4637494b847ad3706fa12a547033c7b204d9e2dcc8bd27c084550cf4a1a55f05

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
10/10/2024, 14:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3067d881eb56115f8ff1200a328645be_JaffaCakes118.xls
Size

24KB
MD5

3067d881eb56115f8ff1200a328645be
SHA1

1025a9c6ab029d401ad643513f78bafd26145c22
SHA256

4637494b847ad3706fa12a547033c7b204d9e2dcc8bd27c084550cf4a1a55f05
SHA512

b3464e324228edf106dd62c1fc085a6fbf8054946e1decf3810624678f1ce3cc1485376545421071dce0caa939f7d0aa72f9537dd0c4c5e99f9c86f196088ae8
SSDEEP

768:pyJJJAdFX/615hTVR2ANxCyG6GSlM2zr:oJJJAdFX/615hT9PCuJzr

Score

3^/10

discovery

Malware Config

Signatures

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXCEL.EXE

Office loads VBA resources, possible macro or embedded object present

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2340	EXCEL.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2340	EXCEL.EXE

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
2340	EXCEL.EXE
2340	EXCEL.EXE
2340	EXCEL.EXE
2340	EXCEL.EXE
2340	EXCEL.EXE

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\3067d881eb56115f8ff1200a328645be_JaffaCakes118.xls
1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:2340

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\VB96E5.tmp

Filesize
1KB

MD5
f1b5d31534bce7d254c5003028001797

SHA1
577cf0f83d02a664fe4449a7a62395579afbbcf6

SHA256
e6a229d514a3aa019ed5f879ca1c27969d09c636d3d703469abe1e71562a732b

SHA512
2ae8cfdf87939d562c83d5490a68891297102f4178d510e5d00a64d5afc19ca53326d11e5cd01da581fc6559f1b26e674eb5368c79b45bb9e9d426f62ddb67dc

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Excel\XLSTART\StartUp.xls

Filesize
7KB

MD5
780167913fdf2d0d785fbe7b6f138c62

SHA1
70d49afec9f61d2e1f298429682e63fb107d177a

SHA256
babc6fe237f31b8e42f302a7b260cd899766a89d6c02074ab551a4240fd7a7f3

SHA512
0efbf25864f7c62790ddf96c476d7ad8037aca8c6d2b6f8031e5cb7fbff5f021cdc82c1abfad2f696d9c2cd68ec18ebd70f8786f0502f8bc8c5ecf7fbce6b841

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Excel\XLSTART\StartUp.xls

Filesize
7KB

MD5
2f8e0fefe4dca53442bb90c896c35181

SHA1
94a1c8e0110f3272b94ec61f9195964fab80817a

SHA256
754b7345ee4ac18793b717146b39600fabb7bbe11c5d18f0c1ca060e8deda44d

SHA512
5533ebda36908eb4fa361bf10cbba3cd98185f067b4afe3c7e34c47d47e6be3abdfdb2b276194857e63133817a08a6b31dafbc4a9997642485018e929364f3e7

Download Submit
memory/2340-0-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2340-1-0x0000000071E4D000-0x0000000071E58000-memory.dmp

Filesize
44KB

Download
memory/2340-8-0x00000000062D0000-0x00000000063D0000-memory.dmp

Filesize
1024KB

Download
memory/2340-51-0x0000000071E4D000-0x0000000071E58000-memory.dmp

Filesize
44KB

Download
memory/2340-52-0x00000000062D0000-0x00000000063D0000-memory.dmp

Filesize
1024KB

Download