59cd4a1e5c39e6778cbe2eb9aa9a465d8ac2aef7ea3b06b094144332bac7a10d

Analysis

max time kernel
102s
max time network
143s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
31/03/2025, 11:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_9992abb2fbee6cf347a0c4303d5a92cb.xls
Size

83KB
MD5

9992abb2fbee6cf347a0c4303d5a92cb
SHA1

36d9dc94b5db5f9606a7bb5fae0357687723b510
SHA256

59cd4a1e5c39e6778cbe2eb9aa9a465d8ac2aef7ea3b06b094144332bac7a10d
SHA512

c2c9363007a37e1af4a15a4bd7a65870ef01caae85158a17455c4f2e85858c46bf3b4d73d0362c933b486627e8864b73edd80857b623dfd240e6c5b6170fe65d
SSDEEP

1536:s+xxxxZRiIa8l2jcc0lbxOvTgZZM88ScJtXwKIU:F2jcc0lbxOrjjhJtXw7U

Score

10^/10

defense_evasion macro xlm

Malware Config

Signatures

Process spawned unexpected child process 3 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	4188	3044	cmd.exe	85
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	876	3044	cmd.exe	85
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	1932	3044	cmd.exe	85

Suspicious Office macro 1 IoCs

Office document equipped with 4.0 macros.

macro xlm

resource	yara_rule
behavioral1/files/0x000300000002309d-103.dat	office_xlm_macros

Deletes itself 1 IoCs

pid	Process
3044	EXCEL.EXE

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

NTFS ADS 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Temp\DC975E00\:Zone.Identifier:$DATA	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
3044	EXCEL.EXE

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
3044	EXCEL.EXE
3044	EXCEL.EXE
3044	EXCEL.EXE
3044	EXCEL.EXE
3044	EXCEL.EXE
3044	EXCEL.EXE
3044	EXCEL.EXE
3044	EXCEL.EXE
3044	EXCEL.EXE
3044	EXCEL.EXE
3044	EXCEL.EXE
3044	EXCEL.EXE

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 3044 wrote to memory of 1932	3044	EXCEL.EXE	90
PID 3044 wrote to memory of 1932	3044	EXCEL.EXE	90
PID 3044 wrote to memory of 876	3044	EXCEL.EXE	91
PID 3044 wrote to memory of 876	3044	EXCEL.EXE	91
PID 3044 wrote to memory of 4188	3044	EXCEL.EXE	92
PID 3044 wrote to memory of 4188	3044	EXCEL.EXE	92
PID 1932 wrote to memory of 3144	1932	cmd.exe	97
PID 1932 wrote to memory of 3144	1932	cmd.exe	97

Views/modifies file attributes 1 TTPs 1 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
3144	attrib.exe

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9992abb2fbee6cf347a0c4303d5a92cb.xls"
1⤵
- Deletes itself
- Checks processor information in registry
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3044
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c attrib -S -h "C:\Users\Admin\AppData\Roaming\Microsoft\Excel\XLSTART\K4.XLS"
  2⤵
  - Process spawned unexpected child process
  - Suspicious use of WriteProcessMemory
  PID:1932
- - C:\Windows\system32\attrib.exe
    attrib -S -h "C:\Users\Admin\AppData\Roaming\Microsoft\Excel\XLSTART\K4.XLS"
    3⤵
    - Views/modifies file attributes
    PID:3144
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c Del /F /Q "C:\Users\Admin\AppData\Roaming\Microsoft\Excel\XLSTART\K4.XLS"
  2⤵
  - Process spawned unexpected child process
  PID:876
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c RD /S /Q "C:\Users\Admin\AppData\Roaming\Microsoft\Excel\XLSTART\K4.XLS"
  2⤵
  - Process spawned unexpected child process
  PID:4188

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Indicator Removal

T1070

File Deletion

T1070.004

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9992abb2fbee6cf347a0c4303d5a92cb.xls

Filesize
119KB

MD5
2510ca9b1749727f98040f0672459ea0

SHA1
08aa00b57edc6d566cef881664df097008f1336a

SHA256
2cb9ad8285b4f62a41caf2e160f10d6e3487d5b4bd3f8b0fa598ba05539b01ef

SHA512
42920c654f3f08ea2c87bf97a1859f9da0c2aee98b1c4f4a7f8fcb5288814be83b5615c0f9d61bcd5373e5d0c9c56e0188699fedffc2885a6317a7f647a13dfa

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms

Filesize
3KB

MD5
16ee8e4cc7ef256bbde969831568eb36

SHA1
7266ee7814f41da1a51a29bc675f4aa572a29164

SHA256
9b0a0eec0ac6de7dabfaf26dee80a734246ade909bcf47a6ea152a0011fd7272

SHA512
b964b61d7e3a7b59a5f8b80ab4712957a91270fb394d9969ce5890b085b976108f18318797f562754ea5cf0494cbeb8f41426486bfa3be8fea1fda42d0c8fd08

Download Submit
memory/3044-49-0x00007FF853710000-0x00007FF853905000-memory.dmp

Filesize
2.0MB

Download
memory/3044-55-0x00007FF853710000-0x00007FF853905000-memory.dmp

Filesize
2.0MB

Download
memory/3044-4-0x00007FF813790000-0x00007FF8137A0000-memory.dmp

Filesize
64KB

Download
memory/3044-8-0x00007FF813790000-0x00007FF8137A0000-memory.dmp

Filesize
64KB

Download
memory/3044-7-0x00007FF853710000-0x00007FF853905000-memory.dmp

Filesize
2.0MB

Download
memory/3044-6-0x00007FF853710000-0x00007FF853905000-memory.dmp

Filesize
2.0MB

Download
memory/3044-5-0x00007FF853710000-0x00007FF853905000-memory.dmp

Filesize
2.0MB

Download
memory/3044-9-0x00007FF853710000-0x00007FF853905000-memory.dmp

Filesize
2.0MB

Download
memory/3044-10-0x00007FF811730000-0x00007FF811740000-memory.dmp

Filesize
64KB

Download
memory/3044-11-0x00007FF853710000-0x00007FF853905000-memory.dmp

Filesize
2.0MB

Download
memory/3044-14-0x00007FF853710000-0x00007FF853905000-memory.dmp

Filesize
2.0MB

Download
memory/3044-13-0x00007FF853710000-0x00007FF853905000-memory.dmp

Filesize
2.0MB

Download
memory/3044-18-0x00007FF853710000-0x00007FF853905000-memory.dmp

Filesize
2.0MB

Download
memory/3044-19-0x00007FF853710000-0x00007FF853905000-memory.dmp

Filesize
2.0MB

Download
memory/3044-17-0x00007FF853710000-0x00007FF853905000-memory.dmp

Filesize
2.0MB

Download
memory/3044-16-0x00007FF811730000-0x00007FF811740000-memory.dmp

Filesize
64KB

Download
memory/3044-15-0x00007FF853710000-0x00007FF853905000-memory.dmp

Filesize
2.0MB

Download
memory/3044-58-0x00007FF853710000-0x00007FF853905000-memory.dmp

Filesize
2.0MB

Download
memory/3044-39-0x00007FF853710000-0x00007FF853905000-memory.dmp

Filesize
2.0MB

Download
memory/3044-47-0x00007FF853710000-0x00007FF853905000-memory.dmp

Filesize
2.0MB

Download
memory/3044-2-0x00007FF813790000-0x00007FF8137A0000-memory.dmp

Filesize
64KB

Download
memory/3044-0-0x00007FF813790000-0x00007FF8137A0000-memory.dmp

Filesize
64KB

Download
memory/3044-12-0x00007FF853710000-0x00007FF853905000-memory.dmp

Filesize
2.0MB

Download
memory/3044-59-0x00007FF853710000-0x00007FF853905000-memory.dmp

Filesize
2.0MB

Download
memory/3044-60-0x00007FF853710000-0x00007FF853905000-memory.dmp

Filesize
2.0MB

Download
memory/3044-72-0x00007FF853710000-0x00007FF853905000-memory.dmp

Filesize
2.0MB

Download
memory/3044-3-0x00007FF813790000-0x00007FF8137A0000-memory.dmp

Filesize
64KB

Download
memory/3044-106-0x00007FF853710000-0x00007FF853905000-memory.dmp

Filesize
2.0MB

Download
memory/3044-105-0x00007FF8537AD000-0x00007FF8537AE000-memory.dmp

Filesize
4KB

Download
memory/3044-107-0x00007FF853710000-0x00007FF853905000-memory.dmp

Filesize
2.0MB

Download
memory/3044-108-0x00007FF853710000-0x00007FF853905000-memory.dmp

Filesize
2.0MB

Download
memory/3044-109-0x00007FF853710000-0x00007FF853905000-memory.dmp

Filesize
2.0MB

Download
memory/3044-110-0x00007FF853710000-0x00007FF853905000-memory.dmp

Filesize
2.0MB

Download
memory/3044-111-0x00007FF853710000-0x00007FF853905000-memory.dmp

Filesize
2.0MB

Download
memory/3044-112-0x00007FF853710000-0x00007FF853905000-memory.dmp

Filesize
2.0MB

Download
memory/3044-113-0x00007FF853710000-0x00007FF853905000-memory.dmp

Filesize
2.0MB

Download
memory/3044-114-0x00007FF853710000-0x00007FF853905000-memory.dmp

Filesize
2.0MB

Download
memory/3044-1-0x00007FF8537AD000-0x00007FF8537AE000-memory.dmp

Filesize
4KB

Download
memory/3044-136-0x00007FF813790000-0x00007FF8137A0000-memory.dmp

Filesize
64KB

Download
memory/3044-137-0x00007FF813790000-0x00007FF8137A0000-memory.dmp

Filesize
64KB

Download
memory/3044-139-0x00007FF813790000-0x00007FF8137A0000-memory.dmp

Filesize
64KB

Download
memory/3044-138-0x00007FF813790000-0x00007FF8137A0000-memory.dmp

Filesize
64KB

Download
memory/3044-140-0x00007FF853710000-0x00007FF853905000-memory.dmp

Filesize
2.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads