Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 131s
max time network: 133s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 14/08/2024, 19:18
Behavioral task: behavioral1
Sample: 97577f16260e6f0a4aa45450e6a2a156_JaffaCakes118.doc
Resource: win7-20240704-en

Behavioral task: behavioral2
Sample: 97577f16260e6f0a4aa45450e6a2a156_JaffaCakes118.doc
Resource: win10v2004-20240802-en
General
Target: 97577f16260e6f0a4aa45450e6a2a156_JaffaCakes118.doc
Size: 243KB
MD5: 97577f16260e6f0a4aa45450e6a2a156
SHA1: ba236bd03be3bbfbfd1898d6993c9321079fe0a8
SHA256: 9bc77f6c5cd90159c6171fbf7e2131048b0e5d0dfd21cef3d8b3f086dffc6953
SHA512: f8ff8102b733c0feadae8fc50f903980ad5a7791e8c415969d18b7f222c4bd1e4cc6e089162c5f8d8fe86ebd6544798ff07c2ee44516a6da3a8903aee0c17377
SSDEEP: 3072:UOw0pklIiuq73/IKBdsZMdSYdyu0O9iCF60:UO5pklIo73wAzUYQOpP
Malware Config
Signatures

Process spawned suspicious child process (1 IoC)
This child process is typically not spawned unless (for example) the parent process crashes. This typically indicates the parent process was unsuccessfully compromised.
description | pid | pid_target | Process | procid_target
Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process | 4600 | 4084 | DW20.EXE | 92

Checks processor information in registry (2 TTPs, 6 IoCs)
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | dwwin.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | dwwin.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | dwwin.exe

Enumerates system info in registry (2 TTPs, 5 IoCs)
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | dwwin.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | dwwin.exe

Suspicious behavior: AddClipboardFormatListener (2 IoCs)
pid | Process
4084 | WINWORD.EXE
4084 | WINWORD.EXE

Suspicious behavior: EnumeratesProcesses (4 IoCs)
pid | Process
4084 | WINWORD.EXE
4084 | WINWORD.EXE
4084 | WINWORD.EXE
4084 | WINWORD.EXE

Suspicious use of SetWindowsHookEx (7 IoCs)
pid | Process
4084 | WINWORD.EXE
4084 | WINWORD.EXE
4084 | WINWORD.EXE
4084 | WINWORD.EXE
4084 | WINWORD.EXE
4084 | WINWORD.EXE
4084 | WINWORD.EXE

Suspicious use of WriteProcessMemory (4 IoCs)
description | pid | Process | procid_target
PID 4084 wrote to memory of 4600 | 4084 | WINWORD.EXE | 111
PID 4084 wrote to memory of 4600 | 4084 | WINWORD.EXE | 111
PID 4600 wrote to memory of 3296 | 4600 | DW20.EXE | 112
PID 4600 wrote to memory of 3296 | 4600 | DW20.EXE | 112
Processes

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\97577f16260e6f0a4aa45450e6a2a156_JaffaCakes118.doc" /o ""
PID: 4084
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory

    C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\DW\DW20.EXE
    Command line: "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\DW\DW20.EXE" -x -s 4008
    PID: 4600
    - Process spawned suspicious child process
    - Suspicious use of WriteProcessMemory

        C:\Windows\system32\dwwin.exe
        Command line: C:\Windows\system32\dwwin.exe -x -s 4008
        PID: 3296
        - Checks processor information in registry
        - Enumerates system info in registry

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4264,i,4174666705242427184,7333705955694532165,262144 --variations-seed-version --mojo-platform-channel-handle=1436 /prefetch:8
PID: 2936
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 263KB
MD5: ff0e07eff1333cdf9fc2523d323dd654
SHA1: 77a1ae0dd8dbc3fee65dd6266f31e2a564d088a4
SHA256: 3f925e0cc1542f09de1f99060899eafb0042bb9682507c907173c392115a44b5
SHA512: b4615f995fab87661c2dbe46625aa982215d7bde27cafae221dca76087fe76da4b4a381943436fcac1577cb3d260d0050b32b7b93e3eb07912494429f126bb3d

Filesize: 2B
MD5: f3b25701fe362ec84616a93a45ce9998
SHA1: d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256: b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA512: 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
Filesize: 1KB
MD5: fd7c450270b4182fcdbbb654285ebe25
SHA1: a4ec73c4b94cf2af94b4b0ffef6c073f6e874b50
SHA256: b7a38fb0629b85de293a116cb5197c70fec3eaccde20cd91eaa95356701c7e4e
SHA512: d0bb2bb5851a45831ba8b025442387a0fee4b4fb4998af49186b436a3fed00517eaecab848063847d322001c68835ddfdf845457d7b1e45b60672e4182e82fcf