220e19519e204c15d2ac8b39155e37d6775d73c131e3f339942b68d4547239d5

Analysis

max time kernel
106s
max time network
141s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
29/03/2025, 17:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_8d938b2f2ba46ed3d82f5cbc52da35be.xls
Size

44KB
MD5

8d938b2f2ba46ed3d82f5cbc52da35be
SHA1

e7ad11bfa000f82f818a536d5dfacc66c7146257
SHA256

220e19519e204c15d2ac8b39155e37d6775d73c131e3f339942b68d4547239d5
SHA512

a0af76076a7ce006f4632751b69efa3224597be803362dafbc6dea89cae848744a0ca7b1b8c3671429e81aa4cd0345b8ea1681493f5967f203c4d87bd5281d9c
SSDEEP

768:DTBI18WsJZayox5tWTDGCEJb0tx+MZl1AVS:DVy8WsJgyLCYlsS

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 12 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	POWERPNT.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	POWERPNT.EXE

Enumerates system info in registry 2 TTPs 12 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	POWERPNT.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
3884	EXCEL.EXE
4692	WINWORD.EXE

Suspicious use of SetWindowsHookEx 21 IoCs

pid	Process
3884	EXCEL.EXE
3884	EXCEL.EXE
3884	EXCEL.EXE
3884	EXCEL.EXE
3884	EXCEL.EXE
3884	EXCEL.EXE
3884	EXCEL.EXE
3884	EXCEL.EXE
3884	EXCEL.EXE
3884	EXCEL.EXE
3884	EXCEL.EXE
3884	EXCEL.EXE
4692	WINWORD.EXE
4692	WINWORD.EXE
4692	WINWORD.EXE
2876	POWERPNT.EXE
4352	EXCEL.EXE
4352	EXCEL.EXE
4352	EXCEL.EXE
4352	EXCEL.EXE
4352	EXCEL.EXE

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8d938b2f2ba46ed3d82f5cbc52da35be.xls"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:3884

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /Automation -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:4692

C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE
"C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" /AUTOMATION -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of SetWindowsHookEx
PID:2876

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of SetWindowsHookEx
PID:4352

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_363582827213C09529A76F35FB615187

Filesize
471B

MD5
d0af564b3b8c07150bcce7bc27706df4

SHA1
0b4bf37d61991bd3b8b492e78948f4524171c18c

SHA256
4b6471ff31994a9e95812118d6ad76d76cf524a0050f8e98f03cbcbc0ddf6145

SHA512
20b368814ea41a45484f7d5c46a31c15ec48be9c27b201aac286b9f161ded3480d04da1d0508a52398c9a5d067660abf8245d72110a6ec43af116d3a199ccbb0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_363582827213C09529A76F35FB615187

Filesize
412B

MD5
24db6279b1dea48e7f76ee167c41055c

SHA1
37dcc3b90a76fa8f3a16c8adf446794fbd6340c0

SHA256
28c8ce857a74edfeccc6f4bb56d722584a03a0c3b8c9973663069b747f18986c

SHA512
6573205e31d3169f6e03a84cb8ab06b4174c9dcbe527d82101a005aeb16f7cad9c629ba3176b1dc3015a8de4cb594240a3086c8c70dfc53268382a455da87689

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\DAC258E2-3920-47BE-A726-A97825762044

Filesize
178KB

MD5
ca8586d3c05325a2849bd59af1a186ce

SHA1
d1e0572acccac58cf092e6d14fce757bf3b24bde

SHA256
4c73c2626c47f4762bfeff27abb84f8889ad9040cba57ad2a337f88d7a026d45

SHA512
a8341366bb1e3395e285a012266b53d9cfb9ba46a8991f475b35506bf640f1a2508f72253778539ed59bb589a887b2fb620717481a3edbd8c7d92be79d8911be

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml

Filesize
323KB

MD5
f0ae0f46e9371cd56176a95907282623

SHA1
3ff54df89976ec740650c0a929787645baaa9b0f

SHA256
4eff24f92c01822032916c8db336480771e0082632066bc3113c55b0f7f79b9c

SHA512
0f04eef9450d7c5e8142949b6b8fbe57181e2f7f84e5ccc48b8d371569b90a030f2db25c2bc7803f09cf8ae98aa0f01a19e634fb0a87bc47d8b6a16cd400c9c1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\powerpnt.exe_Rules.xml

Filesize
372KB

MD5
360b737e372be6a79e6256946203bb42

SHA1
e8d393c9a6020e02909cf36877b97b4fd4252211

SHA256
7dbc4ec6bb3680ecc7765928aef275a1badf1920fa1b5abcd375b6d60cb19874

SHA512
c211c99aacac2967853c1b514489e8fb21e2acdee80cdfe0d7f49b3478a1cf98e7f4828feee21a3bec4aafc3b445bd9b5a1b7d2eaf71344f2f1d90224e00c0eb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\DLP\mip\logs\mip_sdk.miplog

Filesize
10KB

MD5
1c390f18e0bf26885e0ebb5165ae98e6

SHA1
a762f4df38970b24265c1904425bba51929185e6

SHA256
8120d519df75bf4f67fad8fadd4419bc484b5ce420d4dd3f7ff5182684e45f80

SHA512
381f73eaf96d05536af5a234b0066dc21166158ee36c1077294a55263cfb5cc6033c9bc74d821940cd141c2f20ededd71800d9e3e7d76693a57393677f074c4d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\excel.exe.db-wal

Filesize
12KB

MD5
1470de433abf5e334bc26470de8c2a46

SHA1
6eafb42f3b857e5ae41cfb54100dbea19a67d802

SHA256
6ceea400e5b0234cd53da7bfcae996a546a91e441a4df64a74a2580ea67de1dd

SHA512
9f03eb9a6a1a2ee770e40c08ede2edba02426ca95ab9fa4331fe41fdad74f4d00d89035104189f5d4a2b3cc3a5a10444a12d51c4a60ebfa0b3c2b6a2f6efc6bd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres

Filesize
2KB

MD5
7cdfcbbbd6db499a040fcb4cea61be11

SHA1
8504addabb2769566b80b69470c09c6863ef5904

SHA256
a186d60c3264ba1a5219860c65a532ca115624b23abb8b748f06db23b5d6a4d5

SHA512
f507a02a208ab23848847989fe6b895ca64836faabd9e0d56dd5f83f60216176d1120d4f49bcdc93cd53040c62e8a52718386f3109f2e791752323a3bab87083

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\49dbe2955480c7f6ef8cec9c4320c9868d9293fd.tbres

Filesize
2KB

MD5
c76756d080929e96f7f3ccbda1b3e4be

SHA1
18f7012e71f2127f9bdb77373c4ef40f4bbae435

SHA256
cdcb7c2ebd09700987a00e831af1fd7df57a36ab68bad7bd4ebd3abb8e7e9398

SHA512
358615b1b59d25df267652fed790e0102d46d9ada5e65bea681ef550dbb63afd95b9d49b09862f75bbda9222d8c0562dcc80ee37aceeffccf14e674875e18ad9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

Filesize
438B

MD5
ea3eb315e0473ef570921d62755cb385

SHA1
027e8f1108150ab4cd8cd922abec528ec0c525e0

SHA256
4a00007afe74b621e6eac149a6388b32b510287350e4477af7a6e68ef9e38f5b

SHA512
29fdcbb6d38857222f0b244644393603a6ae3b475ecd221c0c63ce6ba6241d2b78e4abc1d3e7ffe781fa059df997349e82cb3e00f2d9632911bae28cd517d558

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms

Filesize
1KB

MD5
f74972b5b678c34c74384efbc79e3dab

SHA1
98b7e88b184d00a107b8179d097bb5dcbbf4b169

SHA256
162ffceed9e0cba00edb2b26c28b995a58cc6e3cc8500c3c1229768d6b83dad8

SHA512
e49036b56d7aead3aee1796ebf27ab311e53c19a8218f78c748680b58b503fa4ac26ba0639e3b2787a25eb33811089a675092cc6dd2b65877fa5355290d13409

Download Submit
memory/3884-12-0x00007FFBB7730000-0x00007FFBB7925000-memory.dmp

Filesize
2.0MB

Download
memory/3884-58-0x00007FFBB7730000-0x00007FFBB7925000-memory.dmp

Filesize
2.0MB

Download
memory/3884-13-0x00007FFBB7730000-0x00007FFBB7925000-memory.dmp

Filesize
2.0MB

Download
memory/3884-14-0x00007FFB74FB0000-0x00007FFB74FC0000-memory.dmp

Filesize
64KB

Download
memory/3884-15-0x00007FFB74FB0000-0x00007FFB74FC0000-memory.dmp

Filesize
64KB

Download
memory/3884-16-0x00007FFBB7730000-0x00007FFBB7925000-memory.dmp

Filesize
2.0MB

Download
memory/3884-19-0x00007FFBB7730000-0x00007FFBB7925000-memory.dmp

Filesize
2.0MB

Download
memory/3884-18-0x00007FFBB7730000-0x00007FFBB7925000-memory.dmp

Filesize
2.0MB

Download
memory/3884-17-0x00007FFBB7730000-0x00007FFBB7925000-memory.dmp

Filesize
2.0MB

Download
memory/3884-31-0x00007FFBB7730000-0x00007FFBB7925000-memory.dmp

Filesize
2.0MB

Download
memory/3884-32-0x00007FFBB77CD000-0x00007FFBB77CE000-memory.dmp

Filesize
4KB

Download
memory/3884-33-0x00007FFBB7730000-0x00007FFBB7925000-memory.dmp

Filesize
2.0MB

Download
memory/3884-0-0x00007FFB777B0000-0x00007FFB777C0000-memory.dmp

Filesize
64KB

Download
memory/3884-39-0x00007FFBB7730000-0x00007FFBB7925000-memory.dmp

Filesize
2.0MB

Download
memory/3884-64-0x00007FFBB7730000-0x00007FFBB7925000-memory.dmp

Filesize
2.0MB

Download
memory/3884-5-0x00007FFBB7730000-0x00007FFBB7925000-memory.dmp

Filesize
2.0MB

Download
memory/3884-186-0x00007FFBB7730000-0x00007FFBB7925000-memory.dmp

Filesize
2.0MB

Download
memory/3884-11-0x00007FFBB7730000-0x00007FFBB7925000-memory.dmp

Filesize
2.0MB

Download
memory/3884-8-0x00007FFBB7730000-0x00007FFBB7925000-memory.dmp

Filesize
2.0MB

Download
memory/3884-65-0x00007FFBB7730000-0x00007FFBB7925000-memory.dmp

Filesize
2.0MB

Download
memory/3884-9-0x00007FFBB7730000-0x00007FFBB7925000-memory.dmp

Filesize
2.0MB

Download
memory/3884-10-0x00007FFBB7730000-0x00007FFBB7925000-memory.dmp

Filesize
2.0MB

Download
memory/3884-7-0x00007FFB777B0000-0x00007FFB777C0000-memory.dmp

Filesize
64KB

Download
memory/3884-4-0x00007FFB777B0000-0x00007FFB777C0000-memory.dmp

Filesize
64KB

Download
memory/3884-177-0x00007FFBB7730000-0x00007FFBB7925000-memory.dmp

Filesize
2.0MB

Download
memory/3884-3-0x00007FFB777B0000-0x00007FFB777C0000-memory.dmp

Filesize
64KB

Download
memory/3884-2-0x00007FFB777B0000-0x00007FFB777C0000-memory.dmp

Filesize
64KB

Download
memory/3884-1-0x00007FFBB77CD000-0x00007FFBB77CE000-memory.dmp

Filesize
4KB

Download
memory/3884-6-0x00007FFBB7730000-0x00007FFBB7925000-memory.dmp

Filesize
2.0MB

Download
memory/4692-70-0x00007FFBB7730000-0x00007FFBB7925000-memory.dmp

Filesize
2.0MB

Download
memory/4692-121-0x00007FFB777B0000-0x00007FFB777C0000-memory.dmp

Filesize
64KB

Download
memory/4692-122-0x00007FFB777B0000-0x00007FFB777C0000-memory.dmp

Filesize
64KB

Download
memory/4692-123-0x00007FFB777B0000-0x00007FFB777C0000-memory.dmp

Filesize
64KB

Download
memory/4692-124-0x00007FFB777B0000-0x00007FFB777C0000-memory.dmp

Filesize
64KB

Download
memory/4692-125-0x00007FFBB7730000-0x00007FFBB7925000-memory.dmp

Filesize
2.0MB

Download
memory/4692-72-0x00007FFBB7730000-0x00007FFBB7925000-memory.dmp

Filesize
2.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads