Analysis
- max time kernel: 144s
- max time network: 140s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 06-09-2024 06:18
Behavioral task: behavioral1
- Sample: cede243ccb2a1fb81284aa31eb65f126_JaffaCakes118.xls
- Resource: win7-20240903-en

Behavioral task: behavioral2
- Sample: cede243ccb2a1fb81284aa31eb65f126_JaffaCakes118.xls
- Resource: win10v2004-20240802-en
General
- Target: cede243ccb2a1fb81284aa31eb65f126_JaffaCakes118.xls
- Size: 165KB
- MD5: cede243ccb2a1fb81284aa31eb65f126
- SHA1: d27cff39992cdbe0402fcfd80f5ad297cd95ec53
- SHA256: 31caa6f66af8581cd7592d9b0e847127bfb2d28575b188ed178b36c3a7435693
- SHA512: 2ee7987429cb24d5489c40f655153f69f77b25dbde828c704e93475d512253fdbc1f2f5fd232ad0b8a56308264f965514629d2e524fd452d179244c27fb04615
- SSDEEP: 3072:XScKoSsxzNDZLDZjlbR868O8KlVH3jiKq7uDphYHceXVhca+fMHLtyeGxcl8OUMH:CcKoSsxzNDZLDZjlbR868O8KlVH3jiKS
Malware Config
- Extracted URL: http://artifkt.com/okmobi/certificate.php
Signatures

- Process spawned unexpected child process (1 IoCs)
  This typically indicates the parent process was compromised via an exploit or macro.
  Processes: rundll32.exe
    description | pid | pid_target | process | target process
    Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process | 2832 | 2424 | rundll32.exe | EXCEL.EXE
- System Location Discovery: System Language Discovery (1 TTPs, 2 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  Processes: EXCEL.EXE, rundll32.exe
    description | ioc | process
    Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | EXCEL.EXE
    Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rundll32.exe
- Enumerates system info in registry (2 TTPs, 1 IoCs)
  Processes: EXCEL.EXE
    description | ioc | process
    Key opened | \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor | EXCEL.EXE
- Suspicious behavior: AddClipboardFormatListener (1 IoCs)
  Processes: EXCEL.EXE
    pid | process
    2424 | EXCEL.EXE
- Suspicious use of SetWindowsHookEx (5 IoCs)
  Processes: EXCEL.EXE
    pid | process
    2424 | EXCEL.EXE (5 occurrences)
- Suspicious use of WriteProcessMemory (7 IoCs)
  Processes: EXCEL.EXE
    description | pid | process | target process
    PID 2424 wrote to memory of 2832 | 2424 | EXCEL.EXE | rundll32.exe (7 occurrences)
Processes
- C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
  Command line: "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\cede243ccb2a1fb81284aa31eb65f126_JaffaCakes118.xls
  PID: 2424
  Signatures:
  - System Location Discovery: System Language Discovery
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  Child process:
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32 ..\NDks.freas,DllRegisterServer
    PID: 2832
    Signatures:
    - Process spawned unexpected child process
    - System Location Discovery: System Language Discovery