- NTFS ADS (1 IoC)
  description | ioc | Process
  File created | C:\Users\Admin\AppData\Local\Temp\F8A75E00\:Zone.Identifier:$DATA | EXCEL.EXE
- Suspicious behavior: AddClipboardFormatListener (1 IoC)
  pid | Process
  4028 | EXCEL.EXE
- Suspicious use of SetWindowsHookEx (14 IoCs)
  pid | Process
  4028 | EXCEL.EXE (14 identical entries)
- Suspicious use of WriteProcessMemory (8 IoCs)
  description | pid | Process | procid_target
  PID 4028 wrote to memory of 5480 | 4028 | EXCEL.EXE | 89
  PID 4028 wrote to memory of 5480 | 4028 | EXCEL.EXE | 89
  PID 4028 wrote to memory of 4708 | 4028 | EXCEL.EXE | 90
  PID 4028 wrote to memory of 4708 | 4028 | EXCEL.EXE | 90
  PID 4028 wrote to memory of 4900 | 4028 | EXCEL.EXE | 91
  PID 4028 wrote to memory of 4900 | 4028 | EXCEL.EXE | 91
  PID 5480 wrote to memory of 5544 | 5480 | cmd.exe | 95
  PID 5480 wrote to memory of 5544 | 5480 | cmd.exe | 95
- Views/modifies file attributes (1 TTP, 1 IoC)
  pid | Process
  5544 | attrib.exe
Processes
1. C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
   Command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_74571c140b996d8a24dae2517a182d25.xls"
   PID: 4028
   - Deletes itself
   - Checks processor information in registry
   - Enumerates system info in registry
   - NTFS ADS
   - Suspicious behavior: AddClipboardFormatListener
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\system32\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c attrib -S -h "C:\Users\Admin\AppData\Roaming\Microsoft\Excel\XLSTART\K4.XLS"
      PID: 5480
      - Process spawned unexpected child process
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\system32\attrib.exe
         Command line: attrib -S -h "C:\Users\Admin\AppData\Roaming\Microsoft\Excel\XLSTART\K4.XLS"
         PID: 5544
         - Views/modifies file attributes
   2. C:\Windows\system32\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c Del /F /Q "C:\Users\Admin\AppData\Roaming\Microsoft\Excel\XLSTART\K4.XLS"
      PID: 4708
      - Process spawned unexpected child process
   2. C:\Windows\system32\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c RD /S /Q "C:\Users\Admin\AppData\Roaming\Microsoft\Excel\XLSTART\K4.XLS"
      PID: 4900
      - Process spawned unexpected child process
Network
MITRE ATT&CK Enterprise v15
Downloads
- (path not recorded)
  Filesize: 216KB
  MD5: 3616b1394fe8c44067b15c8935467aef
  SHA1: 2bfc07400681c88b0e2720778aeed2e0c0cce7ca
  SHA256: dbca0805e1e32cf8cd05c7426e067ba54312c911a2691a32df99f72285aef298
  SHA512: b55fff8423d60ad86ba2a234e160fc49107486cc61438db5adbd74218e00e16b62637ab83a851e8db5b8daaaa889c676b7009f111933b853053e2a1b0f3c24e6
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms
  Filesize: 677B
  MD5: 7ddf6be6b6944327411b1ec56ebb187a
  SHA1: f4e32a0e4ccce301ab7567094f40721e2062101a
  SHA256: a1aefb23e4dc5618472a377acec11f8a156054f7c06861ceebe55c2f70e04ffc
  SHA512: 7612acd6d02cd0ebdfa22729dd5515bf0fef072556970731118263411aef454e58bd942b3f17cc467a946d627134571f7b95dce00f79e1460d22337c3731d65f