Analysis
  max time kernel: 136s
  max time network: 126s
  platform: windows10-2004_x64
  resource: win10v2004-20240611-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 01/07/2024, 07:36
Behavioral task behavioral1
  Sample: 13f20e9d4b552601d7a88a803d857af3_JaffaCakes118.doc
  Resource: win7-20240611-en
Behavioral task behavioral2
  Sample: 13f20e9d4b552601d7a88a803d857af3_JaffaCakes118.doc
  Resource: win10v2004-20240611-en
General
  Target: 13f20e9d4b552601d7a88a803d857af3_JaffaCakes118.doc
  Size: 45KB
  MD5: 13f20e9d4b552601d7a88a803d857af3
  SHA1: feb110ac2d91d4a53d719a6aba208997be9e8325
  SHA256: 33c5875098aa892827dfc86e762bc5c8d45fc7c9262865aac60ff64b8c06a135
  SHA512: 723b053e0ed90930a18317095c16ef35f3691a2feda5d753403809797a31f4f7427276218bb0fe0914018bdfcf71d8da6ad65eaf64fcbb80a6a09299b37189a8
  SSDEEP: 384:yMO2hfW732RenLOmWq5ve8NcOoHgugzZ2uKDUdfB8Bp4zmkc5L0Xf1ec9:yR2hfU3ygOmWq5vPqguuouApxwt
Malware Config
Signatures
- Drops file in Windows directory (1 IoC)
    description                   ioc                    Process
    File opened for modification  C:\Windows\VBC3F9.tmp  WINWORD.EXE
- Checks processor information in registry (2 TTPs, 3 IoCs)
  Processor information is often read in order to detect sandboxing environments.
    description        ioc                                                                                  Process
    Key opened         \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0                     WINWORD.EXE
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz                WINWORD.EXE
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WINWORD.EXE
- Enumerates system info in registry (2 TTPs, 3 IoCs)
    description        ioc                                                         Process
    Key opened         \REGISTRY\MACHINE\Hardware\Description\System\BIOS          WINWORD.EXE
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily  WINWORD.EXE
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU     WINWORD.EXE
- Suspicious behavior: AddClipboardFormatListener (2 IoCs)
    pid   Process
    2852  WINWORD.EXE
    2852  WINWORD.EXE
- Suspicious use of SetWindowsHookEx (13 IoCs)
    pid   Process
    2852  WINWORD.EXE  (13 identical entries)
Processes
- "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\13f20e9d4b552601d7a88a803d857af3_JaffaCakes118.doc" /o ""
  PID: 2852
  - Drops file in Windows directory
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 245KB
  MD5: f883b260a8d67082ea895c14bf56dd56
  SHA1: 7954565c1f243d46ad3b1e2f1baf3281451fc14b
  SHA256: ef4835db41a485b56c2ef0ff7094bc2350460573a686182bc45fd6613480e353
  SHA512: d95924a499f32d9b4d9a7d298502181f9e9048c21dbe0496fa3c3279b263d6f7d594b859111a99b1a53bd248ee69b867d7b1768c42e1e40934e0b990f0ce051e
- Filesize: 4KB
  MD5: a11d601e2078d851b0b218222e869cfb
  SHA1: 6df919cf12a01c863616caf206ebdbfba4c3a6b7
  SHA256: 92664891ef16e805cd94d7c6d2e143dc01d89cdd18d831c6a07ee062369f1923
  SHA512: 3953e6b14f09797e610aab39bd087c6d6e754ab933edafec0fbf111a599434155de187c317ee0fb4a25de6d5c6761804b1a420b7c98cd90bbed00052953115cd
- Filesize: 26KB
  MD5: bc554dc0aa4d1d4f492bf8dc71f30e34
  SHA1: 41be91e3384cb085bcafe8efc6e30f2a4003e4fb
  SHA256: 78e6405dfb58a743b6bcf1bd8f2e1d0d70516ddcf1a98f30030034ac41faf912
  SHA512: 802157b09f9924a153b6b160da6c9efbef55083a5a129f9de3872d77d4d90c1d80b3d1ac9b7bc2ae7d06974bedb324c90259b70b5500c694fba9db6f0f063ba0