Analysis Overview
SHA256
4bcd7342dcbd048d14c7eadb7c42a467895ffacd5ebd8af69e9643d1866b3217
Threat Level: Likely malicious
The file 00ce7682023686f4c1336fdcfccf50d2_JaffaCakes118 was found to be: Likely malicious.
Malicious Activity Summary
Suspicious Office macro
Checks computer location settings
Unsigned PE
Enumerates physical storage devices
Modifies registry class
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-03-28 07:50
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-03-28 07:50
Reported
2024-03-28 07:52
Platform
win7-20240221-en
Max time kernel
122s
Max time network
124s
Command Line
Signatures
Suspicious Office macro
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\00ce7682023686f4c1336fdcfccf50d2_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\00ce7682023686f4c1336fdcfccf50d2_JaffaCakes118.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\lettera\prog\ini.bat" "
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K "C:\lettera\prog\ini.bat" HIDE-BOSS
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\lettera\prog\RunVBS.vbs"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\lettera\prog\ini.bat" BOSS"
C:\Windows\SysWOW64\reg.exe
REG ADD HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Excel\Security\ /v VBAWarnings /t REG_DWORD /d 1 /f
C:\Windows\SysWOW64\reg.exe
REG ADD HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Security\ /v VBAWarnings /t REG_DWORD /d 1 /f
C:\Windows\SysWOW64\reg.exe
REG ADD HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Excel\Security\ /v VBAWarnings /t REG_DWORD /d 1 /f
C:\Windows\SysWOW64\reg.exe
REG ADD HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Excel\Security\ /v VBAWarnings /t REG_DWORD /d 1 /f
C:\Windows\SysWOW64\reg.exe
REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ /v TaskbarGlomLevel /t REG_DWORD /d 2 /f
Network
Files
C:\lettera\prog\ini.bat
| MD5 | d9806cc5878f4c4df79094a771a57991 |
| SHA1 | 635a7d4af9b43054b750e04ecdf14f17ec2b218f |
| SHA256 | 5cd72ab78086b4980871f5a5208909ee18e88498d28d7878d27a24d932536db0 |
| SHA512 | e051654a48dd1040d85aefc316f3c2a5e949600199f93e915e79cf874e2c2ea18062293678eeef85ceb69a25ca73f3ca617e94246893d09bc8f14b1edea64a6d |
C:\lettera\prog\RunVBS.vbs
| MD5 | 6ba5f2c66500f7c255886fc8fe1024ce |
| SHA1 | 0b74e63957018f065e77c91ee1ca838480534e17 |
| SHA256 | fbfe882314562a3b734d59112b139e70ddd4ae91ef6292032b251ff368fa475d |
| SHA512 | d594cf7dd31e46ea5e6c39d34c2e4b6e1241ef665367178346aaceafa073b379d0058c45e922ae12006ed8e4a72cae64ccde1f90fe228cc6ff7abccc552849b9 |
\??\c:\lettera\prog\LETTRIBRS.xlsm
| MD5 | 880d94d79321d0ac19540779ec386f91 |
| SHA1 | 28518b27e583cef182a77014c8b4becdccd558de |
| SHA256 | 293011f58b23fb22fd5b568e34593ea5712870616b0e60b1c0be2dac3c788566 |
| SHA512 | b6e461f9f3c0eb4e0282ee4f220197ba416c3793b9dffe42c4c5c86b8231adabc5bddda9d1267e57150b25b046e3faa4e7a0d81cedf0278a64c09b45aa55e939 |
\??\c:\lettera\prog\LETTRIBRS.exe
| MD5 | 936ae0760d92e80cbd5aef52950219f8 |
| SHA1 | 048f390894bd63abdc2a9984c03818b55510ca5c |
| SHA256 | 747b3d3db26b9c9dbc05f60f786fb8a7fa14526e8be110b95cf7fb13807c1e2d |
| SHA512 | 449b4a4b470469eb0a88ad4ed5127be9fb9c34a4c0075e2298b5580a601f30166f17ada7842aa77c1b413c942b5563c9668cb258ca7b9d9cac805399be18f729 |
memory/1948-35-0x0000000000400000-0x0000000000443000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-03-28 07:50
Reported
2024-03-28 07:53
Platform
win10v2004-20240226-en
Max time kernel
147s
Max time network
155s
Command Line
Signatures
Suspicious Office macro
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\00ce7682023686f4c1336fdcfccf50d2_JaffaCakes118.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\WScript.exe | N/A |
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key created | \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000_Classes\Local Settings | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\00ce7682023686f4c1336fdcfccf50d2_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\00ce7682023686f4c1336fdcfccf50d2_JaffaCakes118.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\lettera\prog\ini.bat" "
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K "C:\lettera\prog\ini.bat" HIDE-BOSS
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\lettera\prog\RunVBS.vbs"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\lettera\prog\ini.bat" BOSS"
C:\Windows\SysWOW64\reg.exe
REG ADD HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Excel\Security\ /v VBAWarnings /t REG_DWORD /d 1 /f
C:\Windows\SysWOW64\reg.exe
REG ADD HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Security\ /v VBAWarnings /t REG_DWORD /d 1 /f
C:\Windows\SysWOW64\reg.exe
REG ADD HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Excel\Security\ /v VBAWarnings /t REG_DWORD /d 1 /f
C:\Windows\SysWOW64\reg.exe
REG ADD HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Excel\Security\ /v VBAWarnings /t REG_DWORD /d 1 /f
C:\Windows\SysWOW64\reg.exe
REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ /v TaskbarGlomLevel /t REG_DWORD /d 2 /f
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| NL | 52.142.223.178:80 | | tcp |
| US | 8.8.8.8:53 | 14.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 174.117.168.52.in-addr.arpa | udp |
Files
C:\lettera\prog\ini.bat
| MD5 | d9806cc5878f4c4df79094a771a57991 |
| SHA1 | 635a7d4af9b43054b750e04ecdf14f17ec2b218f |
| SHA256 | 5cd72ab78086b4980871f5a5208909ee18e88498d28d7878d27a24d932536db0 |
| SHA512 | e051654a48dd1040d85aefc316f3c2a5e949600199f93e915e79cf874e2c2ea18062293678eeef85ceb69a25ca73f3ca617e94246893d09bc8f14b1edea64a6d |
C:\lettera\prog\RunVBS.vbs
| MD5 | 6ba5f2c66500f7c255886fc8fe1024ce |
| SHA1 | 0b74e63957018f065e77c91ee1ca838480534e17 |
| SHA256 | fbfe882314562a3b734d59112b139e70ddd4ae91ef6292032b251ff368fa475d |
| SHA512 | d594cf7dd31e46ea5e6c39d34c2e4b6e1241ef665367178346aaceafa073b379d0058c45e922ae12006ed8e4a72cae64ccde1f90fe228cc6ff7abccc552849b9 |
memory/1584-14-0x0000000000400000-0x0000000000443000-memory.dmp
\??\c:\lettera\prog\LETTRIBRS.exe
| MD5 | 936ae0760d92e80cbd5aef52950219f8 |
| SHA1 | 048f390894bd63abdc2a9984c03818b55510ca5c |
| SHA256 | 747b3d3db26b9c9dbc05f60f786fb8a7fa14526e8be110b95cf7fb13807c1e2d |
| SHA512 | 449b4a4b470469eb0a88ad4ed5127be9fb9c34a4c0075e2298b5580a601f30166f17ada7842aa77c1b413c942b5563c9668cb258ca7b9d9cac805399be18f729 |
\??\c:\lettera\prog\LETTRIBRS.xlsm
| MD5 | 880d94d79321d0ac19540779ec386f91 |
| SHA1 | 28518b27e583cef182a77014c8b4becdccd558de |
| SHA256 | 293011f58b23fb22fd5b568e34593ea5712870616b0e60b1c0be2dac3c788566 |
| SHA512 | b6e461f9f3c0eb4e0282ee4f220197ba416c3793b9dffe42c4c5c86b8231adabc5bddda9d1267e57150b25b046e3faa4e7a0d81cedf0278a64c09b45aa55e939 |