0c24602274c0afda05197250336fbecd64a2afef887a39f3a714acf727e28c52

General

Target

ed1d2ec94052a01a82dc41386c67fa95_JaffaCakes118.xls
Size

58KB
MD5

ed1d2ec94052a01a82dc41386c67fa95
SHA1

26b80c542713e53d2258ea3b271c4c9a3e1e1147
SHA256

0c24602274c0afda05197250336fbecd64a2afef887a39f3a714acf727e28c52
SHA512

90a3a7eae17f5c0d8d37ffcc408f1790b6e08bda43b51fb0491f35ab03627f9ac6ceb43b6db5ffe8363eccb83f027aecff587a76427889008d3f265e070e330c
SSDEEP

1536:Oihz0DewjEXWfCDIM/V5xtezEsi8OUM+tfNaIZEpqpXouv:Oihz0DewjEXWfCDIM/V5xtezEsi8OUMu

Score

10^/10

Malware Config

Extracted

Language

xlm4.0

Source

URLs

xlm40.dropper

http://www.psicheaurora.it/fanta/download.php

Signatures

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	4360	3720	rundll32.exe	81

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
3720	EXCEL.EXE

Suspicious use of SetWindowsHookEx 14 IoCs

pid	Process
3720	EXCEL.EXE
3720	EXCEL.EXE
3720	EXCEL.EXE
3720	EXCEL.EXE
3720	EXCEL.EXE
3720	EXCEL.EXE
3720	EXCEL.EXE
3720	EXCEL.EXE
3720	EXCEL.EXE
3720	EXCEL.EXE
3720	EXCEL.EXE
3720	EXCEL.EXE
3720	EXCEL.EXE
3720	EXCEL.EXE

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 3720 wrote to memory of 4360	3720	EXCEL.EXE	83
PID 3720 wrote to memory of 4360	3720	EXCEL.EXE	83

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\ed1d2ec94052a01a82dc41386c67fa95_JaffaCakes118.xls"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3720
- C:\Windows\SYSTEM32\rundll32.exe
  rundll32 ..\Joret.fffooo,DllRegisterServer1
  2⤵
  - Process spawned unexpected child process
  PID:4360

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms

Filesize
1KB

MD5
b477c50150d222eb76ce96d7a5dc3b3b

SHA1
212b4222ad4cb1e98327017d29f09b2503dd505f

SHA256
ed6c60741e9d71b79ea2d5e82e59c8c67a1dda57735b1ed2c66465a7682008c7

SHA512
dede98abf6ca13d56bfd8fff18fd9f9dc56a8c9a893807af09b0e3240a7576d0df944e89c0b4bc9a3bbd1e1bc35a4e26a4052a7c836582fc40d8c3e4e59a488c

Download Submit
C:\Users\Admin\Joret.fffooo

Filesize
7KB

MD5
26ac240c07fd7989aef333c4ae18234f

SHA1
fcff627a9a8ea69a7ce71869c6f776436e4a6cfd

SHA256
debb0cdc2ad455bdf2ded4555528d198d7260bd2d7eeadc2523eb485675c5a30

SHA512
188f5058de2edd697109d5690acf8b92bb2e0b56d0a7eaa055c57dbcb4cfc1933e19e1c2969ccab0285fcb30075bb26ee95a89846215e3fe1d86a9cee8ee6379

Download Submit
memory/3720-9-0x00007FFAB1AF0000-0x00007FFAB1CE5000-memory.dmp

Filesize
2.0MB

Download
memory/3720-13-0x00007FFAB1AF0000-0x00007FFAB1CE5000-memory.dmp

Filesize
2.0MB

Download
memory/3720-5-0x00007FFA71B70000-0x00007FFA71B80000-memory.dmp

Filesize
64KB

Download
memory/3720-1-0x00007FFA71B70000-0x00007FFA71B80000-memory.dmp

Filesize
64KB

Download
memory/3720-7-0x00007FFAB1AF0000-0x00007FFAB1CE5000-memory.dmp

Filesize
2.0MB

Download
memory/3720-8-0x00007FFAB1AF0000-0x00007FFAB1CE5000-memory.dmp

Filesize
2.0MB

Download
memory/3720-6-0x00007FFAB1AF0000-0x00007FFAB1CE5000-memory.dmp

Filesize
2.0MB

Download
memory/3720-10-0x00007FFAB1AF0000-0x00007FFAB1CE5000-memory.dmp

Filesize
2.0MB

Download
memory/3720-0-0x00007FFA71B70000-0x00007FFA71B80000-memory.dmp

Filesize
64KB

Download
memory/3720-12-0x00007FFAB1AF0000-0x00007FFAB1CE5000-memory.dmp

Filesize
2.0MB

Download
memory/3720-11-0x00007FFA6F8B0000-0x00007FFA6F8C0000-memory.dmp

Filesize
64KB

Download
memory/3720-4-0x00007FFA71B70000-0x00007FFA71B80000-memory.dmp

Filesize
64KB

Download
memory/3720-15-0x00007FFAB1AF0000-0x00007FFAB1CE5000-memory.dmp

Filesize
2.0MB

Download
memory/3720-17-0x00007FFAB1AF0000-0x00007FFAB1CE5000-memory.dmp

Filesize
2.0MB

Download
memory/3720-19-0x00007FFA6F8B0000-0x00007FFA6F8C0000-memory.dmp

Filesize
64KB

Download
memory/3720-18-0x00007FFAB1AF0000-0x00007FFAB1CE5000-memory.dmp

Filesize
2.0MB

Download
memory/3720-16-0x00007FFAB1AF0000-0x00007FFAB1CE5000-memory.dmp

Filesize
2.0MB

Download
memory/3720-14-0x00007FFAB1AF0000-0x00007FFAB1CE5000-memory.dmp

Filesize
2.0MB

Download
memory/3720-2-0x00007FFA71B70000-0x00007FFA71B80000-memory.dmp

Filesize
64KB

Download
memory/3720-31-0x00007FFAB1AF0000-0x00007FFAB1CE5000-memory.dmp

Filesize
2.0MB

Download
memory/3720-3-0x00007FFAB1B8D000-0x00007FFAB1B8E000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads