5b838d9c51ae74156d6b890e1428d448cf4fedb90f156c9210908f899ce20d61

Sharing

Copy URL

Twitter E-mail

General

Target

JaffaCakes118_8e6afc830e8e2f8e4bafe47772f9f601
Size

2.5MB
Sample

250323-nzvt6syyew
MD5

8e6afc830e8e2f8e4bafe47772f9f601
SHA1

a9e1e60e12dcca78ebbfb353b199d30d5871e8b3
SHA256

5b838d9c51ae74156d6b890e1428d448cf4fedb90f156c9210908f899ce20d61
SHA512

630a2d96b56689c83f1293bd590b72a1a72f34a024b254d2376fc3f60be4cb3febe0506c4ea06ff40777bfad21d1c0994e9e06d0323a4aee155c71b200c708ae
SSDEEP

49152:OIsfezAtLf9APgLZyQOgbuk2ZShcbAi6qD56YeIrI6YzC40p+aASldkHG9xHYmKx:vEektDeBQ0ZSyAu6fEG0p+aA7sxyhdJr

Score

10^/10

Malware Config

Targets

- Target
  
  南沙万顷沙镇水窦工程量清单/南沙万顷沙镇水窦/10#水窦/表3—1 封面.xls
- Size
  
  16KB
- MD5
  
  fa42f9991bc61cba919a49ce64ffccb0
- SHA1
  
  174f51a556f225897368f825d1a57d254e1cab8a
- SHA256
  
  6ed11f6cf7114f29ba3fe4bdc02607cf893654fdf3aa8beffdf4380567729031
- SHA512
  
  ca7c7dcde534465a043077782d97d8c37468cbf158b6ce04b00fb89009ed8870695420a08f382d272c852dfa429c7ce74d3f3d6372f80358c0c139e5da1c8f48
- SSDEEP
  
  96:KYhZ2G2pBOVR2lNIUmdjqYwIZRR6jycvyxKzQcboHeZl9egqT:KYhZ2G2pBWR2THhj/vyygxg4
Score

3^/10

discovery
behavioral1 behavioral2
- Target
  
  南沙万顷沙镇水窦工程量清单/南沙万顷沙镇水窦/10#水窦/表3—10 主要材料设备价格表.xls
- Size
  
  79KB
- MD5
  
  b91e3296b0adc26b052fedba3ef1e894
- SHA1
  
  217704bc48d518bf75fd9630a28435705a5b7023
- SHA256
  
  2757db58c63e0eb7c609cdaa4339194c604c9b9cb1884f39878874ebd8c38d87
- SHA512
  
  e08b52bc3d349d1d3bd2b07eebe8ad1c9beefc0db57818de203d37659d41880f8adb825dbe57be992ff3a7f9a267f4a0490f12a9ba432c34b6d2881b6f1ee854
- SSDEEP
  
  1536:ptq7CX+7uNKx2jcc0lbxOqTgZIIhY7nJdJoOd7cJtXwmF3:Q2jcc0lbxOK82AJtXwS3
Score

10^/10

defense_evasion discovery macro xlm
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Suspicious Office macro
  Office document equipped with 4.0 macros.
  macro xlm
- Deletes itself
- Indicator Removal: File Deletion
  Adversaries may delete files left behind by the actions of their intrusion activity.
  defense_evasion
behavioral3 behavioral4
- Target
  
  南沙万顷沙镇水窦工程量清单/南沙万顷沙镇水窦/10#水窦/表3—5 单位工程招标控制价汇总表.xls
- Size
  
  85KB
- MD5
  
  70314a065296a82e233001ada0ab559f
- SHA1
  
  7fe7c0500580062b0ccbb6774ceebce1ad088d67
- SHA256
  
  a06acb8782ea7129e3ecf74c3dc982c73c4e041e51a702dec4c7ceeb8b728e66
- SHA512
  
  abd1efbc567d66d92129e618bb767d52ceda59ba2542ba6ad4eb7ccff62f847177ac732a62134b8cfced80d5a5def66aac358fb4534558fa985d044b877d32bc
- SSDEEP
  
  1536:cpMWVqWVbrzQ7ITkVFtI9NA23NP2iY7nJdJoOd7cJwXw62te:lWVbrzQ7ITkju1t2rAJwXwnte
Score

10^/10

defense_evasion discovery macro xlm
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Suspicious Office macro
  Office document equipped with 4.0 macros.
  macro xlm
- Deletes itself
- Indicator Removal: File Deletion
  Adversaries may delete files left behind by the actions of their intrusion activity.
  defense_evasion
behavioral5 behavioral6
- Target
  
  南沙万顷沙镇水窦工程量清单/南沙万顷沙镇水窦/10#水窦/表3—6 分部分项工程计价表.xls
- Size
  
  81KB
- MD5
  
  1f5149706e222ccf2931e1e318b5a85c
- SHA1
  
  c4976b72b423112a50548d679e206e16ca73dd80
- SHA256
  
  c2c1f3de7093e47a560941f6f0eb09d38dce8cb1adc89bc20e67b72c13e07de3
- SHA512
  
  a8dff0d2e8e7272e2c5af8dffe1138c8053f990d38d60ea436424d778ee18a8d9b04bfd4bb5867dcd92d6e960610cec6b3f316f75bc3c95556370f18ce0dbdd9
- SSDEEP
  
  1536:xhx7NhKz2jcc0lbxOqTgZuIhY7nJdJoOd7cJtXw24j:02jcc0lbxOK22AJtXwrj
Score

10^/10

defense_evasion discovery macro xlm
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Suspicious Office macro
  Office document equipped with 4.0 macros.
  macro xlm
- Deletes itself
- Indicator Removal: File Deletion
  Adversaries may delete files left behind by the actions of their intrusion activity.
  defense_evasion
behavioral7 behavioral8
- Target
  
  南沙万顷沙镇水窦工程量清单/南沙万顷沙镇水窦/10#水窦/表3—8 综合单价分析表（二）.xls
- Size
  
  206KB
- MD5
  
  a7de08c94a2174316f72af1b0f1308f8
- SHA1
  
  8fe789d857770aae1d7d377ac4f67f561a7204b0
- SHA256
  
  5c9bc57dd7173b2e99c341ad0f315e0cc43b552835709533668cf74337122264
- SHA512
  
  1b5dedf269120f33e78c94d7a80ebf57e783b067f957717c5668994f8a3ea1e0adbe8848690bd0dffa0aaa7e3810c9ef1b0903e5d05159847ff59e6f2fe1c9a6
- SSDEEP
  
  3072:uadSAvhOH0tJQyvp2xahBRbhaoJMCtBwwuzhR/z2jcc0lbxOK22AJtXwQ26:u0Msn9AmM2wwuzhpp2Z
Score

10^/10

defense_evasion macro xlm discovery
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Suspicious Office macro
  Office document equipped with 4.0 macros.
  macro xlm
- Deletes itself
- Indicator Removal: File Deletion
  Adversaries may delete files left behind by the actions of their intrusion activity.
  defense_evasion
behavioral10 behavioral9
- Target
  
  南沙万顷沙镇水窦工程量清单/南沙万顷沙镇水窦/11#水窦/表3—1 封面.xls
- Size
  
  16KB
- MD5
  
  107fcba4b4e0dd50a24aeeb3c9fec45a
- SHA1
  
  241e10332826e56812d83b33eef4f2a32e792d4a
- SHA256
  
  bd68adb6a55d24c3630c15aa52a017fc582ef5d809dbf2134d341e7d2ed10814
- SHA512
  
  8efd5d2d188006d9870b5d3638a590b18b1d613e1aeaa2d17745d1268ea525025f32298ab863aeea31f4b571ebf0d44270a3e54f6cbf0ba3a540d17c8f19cc28
- SSDEEP
  
  96:KYhZ2G2pBOVR2lNIUmdjqYwIZRiQ6RycvyxKz/cb2BaZHeZlQegRT:KYhZ2G2pBWR2THLR/vyy6egJ
Score

3^/10

discovery
behavioral11 behavioral12
- Target
  
  南沙万顷沙镇水窦工程量清单/南沙万顷沙镇水窦/11#水窦/表3—10 主要材料设备价格表.xls
- Size
  
  79KB
- MD5
  
  015ae90f54a4befe2e78f03a371fba88
- SHA1
  
  ae7ff662e973fd8717eaffd7a6a3843bf32bc820
- SHA256
  
  600f1d516634f1d82ebceea80d8284d3047a02135bea61d2759eabecba432a7d
- SHA512
  
  180551c51e32b53945e0846eed7e89c82a8f6a9fb39689515aa4bfca062891b33dad9dde98d0a2135f9e68620210d1f77be19a191f23fab91745e93d778268b5
- SSDEEP
  
  1536:yg9bKTI3W4vXKV2jcc0lbxOqTgZuIhY7nJdJoOd7cJtXwu/U:ycC2jcc0lbxOK22AJtXwQU
Score

10^/10

defense_evasion discovery macro xlm
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Suspicious Office macro
  Office document equipped with 4.0 macros.
  macro xlm
- Deletes itself
- Indicator Removal: File Deletion
  Adversaries may delete files left behind by the actions of their intrusion activity.
  defense_evasion
behavioral13 behavioral14
- Target
  
  南沙万顷沙镇水窦工程量清单/南沙万顷沙镇水窦/11#水窦/表3—5 单位工程招标控制价汇总表.xls
- Size
  
  85KB
- MD5
  
  4e9531c06788a10608ca1453940bb580
- SHA1
  
  8a4af8a14a65d724f21e19ea3bebaa0b64659002
- SHA256
  
  5427b4f6cced31188039f01a7e12ae4fc48ef7b26bc72bb587f0a749418125fb
- SHA512
  
  cbd3b20ecdc4e598e9d6ad3e5716014f45e95c0e67e1f94cd5d3b90f0e9f295263cfe559287b17be164e28aca35dabdb336c55c916024d5fff72ae0302f63928
- SSDEEP
  
  1536:BBpDFqWVbrzQ7ITkbMtIh3IA23KkvY7nJdJoOd7cJwXwq0h:eWVbrzQ7ITk4uQnUAJwXw3h
Score

10^/10

defense_evasion discovery
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Deletes itself
- Indicator Removal: File Deletion
  Adversaries may delete files left behind by the actions of their intrusion activity.
  defense_evasion
behavioral15 behavioral16
- Target
  
  南沙万顷沙镇水窦工程量清单/南沙万顷沙镇水窦/11#水窦/表3—6 分部分项工程计价表.xls
- Size
  
  81KB
- MD5
  
  ef6c10fbe4aa129c5367ab7d7934dee3
- SHA1
  
  e89357c4c57eeb99735531ee77d7d738f0de3e00
- SHA256
  
  4023ff7e11e473df94f16e6aa46ed18a1a81f66046f317af9e7f79dccbf960c7
- SHA512
  
  924b923c86806fdc1b1044e954973ce2df0226eb4c39796f92894f4b9f57241d72f8dd01f240e6f9411b273de8b2e88e6861d61485c4884bf307f70f89e6df13
- SSDEEP
  
  1536:BRIKgHKB2jcc0lbxOqTgZuIhY7nJdJoOd7cJtXwZUv:l2jcc0lbxOK22AJtXwev
Score

10^/10

defense_evasion discovery macro xlm
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Suspicious Office macro
  Office document equipped with 4.0 macros.
  macro xlm
- Deletes itself
- Indicator Removal: File Deletion
  Adversaries may delete files left behind by the actions of their intrusion activity.
  defense_evasion
behavioral17 behavioral18
- Target
  
  南沙万顷沙镇水窦工程量清单/南沙万顷沙镇水窦/11#水窦/表3—8 综合单价分析表（二）.xls
- Size
  
  204KB
- MD5
  
  7f470e80fed9a8df2abb69f16b0f7edf
- SHA1
  
  caced60386bd385955ade0212074f42ec17c2f3a
- SHA256
  
  0111532438420dc255666edd0d5b77094387acdc59e0430a7f7963b37865e2c5
- SHA512
  
  9891c07e6d09acddc2ffbcc9742d3ee0c4d15f4cdb8c37c8afe6be3a4bfa228554c3862c953d6d8bf9a040185369e4fab23e99fb97f3864246cdc077a7af5498
- SSDEEP
  
  3072:VSAvhOH0tJEvThBahBRbO+xGJMNdr7TzzhR/s2jcc0lbxOK22AJtXw6o:VScn93SM/7Tzzhp22
Score

10^/10

defense_evasion discovery macro xlm
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Suspicious Office macro
  Office document equipped with 4.0 macros.
  macro xlm
- Deletes itself
- Indicator Removal: File Deletion
  Adversaries may delete files left behind by the actions of their intrusion activity.
  defense_evasion
behavioral19 behavioral20
- Target
  
  南沙万顷沙镇水窦工程量清单/南沙万顷沙镇水窦/12#水窦/表3—1 封面.xls
- Size
  
  16KB
- MD5
  
  4edbd69a423eb4ab2d9443369b06dc16
- SHA1
  
  e834eec7174348bc68bdb6080130e69d698d38da
- SHA256
  
  aa7c652f6c50e719c2c53b0a0b587f7048683ba1b9c5f95ad0e9d143e38dc80f
- SHA512
  
  07accd9453c056c647b10d6f25f07f6b99019cd5786f1f152a8c08a9d16f9c86605fdaab4cc7a5e5332b18d5c5472917ce063447d7ea4afbc018b47bf3fa62b3
- SSDEEP
  
  96:KYhZ2G2pBOVR2lNIUmdjqYU3IZRR6UcvyxKz1cb2B+hHeZl5egUT:KYhZ2G2pBWR2TH9Vvyyih1g+
Score

3^/10

discovery
behavioral21 behavioral22
- Target
  
  南沙万顷沙镇水窦工程量清单/南沙万顷沙镇水窦/12#水窦/表3—10 主要材料设备价格表.xls
- Size
  
  79KB
- MD5
  
  03779034f32ca9be8705830f1f18bf86
- SHA1
  
  7546306708c1e7019209efcbfa2c3604b244999c
- SHA256
  
  cce58918f4aea81c43b6ef48dc5a124cd0666ddf5990477c307be0acfdabfd75
- SHA512
  
  2575aedbac84c1297efe657c7a5829d529011562a4a97abfee4a544bdec490ec82d66d913f0b2e6c71aa8127c004ac90a065a1604b11a08149b6b156fcb94d01
- SSDEEP
  
  1536:+9bKTZU4T/Kr2jcc0lbxOqTgZuIhY7nJdJoOd7cJtXwg7p:i2jcc0lbxOK22AJtXwSp
Score

10^/10

defense_evasion discovery macro xlm
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Suspicious Office macro
  Office document equipped with 4.0 macros.
  macro xlm
- Deletes itself
- Indicator Removal: File Deletion
  Adversaries may delete files left behind by the actions of their intrusion activity.
  defense_evasion
behavioral23 behavioral24
- Target
  
  南沙万顷沙镇水窦工程量清单/南沙万顷沙镇水窦/12#水窦/表3—5 单位工程招标控制价汇总表.xls
- Size
  
  78KB
- MD5
  
  f23cb9cb79c7621d7879d5b7eb30cb06
- SHA1
  
  cc56d48fbe3a8ce2e809008543d2fea7cc93e44d
- SHA256
  
  2d0da9853e98047377326446827da4f9e6ec732f757be7c42eb13d95195814f7
- SHA512
  
  c14be9fe72bdbd5f8310531bfcaefa74f3d59732ce45a65c9410d8c5b66f9c1ccfe154810a3ae161588f378e23b75636d005312f61d49a8399d744efd768f792
- SSDEEP
  
  1536:wRAysHgO2jcc0lbxOqTgZ7IhY7nJdJoOd7cJtXwH3SU:eO2jcc0lbxOK92AJtXwXSU
Score

10^/10

defense_evasion discovery
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Deletes itself
- Indicator Removal: File Deletion
  Adversaries may delete files left behind by the actions of their intrusion activity.
  defense_evasion
- Process spawned suspicious child process
  This child process is typically not spawned unless (for example) the parent process crashes. This typically indicates the parent process was unsuccessfully compromised.
behavioral25 behavioral26
- Target
  
  南沙万顷沙镇水窦工程量清单/南沙万顷沙镇水窦/12#水窦/表3—6 分部分项工程计价表.xls
- Size
  
  81KB
- MD5
  
  0d291537914a40e012a0b0abb663ab58
- SHA1
  
  c30a93854a2e2bd3689f72bc2c542ea7dbdf508d
- SHA256
  
  8269b93e37f797cdb84efdc5b339ad9dde07cb7c7067bd2e0467be4ba6a998be
- SHA512
  
  b0abcfe6777eba5d65900cf1ebef4921067506573ab0a723cda75720af661713fb5a08ed0807677fe280b715ad8c12e308706e8b521ed38f4a6e4f9e4da9a467
- SSDEEP
  
  1536:nxQCOzMK42jcc0lbxOqTgZfIhY7nJdJoOd7cJtXwLmx:T2jcc0lbxOKp2AJtXwSx
Score

10^/10

defense_evasion discovery macro xlm
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Suspicious Office macro
  Office document equipped with 4.0 macros.
  macro xlm
- Deletes itself
- Indicator Removal: File Deletion
  Adversaries may delete files left behind by the actions of their intrusion activity.
  defense_evasion
behavioral27 behavioral28
- Target
  
  南沙万顷沙镇水窦工程量清单/南沙万顷沙镇水窦/12#水窦/表3—8 综合单价分析表（二）.xls
- Size
  
  204KB
- MD5
  
  a09207992bf95b6f16040bdf04cfc1f4
- SHA1
  
  494c04f103db5da227a76cbcedf7c1dc8a77877e
- SHA256
  
  55b4dadfc53e3677fdfec468e8e66a016023705570f74f510e855cfeb4e7c8f6
- SHA512
  
  c3de73d88b51f7f3bbf4c7ada5a680d3e399a2c73d3f227f4cc32ca9a22671530aaaa2b3ffe11c66f0f546e4a03f7bf42195cfa8dd9d405b888fcadb03e536e1
- SSDEEP
  
  3072:3wNfSAmhOH0tGQyvUVxahBRbsl1MMXGFfwEzhR/m2jcc0lbxOK82AJtXwee:Ufksn97MwfwEzhpC2
Score

10^/10

defense_evasion discovery macro xlm
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Suspicious Office macro
  Office document equipped with 4.0 macros.
  macro xlm
- Deletes itself
- Indicator Removal: File Deletion
  Adversaries may delete files left behind by the actions of their intrusion activity.
  defense_evasion
behavioral29 behavioral30
- Target
  
  南沙万顷沙镇水窦工程量清单/南沙万顷沙镇水窦/13#水窦/表3—1 封面.xls
- Size
  
  16KB
- MD5
  
  b8e0608b433b903fa8b477d54224229c
- SHA1
  
  8e606cea7f9f820a661340fbe4d145abaf0fccf8
- SHA256
  
  ced7f8d7c3bc563e0cc436386301359d6701ef152e46544dad23b1d6743d307f
- SHA512
  
  4eae2cc2a1ccda10d7e03644e6002349731001ad1c07940a7c2ec7472617e666d6a699fca6a5588e4f40292880ddaa3700383fc0b52283c680a96d97f65818cb
- SSDEEP
  
  96:KYhZ2G2pBOVR2lNIUmdjqYSIZRR6ocvyxKzAcb6RdHeZf0egoT:KYhZ2G2pBWR2THDRvyyWEga
Score

3^/10

discovery
behavioral31 behavioral32

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Indicator Removal

T1070

File Deletion

T1070.004

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Targets

Process spawned unexpected child process

Suspicious Office macro

Deletes itself

Indicator Removal: File Deletion

Process spawned unexpected child process

Suspicious Office macro

Deletes itself

Indicator Removal: File Deletion

Process spawned unexpected child process

Suspicious Office macro

Deletes itself

Indicator Removal: File Deletion

Process spawned unexpected child process

Suspicious Office macro

Deletes itself

Indicator Removal: File Deletion

Process spawned unexpected child process

Suspicious Office macro

Deletes itself

Indicator Removal: File Deletion

Process spawned unexpected child process

Deletes itself

Indicator Removal: File Deletion

Process spawned unexpected child process

Suspicious Office macro

Deletes itself

Indicator Removal: File Deletion

Process spawned unexpected child process

Suspicious Office macro

Deletes itself

Indicator Removal: File Deletion

Process spawned unexpected child process

Suspicious Office macro

Deletes itself

Indicator Removal: File Deletion

Process spawned unexpected child process

Deletes itself

Indicator Removal: File Deletion

Process spawned suspicious child process

Process spawned unexpected child process

Suspicious Office macro

Deletes itself

Indicator Removal: File Deletion

Process spawned unexpected child process

Suspicious Office macro

Deletes itself

Indicator Removal: File Deletion

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6

behavioral7

behavioral8

behavioral9

behavioral10

behavioral11

behavioral12

behavioral13

behavioral14

behavioral15

behavioral16

behavioral17

behavioral18

behavioral19

behavioral20

behavioral21

behavioral22

behavioral23

behavioral24

behavioral25

behavioral26