Analysis
  max time kernel: 145s
  max time network: 149s
  platform: windows10-2004_x64
  resource: win10v2004-20240802-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 14/08/2024, 19:01
Behavioral tasks
  behavioral1: 974b3f4d15efa34e473f00b267b356ad_JaffaCakes118.doc on win7-20240705-en
  behavioral2: 974b3f4d15efa34e473f00b267b356ad_JaffaCakes118.doc on win10v2004-20240802-en

The analysis metadata, signatures, process tree and written files below belong to the Windows 10 task (resource win10v2004-20240802-en, behavioral2). Only that task's results appear on this page.
General
  Target: 974b3f4d15efa34e473f00b267b356ad_JaffaCakes118.doc
  Size: 242KB
  MD5: 974b3f4d15efa34e473f00b267b356ad
  SHA1: b3bd2f8b2afa3dcf59af11852f72ea217470773e
  SHA256: 4ac75a46b0893f4225cd7aeffa73fc9876277928900b4d4acaf5b6c0aa09dbcc
  SHA512: db53fc827ab948fdb74abc6d3ad63b8a0feb244f4615fd9a104c4458cfbf17295af88588f729e83dbb2dd8bba16b7d485154b84c58c8a34e3559f8f54b577329
  SSDEEP: 1536:rterTkw9HnXPJguq73/IKB5Kby0gLIHrTPsyBK/dRYd0x+FTHeWkhIfcsew4smu:rvw9HXPJguq73/IKBWyeAdSd/TH0IUsT
Malware Config
Signatures
Checks processor information in registry (2 TTPs, 6 IoCs)
Processor information is often read in order to detect sandboxing environments. Here every IoC is attributed to an Office host process (WINWORD.EXE or EXCEL.EXE); the report shows no child process making these reads, so on their own they are weak evidence of evasion.
  description          ioc                                                                                     Process
  Key opened           \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0                        WINWORD.EXE
  Key value queried    \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz                   WINWORD.EXE
  Key value queried    \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString    WINWORD.EXE
  Key opened           \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0                        EXCEL.EXE
  Key value queried    \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz                   EXCEL.EXE
  Key value queried    \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString    EXCEL.EXE

Enumerates system info in registry (2 TTPs, 6 IoCs)
The same two Office host processes read the BIOS family and SKU values; as above, no other process is attributed.
  description          ioc                                                                                     Process
  Key opened           \REGISTRY\MACHINE\Hardware\Description\System\BIOS                                      EXCEL.EXE
  Key value queried    \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily                         EXCEL.EXE
  Key value queried    \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU                            EXCEL.EXE
  Key opened           \REGISTRY\MACHINE\Hardware\Description\System\BIOS                                      WINWORD.EXE
  Key value queried    \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily                         WINWORD.EXE
  Key value queried    \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU                            WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener (2 IoCs)
  pid    Process
  208    WINWORD.EXE
  208    WINWORD.EXE

Suspicious use of AdjustPrivilegeToken (1 IoC)
  description                  pid     Process
  Token: SeAuditPrivilege      5520    EXCEL.EXE

Suspicious use of SetWindowsHookEx (11 IoCs)
  pid     Process
  208     WINWORD.EXE (7 hooks)
  5520    EXCEL.EXE (4 hooks)
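The two registry signatures above attribute the same CPU and BIOS key reads to both Office hosts. The following added example, which is neither tria.ge's code nor anything from the sample, shows one way to turn such description/ioc/Process rows into a per-process rating: reads by the Office host itself are discounted, while the same reads from any other process are escalated. The Office allow-list, the event dictionary shape, and the powershell.exe contrast rows are assumptions constructed for the example and do not appear in the report.

```python
"""Rate sandbox-fingerprinting registry reads from a tria.ge-style signature table.

Added example; not tria.ge code and not code from the analysed sample.
Event rows are dicts in the report's description / ioc / Process shape
(an assumed shape, not tria.ge's data model).
"""
import re

# Key families from the two signatures in the report. The report mixes the
# casing "Hardware\Description" and "HARDWARE\DESCRIPTION", so match
# case-insensitively and accept either the key itself or any value under it.
FINGERPRINT_PATTERNS = [
    ("cpu", re.compile(
        r"^\\REGISTRY\\MACHINE\\HARDWARE\\DESCRIPTION\\System\\CentralProcessor\\0(\\|$)", re.I)),
    ("bios", re.compile(
        r"^\\REGISTRY\\MACHINE\\HARDWARE\\DESCRIPTION\\System\\BIOS(\\|$)", re.I)),
]

# ASSUMED allow-list: Office host binaries read these keys during their own
# start-up, so a hit attributed only to them is rated as expected behaviour.
OFFICE_HOSTS = {"WINWORD.EXE", "EXCEL.EXE", "POWERPNT.EXE", "OUTLOOK.EXE"}


def match_fingerprint_key(ioc):
    """Return 'cpu', 'bios' or None for a registry path."""
    for category, pattern in FINGERPRINT_PATTERNS:
        if pattern.match(ioc):
            return category
    return None


def score_fingerprinting(events, allowlist=OFFICE_HOSTS):
    """Group fingerprint-key reads by PID and rate each process.

    Returns {pid: {"process": name, "keys": {categories}, "verdict": v}} where v is
      "expected"   - an allow-listed host binary made the reads
      "review"     - another process touched one key family
      "suspicious" - another process touched both the CPU and BIOS families
    """
    per_pid = {}
    for ev in events:
        category = match_fingerprint_key(ev["ioc"])
        if category is None:
            continue  # not a fingerprinting key; ignore
        entry = per_pid.setdefault(ev["pid"], {"process": ev["process"], "keys": set()})
        entry["keys"].add(category)
    for entry in per_pid.values():
        if entry["process"].upper() in allowlist:
            entry["verdict"] = "expected"
        elif len(entry["keys"]) >= 2:
            entry["verdict"] = "suspicious"
        else:
            entry["verdict"] = "review"
    return per_pid


# Constructed rows. The WINWORD.EXE (PID 208) and EXCEL.EXE (PID 5520) rows mirror
# the report's tables; the powershell.exe rows are a made-up contrast case that the
# report does NOT show.
CPU = r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0"
BIOS = r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS"
SAMPLE_EVENTS = [
    {"description": "Key opened", "ioc": r"\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0", "process": "WINWORD.EXE", "pid": 208},
    {"description": "Key value queried", "ioc": CPU + r"\~MHz", "process": "WINWORD.EXE", "pid": 208},
    {"description": "Key value queried", "ioc": CPU + r"\ProcessorNameString", "process": "WINWORD.EXE", "pid": 208},
    {"description": "Key value queried", "ioc": BIOS + r"\SystemFamily", "process": "WINWORD.EXE", "pid": 208},
    {"description": "Key opened", "ioc": r"\REGISTRY\MACHINE\Hardware\Description\System\BIOS", "process": "EXCEL.EXE", "pid": 5520},
    {"description": "Key value queried", "ioc": BIOS + r"\SystemSKU", "process": "EXCEL.EXE", "pid": 5520},
    {"description": "Key value queried", "ioc": CPU + r"\ProcessorNameString", "process": "EXCEL.EXE", "pid": 5520},
    {"description": "Key value queried", "ioc": CPU + r"\ProcessorNameString", "process": "powershell.exe", "pid": 4321},
    {"description": "Key value queried", "ioc": BIOS + r"\SystemFamily", "process": "powershell.exe", "pid": 4321},
]

if __name__ == "__main__":
    for pid, info in sorted(score_fingerprinting(SAMPLE_EVENTS).items()):
        print(f"PID {pid:>5} {info['process']:<16} keys={sorted(info['keys'])} -> {info['verdict']}")
```

Run as a script it prints one line per PID; the two Office hosts come out as "expected" even though each touches both key families, and the constructed powershell.exe process is rated "suspicious" for the identical reads. Swap the allow-list for your own baseline before using this against real sandbox output.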
Processes

WINWORD.EXE (PID 208)
  "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\974b3f4d15efa34e473f00b267b356ad_JaffaCakes118.doc" /o ""
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx

msedge.exe (PID 1600)
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4120,i,1729213506309163284,12809566808978835441,262144 --variations-seed-version --mojo-platform-channel-handle=4036 /prefetch:8
  - no signatures attributed

EXCEL.EXE (PID 5520)
  "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx

All three processes are recorded at depth 1 of the tree, so the report shows no parent/child link between them. The "/automation -Embedding" switches on EXCEL.EXE are the ones COM passes when it starts Excel as an out-of-process automation server, which is consistent with an embedded Excel object in the document, but the report does not show what activated it. The Edge utility process is part of the sandbox image and has no signatures attributed to it.
Network
MITRE ATT&CK Enterprise v15
Downloads
The named entries are the Office web-service cache, TokenBroker sign-in cache and jump-list (CustomDestinations) files written under the Admin profile; one entry has no path recorded.

- C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\8FFFAFC4-07D2-4B73-BBF6-84D98D9F8D40
  Filesize: 170KB
  MD5: cec9f694d1f703a12c64e0c189624998
  SHA1: d2cd0668788f336a9a0dc54ac178b74979442945
  SHA256: abf63c49d0e521e905a428283801a87a4cb7d9ec11b65308bbb44cfcd9df3cee
  SHA512: 8b5fbe70c6aab3eb1c934b22ffd9427a5a1dedeea8a29d890b9eb1a9b286d9635489481d29fe4256a7b3880cc6324b462e3a0e6c8cc38259449badf01e26ba5d

- C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres
  Filesize: 2KB
  MD5: 9a1e9a7107a54ef02fd79ad257653b59
  SHA1: a2f8800525a3c51ac178589f6cb8f4fdc0078d16
  SHA256: 44e24d38c4ebb0385ee6d0d8c71ed72ae60b37205eed9973acad1fd56fb13ec6
  SHA512: e0484fe2d6a8f51d98bf7c06678ffce820efe7281e2fa7a620fcf4e4fa61e49a1dccd4484f8016257585da471e43d74e94dd7db6c981ce1cbfa2647fc993786b

- C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\49dbe2955480c7f6ef8cec9c4320c9868d9293fd.tbres
  Filesize: 2KB
  MD5: 684bdecdae0b000bd410e8f42666a2aa
  SHA1: 02b030f7e8dab59ec8b9080fe76507d0bd7c8396
  SHA256: 5be3e5832791f55e022c89550a7d37217a439d623f4e3bb75be6a48b4ff17941
  SHA512: a71a2671c6352bf9d0d7a0d31b3a7a9ab85500514944dab0cbe627aee7240a83f9ec1d2b1e482024a0cb8c0c64d53cc3bec0d1fcb134c40d80eba9168cbadb09

-
  Filesize: 263KB
  MD5: ff0e07eff1333cdf9fc2523d323dd654
  SHA1: 77a1ae0dd8dbc3fee65dd6266f31e2a564d088a4
  SHA256: 3f925e0cc1542f09de1f99060899eafb0042bb9682507c907173c392115a44b5
  SHA512: b4615f995fab87661c2dbe46625aa982215d7bde27cafae221dca76087fe76da4b4a381943436fcac1577cb3d260d0050b32b7b93e3eb07912494429f126bb3d

- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
  Filesize: 1KB
  MD5: 54fe140e5fe764e1cd5d4b93bc3c4f16
  SHA1: 1ca2b2fe4cb629c7a709996a4cb67d54ee1c7e3a
  SHA256: 3694e22cc314678332ac9faa4fd170fb82c9b33832125a388c283c854114e5d1
  SHA512: fa9642faefc3ecfc1ffa61e9ecf3e4dba19dd6f19754b52712f323cc02df6b814ed0370b3be6b9d7d9c82a658b5222e4154b6ac12c42f0b72bbdaa1434eb30ca