Analysis
max time kernel: 121s
max time network: 122s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 09-09-2024 10:02
Behavioral task: behavioral1
Sample: d6178e66b2e106d41b80f0a65648193f_JaffaCakes118.xls
Resource: win7-20240903-en
Behavioral task: behavioral2
Sample: d6178e66b2e106d41b80f0a65648193f_JaffaCakes118.xls
Resource: win10v2004-20240802-en
General
Target: d6178e66b2e106d41b80f0a65648193f_JaffaCakes118.xls
Size: 234KB
MD5: d6178e66b2e106d41b80f0a65648193f
SHA1: bd63130e0f98474237cf2f0dc75c72df540b0f35
SHA256: 3a26d714db6bcc160be992c7640243c245122f43747c7a3843a81f2e9c3803d2
SHA512: b45ab685b6e6e715f45513aab19afdfd81c09f47a241ca19b91cea920535b2fd9d24d5963f7cd90c16e4a468934a7c536771b0bdc31c73c66101c4c468f6cfe6
SSDEEP: 6144:Sk3hOdsylKlgxopeiBNhZF+E+W2kdAQFD+UAnvfrrfKQATdevW9BW7K:coT5
Malware Config
Extracted
https://jumper.rocks/wp-index.php
https://jumper.yoga/wp-index.php
Signatures
Process spawned unexpected child process (2 IoCs)
This typically indicates the parent process was compromised via an exploit or macro.
Processes: explorer.exe, rundll32.exe
description | pid | pid_target | process | target process
Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process | 2728 | 2016 | explorer.exe | EXCEL.EXE
Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process | 2652 | 2016 | rundll32.exe | EXCEL.EXE
System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes: EXCEL.EXE, explorer.exe, rundll32.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | EXCEL.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | explorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rundll32.exe
Enumerates system info in registry (2 TTPs, 1 IoCs)
Processes: EXCEL.EXE
description | ioc | process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor | EXCEL.EXE
Suspicious behavior: AddClipboardFormatListener (1 IoCs)
Processes: EXCEL.EXE
pid | process
2016 | EXCEL.EXE
Suspicious use of SetWindowsHookEx (6 IoCs)
Processes: EXCEL.EXE
pid | process
2016 | EXCEL.EXE
2016 | EXCEL.EXE
2016 | EXCEL.EXE
2016 | EXCEL.EXE
2016 | EXCEL.EXE
2016 | EXCEL.EXE
Suspicious use of WriteProcessMemory (14 IoCs)
Processes: EXCEL.EXE, explorer.exe
description | pid | process | target process
PID 2016 wrote to memory of 2728 | 2016 | EXCEL.EXE | explorer.exe
PID 2016 wrote to memory of 2728 | 2016 | EXCEL.EXE | explorer.exe
PID 2016 wrote to memory of 2728 | 2016 | EXCEL.EXE | explorer.exe
PID 2016 wrote to memory of 2728 | 2016 | EXCEL.EXE | explorer.exe
PID 2168 wrote to memory of 2660 | 2168 | explorer.exe | WScript.exe
PID 2168 wrote to memory of 2660 | 2168 | explorer.exe | WScript.exe
PID 2168 wrote to memory of 2660 | 2168 | explorer.exe | WScript.exe
PID 2016 wrote to memory of 2652 | 2016 | EXCEL.EXE | rundll32.exe
PID 2016 wrote to memory of 2652 | 2016 | EXCEL.EXE | rundll32.exe
PID 2016 wrote to memory of 2652 | 2016 | EXCEL.EXE | rundll32.exe
PID 2016 wrote to memory of 2652 | 2016 | EXCEL.EXE | rundll32.exe
PID 2016 wrote to memory of 2652 | 2016 | EXCEL.EXE | rundll32.exe
PID 2016 wrote to memory of 2652 | 2016 | EXCEL.EXE | rundll32.exe
PID 2016 wrote to memory of 2652 | 2016 | EXCEL.EXE | rundll32.exe
Processes
Level 1: C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
  Command line: "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\d6178e66b2e106d41b80f0a65648193f_JaffaCakes118.xls
  - System Location Discovery: System Language Discovery
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID: 2016
  Level 2: C:\Windows\SysWOW64\explorer.exe
    Command line: explorer.exe C:\Users\Admin\AppData\Local\Temp\Q7ye.vbs
    - Process spawned unexpected child process
    - System Location Discovery: System Language Discovery
    PID: 2728
  Level 2: C:\Windows\SysWOW64\rundll32.exe
    Command line: "C:\Windows\system32\rundll32.exe" C:\Users\Admin\AppData\Local\Temp\o3N21.html,DllRegisterServer
    - Process spawned unexpected child process
    - System Location Discovery: System Language Discovery
    PID: 2652
Level 1: C:\Windows\explorer.exe
  Command line: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
  - Suspicious use of WriteProcessMemory
  PID: 2168
  Level 2: C:\Windows\System32\WScript.exe
    Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Q7ye.vbs"
    PID: 2660
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 331B
MD5: 27f46f90268086c258903e9af643001d
SHA1: a2d036ba27a81d328f4de6a2ee4a4a4dee1115d9
SHA256: 9ca99919766876553f88875343e2c01e1c43043906122a2dfdc1d06877fab111
SHA512: 71eb78fdbdab3fbd9a38a8ee8b89935c40cd371265edbfe60f562beccfc40d35bf87c9b0478d64a27b0aecdf11cd70e064301c018191f31718dfdbf66d39a72c
Filesize: 3B
MD5: 21438ef4b9ad4fc266b6129a2f60de29
SHA1: 5eb8e2242eeb4f5432beeec8b873f1ab0a6b71fd
SHA256: 13bf7b3039c63bf5a50491fa3cfd8eb4e699d1ba1436315aef9cbe5711530354
SHA512: 37436ced85e5cd638973e716d6713257d692f9dd2e1975d5511ae3856a7b3b9f0d9e497315a058b516ab31d652ea9950938c77c1ad435ea8d4b49d73427d1237