Analysis
max time kernel: 144s
max time network: 125s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 15/08/2024, 23:03
Behavioral task: behavioral1
Sample: 9bfa07d40c837fd3a4fb4a7dbdfd058b_JaffaCakes118.doc
Resource: win7-20240729-en
Behavioral task: behavioral2
Sample: 9bfa07d40c837fd3a4fb4a7dbdfd058b_JaffaCakes118.doc
Resource: win10v2004-20240802-en
General
Target: 9bfa07d40c837fd3a4fb4a7dbdfd058b_JaffaCakes118.doc
Size: 239KB
MD5: 9bfa07d40c837fd3a4fb4a7dbdfd058b
SHA1: eef867b53ec53f7df7483bc895cc063e6c585d27
SHA256: 5d64009a7406933e47907c268730375d04872294a6f87853a1d4f464d113608e
SHA512: 22dfe970ea33d914849ef8e4282a81e8b1b0a7d67f7de79025353f5f20fe977ebb053cf9cc2199e521a2228a58bfa3a78e35858259b1d1e7f04285864f02b16a
SSDEEP: 1536:AterU1wDv/6MaETOgnHJcIKBC5bvzhQHrTP0yJK/dRYof35FF3rKCIAfMmlL:A/wDvWETOgnHJcIKBs7OQdS02YL
Malware Config
Signatures
-
Checks processor information in registry 2 TTPs 15 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | EXCEL.EXE
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | EXCEL.EXE
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | EXCEL.EXE
Enumerates system info in registry 2 TTPs 15 IoCs
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | EXCEL.EXE
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | EXCEL.EXE
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | EXCEL.EXE
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
Suspicious behavior: AddClipboardFormatListener 4 IoCs
pid | Process
2092 | WINWORD.EXE
2092 | WINWORD.EXE
1156 | WINWORD.EXE
1156 | WINWORD.EXE
Suspicious use of AdjustPrivilegeToken 3 IoCs
description | pid | Process
Token: SeAuditPrivilege | 4772 | EXCEL.EXE
Token: SeAuditPrivilege | 3084 | EXCEL.EXE
Token: SeAuditPrivilege | 3500 | EXCEL.EXE
Suspicious use of SetWindowsHookEx 29 IoCs
pid | Process (occurrences)
2092 | WINWORD.EXE (7)
4772 | EXCEL.EXE (4)
1156 | WINWORD.EXE (10)
3084 | EXCEL.EXE (4)
3500 | EXCEL.EXE (4)
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\9bfa07d40c837fd3a4fb4a7dbdfd058b_JaffaCakes118.doc" /o ""
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2092
-
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4772
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /Automation -Embedding
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1156
-
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3084
-
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3500
Network
MITRE ATT&CK Enterprise v15
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A
Filesize: 471B
MD5: f5620c92cbdc293c3ae3aae31aef598b
SHA1: 1f2b47a9ddcf2e644eb45eba39cdbf02ab292bda
SHA256: a31cb1fb5b8ae640c14a44be54ba89c30034b42c9638b264583e38924e787f12
SHA512: 6009ec07f3853df80436f80e3d81a5d95d0d2ff2d501d46b6854438bfa16447e6a787f6610556b957e0e950087109145b6f94de08232d4a085035427e8db7c24
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9
Filesize: 471B
MD5: 76cc24a11f49e96f41002c2356a77a48
SHA1: 3068840a3364f8034b6ad3ca849a9215e4a9546a
SHA256: df50058d3ec403b30ace94fb0c61ae485fd1c99c3b4726a1affab76d9eebe7cb
SHA512: d6899eec84fd4f24cfd228786bcfa9a9cbdf9505b453c80c75b24599ca3ea91c203465ac14bd46731a7a1cc8664c83ab56f0f84116d4d6c1af4cbfb0945cbde9
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A
Filesize: 412B
MD5: b917b8b7981ace27d7324feca60d72c8
SHA1: 943cd7270117aee8f398a9611e5427f9e1ad0fde
SHA256: 6bb49d25ab0ab137510cf600c79f02c93c0e38f6fbacc5f48f6bcda4e250101c
SHA512: 03fbb7b595862ce62359b9e12272338608cce4855ea1fe9969f4000566e5fc244851313f6b7f0655014f497d0d26541144fedca0165a3a96341690849f23377e
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9
Filesize: 420B
MD5: 6fb5f1fe0b9d738c72fb3dfac873caed
SHA1: 5f2f8cf23d4c38f6f49450d8885e8bf80a47e109
SHA256: 80050ae8e497e7dc3828d10808faa19517f83fbd176ab8860ed89c911508c919
SHA512: cdf8f595275eb3ba6b43cbe8b2fe062a8b3f4084afac4951bf35234762fcb9d0fdfdb3636e6afd0a58f39713de4bda8d9277fbc4b71502739475f5b7ff533c83
-
Filesize: 21B
MD5: f1b59332b953b3c99b3c95a44249c0d2
SHA1: 1b16a2ca32bf8481e18ff8b7365229b598908991
SHA256: 138e49660d259061d8152137abd8829acdfb78b69179890beb489fe3ffe23e0c
SHA512: 3c1f99ecc394df3741be875fbe8d95e249d1d9ac220805794a22caf81620d5fdd3cce19260d94c0829b3160b28a2b4042e46b56398e60f72134e49254e9679a4
-
Filesize: 417B
MD5: c56ff60fbd601e84edd5a0ff1010d584
SHA1: 342abb130dabeacde1d8ced806d67a3aef00a749
SHA256: 200e8cc8dd12e22c9720be73092eafb620435d4569dbdcdba9404ace2aa4343c
SHA512: acd2054fddb33b55b58b870edd4eb6a3cdd3131dfe6139cb3d27054ac2b2a460694c9be9c2a1da0f85606e95e7f393cf16868b6c654e78a664799bc3418da86e
-
Filesize: 87B
MD5: e4e83f8123e9740b8aa3c3dfa77c1c04
SHA1: 5281eae96efde7b0e16a1d977f005f0d3bd7aad0
SHA256: 6034f27b0823b2a6a76fe296e851939fd05324d0af9d55f249c79af118b0eb31
SHA512: bd6b33fd2bbce4a46991bc0d877695d16f7e60b1959a0defc79b627e569e5c6cac7b4ad4e3e1d8389a08584602a51cf84d44cf247f03beb95f7d307fbba12bb9
-
Filesize: 14B
MD5: 6ca4960355e4951c72aa5f6364e459d5
SHA1: 2fd90b4ec32804dff7a41b6e63c8b0a40b592113
SHA256: 88301f0b7e96132a2699a8bce47d120855c7f0a37054540019e3204d6bcbaba3
SHA512: 8544cd778717788b7484faf2001f463320a357db63cb72715c1395ef19d32eec4278bab07f15de3f4fed6af7e4f96c41908a0c45be94d5cdd8121877eccf310d
-
Filesize: 512KB
MD5: 32e7fdbc7358f9d87374bcf0ee5adf24
SHA1: 8c9bf004b95cc5df77201b50ccdb85c3642f1525
SHA256: c7b78032bdfc84eb1ca4802c7ab59675e7809d01343a5f34261a44782c380721
SHA512: bdde5c5950c792e4459dd87493900dcb7316e92d1595a7d1da973d8054cb15d8aa530d58d1020a9af250b5b20bf55f25f629fe9e736586701e7ea2fcd95dfbce
-
Filesize: 128B
MD5: 3e84a345b8d2b60cb8ec6a22db461e3e
SHA1: fb2263f592ac924e75ed7d7031b6df81669eee90
SHA256: eb09539ba84ad8cc4c4e88581b697bfca3dffaaaa3203b79a567766d2a2f61ce
SHA512: 9ad1126cdae0731f4c1d157bed85dd87d26e406e45f054fcc29964dd50eda96feb457c5a6537a855bb659230efe74cea0a00aab928b42ddab28eeb154d5839d2
-
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\4A6BC71A-A8B7-4E5D-9BDE-E5036E914577
Filesize: 170KB
MD5: 82c3c02cd3f47d21ec7425375c8fea41
SHA1: 21890003aee7adfae6a606a560f9ff63cbae1e73
SHA256: 81d86e633e08cd77c0bc74b2b8c11970c4d085190737cb07de079d91b842e5e9
SHA512: c4087daac3a9e6838b984c51971f9a1c81c4c55317fd2a7c422600074274c08640da124bc86dec00d0e200d283b58df37af977eed0c4b5fd5369c77a3b29cde0
-
Filesize: 323KB
MD5: 054f918ad248b5c1808f1e67ded744e5
SHA1: cdb8cb9e21d44712395d3a5b933e0ef0b28df507
SHA256: d25ebb1f8255f3a92b3fdfceb6bbd2f3cbc279cd678b58b2d2aee9c0d19701ad
SHA512: f784021d16c7ac8d0db25cd81582195339cf9ee8679b0fadeacfc237cc964e10b2087e33972dabc97240acfb6e306a9ae640744d4cfd67f1106085e044d1d72a
-
Filesize: 331KB
MD5: 2d72c7fd107986dff9d09acdd4f8255f
SHA1: f60da83ed901faee7352589e46ae5a361a33af2a
SHA256: 2bacf273a6b20fab94aec2c3c2fa483a24e62b36070121cd0dfd40ccfdf5be8a
SHA512: 063c9a0b595480d50d3c5581d9cd4b15242c32f1ca9d24c72673835a577a8187a398ab214cea86a6c04a8e425fa81591be0369be80c9a1c66128a7672c039f93
-
Filesize: 10KB
MD5: 65750a5c45e0c62d81270e584b2c394b
SHA1: 8d6655adf2f6f76fba2d3c797855865295a817d9
SHA256: 9bfc40ff01f6400770af577666da79b6a30befdc3f3971050e622116836c72c2
SHA512: 7986eb385e980809955fe784bf4d6dbeada78afca470ee897acd634716cf7b9b29994b2f16340b2c19747d1c9a82955da32b252bfa91a6560603f3e45f1c5752
-
Filesize: 24KB
MD5: 085ebd119f5fc6b8f63720fac1166ff5
SHA1: af066018aadec31b8e70a124a158736aca897306
SHA256: b8411fe8ec499074fca9047f6983d920279e84ddf3b02b2dd5c08cf07ec44687
SHA512: adb0522830db26123347cb485c43b156f5c888510e52091ba0fafc22b650ad29630c027746c920321905c28259dce7ff63dded93a79efddd5567c68312117875
-
Filesize: 4KB
MD5: e6e548d5dd4430babc01ff9aa5af35f2
SHA1: 096bfc49592087f4bb12b31391ec099679217110
SHA256: c2abe874aef9e0ffb489c2fc5fff0f118e90fbea44c7265ca709c0bcf6d8f1e9
SHA512: f8cb1daed3de95eeb42eb65d0781d42c179e943a5381c4728a2c85023cf8e21ccbcedb8fd5150a9e69742de85c0ab242518003dba66e2a5ffd0781609d9ae2e1
-
Filesize: 8KB
MD5: ea1ba244da74041e884335d330789b03
SHA1: cc51efcdae08c28e35f726b3e04de240601fa6fd
SHA256: 934f2b773ba5bb72580892ee620a3707522c976674f76cec86776d8edcd4ba0f
SHA512: cf3a9ef9af360e3db7ffa316726dd1cac13cc40a1edfd103e5bd3b66faebe290d179d926208e01506c61ea1781e47bfa5bf080d14c0fb97a2ae919ffb8238942
-
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres
Filesize: 2KB
MD5: 2166332751de6984843438a13ef18644
SHA1: c6f32e0d93b5ec4eb59334277e82ab752e0cf9b9
SHA256: 096cfeac372a310cf1e78652f4c27bbba11ee8d27f1be13a84f99fb8dbf0686b
SHA512: aeae25294364b369b8c669694ca01d59e5e3cd3f0b9ef056e260611879c79953c261a626c974ab0708562fa50944ca52bf83703fe78e2109a33e48906b9f220b
-
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\49dbe2955480c7f6ef8cec9c4320c9868d9293fd.tbres
Filesize: 2KB
MD5: ca7b049fa03268c5ee0da880671c063a
SHA1: e10fcdc0b2d367e2c10de302887a7c3bd00f7f32
SHA256: 60c2fba45c3e6c34933b02c7119ea9043b2090df0cd04a293245d76e54e130c3
SHA512: ea6d25df67327043c52ce881d28862de0f0bfd992cb26c1e808cf9efb97d5541ae8861b3fdc17ce42c2598a6736290bff76997f79e5524968988c95ccb3f3e33
-
Filesize: 263KB
MD5: ff0e07eff1333cdf9fc2523d323dd654
SHA1: 77a1ae0dd8dbc3fee65dd6266f31e2a564d088a4
SHA256: 3f925e0cc1542f09de1f99060899eafb0042bb9682507c907173c392115a44b5
SHA512: b4615f995fab87661c2dbe46625aa982215d7bde27cafae221dca76087fe76da4b4a381943436fcac1577cb3d260d0050b32b7b93e3eb07912494429f126bb3d
-
Filesize: 148KB
MD5: 1760aa1a932010115a3d1a5d98cc061b
SHA1: 7b300347285601760d902e24295364331870021c
SHA256: 250921b4812499d59c991e1657a6e361682be6aa3ad7a289930162cbaa98cc9d
SHA512: 10a154d78967e249b13e50588d7c594894fb422ce38c6b6583e3a3ee1f88d6f58237719bb5138b61d8e970da2048bd282406eb828bd735f074c61234b7b44cea
-
Filesize: 16B
MD5: d29962abc88624befc0135579ae485ec
SHA1: e40a6458296ec6a2427bcb280572d023a9862b31
SHA256: a91a702aab9b8dd722843d3d208a21bcfa6556dfc64e2ded63975de4511eb866
SHA512: 4311e87d8d5559248d4174908817a4ddc917bf7378114435cf12da8ccb7a1542c851812afbaf7dc106771bdb2e2d05f52e7d0c50d110fc7fffe4395592492c2f
-
Filesize: 2B
MD5: f3b25701fe362ec84616a93a45ce9998
SHA1: d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256: b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA512: 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84