74423c8236cd5057af8e4ffbf84fdcbb34f5e6dc8f8dc0520c685c7fd6bc100a

General

Target

ad9550ee6ece8322501ed92d374d3928_JaffaCakes118.xls
Size

165KB
MD5

ad9550ee6ece8322501ed92d374d3928
SHA1

d0617e5cb90b4db4fcf2269ffd8228b9ca4f89af
SHA256

74423c8236cd5057af8e4ffbf84fdcbb34f5e6dc8f8dc0520c685c7fd6bc100a
SHA512

531ab2de644449e17e4f6d4a708f98a89bd6ac972b0bc6ed6b725205e5a0412ef6b0dfa9bdb422f6732c5396b8d0c82783c88c3727496488c71cb960b25d2f0b
SSDEEP

3072:bScKoSsxzNDZLDZjlbR868O8KlVH3jiKq7uDphYHceXVhca+fMHLtyeGxcl8OUMj:OcKoSsxzNDZLDZjlbR868O8KlVH3jiK+

Score

10^/10

Malware Config

Extracted

Language

xlm4.0

Source

URLs

xlm40.dropper

http://www.chipmania.it/mails/open.php

Signatures

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	1184	3104	rundll32.exe	90

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
3104	EXCEL.EXE

Suspicious use of SetWindowsHookEx 14 IoCs

pid	Process
3104	EXCEL.EXE
3104	EXCEL.EXE
3104	EXCEL.EXE
3104	EXCEL.EXE
3104	EXCEL.EXE
3104	EXCEL.EXE
3104	EXCEL.EXE
3104	EXCEL.EXE
3104	EXCEL.EXE
3104	EXCEL.EXE
3104	EXCEL.EXE
3104	EXCEL.EXE
3104	EXCEL.EXE
3104	EXCEL.EXE

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 3104 wrote to memory of 1184	3104	EXCEL.EXE	105
PID 3104 wrote to memory of 1184	3104	EXCEL.EXE	105

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\ad9550ee6ece8322501ed92d374d3928_JaffaCakes118.xls"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3104
- C:\Windows\SYSTEM32\rundll32.exe
  rundll32 ..\BASE.BABAA,DllRegisterServer
  2⤵
  - Process spawned unexpected child process
  PID:1184

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4412,i,1602949858158667699,12464335823361976127,262144 --variations-seed-version --mojo-platform-channel-handle=1000 /prefetch:8
1⤵
PID:2152

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms

Filesize
1KB

MD5
22546e713beb7a4a61c420a3dc2fda22

SHA1
e8ff39a55a88a015a28056a891aa9a32e1a26cb9

SHA256
9d9fa422220c18b0f6d9bb5474a7b93a6dfbf8f34e4974b43325dfc5f0e08652

SHA512
ba40e4ee4dabfb7df9a7d3f0d326db6f1f78e69cc9f238502e820c9ea5c020c10995b8a13288f29a065094eeca5ea080998957900659514082363e8e1def3e1e

Download Submit
memory/3104-13-0x00007FFB991A0000-0x00007FFB991B0000-memory.dmp

Filesize
64KB

Download
memory/3104-15-0x00007FFBDB7B0000-0x00007FFBDB9A5000-memory.dmp

Filesize
2.0MB

Download
memory/3104-9-0x00007FFBDB7B0000-0x00007FFBDB9A5000-memory.dmp

Filesize
2.0MB

Download
memory/3104-11-0x00007FFBDB7B0000-0x00007FFBDB9A5000-memory.dmp

Filesize
2.0MB

Download
memory/3104-10-0x00007FFBDB7B0000-0x00007FFBDB9A5000-memory.dmp

Filesize
2.0MB

Download
memory/3104-8-0x00007FFBDB7B0000-0x00007FFBDB9A5000-memory.dmp

Filesize
2.0MB

Download
memory/3104-12-0x00007FFB991A0000-0x00007FFB991B0000-memory.dmp

Filesize
64KB

Download
memory/3104-7-0x00007FFBDB7B0000-0x00007FFBDB9A5000-memory.dmp

Filesize
2.0MB

Download
memory/3104-2-0x00007FFB9B830000-0x00007FFB9B840000-memory.dmp

Filesize
64KB

Download
memory/3104-18-0x00007FFBDB7B0000-0x00007FFBDB9A5000-memory.dmp

Filesize
2.0MB

Download
memory/3104-6-0x00007FFBDB7B0000-0x00007FFBDB9A5000-memory.dmp

Filesize
2.0MB

Download
memory/3104-14-0x00007FFBDB7B0000-0x00007FFBDB9A5000-memory.dmp

Filesize
2.0MB

Download
memory/3104-5-0x00007FFB9B830000-0x00007FFB9B840000-memory.dmp

Filesize
64KB

Download
memory/3104-17-0x00007FFBDB7B0000-0x00007FFBDB9A5000-memory.dmp

Filesize
2.0MB

Download
memory/3104-19-0x00007FFBDB7B0000-0x00007FFBDB9A5000-memory.dmp

Filesize
2.0MB

Download
memory/3104-16-0x00007FFBDB7B0000-0x00007FFBDB9A5000-memory.dmp

Filesize
2.0MB

Download
memory/3104-0-0x00007FFB9B830000-0x00007FFB9B840000-memory.dmp

Filesize
64KB

Download
memory/3104-3-0x00007FFB9B830000-0x00007FFB9B840000-memory.dmp

Filesize
64KB

Download
memory/3104-1-0x00007FFBDB84D000-0x00007FFBDB84E000-memory.dmp

Filesize
4KB

Download
memory/3104-29-0x00007FFBDB7B0000-0x00007FFBDB9A5000-memory.dmp

Filesize
2.0MB

Download
memory/3104-30-0x00007FFBDB84D000-0x00007FFBDB84E000-memory.dmp

Filesize
4KB

Download
memory/3104-4-0x00007FFB9B830000-0x00007FFB9B840000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads