Overview

overview

10

Static

static

8

d3ea4c6db1...18.xls

windows7-x64

10

d3ea4c6db1...18.xls

windows10-2004-x64

10

Analysis

  • max time kernel
    145s
  • max time network
    156s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240319-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240319-enlocale:en-usos:windows10-2004-x64system
  • submitted
    05-04-2024 12:38

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    d3ea4c6db1a11ff428c6cad9ef601adf_JaffaCakes118.xls

  • Size

    240KB

  • MD5

    d3ea4c6db1a11ff428c6cad9ef601adf

  • SHA1

    9f2f2ce96a313a22333fb7fca87ff6022a68d008

  • SHA256

    e5b3903d52e72c858dfbbdfce5da0ab3d5e9d1771ad213486fc8356928596281

  • SHA512

    18ef058c0f1c3e836bfafa23500a7bad53bc230590a11231d6ffc81c72642dfb5231bcf3912a0d9fa5d4390cd47d3cbaed3159f78e257da0d5be30b228e2036b

  • SSDEEP

    6144:ZKpb8rGYrMPe3q7Q0XV5xtuEsi8/dgD9jWXcPZRBTq1BOzTwvOsPDDlAvS32vI78:A9jXzTmszTwvTD133LvfP1O3

Score
10/10

Malware Config

Extracted

Language
xlm4.0
Source
URLs
xlm40.dropper

https://onlineyogacourse.org/5hgP7n5nTC/a.html
xlm40.dropper

https://rabedc.com/msdcluV8y5nf/alf.html
xlm40.dropper

https://partiuvamosviajar.com/xYIJTUcGxvF1/alfo.html

Signatures

  • Process spawned unexpected child process 3 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 14 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\d3ea4c6db1a11ff428c6cad9ef601adf_JaffaCakes118.xls"
    1⤵
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4560
    • C:\Windows\System32\regsvr32.exe
      "C:\Windows\System32\regsvr32.exe" C:\Datop\test.test
      2⤵
      • Process spawned unexpected child process
      PID:4260
    • C:\Windows\System32\regsvr32.exe
      "C:\Windows\System32\regsvr32.exe" C:\Datop\test1.test
      2⤵
      • Process spawned unexpected child process
      PID:1264
    • C:\Windows\System32\regsvr32.exe
      "C:\Windows\System32\regsvr32.exe" C:\Datop\test2.test
      2⤵
      • Process spawned unexpected child process
      PID:332
  • C:\Windows\servicing\TrustedInstaller.exe
    C:\Windows\servicing\TrustedInstaller.exe
    1⤵
      PID:4260
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3736 --field-trial-handle=2844,i,5640589924128028832,7963280732661142908,262144 --variations-seed-version /prefetch:8
      1⤵
        PID:2196

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • memory/4560-0-0x00007FFE3AF50000-0x00007FFE3AF60000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4560-1-0x00007FFE7AED0000-0x00007FFE7B0C5000-memory.dmp

        Filesize

        2.0MB

        Download

      • memory/4560-2-0x00007FFE3AF50000-0x00007FFE3AF60000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4560-4-0x00007FFE3AF50000-0x00007FFE3AF60000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4560-5-0x00007FFE7AED0000-0x00007FFE7B0C5000-memory.dmp

        Filesize

        2.0MB

        Download

      • memory/4560-6-0x00007FFE3AF50000-0x00007FFE3AF60000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4560-3-0x00007FFE7AED0000-0x00007FFE7B0C5000-memory.dmp

        Filesize

        2.0MB

        Download

      • memory/4560-7-0x00007FFE3AF50000-0x00007FFE3AF60000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4560-8-0x00007FFE7AED0000-0x00007FFE7B0C5000-memory.dmp

        Filesize

        2.0MB

        Download

      • memory/4560-10-0x00007FFE7AED0000-0x00007FFE7B0C5000-memory.dmp

        Filesize

        2.0MB

        Download

      • memory/4560-11-0x00007FFE7AED0000-0x00007FFE7B0C5000-memory.dmp

        Filesize

        2.0MB

        Download

      • memory/4560-9-0x00007FFE38CE0000-0x00007FFE38CF0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4560-12-0x00007FFE7AED0000-0x00007FFE7B0C5000-memory.dmp

        Filesize

        2.0MB

        Download

      • memory/4560-14-0x00007FFE38CE0000-0x00007FFE38CF0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4560-16-0x00007FFE7AED0000-0x00007FFE7B0C5000-memory.dmp

        Filesize

        2.0MB

        Download

      • memory/4560-15-0x00007FFE7AED0000-0x00007FFE7B0C5000-memory.dmp

        Filesize

        2.0MB

        Download

      • memory/4560-13-0x00007FFE7AED0000-0x00007FFE7B0C5000-memory.dmp

        Filesize

        2.0MB

        Download

      • memory/4560-17-0x00007FFE7AED0000-0x00007FFE7B0C5000-memory.dmp

        Filesize

        2.0MB

        Download

      • memory/4560-18-0x00007FFE7AED0000-0x00007FFE7B0C5000-memory.dmp

        Filesize

        2.0MB

        Download

      • memory/4560-19-0x00007FFE7AED0000-0x00007FFE7B0C5000-memory.dmp

        Filesize

        2.0MB

        Download

      • memory/4560-20-0x00007FFE7AED0000-0x00007FFE7B0C5000-memory.dmp

        Filesize

        2.0MB

        Download

      • memory/4560-21-0x00007FFE7AED0000-0x00007FFE7B0C5000-memory.dmp

        Filesize

        2.0MB

        Download

      • memory/4560-22-0x00007FFE7AED0000-0x00007FFE7B0C5000-memory.dmp

        Filesize

        2.0MB

        Download

      • memory/4560-23-0x00007FFE7AED0000-0x00007FFE7B0C5000-memory.dmp

        Filesize

        2.0MB

        Download

      • memory/4560-41-0x00007FFE7AED0000-0x00007FFE7B0C5000-memory.dmp

        Filesize

        2.0MB

        Download

      • memory/4560-42-0x00007FFE7AED0000-0x00007FFE7B0C5000-memory.dmp

        Filesize

        2.0MB

        Download