Overview

overview

10

Static

static

8

2c33f60b6a...18.xls

windows7-x64

10

2c33f60b6a...18.xls

windows10-2004-x64

10

Analysis

  • max time kernel
    120s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
  • submitted
    08/07/2024, 11:41

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2c33f60b6aa04bb639eb017f404917f2_JaffaCakes118.xls

  • Size

    26KB

  • MD5

    2c33f60b6aa04bb639eb017f404917f2

  • SHA1

    8b917200f4b036ae52e3c27fdd50ac45a7c026a5

  • SHA256

    1f7f7a4099d24b5a096f99a4059d3ebcc22c7a4bf9634aafdbdd89d85a2554c2

  • SHA512

    2a8dff65c8ddfd1015b9d89869e28b23ad14a8e2f52581de14f7c412e071da87fcd14e5f0ead30b9c32ec1203e65b72e073dca186a93c84a0797587cc19d2183

  • SSDEEP

    384:xpJoEQj8O4JeAxplaulAXaPnqJpajz5O4fm0Ni:fJoEQj8DeAxplauqXaPnum4G3

Score
10/10

Malware Config

Signatures

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Office loads VBA resources, possible macro or embedded object present
  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Modifies registry class 64 IoCs
  • Runs .reg file with regedit 1 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\2c33f60b6aa04bb639eb017f404917f2_JaffaCakes118.xls
    1⤵
    • Enumerates system info in registry
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:308
    • C:\Windows\SysWOW64\regedit.exe
      regedit /s c:\hybrid.reg
      2⤵
      • Process spawned unexpected child process
      • Runs .reg file with regedit
      PID:1548

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • \??\c:\hybrid.reg
    Filesize

    200B

    MD5

    83349a6ed806ffbd2008115ad69e2127

    SHA1

    3c7ca3b6a216e4cd65c5af0f8d9f0da46ac3bc40

    SHA256

    d82801bd09c143dd9632962955bd20064e2b98599a76bbe041411ba39a7b4e2b

    SHA512

    11d14bedfdd4b5818b4e51220a5b062c26c2c1ae7fbfb06be26928d6104dab771e0d2407a8d301505df86f717c9dc45d51302f4ccd4ebdf2456053afe62be6a9

    Download Submit

  • memory/308-0-0x000000005FFF0000-0x0000000060000000-memory.dmp

    Filesize

    64KB

    Download

  • memory/308-1-0x0000000071EED000-0x0000000071EF8000-memory.dmp

    Filesize

    44KB

    Download

  • memory/308-3-0x0000000071EED000-0x0000000071EF8000-memory.dmp

    Filesize

    44KB

    Download

  • memory/308-5-0x00000000006B0000-0x00000000007B0000-memory.dmp

    Filesize

    1024KB

    Download

  • memory/308-4-0x00000000006B0000-0x00000000007B0000-memory.dmp

    Filesize

    1024KB

    Download

  • memory/308-6-0x00000000006B0000-0x00000000007B0000-memory.dmp

    Filesize

    1024KB

    Download

  • memory/308-24-0x000000005FFF0000-0x0000000060000000-memory.dmp

    Filesize

    64KB

    Download

  • memory/308-25-0x0000000071EED000-0x0000000071EF8000-memory.dmp

    Filesize

    44KB

    Download