Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
149s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20240419-en -
resource tags
arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system -
submitted
27/04/2024, 10:52
Behavioral task
behavioral1
Sample
0316284f836c4cf6d877a6ac1b40d597_JaffaCakes118.doc
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
0316284f836c4cf6d877a6ac1b40d597_JaffaCakes118.doc
Resource
win10v2004-20240419-en
Behavioral task
behavioral3
Sample
decrypted.xlam
Resource
win7-20240220-en
Behavioral task
behavioral4
Sample
decrypted.xlam
Resource
win10v2004-20240419-en
General
-
Target
0316284f836c4cf6d877a6ac1b40d597_JaffaCakes118.doc
-
Size
436KB
-
MD5
0316284f836c4cf6d877a6ac1b40d597
-
SHA1
c09b7818616d35b19072d508f101fc1ebe7e68aa
-
SHA256
5399db990c923676dda657b10d388839fceb0bc0670f7c536fde74475250c067
-
SHA512
46b311d798956c84bdfe4caacb3af5573b25412c9671be93b6c6de7f840aa0ecbc85dfd57052761f69481d2dce791661e3443393d3f3cb8fe0feddd8167ea9b3
-
SSDEEP
12288:tU4/+/gyXzvh2iFnwBWScVKM2tUN1lsmEMtEV23G6nm:tB/YLz7no+D2tQKmEMgKm
Malware Config
Signatures
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WINWORD.EXE -
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WINWORD.EXE -
Suspicious behavior: AddClipboardFormatListener 2 IoCs
pid Process 4768 WINWORD.EXE 4768 WINWORD.EXE -
Suspicious use of SetWindowsHookEx 16 IoCs
pid Process 4768 WINWORD.EXE 4768 WINWORD.EXE 4768 WINWORD.EXE 4768 WINWORD.EXE 4768 WINWORD.EXE 4768 WINWORD.EXE 4768 WINWORD.EXE 4768 WINWORD.EXE 4768 WINWORD.EXE 4768 WINWORD.EXE 4768 WINWORD.EXE 4768 WINWORD.EXE 4768 WINWORD.EXE 4768 WINWORD.EXE 4768 WINWORD.EXE 4768 WINWORD.EXE -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\0316284f836c4cf6d877a6ac1b40d597_JaffaCakes118.doc" /o ""1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:4768