General

  • Target

    JaffaCakes118_8e6afc830e8e2f8e4bafe47772f9f601

  • Size

    2.5MB

  • Sample

    250323-nzvt6syyew

  • MD5

    8e6afc830e8e2f8e4bafe47772f9f601

  • SHA1

    a9e1e60e12dcca78ebbfb353b199d30d5871e8b3

  • SHA256

    5b838d9c51ae74156d6b890e1428d448cf4fedb90f156c9210908f899ce20d61

  • SHA512

    630a2d96b56689c83f1293bd590b72a1a72f34a024b254d2376fc3f60be4cb3febe0506c4ea06ff40777bfad21d1c0994e9e06d0323a4aee155c71b200c708ae

  • SSDEEP

    49152:OIsfezAtLf9APgLZyQOgbuk2ZShcbAi6qD56YeIrI6YzC40p+aASldkHG9xHYmKx:vEektDeBQ0ZSyAu6fEG0p+aA7sxyhdJr

Malware Config

Targets

    • Target

      南沙万顷沙镇水窦工程量清单/南沙万顷沙镇水窦/10#水窦/表3—1 封面.xls

    • Size

      16KB

    • MD5

      fa42f9991bc61cba919a49ce64ffccb0

    • SHA1

      174f51a556f225897368f825d1a57d254e1cab8a

    • SHA256

      6ed11f6cf7114f29ba3fe4bdc02607cf893654fdf3aa8beffdf4380567729031

    • SHA512

      ca7c7dcde534465a043077782d97d8c37468cbf158b6ce04b00fb89009ed8870695420a08f382d272c852dfa429c7ce74d3f3d6372f80358c0c139e5da1c8f48

    • SSDEEP

      96:KYhZ2G2pBOVR2lNIUmdjqYwIZRR6jycvyxKzQcboHeZl9egqT:KYhZ2G2pBWR2THhj/vyygxg4

    Score
    3/10
    • Target

      南沙万顷沙镇水窦工程量清单/南沙万顷沙镇水窦/10#水窦/表3—10 主要材料设备价格表.xls

    • Size

      79KB

    • MD5

      b91e3296b0adc26b052fedba3ef1e894

    • SHA1

      217704bc48d518bf75fd9630a28435705a5b7023

    • SHA256

      2757db58c63e0eb7c609cdaa4339194c604c9b9cb1884f39878874ebd8c38d87

    • SHA512

      e08b52bc3d349d1d3bd2b07eebe8ad1c9beefc0db57818de203d37659d41880f8adb825dbe57be992ff3a7f9a267f4a0490f12a9ba432c34b6d2881b6f1ee854

    • SSDEEP

      1536:ptq7CX+7uNKx2jcc0lbxOqTgZIIhY7nJdJoOd7cJtXwmF3:Q2jcc0lbxOK82AJtXwS3

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Suspicious Office macro

      Office document equipped with 4.0 macros.

    • Deletes itself

    • Indicator Removal: File Deletion

      Adversaries may delete files left behind by the actions of their intrusion activity.

    • Target

      南沙万顷沙镇水窦工程量清单/南沙万顷沙镇水窦/10#水窦/表3—5 单位工程招标控制价汇总表.xls

    • Size

      85KB

    • MD5

      70314a065296a82e233001ada0ab559f

    • SHA1

      7fe7c0500580062b0ccbb6774ceebce1ad088d67

    • SHA256

      a06acb8782ea7129e3ecf74c3dc982c73c4e041e51a702dec4c7ceeb8b728e66

    • SHA512

      abd1efbc567d66d92129e618bb767d52ceda59ba2542ba6ad4eb7ccff62f847177ac732a62134b8cfced80d5a5def66aac358fb4534558fa985d044b877d32bc

    • SSDEEP

      1536:cpMWVqWVbrzQ7ITkVFtI9NA23NP2iY7nJdJoOd7cJwXw62te:lWVbrzQ7ITkju1t2rAJwXwnte

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Suspicious Office macro

      Office document equipped with 4.0 macros.

    • Deletes itself

    • Indicator Removal: File Deletion

      Adversaries may delete files left behind by the actions of their intrusion activity.

    • Target

      南沙万顷沙镇水窦工程量清单/南沙万顷沙镇水窦/10#水窦/表3—6 分部分项工程计价表.xls

    • Size

      81KB

    • MD5

      1f5149706e222ccf2931e1e318b5a85c

    • SHA1

      c4976b72b423112a50548d679e206e16ca73dd80

    • SHA256

      c2c1f3de7093e47a560941f6f0eb09d38dce8cb1adc89bc20e67b72c13e07de3

    • SHA512

      a8dff0d2e8e7272e2c5af8dffe1138c8053f990d38d60ea436424d778ee18a8d9b04bfd4bb5867dcd92d6e960610cec6b3f316f75bc3c95556370f18ce0dbdd9

    • SSDEEP

      1536:xhx7NhKz2jcc0lbxOqTgZuIhY7nJdJoOd7cJtXw24j:02jcc0lbxOK22AJtXwrj

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Suspicious Office macro

      Office document equipped with 4.0 macros.

    • Deletes itself

    • Indicator Removal: File Deletion

      Adversaries may delete files left behind by the actions of their intrusion activity.

    • Target

      南沙万顷沙镇水窦工程量清单/南沙万顷沙镇水窦/10#水窦/表3—8 综合单价分析表(二).xls

    • Size

      206KB

    • MD5

      a7de08c94a2174316f72af1b0f1308f8

    • SHA1

      8fe789d857770aae1d7d377ac4f67f561a7204b0

    • SHA256

      5c9bc57dd7173b2e99c341ad0f315e0cc43b552835709533668cf74337122264

    • SHA512

      1b5dedf269120f33e78c94d7a80ebf57e783b067f957717c5668994f8a3ea1e0adbe8848690bd0dffa0aaa7e3810c9ef1b0903e5d05159847ff59e6f2fe1c9a6

    • SSDEEP

      3072:uadSAvhOH0tJQyvp2xahBRbhaoJMCtBwwuzhR/z2jcc0lbxOK22AJtXwQ26:u0Msn9AmM2wwuzhpp2Z

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Suspicious Office macro

      Office document equipped with 4.0 macros.

    • Deletes itself

    • Indicator Removal: File Deletion

      Adversaries may delete files left behind by the actions of their intrusion activity.

    • Target

      南沙万顷沙镇水窦工程量清单/南沙万顷沙镇水窦/11#水窦/表3—1 封面.xls

    • Size

      16KB

    • MD5

      107fcba4b4e0dd50a24aeeb3c9fec45a

    • SHA1

      241e10332826e56812d83b33eef4f2a32e792d4a

    • SHA256

      bd68adb6a55d24c3630c15aa52a017fc582ef5d809dbf2134d341e7d2ed10814

    • SHA512

      8efd5d2d188006d9870b5d3638a590b18b1d613e1aeaa2d17745d1268ea525025f32298ab863aeea31f4b571ebf0d44270a3e54f6cbf0ba3a540d17c8f19cc28

    • SSDEEP

      96:KYhZ2G2pBOVR2lNIUmdjqYwIZRiQ6RycvyxKz/cb2BaZHeZlQegRT:KYhZ2G2pBWR2THLR/vyy6egJ

    Score
    3/10
    • Target

      南沙万顷沙镇水窦工程量清单/南沙万顷沙镇水窦/11#水窦/表3—10 主要材料设备价格表.xls

    • Size

      79KB

    • MD5

      015ae90f54a4befe2e78f03a371fba88

    • SHA1

      ae7ff662e973fd8717eaffd7a6a3843bf32bc820

    • SHA256

      600f1d516634f1d82ebceea80d8284d3047a02135bea61d2759eabecba432a7d

    • SHA512

      180551c51e32b53945e0846eed7e89c82a8f6a9fb39689515aa4bfca062891b33dad9dde98d0a2135f9e68620210d1f77be19a191f23fab91745e93d778268b5

    • SSDEEP

      1536:yg9bKTI3W4vXKV2jcc0lbxOqTgZuIhY7nJdJoOd7cJtXwu/U:ycC2jcc0lbxOK22AJtXwQU

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Suspicious Office macro

      Office document equipped with 4.0 macros.

    • Deletes itself

    • Indicator Removal: File Deletion

      Adversaries may delete files left behind by the actions of their intrusion activity.

    • Target

      南沙万顷沙镇水窦工程量清单/南沙万顷沙镇水窦/11#水窦/表3—5 单位工程招标控制价汇总表.xls

    • Size

      85KB

    • MD5

      4e9531c06788a10608ca1453940bb580

    • SHA1

      8a4af8a14a65d724f21e19ea3bebaa0b64659002

    • SHA256

      5427b4f6cced31188039f01a7e12ae4fc48ef7b26bc72bb587f0a749418125fb

    • SHA512

      cbd3b20ecdc4e598e9d6ad3e5716014f45e95c0e67e1f94cd5d3b90f0e9f295263cfe559287b17be164e28aca35dabdb336c55c916024d5fff72ae0302f63928

    • SSDEEP

      1536:BBpDFqWVbrzQ7ITkbMtIh3IA23KkvY7nJdJoOd7cJwXwq0h:eWVbrzQ7ITk4uQnUAJwXw3h

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Deletes itself

    • Indicator Removal: File Deletion

      Adversaries may delete files left behind by the actions of their intrusion activity.

    • Target

      南沙万顷沙镇水窦工程量清单/南沙万顷沙镇水窦/11#水窦/表3—6 分部分项工程计价表.xls

    • Size

      81KB

    • MD5

      ef6c10fbe4aa129c5367ab7d7934dee3

    • SHA1

      e89357c4c57eeb99735531ee77d7d738f0de3e00

    • SHA256

      4023ff7e11e473df94f16e6aa46ed18a1a81f66046f317af9e7f79dccbf960c7

    • SHA512

      924b923c86806fdc1b1044e954973ce2df0226eb4c39796f92894f4b9f57241d72f8dd01f240e6f9411b273de8b2e88e6861d61485c4884bf307f70f89e6df13

    • SSDEEP

      1536:BRIKgHKB2jcc0lbxOqTgZuIhY7nJdJoOd7cJtXwZUv:l2jcc0lbxOK22AJtXwev

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Suspicious Office macro

      Office document equipped with 4.0 macros.

    • Deletes itself

    • Indicator Removal: File Deletion

      Adversaries may delete files left behind by the actions of their intrusion activity.

    • Target

      南沙万顷沙镇水窦工程量清单/南沙万顷沙镇水窦/11#水窦/表3—8 综合单价分析表(二).xls

    • Size

      204KB

    • MD5

      7f470e80fed9a8df2abb69f16b0f7edf

    • SHA1

      caced60386bd385955ade0212074f42ec17c2f3a

    • SHA256

      0111532438420dc255666edd0d5b77094387acdc59e0430a7f7963b37865e2c5

    • SHA512

      9891c07e6d09acddc2ffbcc9742d3ee0c4d15f4cdb8c37c8afe6be3a4bfa228554c3862c953d6d8bf9a040185369e4fab23e99fb97f3864246cdc077a7af5498

    • SSDEEP

      3072:VSAvhOH0tJEvThBahBRbO+xGJMNdr7TzzhR/s2jcc0lbxOK22AJtXw6o:VScn93SM/7Tzzhp22

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Suspicious Office macro

      Office document equipped with 4.0 macros.

    • Deletes itself

    • Indicator Removal: File Deletion

      Adversaries may delete files left behind by the actions of their intrusion activity.

    • Target

      南沙万顷沙镇水窦工程量清单/南沙万顷沙镇水窦/12#水窦/表3—1 封面.xls

    • Size

      16KB

    • MD5

      4edbd69a423eb4ab2d9443369b06dc16

    • SHA1

      e834eec7174348bc68bdb6080130e69d698d38da

    • SHA256

      aa7c652f6c50e719c2c53b0a0b587f7048683ba1b9c5f95ad0e9d143e38dc80f

    • SHA512

      07accd9453c056c647b10d6f25f07f6b99019cd5786f1f152a8c08a9d16f9c86605fdaab4cc7a5e5332b18d5c5472917ce063447d7ea4afbc018b47bf3fa62b3

    • SSDEEP

      96:KYhZ2G2pBOVR2lNIUmdjqYU3IZRR6UcvyxKz1cb2B+hHeZl5egUT:KYhZ2G2pBWR2TH9Vvyyih1g+

    Score
    3/10
    • Target

      南沙万顷沙镇水窦工程量清单/南沙万顷沙镇水窦/12#水窦/表3—10 主要材料设备价格表.xls

    • Size

      79KB

    • MD5

      03779034f32ca9be8705830f1f18bf86

    • SHA1

      7546306708c1e7019209efcbfa2c3604b244999c

    • SHA256

      cce58918f4aea81c43b6ef48dc5a124cd0666ddf5990477c307be0acfdabfd75

    • SHA512

      2575aedbac84c1297efe657c7a5829d529011562a4a97abfee4a544bdec490ec82d66d913f0b2e6c71aa8127c004ac90a065a1604b11a08149b6b156fcb94d01

    • SSDEEP

      1536:+9bKTZU4T/Kr2jcc0lbxOqTgZuIhY7nJdJoOd7cJtXwg7p:i2jcc0lbxOK22AJtXwSp

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Suspicious Office macro

      Office document equipped with 4.0 macros.

    • Deletes itself

    • Indicator Removal: File Deletion

      Adversaries may delete files left behind by the actions of their intrusion activity.

    • Target

      南沙万顷沙镇水窦工程量清单/南沙万顷沙镇水窦/12#水窦/表3—5 单位工程招标控制价汇总表.xls

    • Size

      78KB

    • MD5

      f23cb9cb79c7621d7879d5b7eb30cb06

    • SHA1

      cc56d48fbe3a8ce2e809008543d2fea7cc93e44d

    • SHA256

      2d0da9853e98047377326446827da4f9e6ec732f757be7c42eb13d95195814f7

    • SHA512

      c14be9fe72bdbd5f8310531bfcaefa74f3d59732ce45a65c9410d8c5b66f9c1ccfe154810a3ae161588f378e23b75636d005312f61d49a8399d744efd768f792

    • SSDEEP

      1536:wRAysHgO2jcc0lbxOqTgZ7IhY7nJdJoOd7cJtXwH3SU:eO2jcc0lbxOK92AJtXwXSU

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Deletes itself

    • Indicator Removal: File Deletion

      Adversaries may delete files left behind by the actions of their intrusion activity.

    • Process spawned suspicious child process

      This child process is typically not spawned unless (for example) the parent process crashes. This typically indicates the parent process was unsuccessfully compromised.

    • Target

      南沙万顷沙镇水窦工程量清单/南沙万顷沙镇水窦/12#水窦/表3—6 分部分项工程计价表.xls

    • Size

      81KB

    • MD5

      0d291537914a40e012a0b0abb663ab58

    • SHA1

      c30a93854a2e2bd3689f72bc2c542ea7dbdf508d

    • SHA256

      8269b93e37f797cdb84efdc5b339ad9dde07cb7c7067bd2e0467be4ba6a998be

    • SHA512

      b0abcfe6777eba5d65900cf1ebef4921067506573ab0a723cda75720af661713fb5a08ed0807677fe280b715ad8c12e308706e8b521ed38f4a6e4f9e4da9a467

    • SSDEEP

      1536:nxQCOzMK42jcc0lbxOqTgZfIhY7nJdJoOd7cJtXwLmx:T2jcc0lbxOKp2AJtXwSx

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Suspicious Office macro

      Office document equipped with 4.0 macros.

    • Deletes itself

    • Indicator Removal: File Deletion

      Adversaries may delete files left behind by the actions of their intrusion activity.

    • Target

      南沙万顷沙镇水窦工程量清单/南沙万顷沙镇水窦/12#水窦/表3—8 综合单价分析表(二).xls

    • Size

      204KB

    • MD5

      a09207992bf95b6f16040bdf04cfc1f4

    • SHA1

      494c04f103db5da227a76cbcedf7c1dc8a77877e

    • SHA256

      55b4dadfc53e3677fdfec468e8e66a016023705570f74f510e855cfeb4e7c8f6

    • SHA512

      c3de73d88b51f7f3bbf4c7ada5a680d3e399a2c73d3f227f4cc32ca9a22671530aaaa2b3ffe11c66f0f546e4a03f7bf42195cfa8dd9d405b888fcadb03e536e1

    • SSDEEP

      3072:3wNfSAmhOH0tGQyvUVxahBRbsl1MMXGFfwEzhR/m2jcc0lbxOK82AJtXwee:Ufksn97MwfwEzhpC2

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Suspicious Office macro

      Office document equipped with 4.0 macros.

    • Deletes itself

    • Indicator Removal: File Deletion

      Adversaries may delete files left behind by the actions of their intrusion activity.

    • Target

      南沙万顷沙镇水窦工程量清单/南沙万顷沙镇水窦/13#水窦/表3—1 封面.xls

    • Size

      16KB

    • MD5

      b8e0608b433b903fa8b477d54224229c

    • SHA1

      8e606cea7f9f820a661340fbe4d145abaf0fccf8

    • SHA256

      ced7f8d7c3bc563e0cc436386301359d6701ef152e46544dad23b1d6743d307f

    • SHA512

      4eae2cc2a1ccda10d7e03644e6002349731001ad1c07940a7c2ec7472617e666d6a699fca6a5588e4f40292880ddaa3700383fc0b52283c680a96d97f65818cb

    • SSDEEP

      96:KYhZ2G2pBOVR2lNIUmdjqYSIZRR6ocvyxKzAcb6RdHeZf0egoT:KYhZ2G2pBWR2THDRvyyWEga

    Score
    3/10

MITRE ATT&CK Enterprise v15

Tasks

static1

macro xlm
Score
8/10

behavioral1

discovery
Score
3/10

behavioral2

Score
1/10

behavioral3

defense_evasion discovery
Score
10/10

behavioral4

defense_evasion macro xlm
Score
10/10

behavioral5

defense_evasion discovery
Score
10/10

behavioral6

defense_evasion macro xlm
Score
8/10

behavioral7

defense_evasion discovery
Score
10/10

behavioral8

defense_evasion macro xlm
Score
10/10

behavioral9

defense_evasion discovery
Score
10/10

behavioral10

defense_evasion macro xlm
Score
10/10

behavioral11

discovery
Score
3/10

behavioral12

Score
1/10

behavioral13

defense_evasion discovery
Score
10/10

behavioral14

defense_evasion macro xlm
Score
8/10

behavioral15

defense_evasion discovery
Score
10/10

behavioral16

Score
1/10

behavioral17

defense_evasion discovery
Score
10/10

behavioral18

defense_evasion macro xlm
Score
10/10

behavioral19

defense_evasion discovery
Score
10/10

behavioral20

defense_evasion macro xlm
Score
10/10

behavioral21

discovery
Score
3/10

behavioral22

Score
1/10

behavioral23

defense_evasion discovery
Score
10/10

behavioral24

defense_evasion macro xlm
Score
10/10

behavioral25

defense_evasion discovery
Score
10/10

behavioral26

Score
6/10

behavioral27

defense_evasion discovery
Score
10/10

behavioral28

defense_evasion macro xlm
Score
10/10

behavioral29

defense_evasion discovery
Score
10/10

behavioral30

defense_evasion macro xlm
Score
8/10

behavioral31

discovery
Score
3/10

behavioral32

Score
1/10