Analysis

  • max time kernel
    148s
  • max time network
    140s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    21-12-2024 18:49

General

  • Target

    JaffaCakes118_34c1b41e19977bea70e481344bb22997847eea00e35c04f36ed4a81f8556a8db.xls

  • Size

    2.7MB

  • MD5

    5a0d2e3b52fe4cf7d627c098d86f1557

  • SHA1

    011aade7c013edc076e0b8c75d07c6362b797a43

  • SHA256

    34c1b41e19977bea70e481344bb22997847eea00e35c04f36ed4a81f8556a8db

  • SHA512

    8f689adbc41821071eba45009d6ffdb7853bd8b55ce41a3716fc020ba95a75173b7bb88399cc894751108e180ae9eccf70c5a9e5c0eab85923192a871f6f7489

  • SSDEEP

    24576:PufOgVAsEaXNN693SGipBEYg5t4ATR9giW5YEk4tpJwBBmvRROTU8fvSTXZv:sb

Malware Config

Signatures

  • Mimikatz

    mimikatz is an open source tool to dump credentials on Windows.

  • Mimikatz family
  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • mimikatz is an open source tool to dump credentials on Windows 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

  • Drops file in Program Files directory 59 IoCs
  • Drops file in Windows directory 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of SetWindowsHookEx 12 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_34c1b41e19977bea70e481344bb22997847eea00e35c04f36ed4a81f8556a8db.xls"
    1⤵
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3640
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      2⤵
        PID:4520
      • C:\Windows\SYSTEM32\rundll32.exe
        rundll32.exe C:\Users\Admin\AppData\Local\Temp\secure32.dll,#1
        2⤵
        • Process spawned unexpected child process
        • Suspicious use of WriteProcessMemory
        PID:1860
        • C:\Windows\SysWOW64\rundll32.exe
          rundll32.exe C:\Users\Admin\AppData\Local\Temp\secure32.dll,#1
          3⤵
          • Loads dropped DLL
          • Writes to the Master Boot Record (MBR)
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:804
          • C:\Windows\SysWOW64\cmd.exe
            /c schtasks /Create /SC once /TN "" /TR "C:\Windows\system32\shutdown.exe /r /f" /ST 19:52
            4⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:1136
            • C:\Windows\SysWOW64\schtasks.exe
              schtasks /Create /SC once /TN "" /TR "C:\Windows\system32\shutdown.exe /r /f" /ST 19:52
              5⤵
              • System Location Discovery: System Language Discovery
              • Scheduled Task/Job: Scheduled Task
              PID:4088
          • C:\Users\Admin\AppData\Local\Temp\B083.tmp
            "C:\Users\Admin\AppData\Local\Temp\B083.tmp" \\.\pipe\{0FAB98DE-1A6C-4505-9A05-E490169957D3}
            4⤵
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2148
    • C:\Windows\system32\svchost.exe
      C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
      1⤵
        PID:4828

      Network

      • flag-us
        DNS
        8.8.8.8.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        8.8.8.8.in-addr.arpa
        IN PTR
        Response
        8.8.8.8.in-addr.arpa
        IN PTR
        dns.google
      • flag-us
        DNS
        13.86.106.20.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        13.86.106.20.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        240.76.109.52.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        240.76.109.52.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        83.210.23.2.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        83.210.23.2.in-addr.arpa
        IN PTR
        Response
        83.210.23.2.in-addr.arpa
        IN PTR
        a2-23-210-83.deploy.static.akamaitechnologies.com
      • flag-us
        DNS
        roaming.officeapps.live.com
        EXCEL.EXE
        Remote address:
        8.8.8.8:53
        Request
        roaming.officeapps.live.com
        IN A
        Response
        roaming.officeapps.live.com
        IN CNAME
        prod.roaming1.live.com.akadns.net
        prod.roaming1.live.com.akadns.net
        IN CNAME
        eur.roaming1.live.com.akadns.net
        eur.roaming1.live.com.akadns.net
        IN CNAME
        weu-azsc-000.roaming.officeapps.live.com
        weu-azsc-000.roaming.officeapps.live.com
        IN CNAME
        osiprod-weu-buff-azsc-000.westeurope.cloudapp.azure.com
        osiprod-weu-buff-azsc-000.westeurope.cloudapp.azure.com
        IN A
        52.109.89.19
      • flag-nl
        POST
        https://roaming.officeapps.live.com/rs/RoamingSoapService.svc
        EXCEL.EXE
        Remote address:
        52.109.89.19:443
        Request
        POST /rs/RoamingSoapService.svc HTTP/1.1
        Cache-Control: no-cache
        Connection: Keep-Alive
        Pragma: no-cache
        Content-Type: text/xml; charset=utf-8
        User-Agent: MS-WebServices/1.0
        SOAPAction: "http://tempuri.org/IRoamingSettingsService/GetConfig"
        Content-Length: 511
        Host: roaming.officeapps.live.com
        Response
        HTTP/1.1 200 OK
        Cache-Control: private
        Content-Type: text/xml; charset=utf-8
        Server: Microsoft-IIS/10.0
        X-OfficeFE: RoamingFE_IN_79
        X-OfficeVersion: 16.0.18416.30575
        X-OfficeCluster: weu-000.roaming.officeapps.live.com
        Content-Security-Policy-Report-Only: script-src 'nonce-EsxMHDIM+JlHBYSu0iAMaI/MjCqxifk485eLUHSsvQVP89Wme8Gm18OOAIfDnUKTfQK1Eq5HhQQQ8wlm/eJdg3dZyxVgiAUWAlzDXe4Q2qeTq4ql4NglqGkR7enV+mKgjYGW8mZmSgUfqQML6O7LDW4yR6Lh1IgbYylINPrBtM4=' 'unsafe-inline' 'unsafe-eval' 'strict-dynamic' https:; base-uri 'self'; object-src 'none'; require-trusted-types-for 'script'; report-uri https://csp.microsoft.com/report/OfficeIce-OfficeRoaming-Prod
        X-CorrelationId: d0249475-3ed0-4256-a933-94e128b21cb9
        X-Powered-By: ASP.NET
        Date: Sat, 21 Dec 2024 18:49:28 GMT
        Content-Length: 654
      • flag-us
        DNS
        95.221.229.192.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        95.221.229.192.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        19.89.109.52.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        19.89.109.52.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        68.159.190.20.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        68.159.190.20.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        170.253.116.51.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        170.253.116.51.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        133.211.185.52.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        133.211.185.52.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        50.23.12.20.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        50.23.12.20.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        206.23.85.13.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        206.23.85.13.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        92.12.20.2.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        92.12.20.2.in-addr.arpa
        IN PTR
        Response
        92.12.20.2.in-addr.arpa
        IN PTR
        a2-20-12-92.deploy.static.akamaitechnologies.com
      • flag-us
        DNS
        88.210.23.2.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        88.210.23.2.in-addr.arpa
        IN PTR
        Response
        88.210.23.2.in-addr.arpa
        IN PTR
        a2-23-210-88.deploy.static.akamaitechnologies.com
      • flag-us
        DNS
        23.236.111.52.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        23.236.111.52.in-addr.arpa
        IN PTR
        Response
      • 52.109.89.19:443
        https://roaming.officeapps.live.com/rs/RoamingSoapService.svc
        tls, http
        EXCEL.EXE
        1.8kB
        8.2kB
        12
        11

        HTTP Request

        POST https://roaming.officeapps.live.com/rs/RoamingSoapService.svc

        HTTP Response

        200
      • 52.109.76.240:445
        officeclient.microsoft.com
        260 B
        5
      • 10.127.0.1:445
        260 B
        5
      • 2.23.210.83:445
        ctldl.windowsupdate.com
        260 B
        5
      • 13.107.42.16:445
        config.edge.skype.com
        260 B
        5
      • 10.127.0.0:445
        rundll32.exe
      • 2.23.210.83:139
        ctldl.windowsupdate.com
        260 B
        5
      • 52.109.76.240:139
        officeclient.microsoft.com
        260 B
        5
      • 10.127.0.1:139
        260 B
        5
      • 13.107.42.16:139
        config.edge.skype.com
        260 B
        5
      • 10.127.0.0:139
        rundll32.exe
      • 10.127.0.1:445
        rundll32.exe
        104 B
        2
      • 10.127.0.1:139
        rundll32.exe
        104 B
        2
      • 10.127.0.2:445
        rundll32.exe
      • 10.127.0.2:139
        rundll32.exe
      • 10.127.0.3:445
        rundll32.exe
      • 10.127.0.3:139
        rundll32.exe
      • 10.127.0.4:445
        rundll32.exe
      • 10.127.0.4:139
        rundll32.exe
      • 10.127.0.5:445
        rundll32.exe
      • 20.190.159.68:445
        login.live.com
        260 B
        5
      • 49.12.169.207:445
        260 B
        5
      • 51.116.253.170:445
        self.events.data.microsoft.com
        260 B
        5
      • 10.127.0.5:139
        rundll32.exe
      • 20.190.159.68:139
        login.live.com
        260 B
        5
      • 49.12.169.207:139
        260 B
        5
      • 51.116.253.170:139
        self.events.data.microsoft.com
        260 B
        5
      • 10.127.0.6:445
        rundll32.exe
      • 10.127.0.6:139
        rundll32.exe
      • 10.127.0.7:445
        rundll32.exe
      • 10.127.0.7:139
        rundll32.exe
      • 10.127.0.8:445
        rundll32.exe
      • 10.127.0.8:139
        rundll32.exe
      • 10.127.0.9:445
        rundll32.exe
      • 10.127.0.9:139
        rundll32.exe
      • 10.127.0.10:445
        rundll32.exe
      • 10.127.0.10:139
        rundll32.exe
      • 10.127.0.11:445
        rundll32.exe
      • 10.127.0.11:139
        rundll32.exe
      • 10.127.0.12:445
        rundll32.exe
      • 10.127.0.12:139
        rundll32.exe
      • 10.127.0.13:445
        rundll32.exe
      • 10.127.0.13:139
        rundll32.exe
      • 10.127.0.14:445
        rundll32.exe
      • 10.127.0.14:139
        rundll32.exe
      • 10.127.0.15:445
        rundll32.exe
      • 10.127.0.15:139
        rundll32.exe
      • 10.127.0.16:445
        rundll32.exe
      • 10.127.0.16:139
        rundll32.exe
      • 10.127.0.17:445
        rundll32.exe
      • 10.127.0.17:139
        rundll32.exe
      • 10.127.0.18:445
        rundll32.exe
      • 10.127.0.18:139
        rundll32.exe
      • 10.127.0.19:445
        rundll32.exe
      • 10.127.0.19:139
        rundll32.exe
      • 10.127.0.20:445
        rundll32.exe
      • 10.127.0.20:139
        rundll32.exe
      • 10.127.0.21:445
        rundll32.exe
      • 10.127.0.21:139
        rundll32.exe
      • 10.127.0.22:445
        rundll32.exe
      • 10.127.0.22:139
        rundll32.exe
      • 10.127.0.23:445
        rundll32.exe
      • 10.127.0.23:139
        rundll32.exe
      • 10.127.0.24:445
        rundll32.exe
      • 10.127.0.24:139
        rundll32.exe
      • 10.127.0.25:445
        rundll32.exe
      • 10.127.0.25:139
        rundll32.exe
      • 10.127.0.26:445
        rundll32.exe
      • 10.127.0.26:139
        rundll32.exe
      • 10.127.0.27:445
        rundll32.exe
      • 10.127.0.27:139
        rundll32.exe
      • 10.127.0.28:445
        rundll32.exe
      • 10.127.0.28:139
        rundll32.exe
      • 10.127.0.29:445
        rundll32.exe
      • 10.127.0.29:139
        rundll32.exe
      • 10.127.0.30:445
        rundll32.exe
      • 10.127.0.30:139
        rundll32.exe
      • 10.127.0.31:445
        rundll32.exe
      • 10.127.0.31:139
        rundll32.exe
      • 10.127.0.32:445
        rundll32.exe
      • 10.127.0.32:139
        rundll32.exe
      • 10.127.0.33:445
        rundll32.exe
      • 10.127.0.33:139
        rundll32.exe
      • 10.127.0.34:445
        rundll32.exe
      • 10.127.0.34:139
        rundll32.exe
      • 10.127.0.35:445
        rundll32.exe
      • 10.127.0.35:139
        rundll32.exe
      • 8.8.8.8:53
        8.8.8.8.in-addr.arpa
        dns
        66 B
        90 B
        1
        1

        DNS Request

        8.8.8.8.in-addr.arpa

      • 8.8.8.8:53
        13.86.106.20.in-addr.arpa
        dns
        71 B
        157 B
        1
        1

        DNS Request

        13.86.106.20.in-addr.arpa

      • 8.8.8.8:53
        240.76.109.52.in-addr.arpa
        dns
        72 B
        146 B
        1
        1

        DNS Request

        240.76.109.52.in-addr.arpa

      • 8.8.8.8:53
        83.210.23.2.in-addr.arpa
        dns
        70 B
        133 B
        1
        1

        DNS Request

        83.210.23.2.in-addr.arpa

      • 8.8.8.8:53
        roaming.officeapps.live.com
        dns
        EXCEL.EXE
        73 B
        247 B
        1
        1

        DNS Request

        roaming.officeapps.live.com

        DNS Response

        52.109.89.19

      • 8.8.8.8:53
        95.221.229.192.in-addr.arpa
        dns
        73 B
        144 B
        1
        1

        DNS Request

        95.221.229.192.in-addr.arpa

      • 8.8.8.8:53
        19.89.109.52.in-addr.arpa
        dns
        71 B
        145 B
        1
        1

        DNS Request

        19.89.109.52.in-addr.arpa

      • 8.8.8.8:53
        68.159.190.20.in-addr.arpa
        dns
        72 B
        158 B
        1
        1

        DNS Request

        68.159.190.20.in-addr.arpa

      • 8.8.8.8:53
        170.253.116.51.in-addr.arpa
        dns
        73 B
        159 B
        1
        1

        DNS Request

        170.253.116.51.in-addr.arpa

      • 8.8.8.8:53
        133.211.185.52.in-addr.arpa
        dns
        73 B
        147 B
        1
        1

        DNS Request

        133.211.185.52.in-addr.arpa

      • 8.8.8.8:53
        50.23.12.20.in-addr.arpa
        dns
        70 B
        156 B
        1
        1

        DNS Request

        50.23.12.20.in-addr.arpa

      • 8.8.8.8:53
        206.23.85.13.in-addr.arpa
        dns
        71 B
        145 B
        1
        1

        DNS Request

        206.23.85.13.in-addr.arpa

      • 8.8.8.8:53
        92.12.20.2.in-addr.arpa
        dns
        69 B
        131 B
        1
        1

        DNS Request

        92.12.20.2.in-addr.arpa

      • 8.8.8.8:53
        88.210.23.2.in-addr.arpa
        dns
        70 B
        133 B
        1
        1

        DNS Request

        88.210.23.2.in-addr.arpa

      • 8.8.8.8:53
        23.236.111.52.in-addr.arpa
        dns
        72 B
        158 B
        1
        1

        DNS Request

        23.236.111.52.in-addr.arpa

      MITRE ATT&CK Enterprise v15


      Downloads

      • C:\Users\Admin\AppData\Local\Temp\B083.tmp

        Filesize

        55KB

        MD5

        7e37ab34ecdcc3e77e24522ddfd4852d

        SHA1

        38e2855e11e353cedf9a8a4f2f2747f1c5c07fcf

        SHA256

        02ef73bd2458627ed7b397ec26ee2de2e92c71a0e7588f78734761d8edbdcd9f

        SHA512

        1b037a2aa8bf951d2ffe2f724aa0b2fbb39c2173215806ba0327bda7b096301d887f9bb7db46f9e04584b16aa6b1aaeaf67f0ecf5f20eb02ceac27c8753ca587

      • C:\Users\Admin\AppData\Local\Temp\secure32.dll

        Filesize

        353KB

        MD5

        735b3416184b92e85386f87edd0722f6

        SHA1

        9def25157305d724a01900ac8949ef596e0bb1fb

        SHA256

        c69896a194fe4abc7eed31f718cf5e0406ef95ba1825ac998c4aa97f9764a8b4

        SHA512

        72733e46841b576b3298d34fef01d0b880626628e28d4641da8a9cadcad430848da5dc4504f81314a363b861a16dc22f1a30b5b2a125e6ab9da915f38eb054d6

      • memory/804-67-0x0000000002250000-0x00000000022AE000-memory.dmp

        Filesize

        376KB

      • memory/804-54-0x0000000002250000-0x00000000022AE000-memory.dmp

        Filesize

        376KB

      • memory/804-55-0x0000000002250000-0x00000000022AE000-memory.dmp

        Filesize

        376KB

      • memory/804-53-0x0000000002250000-0x00000000022AE000-memory.dmp

        Filesize

        376KB

      • memory/804-45-0x0000000002250000-0x00000000022AE000-memory.dmp

        Filesize

        376KB

      • memory/3640-7-0x00007FFDB15D0000-0x00007FFDB15E0000-memory.dmp

        Filesize

        64KB

      • memory/3640-6-0x00007FFDF1550000-0x00007FFDF1745000-memory.dmp

        Filesize

        2.0MB

      • memory/3640-10-0x00007FFDF1550000-0x00007FFDF1745000-memory.dmp

        Filesize

        2.0MB

      • memory/3640-8-0x00007FFDF1550000-0x00007FFDF1745000-memory.dmp

        Filesize

        2.0MB

      • memory/3640-11-0x00007FFDAEC70000-0x00007FFDAEC80000-memory.dmp

        Filesize

        64KB

      • memory/3640-13-0x00007FFDF1550000-0x00007FFDF1745000-memory.dmp

        Filesize

        2.0MB

      • memory/3640-15-0x00007FFDF1550000-0x00007FFDF1745000-memory.dmp

        Filesize

        2.0MB

      • memory/3640-12-0x00007FFDF1550000-0x00007FFDF1745000-memory.dmp

        Filesize

        2.0MB

      • memory/3640-14-0x00007FFDAEC70000-0x00007FFDAEC80000-memory.dmp

        Filesize

        64KB

      • memory/3640-9-0x00007FFDF1550000-0x00007FFDF1745000-memory.dmp

        Filesize

        2.0MB

      • memory/3640-1-0x00007FFDF15ED000-0x00007FFDF15EE000-memory.dmp

        Filesize

        4KB

      • memory/3640-4-0x00007FFDB15D0000-0x00007FFDB15E0000-memory.dmp

        Filesize

        64KB

      • memory/3640-5-0x00007FFDF1550000-0x00007FFDF1745000-memory.dmp

        Filesize

        2.0MB

      • memory/3640-2-0x00007FFDB15D0000-0x00007FFDB15E0000-memory.dmp

        Filesize

        64KB

      • memory/3640-3-0x00007FFDB15D0000-0x00007FFDB15E0000-memory.dmp

        Filesize

        64KB

      • memory/3640-0-0x00007FFDB15D0000-0x00007FFDB15E0000-memory.dmp

        Filesize

        64KB

      • memory/3640-75-0x00007FFDF1550000-0x00007FFDF1745000-memory.dmp

        Filesize

        2.0MB

      • memory/3640-76-0x00007FFDF15ED000-0x00007FFDF15EE000-memory.dmp

        Filesize

        4KB

      • memory/3640-77-0x00007FFDF1550000-0x00007FFDF1745000-memory.dmp

        Filesize

        2.0MB
