Analysis
- max time kernel: 149s
- max time network: 149s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 07-09-2024 18:04
Behavioral task behavioral1
- Sample: d288b202843f8a0778e99eb62a0110cf_JaffaCakes118.xls
- Resource: win7-20240903-en
Behavioral task behavioral2
- Sample: d288b202843f8a0778e99eb62a0110cf_JaffaCakes118.xls
- Resource: win10v2004-20240802-en
General
- Target: d288b202843f8a0778e99eb62a0110cf_JaffaCakes118.xls
- Size: 165KB
- MD5: d288b202843f8a0778e99eb62a0110cf
- SHA1: c196b685ad86e18effb7cd048e4e4530e0fddfdd
- SHA256: d10890283b9504c4ec3a38952fe067d709905a8299ca47225fb8612158c0b76b
- SHA512: 0ab682fce21e70bf8c4c884fa06dddaa66222516b5615721ece2e542c2217c4115564aad0abc33097c8a0fcae5797047ec06bf653eea495f03d2eb2a7c85807f
- SSDEEP: 3072:bScKoSsxzNDZLDZjlbR868O8KlVH3jiKq7uDphYHceXVhca+fMHLtyeGxcl8OUM3:OcKoSsxzNDZLDZjlbR868O8KlVH3jiKy
Malware Config
Extracted
http://www.chipmania.it/mails/open.php
Signatures
- Process spawned unexpected child process (1 IoC)
  This typically indicates the parent process was compromised via an exploit or macro.
  Processes:
    description: Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process
    pid: 1312
    pid_target: 2236
    process: rundll32.exe
    target process: EXCEL.EXE
- Checks processor information in registry (2 TTPs, 3 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes:
    Key opened: \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 (EXCEL.EXE)
    Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz (EXCEL.EXE)
    Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (EXCEL.EXE)
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  Processes:
    Key opened: \REGISTRY\MACHINE\Hardware\Description\System\BIOS (EXCEL.EXE)
    Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily (EXCEL.EXE)
    Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU (EXCEL.EXE)
- Suspicious behavior: AddClipboardFormatListener (1 IoC)
  Processes:
    pid 2236: EXCEL.EXE
- Suspicious use of SetWindowsHookEx (14 IoCs)
  Processes:
    pid 2236: EXCEL.EXE (14 occurrences)
- Suspicious use of WriteProcessMemory (2 IoCs)
  Processes:
    description: PID 2236 wrote to memory of 1312
    pid: 2236
    process: EXCEL.EXE
    target process: rundll32.exe
    (2 occurrences)
Processes
- C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE (PID 2236, depth 1)
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\d288b202843f8a0778e99eb62a0110cf_JaffaCakes118.xls"
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SYSTEM32\rundll32.exe (PID 1312, depth 2, child of PID 2236)
    Command line: rundll32 ..\BASE.BABAA,DllRegisterServer
    - Process spawned unexpected child process
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms
  Filesize: 4KB
  MD5: 054b7f6d66b8b9650efd748e7946addf
  SHA1: a620ff28a335a7055a33cee95cd80f2ac45f62a2
  SHA256: e5c56ada2447cb37b6baabc4aa0a15cd23a9af210ec76b78c2cffb74cee8741c
  SHA512: 6d1d8679171fe2b059c390e9d5dca78d751bcb61abbd490ce5ee81f520285bbf121470b4b78b4c9d1f81406750fdfa63564a4aee6b5fa346f6cdd189aa0c0a5b