397eaa900042c495467a7529b520ed6b9c32c5400646434cc7feb5101d13040a

Analysis

max time kernel
108s
max time network
138s
platform
windows10-2004_x64
resource
win10v2004-20250313-en
resource tags

arch:x64arch:x86image:win10v2004-20250313-enlocale:en-usos:windows10-2004-x64system
submitted
29/03/2025, 19:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_948b63bc6c5d9057e9cc9be87a6e8856.xls
Size

48KB
MD5

948b63bc6c5d9057e9cc9be87a6e8856
SHA1

506cd9b92131f183c447d6484918fb6cf83ec52c
SHA256

397eaa900042c495467a7529b520ed6b9c32c5400646434cc7feb5101d13040a
SHA512

bf5136137832034d758aa1074b6525645c77a0b7a06429c4d82648bc5824f847f72fffb9fd350ae7083d86d02303dd08fa1b09364d28e80e4f927b18a61c5102
SSDEEP

768:znne1BohnwHOjkc/62Bv8Ws5pucykKCEJb0y9x+MZyD0As8VqN:zeBopW0kcl8Ws5pZykLYyD0aq

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 12 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	POWERPNT.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Enumerates system info in registry 2 TTPs 12 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	POWERPNT.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	POWERPNT.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
4748	EXCEL.EXE
5868	WINWORD.EXE

Suspicious use of SetWindowsHookEx 27 IoCs

pid	Process
4748	EXCEL.EXE
4748	EXCEL.EXE
4748	EXCEL.EXE
4748	EXCEL.EXE
4748	EXCEL.EXE
4748	EXCEL.EXE
4748	EXCEL.EXE
4748	EXCEL.EXE
4748	EXCEL.EXE
4748	EXCEL.EXE
4748	EXCEL.EXE
4748	EXCEL.EXE
5868	WINWORD.EXE
5868	WINWORD.EXE
5868	WINWORD.EXE
5868	WINWORD.EXE
5868	WINWORD.EXE
5868	WINWORD.EXE
5868	WINWORD.EXE
5868	WINWORD.EXE
5868	WINWORD.EXE
808	POWERPNT.EXE
4772	EXCEL.EXE
4772	EXCEL.EXE
4772	EXCEL.EXE
4772	EXCEL.EXE
4772	EXCEL.EXE

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_948b63bc6c5d9057e9cc9be87a6e8856.xls"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:4748

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /Automation -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:5868

C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE
"C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" /AUTOMATION -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of SetWindowsHookEx
PID:808

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of SetWindowsHookEx
PID:4772

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9

Filesize
471B

MD5
5e9c6d7d1be68fe5c5ea1290ac28ff26

SHA1
66c9956d270adf74fbce28348a3143e543c5150c

SHA256
64c55f5ed65202954c5c4fe9bf1b5454a8f66971f48a867c24126a77ee010648

SHA512
59785ded1854ce5d71327f837a8c6cbd04f06cfad6ef9b98d768aebdfad72948fd2e95e19e531b7988f266dec904c3f53732f9f9e9ed9c45d66d16b496290745

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9

Filesize
420B

MD5
b6b2ea71a4506af8c6efac1e9d6e8a40

SHA1
367259c479910deb195ae8653dba30b7605f61a3

SHA256
20f0469d5aa60bdf2c6571950637cd5f0d2aba66171a0458226d16d6f9edb256

SHA512
ed4bc482d9aea0a6e28e0d82c32df7470339a33c7fb86a4660514d4919bb6f0c9487f923786c4e26a153a62ee61be8d089abd118ef8a6272dba62f0f7d1a26e8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\D609C36C-04EC-4957-AB49-63B99EF186D3

Filesize
178KB

MD5
651a30aabbcf058adfeaea37fb9c1b8e

SHA1
4888bd676a8fd60172f5e2c37db86906b0256c14

SHA256
460b178a344aee4ad6bec22df7c5d199429b32acdbac71ce3a6a2f1cc1964a64

SHA512
6876d4391971c76d273bbc0835db20653475b344be5e7adbff495b8a02e3feb16a68cc1597fc6c3ef9fca324cc10101cbf3f3623ca4a9c10067c601f87515e64

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml

Filesize
322KB

MD5
a84528752536bb705e7e32870f4cbddc

SHA1
5186a675497e9db51e4657cbf1f7babeb6d00e3a

SHA256
3af38373c95f1a17fa2cfc9f661de4cff4f6ef10e2c328794ce8c6de00487766

SHA512
8f7f837dba9e926d1c8605be6efeb34855cb1a9e018cf49d2bb93de328cc4e484b7374dfc3e2a1120800513ef154312c97bf24339a2422934e50c2eed3987ae8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\powerpnt.exe_Rules.xml

Filesize
373KB

MD5
166bf113e99d91f130b4c44ecab3ad9c

SHA1
321dc36ddc79ca41c68c8b6570b7f4a3e5cc13bf

SHA256
16ae1581980be88fb412851a8c0ea2a2ab2002852c65c9e845d0fca7183239b3

SHA512
36c58c33202ad22e5668997261f7ce7fe8068593499ebfc8d4296288ab649ad7a6052a94c546577f57c7c08cf243aeecbf430a5b7b19efbd2ae38ec24ad39890

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\DLP\mip\logs\mip_sdk.miplog

Filesize
7KB

MD5
88c688988dd8e0b513fba55ba60b023d

SHA1
cb856d5bbce8bcba5426ee7f2402f58f71a62693

SHA256
f3ccc155682037f28f0a9abffa32afcc92becdff77e257d1fa71f9a1f6edf77c

SHA512
693194e010c2c8e4244ee14cf2dbf1e33d349bbbb9dc879ed4e00a42bd81f5fce405ffa4808daa57784da882333cc4b54197c17e6d94a41d82e7f6b048beea03

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\excel.exe.db-wal

Filesize
12KB

MD5
575be6ce1833de83629083f8e7af5251

SHA1
3d0b83bf1d4353607f6f03eb2203088d62d2d0ca

SHA256
6a08c43a0c316aa9d8ac0410fd309ed4899277dffa1c6b959688089d32118984

SHA512
58c1c38d29a80825404cf6e8acd8f3100ad7a7b327f96f29cb38797afd1c617d45a4b5c08c9ab6251141980f7eced7eb5bbb0fed4795b578be54abb8b7d17415

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres

Filesize
2KB

MD5
b41d2aeca878e87fbdbd8e710e277f45

SHA1
fcaf568bef6952d2e6af976ee146ec8192451864

SHA256
eadf8b90de54c6f6cf8eb9cf611a2fcac113135dba29469c328fe2c51dd07f29

SHA512
824f27fe452ac7c2d628b047ba6ec3802d389204144fd4ead8ad94a4955b33ea3cd1938447af3e65a09a7e91e8abae3f3094f7721db76a29c0e8f31d3f957efa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\49dbe2955480c7f6ef8cec9c4320c9868d9293fd.tbres

Filesize
2KB

MD5
b033f8d66bdf1c7811bc0dd25d414078

SHA1
b5d2a705b92ffb7fd0b8b3a9abdd2e415e8d3b60

SHA256
5da5782ca7ad055cfa36fa35235d1214538337715f98653c2257b725d935dd7e

SHA512
a4ddf60a73ff5924839fe7339117bfe0506b39978f8ba6ed33090ec9cf4f9f7f9b40b70f7036e82c65b3e391cf357baf89941e930086162b723aa80713f75a4f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\f3df91c436730d7a37c58d5f25d9bf4a56fa3a34.tbres

Filesize
4KB

MD5
6f9c6253ac9315ecfcb75f0905a5c4b3

SHA1
a0a67c0f41b2c29348f33354ef1a1333bf2e572e

SHA256
99fce985c78f39122009809a03958c05c3ce863fbe70799a8b871b08b57ce1d5

SHA512
e0d70881c9c8617f37717509e53b61ebe63cd3e2a54e5335d2fd9c60f0aab3801203f553d5414dc96f25011a72ec752c61a768a528d4d40fdee5678e8dd8074d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

Filesize
227B

MD5
2e7ed3d2a30cb3f895d71656485c9ce4

SHA1
1c96fe3685abd35d2d5bd20cb58f265a2b764f2a

SHA256
d36fdf0bb0dff925c31398a76e16d1c973ebb2ee04a1153d66264a299180c2fe

SHA512
3308589b1fbb032e10e4931c72aeb179f78a486695c85dc7645e2e9d795b23da23282c02aea9c8b4bc9191d4631a9a8f5af21c999b7cd025f9580b18224e45f6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

Filesize
260B

MD5
3b1921caa8675c8b81e5c77c51691da2

SHA1
809f4633033dbf8a2b4ab4518772548e5b9c7cb0

SHA256
20d9cbea16ed8cb621c58d0382dd56b10ee4c16a28c931fe2c10e839b9eb6459

SHA512
18c02adccde173abdeb07767d5d752d614c9fb8b4be68cc5b022de291024cf6a85ee883528e8caf1067e2249043b0945bf8e94696b4255d97a342147fbf029f0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

Filesize
18KB

MD5
43e7ef094afd3364a3db312642f014b5

SHA1
8364cc7bf20c9b7d7f4288884a891569f0121eac

SHA256
ca0e7ca66dfb933cc1544b6f6847e4c6da355996c3becc168ecb5373d865d089

SHA512
feebed55bc870b55544498e3a97c791ed73a114a33c53aa786cf678faa9fe326600cb32b69486581de74382a1d81bfe1f63136251a617d82c4d728ddbdfdbf8e

Download Submit
memory/4748-9-0x00007FF989AD0000-0x00007FF989CC5000-memory.dmp

Filesize
2.0MB

Download
memory/4748-1-0x00007FF989B6D000-0x00007FF989B6E000-memory.dmp

Filesize
4KB

Download
memory/4748-15-0x00007FF947500000-0x00007FF947510000-memory.dmp

Filesize
64KB

Download
memory/4748-25-0x00007FF989AD0000-0x00007FF989CC5000-memory.dmp

Filesize
2.0MB

Download
memory/4748-26-0x00007FF989B6D000-0x00007FF989B6E000-memory.dmp

Filesize
4KB

Download
memory/4748-27-0x00007FF989AD0000-0x00007FF989CC5000-memory.dmp

Filesize
2.0MB

Download
memory/4748-28-0x00007FF989AD0000-0x00007FF989CC5000-memory.dmp

Filesize
2.0MB

Download
memory/4748-39-0x00007FF989AD0000-0x00007FF989CC5000-memory.dmp

Filesize
2.0MB

Download
memory/4748-190-0x00007FF989AD0000-0x00007FF989CC5000-memory.dmp

Filesize
2.0MB

Download
memory/4748-13-0x00007FF989AD0000-0x00007FF989CC5000-memory.dmp

Filesize
2.0MB

Download
memory/4748-14-0x00007FF989AD0000-0x00007FF989CC5000-memory.dmp

Filesize
2.0MB

Download
memory/4748-12-0x00007FF947500000-0x00007FF947510000-memory.dmp

Filesize
64KB

Download
memory/4748-11-0x00007FF989AD0000-0x00007FF989CC5000-memory.dmp

Filesize
2.0MB

Download
memory/4748-0-0x00007FF949B50000-0x00007FF949B60000-memory.dmp

Filesize
64KB

Download
memory/4748-10-0x00007FF989AD0000-0x00007FF989CC5000-memory.dmp

Filesize
2.0MB

Download
memory/4748-7-0x00007FF989AD0000-0x00007FF989CC5000-memory.dmp

Filesize
2.0MB

Download
memory/4748-8-0x00007FF989AD0000-0x00007FF989CC5000-memory.dmp

Filesize
2.0MB

Download
memory/4748-6-0x00007FF989AD0000-0x00007FF989CC5000-memory.dmp

Filesize
2.0MB

Download
memory/4748-3-0x00007FF949B50000-0x00007FF949B60000-memory.dmp

Filesize
64KB

Download
memory/4748-5-0x00007FF949B50000-0x00007FF949B60000-memory.dmp

Filesize
64KB

Download
memory/4748-4-0x00007FF949B50000-0x00007FF949B60000-memory.dmp

Filesize
64KB

Download
memory/4748-2-0x00007FF949B50000-0x00007FF949B60000-memory.dmp

Filesize
64KB

Download
memory/5868-60-0x00007FF989AD0000-0x00007FF989CC5000-memory.dmp

Filesize
2.0MB

Download
memory/5868-156-0x00007FF949B50000-0x00007FF949B60000-memory.dmp

Filesize
64KB

Download
memory/5868-157-0x00007FF949B50000-0x00007FF949B60000-memory.dmp

Filesize
64KB

Download
memory/5868-159-0x00007FF949B50000-0x00007FF949B60000-memory.dmp

Filesize
64KB

Download
memory/5868-158-0x00007FF949B50000-0x00007FF949B60000-memory.dmp

Filesize
64KB

Download
memory/5868-160-0x00007FF989AD0000-0x00007FF989CC5000-memory.dmp

Filesize
2.0MB

Download
memory/5868-59-0x00007FF989AD0000-0x00007FF989CC5000-memory.dmp

Filesize
2.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads