Analysis
max time kernel: 149s
max time network: 127s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 20/08/2024, 02:41
Behavioral task: behavioral1
Sample: ad9550ee6ece8322501ed92d374d3928_JaffaCakes118.xls
Resource: win7-20240704-en
Behavioral task: behavioral2
Sample: ad9550ee6ece8322501ed92d374d3928_JaffaCakes118.xls
Resource: win10v2004-20240802-en
General
Target: ad9550ee6ece8322501ed92d374d3928_JaffaCakes118.xls
Size: 165KB
MD5: ad9550ee6ece8322501ed92d374d3928
SHA1: d0617e5cb90b4db4fcf2269ffd8228b9ca4f89af
SHA256: 74423c8236cd5057af8e4ffbf84fdcbb34f5e6dc8f8dc0520c685c7fd6bc100a
SHA512: 531ab2de644449e17e4f6d4a708f98a89bd6ac972b0bc6ed6b725205e5a0412ef6b0dfa9bdb422f6732c5396b8d0c82783c88c3727496488c71cb960b25d2f0b
SSDEEP: 3072:bScKoSsxzNDZLDZjlbR868O8KlVH3jiKq7uDphYHceXVhca+fMHLtyeGxcl8OUMj:OcKoSsxzNDZLDZjlbR868O8KlVH3jiK+
Malware Config
Extracted: http://www.chipmania.it/mails/open.php
Signatures
Process spawned unexpected child process (1 IoC)
This typically indicates the parent process was compromised via an exploit or macro.
description | pid | pid_target | Process | procid_target
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | 1184 | 3104 | rundll32.exe | 90

Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | EXCEL.EXE

Enumerates system info in registry (2 TTPs, 3 IoCs)
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener (1 IoC)
pid | Process
3104 | EXCEL.EXE

Suspicious use of SetWindowsHookEx (14 IoCs)
pid | Process
3104 | EXCEL.EXE (14 identical entries)

Suspicious use of WriteProcessMemory (2 IoCs)
description | pid | Process | procid_target
PID 3104 wrote to memory of 1184 | 3104 | EXCEL.EXE | 105
PID 3104 wrote to memory of 1184 | 3104 | EXCEL.EXE | 105
Processes
1. C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
   Command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\ad9550ee6ece8322501ed92d374d3928_JaffaCakes118.xls"
   PID: 3104
   - Checks processor information in registry
   - Enumerates system info in registry
   - Suspicious behavior: AddClipboardFormatListener
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   1.1. C:\Windows\SYSTEM32\rundll32.exe
        Command line: rundll32 ..\BASE.BABAA,DllRegisterServer
        PID: 1184
        - Process spawned unexpected child process
2. C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
   Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4412,i,1602949858158667699,12464335823361976127,262144 --variations-seed-version --mojo-platform-channel-handle=1000 /prefetch:8
   PID: 2152
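The two findings that carry the weight in this report are the process tree (EXCEL.EXE spawning rundll32.exe with the module argument `..\BASE.BABAA,DllRegisterServer`) and the hardware-description registry reads flagged as sandbox fingerprinting. The following detection logic is an added example written by the editor, not part of the sandbox report or any vendor's rule set. It runs over a constructed event log modeled on the PIDs and command lines above; the event schema, the parent PID 800 for EXCEL.EXE, and the benign msedge/rundll32 comparison rows are assumptions that the report does not show.

```python
"""Rule logic for the behaviors in this report, applied to constructed
process-create and registry-query events (editor's example, not report data)."""
import ntpath
import re

OFFICE_PARENTS = {"excel.exe", "winword.exe", "powerpnt.exe", "msaccess.exe", "outlook.exe"}
LOLBIN_CHILDREN = {"rundll32.exe", "regsvr32.exe", "mshta.exe", "wscript.exe", "cscript.exe",
                   "powershell.exe", "cmd.exe", "certutil.exe", "msiexec.exe"}
LIBRARY_EXTENSIONS = {".dll", ".ocx", ".cpl", ".ax", ".drv"}
# Hardware keys whose reads the report flags as sandbox fingerprinting (lower-cased prefixes).
FINGERPRINT_KEYS = (
    r"\registry\machine\hardware\description\system\centralprocessor\0",
    r"\registry\machine\hardware\description\system\bios",
)
# 'rundll32[.exe] <module>,<export> ...'; module may be quoted, export may be an ordinal (#1).
RUNDLL32_RE = re.compile(
    r'^\s*"?(?:[^"\s]*\\)?rundll32(?:\.exe)?"?\s+("?)([^"]+?)\1\s*,\s*([#\w]+)', re.I)

EXCEL = r"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE"
RUNDLL = r"C:\Windows\SYSTEM32\rundll32.exe"
MSEDGE = r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

# Constructed events. PIDs 3104/1184/2152 and the command lines mirror the report;
# ppid 800 (Excel's parent) and the two rows after it are assumptions for contrast.
EVENTS = [
    {"type": "process", "pid": 3104, "ppid": 800, "image": EXCEL,
     "cmdline": f'"{EXCEL}" "C:\\Users\\Admin\\AppData\\Local\\Temp\\ad9550ee6ece8322501ed92d374d3928_JaffaCakes118.xls"'},
    {"type": "registry", "pid": 3104, "image": EXCEL,
     "key": r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString"},
    {"type": "registry", "pid": 3104, "image": EXCEL,
     "key": r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU"},
    {"type": "process", "pid": 1184, "ppid": 3104, "image": RUNDLL,
     "cmdline": r"rundll32 ..\BASE.BABAA,DllRegisterServer"},
    {"type": "process", "pid": 2152, "ppid": 2100, "image": MSEDGE,
     "cmdline": f'"{MSEDGE}" --type=utility --lang=en-US'},
    {"type": "process", "pid": 4040, "ppid": 800, "image": RUNDLL,          # benign rundll32 use
     "cmdline": r"rundll32.exe shell32.dll,Control_RunDLL"},
]


def image_name(path):
    """Lower-cased file name of an image path, so matching ignores directory and case."""
    return ntpath.basename(path).lower()


def parse_rundll32(cmdline):
    """Return (module, export) from a rundll32 command line, or None if it has no such pair."""
    m = RUNDLL32_RE.match(cmdline)
    return (m.group(2), m.group(3)) if m else None


def rundll32_indicators(cmdline):
    """Indicators that a rundll32 invocation loads something other than a normal library."""
    parsed = parse_rundll32(cmdline)
    if parsed is None:
        return []
    module, export = parsed
    hits = []
    ext = ntpath.splitext(module)[1].lower()
    if ext not in LIBRARY_EXTENSIONS:
        hits.append(f"module extension {ext or '(none)'} is not a library extension")
    if module.startswith(("..\\", "../")):
        # Relative traversal: the real file depends on the working directory inherited from the parent.
        hits.append("module path climbs out of the working directory")
    if export.lower() == "dllregisterserver":
        # regsvr32 is the normal caller of DllRegisterServer; rundll32 calling it directly is atypical.
        hits.append("DllRegisterServer export invoked via rundll32")
    return hits


def analyze(events):
    """Apply the three rules and return a list of {rule, pid, detail} findings."""
    images = {e["pid"]: image_name(e["image"]) for e in events if e["type"] == "process"}
    findings = []
    for e in events:
        if e["type"] == "process":
            parent, child = images.get(e["ppid"], ""), image_name(e["image"])
            if parent in OFFICE_PARENTS and child in LOLBIN_CHILDREN:
                findings.append({"rule": "office_spawns_lolbin", "pid": e["pid"],
                                 "detail": f"{parent} -> {child}"})
            for hit in rundll32_indicators(e["cmdline"]):
                findings.append({"rule": "rundll32_suspicious_module", "pid": e["pid"], "detail": hit})
        elif e["type"] == "registry":
            if image_name(e["image"]) in OFFICE_PARENTS and e["key"].lower().startswith(FINGERPRINT_KEYS):
                findings.append({"rule": "office_reads_hw_fingerprint", "pid": e["pid"], "detail": e["key"]})
    return findings


if __name__ == "__main__":
    for f in analyze(EVENTS):
        print(f"{f['rule']:28} pid={f['pid']:<5} {f['detail']}")
```

The command-line rule works from the rundll32 arguments alone, so it applies equally to EDR process telemetry, not only to sandbox output. The registry rule is the weakest of the three: reading CentralProcessor and BIOS values is not conclusive on its own, which is why it is reported as a separate low-weight finding rather than folded into the process-tree verdict. Note also that `..\BASE.BABAA` is relative, so the module's real location depends on the working directory rundll32 inherited from Excel, which this report does not show.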
Network
MITRE ATT&CK Enterprise v15
Downloads
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms
Filesize: 1KB
MD5: 22546e713beb7a4a61c420a3dc2fda22
SHA1: e8ff39a55a88a015a28056a891aa9a32e1a26cb9
SHA256: 9d9fa422220c18b0f6d9bb5474a7b93a6dfbf8f34e4974b43325dfc5f0e08652
SHA512: ba40e4ee4dabfb7df9a7d3f0d326db6f1f78e69cc9f238502e820c9ea5c020c10995b8a13288f29a065094eeca5ea080998957900659514082363e8e1def3e1e