Analysis
max time kernel: 145s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64 arch:x86 image:win10v2004-20240802-en locale:en-us os:windows10-2004-x64 system
submitted: 14/08/2024, 18:46
Behavioral task: behavioral1
Sample: 973fbc8411b62a64fe079e7b50f663fa_JaffaCakes118.doc
Resource: win7-20240704-en
Behavioral task: behavioral2
Sample: 973fbc8411b62a64fe079e7b50f663fa_JaffaCakes118.doc
Resource: win10v2004-20240802-en
(The signatures, processes and files below are from behavioral2, the Windows 10 run; the Windows 7 run is not shown on this page.)
General
Target: 973fbc8411b62a64fe079e7b50f663fa_JaffaCakes118.doc
Size: 241KB
MD5: 973fbc8411b62a64fe079e7b50f663fa
SHA1: 592a277ed9b564df350fc4b7f5f68b439d4e33ac
SHA256: a2f5d168e115027b80d8445fd7b48504a49b2d04c603e404ac1f2d4ec2708a0b
SHA512: 26e8dec8b6428b93e1e304d68a2f8b94ddf8905e125341e069781fa3e79478dc276ebab8420e5ec1101923ebcee7f88db64485f51d679efdd8a69c0d010db317
SSDEEP: 1536:0terTkw9HnXPJguq73/IKB5Kby0g1CHrTPmy3K/dRYBEbk6TXubT+rWwta:0vw9HXPJguq73/IKBWyOcdSabVUTYhta
Malware Config
Signatures
-
Checks processor information in registry (2 TTPs, 6 IoCs)
Processor information is often read in order to detect sandboxing environments.
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | EXCEL.EXE
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
Enumerates system info in registry (2 TTPs, 6 IoCs)
description | ioc | process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | EXCEL.EXE
Suspicious behavior: AddClipboardFormatListener (2 IoCs)
pid | process
4904 | WINWORD.EXE
4904 | WINWORD.EXE
Suspicious use of AdjustPrivilegeToken (1 IoC)
description | pid | process
Token: SeAuditPrivilege | 1316 | EXCEL.EXE
Suspicious use of SetWindowsHookEx (11 IoCs)
pid | process
4904 | WINWORD.EXE (7 hits)
1316 | EXCEL.EXE (4 hits)
Processes
- C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\973fbc8411b62a64fe079e7b50f663fa_JaffaCakes118.doc" /o ""
  PID: 4904
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
- C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
  PID: 1316
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
EXCEL.EXE was started with /automation -Embedding, the switches Windows passes when an Office application is activated as a COM server (for example, to serve an embedded or linked object) rather than opened by the user. Because such launches are brokered by the DCOM service and not by the calling process, the report lists both processes at the same level rather than Excel as a child of Word; no further child processes appear in this run.
Network
MITRE ATT&CK Enterprise v15
Downloads
The paths listed here are Office and CryptoAPI cache locations (CryptnetUrlCache holds cached CRL/OCSP/AIA responses; WebServiceCache and TokenBroker\Cache hold Office web-service and sign-in data) that are typically populated during Office start-up and account sign-in; the last two entries are recorded without a path in the report.
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A
  Filesize: 471B
  MD5: 42fb97c861fb0400877cf26cb6fb41f2
  SHA1: 4b858f26fa4e35e65509a25bee693eef5ea411a7
  SHA256: b030f6da934b9ea1c5829c326e4991f7183c550263b3722ff9b61cfa238e8772
  SHA512: 2ccac738a44967413c4a0ad53fee4b6faffdcccf6091661fd9e0fb76c0500e24eccacd8d5d3ad26476bdbf6ee5be53f59d0949d282417dd21429a023ad05bbf7
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A
  Filesize: 412B
  MD5: 26cd2674f7dadab8ad0b94835a3ba112
  SHA1: 695a4af4a805b3052a9503c7da29538da3596bbe
  SHA256: e70ae8c079f6302d95c8c84c429a4f6a573fbac078cffa50d9bccdaa55de6822
  SHA512: 005e2cd0cb0b6b7db1e7614abaa59692dbd0ecdcdffde3fe6c0fda11cd62fd91a712221ad0a92bf635675cd8e9c1adbfecc6d533c9fede6747a723b7284edb6f
- C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\CECCA032-A6EC-4374-8FCA-D6F66BCAD1F2
  Filesize: 170KB
  MD5: fe52dcf53dfa17dbe2a94b99fb4702e6
  SHA1: 601d4ca1bf1c65d186f1d37d2be485d4d5e76353
  SHA256: 36287cd9b43bd992e5c4eb97ba65455e992f69ea1fbba31f0eb1c6cda364cdc5
  SHA512: b3655117f3ca848acf321ed3cc659e43758b1765727aab9e97d0e95bef7dd53c6aeb1b961deb9898bc98609708f8005e528885427f3d366d8c7d6a656ac4ecf3
- C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres
  Filesize: 2KB
  MD5: fd01e540cfce452da6a27c7786b269ad
  SHA1: b6195e2636e804c9c6776f705764af23e1e36e93
  SHA256: 562ec71f9d9e592783f7d5ee2bcf343d07265c683d1a26a727046054620fcfb4
  SHA512: 1839402c1e6419b783afafda29539cb5a37d80721b6225046baefeae02b3601784c88f9a8c69150b08b2e34e0509bd6ba0171ec1467ef43cf12ba3cea1be8855
- C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\49dbe2955480c7f6ef8cec9c4320c9868d9293fd.tbres
  Filesize: 2KB
  MD5: 2276a4cc60325cd1512d80b79981ce08
  SHA1: a53a8e703cb31e6dc0f393aa8466bf637649a28d
  SHA256: c79da9825976f007a612caee3013b94123d35b1ca887504b91093a8ee52e5824
  SHA512: 1a17ecf6c995014957ad6e33f9272035e3ab56cd45be69661be062385e5b64f98a6ff4a2bb7f2b19b6cb5b2691a7647cbae1449bb7b2fa4c1376707e67b5d984
- (no path recorded)
  Filesize: 263KB
  MD5: ff0e07eff1333cdf9fc2523d323dd654
  SHA1: 77a1ae0dd8dbc3fee65dd6266f31e2a564d088a4
  SHA256: 3f925e0cc1542f09de1f99060899eafb0042bb9682507c907173c392115a44b5
  SHA512: b4615f995fab87661c2dbe46625aa982215d7bde27cafae221dca76087fe76da4b4a381943436fcac1577cb3d260d0050b32b7b93e3eb07912494429f126bb3d
- (no path recorded)
  Filesize: 2B
  MD5: f3b25701fe362ec84616a93a45ce9998
  SHA1: d62636d8caec13f04e28442a0a6fa1afeb024bbb
  SHA256: b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
  SHA512: 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84