59d616655b03443df157ddd98fe5781f9cf2e95181765ed85a1dbac0bd473cbb

Analysis

max time kernel
104s
max time network
136s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
07/04/2025, 07:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_9e47a652884094691905a8ebc39ccdd3.xls
Size

113KB
MD5

9e47a652884094691905a8ebc39ccdd3
SHA1

17b5b39402aabbdc86e8d14632f9a1fab00ad15f
SHA256

59d616655b03443df157ddd98fe5781f9cf2e95181765ed85a1dbac0bd473cbb
SHA512

cab17582c9eac6c1a745dd24f5c50c1a66b497b882e332abf3cd733a360d4003c8912a7e8c05dd14128becd6d5259b213c789f738e51a01184e32751e0d13079
SSDEEP

3072:0nbm7ZWxrg75BqFKNc2jcc0lbxOKAx2AJtXwKK:0nbGs2

Score

10^/10

defense_evasion macro xlm

Malware Config

Signatures

Process spawned unexpected child process 3 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	4876	1080	cmd.exe	87
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	4864	1080	cmd.exe	87
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	4872	1080	cmd.exe	87

Suspicious Office macro 1 IoCs

Office document equipped with 4.0 macros.

macro xlm

resource	yara_rule
behavioral1/files/0x0007000000022b53-101.dat	office_xlm_macros

Deletes itself 1 IoCs

pid	Process
1080	EXCEL.EXE

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE

NTFS ADS 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Temp\7E575E00\:Zone.Identifier:$DATA	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1080	EXCEL.EXE

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
1080	EXCEL.EXE
1080	EXCEL.EXE
1080	EXCEL.EXE
1080	EXCEL.EXE
1080	EXCEL.EXE
1080	EXCEL.EXE
1080	EXCEL.EXE
1080	EXCEL.EXE
1080	EXCEL.EXE
1080	EXCEL.EXE
1080	EXCEL.EXE
1080	EXCEL.EXE

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1080 wrote to memory of 4872	1080	EXCEL.EXE	92
PID 1080 wrote to memory of 4872	1080	EXCEL.EXE	92
PID 1080 wrote to memory of 4864	1080	EXCEL.EXE	93
PID 1080 wrote to memory of 4864	1080	EXCEL.EXE	93
PID 1080 wrote to memory of 4876	1080	EXCEL.EXE	94
PID 1080 wrote to memory of 4876	1080	EXCEL.EXE	94
PID 4872 wrote to memory of 6136	4872	cmd.exe	98
PID 4872 wrote to memory of 6136	4872	cmd.exe	98

Views/modifies file attributes 1 TTPs 1 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
6136	attrib.exe

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9e47a652884094691905a8ebc39ccdd3.xls"
1⤵
- Deletes itself
- Checks processor information in registry
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1080
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c attrib -S -h "C:\Users\Admin\AppData\Roaming\Microsoft\Excel\XLSTART\K4.XLS"
  2⤵
  - Process spawned unexpected child process
  - Suspicious use of WriteProcessMemory
  PID:4872
- - C:\Windows\system32\attrib.exe
    attrib -S -h "C:\Users\Admin\AppData\Roaming\Microsoft\Excel\XLSTART\K4.XLS"
    3⤵
    - Views/modifies file attributes
    PID:6136
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c Del /F /Q "C:\Users\Admin\AppData\Roaming\Microsoft\Excel\XLSTART\K4.XLS"
  2⤵
  - Process spawned unexpected child process
  PID:4864
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c RD /S /Q "C:\Users\Admin\AppData\Roaming\Microsoft\Excel\XLSTART\K4.XLS"
  2⤵
  - Process spawned unexpected child process
  PID:4876

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Indicator Removal

T1070

File Deletion

T1070.004

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9e47a652884094691905a8ebc39ccdd3.xls

Filesize
153KB

MD5
9b82f4c921d15ad4026b1710b48da88b

SHA1
4360a8a05b78bc37ea4e76edf93b532b7c5a4f61

SHA256
d46b0d0721873b1074642bcca9fbb03bc5d7d584065790dc528b282cd2d9a7aa

SHA512
1c4733474c32811ac9af26329440184a2acb3a8c48beaba28fc223d49620e7425d2ea7f5042e6e12f4896939626fdce43751473cb8f6f66fb474734dcf37c006

Download Submit
memory/1080-16-0x00007FFACA990000-0x00007FFACAB85000-memory.dmp

Filesize
2.0MB

Download
memory/1080-2-0x00007FFA8AA10000-0x00007FFA8AA20000-memory.dmp

Filesize
64KB

Download
memory/1080-3-0x00007FFA8AA10000-0x00007FFA8AA20000-memory.dmp

Filesize
64KB

Download
memory/1080-4-0x00007FFA8AA10000-0x00007FFA8AA20000-memory.dmp

Filesize
64KB

Download
memory/1080-5-0x00007FFA8AA10000-0x00007FFA8AA20000-memory.dmp

Filesize
64KB

Download
memory/1080-10-0x00007FFACA990000-0x00007FFACAB85000-memory.dmp

Filesize
2.0MB

Download
memory/1080-9-0x00007FFACA990000-0x00007FFACAB85000-memory.dmp

Filesize
2.0MB

Download
memory/1080-8-0x00007FFACA990000-0x00007FFACAB85000-memory.dmp

Filesize
2.0MB

Download
memory/1080-11-0x00007FFACA990000-0x00007FFACAB85000-memory.dmp

Filesize
2.0MB

Download
memory/1080-7-0x00007FFACA990000-0x00007FFACAB85000-memory.dmp

Filesize
2.0MB

Download
memory/1080-12-0x00007FFA881B0000-0x00007FFA881C0000-memory.dmp

Filesize
64KB

Download
memory/1080-6-0x00007FFACA990000-0x00007FFACAB85000-memory.dmp

Filesize
2.0MB

Download
memory/1080-13-0x00007FFA881B0000-0x00007FFA881C0000-memory.dmp

Filesize
64KB

Download
memory/1080-14-0x00007FFACA990000-0x00007FFACAB85000-memory.dmp

Filesize
2.0MB

Download
memory/1080-15-0x00007FFACA990000-0x00007FFACAB85000-memory.dmp

Filesize
2.0MB

Download
memory/1080-18-0x00007FFACA990000-0x00007FFACAB85000-memory.dmp

Filesize
2.0MB

Download
memory/1080-20-0x00007FFACA990000-0x00007FFACAB85000-memory.dmp

Filesize
2.0MB

Download
memory/1080-22-0x00007FFACA990000-0x00007FFACAB85000-memory.dmp

Filesize
2.0MB

Download
memory/1080-21-0x00007FFACA990000-0x00007FFACAB85000-memory.dmp

Filesize
2.0MB

Download
memory/1080-19-0x00007FFACA990000-0x00007FFACAB85000-memory.dmp

Filesize
2.0MB

Download
memory/1080-50-0x00007FFACA990000-0x00007FFACAB85000-memory.dmp

Filesize
2.0MB

Download
memory/1080-17-0x00007FFACA990000-0x00007FFACAB85000-memory.dmp

Filesize
2.0MB

Download
memory/1080-0-0x00007FFA8AA10000-0x00007FFA8AA20000-memory.dmp

Filesize
64KB

Download
memory/1080-51-0x00007FFACA990000-0x00007FFACAB85000-memory.dmp

Filesize
2.0MB

Download
memory/1080-52-0x00007FFACA990000-0x00007FFACAB85000-memory.dmp

Filesize
2.0MB

Download
memory/1080-49-0x00007FFACA990000-0x00007FFACAB85000-memory.dmp

Filesize
2.0MB

Download
memory/1080-48-0x00007FFACA990000-0x00007FFACAB85000-memory.dmp

Filesize
2.0MB

Download
memory/1080-53-0x00007FFACA990000-0x00007FFACAB85000-memory.dmp

Filesize
2.0MB

Download
memory/1080-55-0x00007FFACA990000-0x00007FFACAB85000-memory.dmp

Filesize
2.0MB

Download
memory/1080-54-0x00007FFACA990000-0x00007FFACAB85000-memory.dmp

Filesize
2.0MB

Download
memory/1080-68-0x00007FFACA990000-0x00007FFACAB85000-memory.dmp

Filesize
2.0MB

Download
memory/1080-1-0x00007FFACAA2D000-0x00007FFACAA2E000-memory.dmp

Filesize
4KB

Download
memory/1080-112-0x00007FFACA990000-0x00007FFACAB85000-memory.dmp

Filesize
2.0MB

Download
memory/1080-113-0x00007FFACAA2D000-0x00007FFACAA2E000-memory.dmp

Filesize
4KB

Download
memory/1080-114-0x00007FFACA990000-0x00007FFACAB85000-memory.dmp

Filesize
2.0MB

Download
memory/1080-115-0x00007FFACA990000-0x00007FFACAB85000-memory.dmp

Filesize
2.0MB

Download
memory/1080-116-0x00007FFACA990000-0x00007FFACAB85000-memory.dmp

Filesize
2.0MB

Download
memory/1080-117-0x00007FFACA990000-0x00007FFACAB85000-memory.dmp

Filesize
2.0MB

Download
memory/1080-118-0x00007FFACA990000-0x00007FFACAB85000-memory.dmp

Filesize
2.0MB

Download
memory/1080-137-0x00007FFA8AA10000-0x00007FFA8AA20000-memory.dmp

Filesize
64KB

Download
memory/1080-138-0x00007FFA8AA10000-0x00007FFA8AA20000-memory.dmp

Filesize
64KB

Download
memory/1080-140-0x00007FFA8AA10000-0x00007FFA8AA20000-memory.dmp

Filesize
64KB

Download
memory/1080-139-0x00007FFA8AA10000-0x00007FFA8AA20000-memory.dmp

Filesize
64KB

Download
memory/1080-141-0x00007FFACA990000-0x00007FFACAB85000-memory.dmp

Filesize
2.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads