Analysis
max time kernel: 139s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 14/08/2024, 18:59
Behavioral task behavioral1
Sample: 974a5ad1bafb5b79f82344ed58b4a4e3_JaffaCakes118.doc
Resource: win7-20240708-en

Behavioral task behavioral2
Sample: 974a5ad1bafb5b79f82344ed58b4a4e3_JaffaCakes118.doc
Resource: win10v2004-20240802-en

The results on this page are from behavioral2 (resource win10v2004-20240802-en, as stated under Analysis); the Windows 7 task is listed but its results are not shown here.
General
Target: 974a5ad1bafb5b79f82344ed58b4a4e3_JaffaCakes118.doc
Size: 205KB
MD5: 974a5ad1bafb5b79f82344ed58b4a4e3
SHA1: eb5a049eed82dae88d367b815667502d72b0e34b
SHA256: ed76647779036186cfe280b8a241fedd1fffd5950d21cf9cfaedfe9fbca0fcab
SHA512: 5b2149e16b4c89f13549e1ba0390ebf1a7f85a2f90fe2dd1c3ca935a3534be8dd349238dbf08f82d9dbd49d051b6f2d3d4a795e1d4cfbf3800f8fb6a7ad2839c
SSDEEP: 1536:StPrT8wrLT0NeXxz1DwezHrTP5yX5J8b0KYcwzKIMkZQoJ5LqWIS8W/E:S2w3keXxz1DfH4cQz15J5LWS8L
Malware Config
Signatures

Checks processor information in registry (2 TTPs, 12 IoCs)
Processor information is often read in order to detect sandboxing environments. In this run the reads come from the Office host processes themselves (both WINWORD.EXE instances and both EXCEL.EXE instances, see Processes), so treat them as context for the document rather than as a verdict on it; the same applies to the BIOS queries in the next signature.

description       | ioc                                                                                   | Process
Key opened        | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0                      | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  | EXCEL.EXE
Key opened        | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0                      | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz                 | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz                 | EXCEL.EXE
Key opened        | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0                      | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz                 | EXCEL.EXE
Key opened        | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0                      | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz                 | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  | WINWORD.EXE
Enumerates system info in registry (2 TTPs, 12 IoCs)

description       | ioc                                                           | Process
Key opened        | \REGISTRY\MACHINE\Hardware\Description\System\BIOS              | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU    | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU    | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU    | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU    | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
Key opened        | \REGISTRY\MACHINE\Hardware\Description\System\BIOS              | WINWORD.EXE
Key opened        | \REGISTRY\MACHINE\Hardware\Description\System\BIOS              | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | EXCEL.EXE
Key opened        | \REGISTRY\MACHINE\Hardware\Description\System\BIOS              | WINWORD.EXE
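The two registry signatures above list exactly the values a document's sandbox check would read and compare against known hypervisor strings: ProcessorNameString and ~MHz under CentralProcessor\0, SystemFamily and SystemSKU under BIOS. As an added example (not Triage's code and not recovered from the sample), the Python below reads those four values on a Windows host and classifies them with a pure function that can also be exercised off Windows on captured values. The marker list, the 1000 MHz threshold and the function names are assumptions for illustration, not anything the report states.

```python
"""Added example (not Triage's code, not from the sample): a sandbox/VM
fingerprint check built on the four registry values this report lists,
plus a pure classifier so the heuristic can be exercised off Windows."""
import sys

# Registry locations exactly as flagged in the report (under HKLM).
CPU_KEY = r"HARDWARE\DESCRIPTION\System\CentralProcessor\0"
BIOS_KEY = r"HARDWARE\DESCRIPTION\System\BIOS"
CPU_VALUES = ("ProcessorNameString", "~MHz")
BIOS_VALUES = ("SystemFamily", "SystemSKU")

# Assumption: an illustrative list of substrings hypervisors commonly expose.
VM_MARKERS = ("vmware", "virtualbox", "innotek", "virtual machine",
              "qemu", "kvm", "xen", "parallels", "bochs", "hyper-v")


def read_fingerprint():
    """Windows only: read the same four values the sample queried.
    Raises ImportError elsewhere (winreg is a Windows-only module)."""
    import winreg
    values = {}
    for key, names in ((CPU_KEY, CPU_VALUES), (BIOS_KEY, BIOS_VALUES)):
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key) as handle:
            for name in names:
                try:
                    values[name], _ = winreg.QueryValueEx(handle, name)
                except FileNotFoundError:
                    values[name] = None
    return values


def classify(fp, min_mhz=1000):
    """Return the reasons fp looks like a VM/sandbox (empty list = none).
    fp maps the four value names to registry contents, None if absent.
    min_mhz is an assumed threshold: emulated or throttled CPUs often
    report an implausibly low clock in ~MHz."""
    reasons = []
    for name in ("ProcessorNameString", "SystemFamily", "SystemSKU"):
        val = fp.get(name)
        if val is None:
            continue
        low = str(val).lower()
        hits = [m for m in VM_MARKERS if m in low]
        if hits:
            reasons.append(f"{name} contains {hits[0]!r}")
    mhz = fp.get("~MHz")
    if mhz is None:
        reasons.append("~MHz missing")
    elif int(mhz) < min_mhz:
        reasons.append(f"~MHz={int(mhz)} below {min_mhz}")
    return reasons


if __name__ == "__main__":
    try:
        fp = read_fingerprint()
    except ImportError:
        sys.exit("winreg unavailable: run on Windows, or call classify() on captured values")
    for name, val in fp.items():
        print(f"{name}: {val!r}")
    print("VM indicators:", classify(fp) or "none")
```

Run it directly on a Windows analysis box to see what the sample would have seen; elsewhere feed classify() values captured from the VM. Substring heuristics like these are why analysis VMs are commonly configured to present bare-metal-looking strings in exactly these keys, and why a hit on an unmodified VM says nothing about whether the document itself checked them.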
Suspicious behavior: AddClipboardFormatListener (4 IoCs)

pid  | Process     | count
4016 | WINWORD.EXE | 2
1096 | WINWORD.EXE | 1
1456 | EXCEL.EXE   | 1

Suspicious use of AdjustPrivilegeToken (2 IoCs)

description             | pid  | Process
Token: SeAuditPrivilege | 860  | EXCEL.EXE
Token: SeAuditPrivilege | 1456 | EXCEL.EXE

Suspicious use of SetWindowsHookEx (25 IoCs)

pid  | Process     | count
4016 | WINWORD.EXE | 7
860  | EXCEL.EXE   | 4
1096 | WINWORD.EXE | 10
1456 | EXCEL.EXE   | 4
Processes

All four entries sit at the top level of the process tree; the report records no parent/child relationship between them. "-Embedding" on a command line is the switch COM passes when it starts a server in response to an activation request (here an Office application acting as an embedding/automation server) rather than a user launching it.

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\974a5ad1bafb5b79f82344ed58b4a4e3_JaffaCakes118.doc" /o ""
  PID: 4016
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
  PID: 860
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /Automation -Embedding
  PID: 1096
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
  PID: 1456
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads

Twenty files were written during the run; the report shows a path for eight of them and only size and digests for the rest.

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A
Filesize: 471B
MD5: 42fb97c861fb0400877cf26cb6fb41f2
SHA1: 4b858f26fa4e35e65509a25bee693eef5ea411a7
SHA256: b030f6da934b9ea1c5829c326e4991f7183c550263b3722ff9b61cfa238e8772
SHA512: 2ccac738a44967413c4a0ad53fee4b6faffdcccf6091661fd9e0fb76c0500e24eccacd8d5d3ad26476bdbf6ee5be53f59d0949d282417dd21429a023ad05bbf7

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04
Filesize: 471B
MD5: 4446e553ce8ab1dae61020205c6d5f9c
SHA1: 8ffcd88834e6c3c3ad4ebb0a3ead92eb5faa4412
SHA256: 95bcacf90ba936a4d42a1f7d556dad77fd14f5a1733d03396fb0f45d91607559
SHA512: 2d4561db5f6ca70e3b39c90acd1448c5327b8fb62df492cb25a9d502577f233aa35efb4520a48f9195ab1268425da06f60e0606235fa5d34f3f47fa5e91ff455

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A
Filesize: 412B
MD5: b9d7d3f4adba3c90581d79a6fe9b1424
SHA1: a684cf9449750b29c75e39b91f39276af1387749
SHA256: c475e8b9f1beb9cbc22974ae0fa503f8bf2df526e5a779ba6247dccc97b362bf
SHA512: dcde498ed7db8c0e7e1929e5d7e1f0cad6c0b46ef93e89533e0d20ddcad140aefb1569345874f369112532cec08b061e52a4bbfc962cbbc11aff26ce052bbc7c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04
Filesize: 412B
MD5: 1eb5be06ffc3974784fa357b5d2ddcc0
SHA1: 2d54518af5205d09941f16fbd77ce2313aa8fe1f
SHA256: afb0519838d887bb77c81e6b060b1f09884d4afa2eb4f8821a5e18e6ba0f4b46
SHA512: d46bac88c92fd664f79514fb78071bace73bb7afbbf48d8d1bb0ca96b91af4b1205450900b652dc91491c7b86ec738394cc5bd7cf704a83391043d036787ca87

(path not shown in report)
Filesize: 537B
MD5: 897b8c3b423cd565b6cb0610dbca1aa7
SHA1: 501830951073e9bc837441439dfceb14f512a6c6
SHA256: 6d9c6dc278e457d782cf302eafc75016be8b97abffc812b760d3e23341aaea46
SHA512: cbdcead3168c650c7586178211bb76885c84ba3991bad7692e1ea9d294d6422ee1aabfdd02239a03fb441c993b0522fc9b65d71e58814f9bd806053944223e40

(path not shown in report)
Filesize: 87B
MD5: e4e83f8123e9740b8aa3c3dfa77c1c04
SHA1: 5281eae96efde7b0e16a1d977f005f0d3bd7aad0
SHA256: 6034f27b0823b2a6a76fe296e851939fd05324d0af9d55f249c79af118b0eb31
SHA512: bd6b33fd2bbce4a46991bc0d877695d16f7e60b1959a0defc79b627e569e5c6cac7b4ad4e3e1d8389a08584602a51cf84d44cf247f03beb95f7d307fbba12bb9

(path not shown in report)
Filesize: 110B
MD5: e6ed0c66acbb1d95f85a815ac1579d70
SHA1: fe22907c82469173042a58d26eb80d7857856434
SHA256: bc628855574a45a2017a137decd4a16984ebba405c449a5d0cc157ca104b6b05
SHA512: 80d1cac0d62382304c9e35887503d4fe44feff513d99b5404333525da681ae158b9e9c1b4c8214f7100c26fd0cc1fd2ad96861ba1a8c6eb4dbffa957d0fcd211

(path not shown in report)
Filesize: 14B
MD5: 6ca4960355e4951c72aa5f6364e459d5
SHA1: 2fd90b4ec32804dff7a41b6e63c8b0a40b592113
SHA256: 88301f0b7e96132a2699a8bce47d120855c7f0a37054540019e3204d6bcbaba3
SHA512: 8544cd778717788b7484faf2001f463320a357db63cb72715c1395ef19d32eec4278bab07f15de3f4fed6af7e4f96c41908a0c45be94d5cdd8121877eccf310d

(path not shown in report)
Filesize: 512KB
MD5: f071a043b1c365f6a8b740d9b67b1114
SHA1: 1f161d05b14f015a8ff2f5b26dafa6e0e3f8496e
SHA256: d276087dcfbee90fe358e871bdbf76b96b3668b5521dfdb98c3d07e325d666a1
SHA512: b11aec0cc2a15cbbff96cecc094b08b5eb7deb77a89a30c35f1ce2f3b5b0cfe96136998d703feac760aa1c11c386d24475ff1e2dd285204e7185f333d8ba3df6

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\6EBB2A9D-FF3F-4D41-8CEE-B0F698626173
Filesize: 170KB
MD5: b5cb0185e605a4f5c52b5570a270bb08
SHA1: f957fa46879a24075d1cc60e0b909e1b481e5cd8
SHA256: 2b79394f70ebf66efc7f60278d4fab10f32364203ff62bd982b86bd42f9644a9
SHA512: e51478a4f1193890b57cf94f1dc6e946898467bdd22279b822b9124c76ae82b70203e77e812da6e686d73487c49f2e1548607f1917584e91f1cf0ad2ea30cee8

(path not shown in report)
Filesize: 331KB
MD5: 299790eb4da891c0cad926473bdea5f7
SHA1: dacbd07b42d91a20ba9bfcdee5cdd75ce15644da
SHA256: 6fac6770bea97503592e79ac1d458450afd373eb2fa1accf4218d5ee447d52d9
SHA512: 3ab4b0d6b5c1eecc6b3fb37ffdf061713906c92b6c2e15f7f869f7b6a8b45a6dd069743080f3fe57f9726770f49a8826b07f50987fa148b882593481bb3670be

(path not shown in report)
Filesize: 10KB
MD5: 8d345c773f70821ed5b50919a5e0175e
SHA1: 9581587169c77cdfcb69f94e0b610739cc46c141
SHA256: e7e21f6c2922a9e88f123a55cb41d0be24752a81b0bdd8a085bc7e274d339622
SHA512: d365b9f3df0655e8039bf724d0828c1ba9ea66a6dca1bc0ffaa3c629ac42b029d3f1b7a1fc7c4eabd06264470d6bc2afe1c4727438653c50150987d131f18778

(path not shown in report)
Filesize: 24KB
MD5: 085ebd119f5fc6b8f63720fac1166ff5
SHA1: af066018aadec31b8e70a124a158736aca897306
SHA256: b8411fe8ec499074fca9047f6983d920279e84ddf3b02b2dd5c08cf07ec44687
SHA512: adb0522830db26123347cb485c43b156f5c888510e52091ba0fafc22b650ad29630c027746c920321905c28259dce7ff63dded93a79efddd5567c68312117875

(path not shown in report)
Filesize: 8KB
MD5: e259e7e81c3d72ec90d3d39e70b194a8
SHA1: 1903af2965876ea5fbf09bb76277fad45985d9f5
SHA256: 249e28cb78846382368aeb61d1ea423c16b968fcab018b9ecb9e291c21e6f85e
SHA512: 4831320e65ef85283cd9eb069d2ae863820c4463f291de875f07758d457fa61571d7f1edcfc968d6a8c6a39bc11d4c661dbdbc71c71de915666f5493903b4621

(path not shown in report)
Filesize: 209KB
MD5: 3b5bf706594eebfa631a80f0e45dadc0
SHA1: 7ecd644994474d8ae908951086135f80180f8b88
SHA256: 59f92463f7dac87ec769c6d9538011add67e2a7f82d1a6a2483d8e92ae68ae90
SHA512: e991737d456ffda79669e0bb0103a960bba67ee120295082caae327df8ed58ff1e9dab6918110084e6a17b7ea0a3eddf52147abafeea821ad1aab53317e7f066

C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres
Filesize: 2KB
MD5: 1b0583f1fea982f1f8b1a0dcad51df31
SHA1: 4f0c04ab3c72af6f7248ab070a760af5e98392ae
SHA256: 682dbd27655d31bd0694bbe2f82b944a682486fda70cff39f048e2ad8571b2ae
SHA512: 0b82fd88f85574ac1c6172bc38b2bf0a9bb4f606eb00319f1a10794c2e893365f40b6f1eddacef6afea6df891f03f6e30e9d7696e678d9922cde98daaa7db7db

C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\49dbe2955480c7f6ef8cec9c4320c9868d9293fd.tbres
Filesize: 2KB
MD5: a0899e688837e96c9faf721dbbf55a27
SHA1: dd3ac49df11b3a492b532c824d8cf7976ea5ef81
SHA256: 53f3147100710c26f4c776348eb004a26c6e6056c6e4318a7582cfcf323207c2
SHA512: 39344229d2199fe010774033a7309d3d73399ae779695c1d895c3fb104902c8a80dcceaca5f5b04994d45e1f6c425de8da57e36c717fbfdcb84a208c6b49b126

(path not shown in report)
Filesize: 262KB
MD5: 51d32ee5bc7ab811041f799652d26e04
SHA1: 412193006aa3ef19e0a57e16acf86b830993024a
SHA256: 6230814bf5b2d554397580613e20681752240ab87fd354ececf188c1eabe0e97
SHA512: 5fc5d889b0c8e5ef464b76f0c4c9e61bda59b2d1205ac9417cc74d6e9f989fb73d78b4eb3044a1a1e1f2c00ce1ca1bd6d4d07eeadc4108c7b124867711c31810

(path not shown in report)
Filesize: 148KB
MD5: 08cadad6c224ccf29662f2ebfa5b8ee0
SHA1: f9f004708e7fe43d3da23a9d9d159572ee4d135f
SHA256: c557c1b6d6d4fc3900eb48cf01f8b475f9e51b264b700a04b329b0cd41f03fe8
SHA512: 80b9599ba87e1b45fdecf6e90bee9f1a77907a65d33cf4404755eb415bef5d4ba02e0e2e62ad9734154f0111406c76a36fb0eac2cc3cca5cb3966edde2699401

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
Filesize: 3KB
MD5: c09074e913e73e1fad4d6011b9905b36
SHA1: be16ca406d4ddfb9ade0b4444028718054610f72
SHA256: 554ec301fa83551ad9ef5c19190e298beffc08555d733dd3c5d5f79cfe9666f7
SHA512: 2658ba588cfcd0036d44565c31b1876f51679a4be4c4ac260ae309d5f828a7edccf5bbf8d7a4b36fa70708a28811be907162c1af57d75d331b63b251e186d085
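The digest sets above are what a retrieved copy of each artifact is checked against. As an added example, not Triage tooling, the Python below parses one Downloads entry as the page renders it (label glued to the value such as "MD542fb...", the "Label: value" form, or the split "Filesize" / "537B" form of the unnamed entries), then recomputes all four digests of a local file and reports which fields disagree. The entry text is copied from the first Downloads item above; the bytes used in the checks are constructed and correspond to no real file; the function names are my own.

```python
"""Added example (not Triage tooling): parse a Downloads entry as the page
renders it and verify a locally retrieved copy of the artifact against it.
The entry text is copied from the report; the sample bytes used for
verification are constructed and do not correspond to any real file."""
import hashlib
import re

ALGOS = ("MD5", "SHA1", "SHA256", "SHA512")
HEX_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
UNIT = {"B": 1, "KB": 1024, "MB": 1024 ** 2}

# First Downloads entry, with the label glued to the value as the
# extractor left it ("Filesize471B", "MD542fb...").
ENTRY = r"""
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A
Filesize471B
MD542fb97c861fb0400877cf26cb6fb41f2
SHA14b858f26fa4e35e65509a25bee693eef5ea411a7
SHA256b030f6da934b9ea1c5829c326e4991f7183c550263b3722ff9b61cfa238e8772
SHA5122ccac738a44967413c4a0ad53fee4b6faffdcccf6091661fd9e0fb76c0500e24eccacd8d5d3ad26476bdbf6ee5be53f59d0949d282417dd21429a023ad05bbf7
"""

# Longest labels first so "SHA512"/"SHA256" are tried before "SHA1".
LINE_RE = re.compile(r"^(Filesize|SHA512|SHA256|SHA1|MD5)\s*:?\s*(\S+)$")


def parse_size(text):
    """'471B' -> 471, '2KB' -> 2048. KB/MB figures in the report are rounded."""
    m = re.fullmatch(r"(\d+)(B|KB|MB)", text)
    if not m:
        raise ValueError(f"unrecognised size: {text!r}")
    return int(m.group(1)) * UNIT[m.group(2)]


def parse_entry(text):
    """One Downloads entry -> dict with path (None when the report shows
    none), size, size_exact (True only for byte-precise sizes) and the
    lowercase digests, each validated for length and hex charset."""
    # Join the split form "Filesize\n537B" into "Filesize537B".
    text = re.sub(r"(?m)^Filesize[ \t]*\n[ \t]*", "Filesize", text)
    rec = {"path": None, "size": None, "size_exact": False}
    for line in (l.strip() for l in text.splitlines()):
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            rec["path"] = line          # the only unlabelled line is the path
            continue
        label, val = m.groups()
        if label == "Filesize":
            rec["size"] = parse_size(val)
            rec["size_exact"] = val.endswith("B") and not val.endswith(("KB", "MB"))
        else:
            val = val.lower()
            if len(val) != HEX_LEN[label] or not re.fullmatch(r"[0-9a-f]+", val):
                raise ValueError(f"malformed {label} digest: {val!r}")
            rec[label] = val
    return rec


def digest_set(data):
    """All four digests of data, keyed like the report."""
    return {a: hashlib.new(a.lower(), data).hexdigest() for a in ALGOS}


def verify(data, rec):
    """Names of the fields in rec that data does NOT satisfy ([] = match).
    Size is only compared when the report gave it byte-precisely."""
    actual = digest_set(data)
    bad = [a for a in ALGOS if a in rec and actual[a] != rec[a]]
    if rec.get("size_exact") and len(data) != rec["size"]:
        bad.append("Filesize")
    return bad


if __name__ == "__main__":
    import sys
    rec = parse_entry(ENTRY)
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else b""
    print(rec["path"], "->", verify(data, rec) or "all fields match")
```

Pass the path of the downloaded artifact as the first argument; an empty result means every digest (and, for byte-precise entries, the size) matches the report. Comparing all four digests rather than MD5 alone costs nothing and removes any question of a collision on the weaker algorithms.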