Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
149s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
15/08/2024, 23:10
Behavioral task
behavioral1
Sample
9bfedc7eaf8c3fab6b036b434c3571a6_JaffaCakes118.doc
Resource
win7-20240708-en
Behavioral task
behavioral2
Sample
9bfedc7eaf8c3fab6b036b434c3571a6_JaffaCakes118.doc
Resource
win10v2004-20240802-en
General
-
Target
9bfedc7eaf8c3fab6b036b434c3571a6_JaffaCakes118.doc
-
Size
234KB
-
MD5
9bfedc7eaf8c3fab6b036b434c3571a6
-
SHA1
106f7f5925ec5be17d59030967905fe9f78722ac
-
SHA256
7af2939fc061dcfdfcc640f224a4f1f73efa5b49113f0900324def05c0ec84d3
-
SHA512
630eca49e7a87149e472e52a00e253801279fb804349aaad847f0eda4756d821b5711720f355790f2fb9636b9b668b5ee10e3165010c39d4fea412cb6538f7d1
-
SSDEEP
1536:CterThwxEM5OsmqrmrAK9hbUrHrTP9yQK/dRYz10RzwadtVXMz:CUwxv5OsmqrmrAKH4adSzKkMLMz
Malware Config
Signatures
-
Checks processor information in registry 2 TTPs 12 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz EXCEL.EXE Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString EXCEL.EXE Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WINWORD.EXE Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString EXCEL.EXE Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WINWORD.EXE -
Enumerates system info in registry 2 TTPs 12 IoCs
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU EXCEL.EXE Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily EXCEL.EXE Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WINWORD.EXE Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS EXCEL.EXE Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily WINWORD.EXE -
Suspicious behavior: AddClipboardFormatListener 4 IoCs
pid Process 3380 WINWORD.EXE 3380 WINWORD.EXE 1164 WINWORD.EXE 1164 WINWORD.EXE -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeAuditPrivilege 4948 EXCEL.EXE Token: SeAuditPrivilege 4396 EXCEL.EXE -
Suspicious use of SetWindowsHookEx 25 IoCs
pid Process 3380 WINWORD.EXE 3380 WINWORD.EXE 3380 WINWORD.EXE 3380 WINWORD.EXE 3380 WINWORD.EXE 3380 WINWORD.EXE 3380 WINWORD.EXE 4948 EXCEL.EXE 4948 EXCEL.EXE 4948 EXCEL.EXE 4948 EXCEL.EXE 1164 WINWORD.EXE 1164 WINWORD.EXE 1164 WINWORD.EXE 1164 WINWORD.EXE 1164 WINWORD.EXE 1164 WINWORD.EXE 1164 WINWORD.EXE 1164 WINWORD.EXE 1164 WINWORD.EXE 1164 WINWORD.EXE 4396 EXCEL.EXE 4396 EXCEL.EXE 4396 EXCEL.EXE 4396 EXCEL.EXE
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\9bfedc7eaf8c3fab6b036b434c3571a6_JaffaCakes118.doc" /o ""1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:3380
-
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4948
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /Automation -Embedding1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1164
-
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4396
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A
Filesize471B
MD5f5620c92cbdc293c3ae3aae31aef598b
SHA11f2b47a9ddcf2e644eb45eba39cdbf02ab292bda
SHA256a31cb1fb5b8ae640c14a44be54ba89c30034b42c9638b264583e38924e787f12
SHA5126009ec07f3853df80436f80e3d81a5d95d0d2ff2d501d46b6854438bfa16447e6a787f6610556b957e0e950087109145b6f94de08232d4a085035427e8db7c24
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A
Filesize412B
MD55610d6280e914ecd9b9592b024ce1f7c
SHA117bd33ed229304dd640723a658f693ba76ce43b2
SHA256589ec3cfd7a9da8d3bca1fe02f2c2b20b3337282a88629586a2c7cec801f7189
SHA512bc735521cd7fb7a95956284628ae13d2b821a3067c9e4bef3d0ce2e9c453a17297a357fd3a9d522b60a9f915fd9b2147f788425237004b88d27d2fdb6256fd11
-
Filesize
21B
MD5f1b59332b953b3c99b3c95a44249c0d2
SHA11b16a2ca32bf8481e18ff8b7365229b598908991
SHA256138e49660d259061d8152137abd8829acdfb78b69179890beb489fe3ffe23e0c
SHA5123c1f99ecc394df3741be875fbe8d95e249d1d9ac220805794a22caf81620d5fdd3cce19260d94c0829b3160b28a2b4042e46b56398e60f72134e49254e9679a4
-
Filesize
417B
MD5c56ff60fbd601e84edd5a0ff1010d584
SHA1342abb130dabeacde1d8ced806d67a3aef00a749
SHA256200e8cc8dd12e22c9720be73092eafb620435d4569dbdcdba9404ace2aa4343c
SHA512acd2054fddb33b55b58b870edd4eb6a3cdd3131dfe6139cb3d27054ac2b2a460694c9be9c2a1da0f85606e95e7f393cf16868b6c654e78a664799bc3418da86e
-
Filesize
87B
MD5e4e83f8123e9740b8aa3c3dfa77c1c04
SHA15281eae96efde7b0e16a1d977f005f0d3bd7aad0
SHA2566034f27b0823b2a6a76fe296e851939fd05324d0af9d55f249c79af118b0eb31
SHA512bd6b33fd2bbce4a46991bc0d877695d16f7e60b1959a0defc79b627e569e5c6cac7b4ad4e3e1d8389a08584602a51cf84d44cf247f03beb95f7d307fbba12bb9
-
Filesize
14B
MD56ca4960355e4951c72aa5f6364e459d5
SHA12fd90b4ec32804dff7a41b6e63c8b0a40b592113
SHA25688301f0b7e96132a2699a8bce47d120855c7f0a37054540019e3204d6bcbaba3
SHA5128544cd778717788b7484faf2001f463320a357db63cb72715c1395ef19d32eec4278bab07f15de3f4fed6af7e4f96c41908a0c45be94d5cdd8121877eccf310d
-
Filesize
512KB
MD5e52708a5296d226b2c7dd321d977edfb
SHA176a5656bc39a8dab8507006c6b33366d3c832411
SHA256ff2c1a5eea246d73a2d9ebafd8fd75e0ba10c7a452e1aced087988e1df072056
SHA5129d42ca5a29d2d9da755447b6b728e036e194929216fcd997bc54e44f27e81c72f27c009859ddfd389e4ade8f5aad9e41029d98a1c2cfb4e765df9e313a82e4dc
-
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\909D7E49-A275-4871-88EF-849635690598
Filesize170KB
MD5d2fd93db6e8fdcde232c5f57a96b9cd0
SHA1a7322f5b83f91acb832ae021dc0d7bc4d612d7a2
SHA2563867bdfe9d367fdb809e79867168ca58272b0613ad710758c5deadab8e67adba
SHA5122c6837df22fcb7f7d67d622c97d9b38c0f91c54ec2cc5dc198c10b1b6bf150aacffc59e6dbf51046151385a87b6f723a558dc67ad132e3bb3246379e38b1dfa7
-
Filesize
320KB
MD51860cdd48aea9511bbd598c3d6e80ec2
SHA14d80fb389297d1b42330fc9cc043890b7de843ef
SHA256c72ac8cb5ac91290357dd9c931f52757bd17d6792cc0b6cda581e4f97d72f035
SHA51264718fa5631271dd34463b67d7c95c87ffa80f914f61d2dfd2b33262ad9e7aaa8e3ba5ec6b53e39c8eea8a8baa0b0364dfa0954d1192ab483e07dc1f8a5485e5
-
Filesize
332KB
MD55f68d72f3803dc30a565994a9ac24774
SHA1dbfbc685a61df1cf2a8f338e61a8d9358b0b41a9
SHA256e836daa9209f5558fbd01d5e744a5a733a0c583ff630080ee4a15bf5723ad91b
SHA5124b72e2350ec6484e77e2102e8aa23c78dc314ec8d26c215d028d72f68a184fa6065053737dff375466674e6f510d96d7a04a46076ba386508b1584ce6e2b584f
-
Filesize
11KB
MD599dfe8f131d2e3ea3848b0b0c403da41
SHA186d4f4bfc77af452e64d0d472bdfa8ca1dcf626d
SHA256bf090d65fa2982e7b16b3224dd76ac8a26d8660953421873d331188bca8ddb67
SHA512cb547d9baafc82e378cc729530c87bc9c0250e935bd0fe142a5920bd8e60ab8767ac854e81a3a4fc03302b4e05c5b6d19597e22ccbc0f653a044de5d160a5d62
-
Filesize
24KB
MD5085ebd119f5fc6b8f63720fac1166ff5
SHA1af066018aadec31b8e70a124a158736aca897306
SHA256b8411fe8ec499074fca9047f6983d920279e84ddf3b02b2dd5c08cf07ec44687
SHA512adb0522830db26123347cb485c43b156f5c888510e52091ba0fafc22b650ad29630c027746c920321905c28259dce7ff63dded93a79efddd5567c68312117875
-
Filesize
8KB
MD5070bfe8987e02e99ea805335674587f7
SHA1483eb5b20246a6dab5a56802a5acbf832a70423d
SHA256930cf92f11888f66574128eaf427427270992bbe5d5e350fec69a053493bbb9c
SHA512c8b5efed97cbb09c864bad9ba552191d1db645165d79c43d7dcabc1c2a075050d2b6b956cea0438fad913dd24a49f77ae595dab1a50a878903fe3fca8e6d239b
-
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres
Filesize2KB
MD5d23099b642d99651898cf9b3edb05000
SHA14701fcc984d7633ae9d57f6c4adf54a055a18141
SHA256572034594c7e5fc494ac8c975965e072215896fea3f89f10281e30746e53e1a2
SHA512022453dd3cb654814501f3b453b6336745278d60e5b5194fa04ecf4708fa6e3130a0d41f94232e59c93c10001a026a3852226297eee8790fed149a0bdf41dee2
-
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\49dbe2955480c7f6ef8cec9c4320c9868d9293fd.tbres
Filesize2KB
MD51d58141a4845812f80f7eecfc59a3921
SHA198df47df400e7dbbc1a7e624465ca677ad270da2
SHA2560c4e1f8c0919b167d2c9415c7c8912a5d5fde44d846cf48689e3c2f754cb32c3
SHA5123b6c1823b45f57e8efe66538031a80ab550725ff00a79e00114d20515776b19308a951adc53b402eb213a483703bd5b9038adcb310adc257e34e63ef4f596207
-
Filesize
263KB
MD5ff0e07eff1333cdf9fc2523d323dd654
SHA177a1ae0dd8dbc3fee65dd6266f31e2a564d088a4
SHA2563f925e0cc1542f09de1f99060899eafb0042bb9682507c907173c392115a44b5
SHA512b4615f995fab87661c2dbe46625aa982215d7bde27cafae221dca76087fe76da4b4a381943436fcac1577cb3d260d0050b32b7b93e3eb07912494429f126bb3d
-
Filesize
148KB
MD5c73600c10c664c198b2bdabc77141877
SHA12073348fa5657d745c371399ef27f6e7ca223d94
SHA25638a0d78fd0dc5194f40c4c048a021f408ec104a5b0218ab95378579abdbdab3d
SHA512afe9523cf74317a1f517d2aed1ec61b619a6dad9ca134488d8ba9abb21c3b13773082bb67d63fb68acb90f92b60ed7d6558c0212ff47b6cc438a1ed39e5c4297
-
Filesize
2B
MD5f3b25701fe362ec84616a93a45ce9998
SHA1d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA51298c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
Filesize2KB
MD51ae37bd6ffaa0248ff050991d66053d4
SHA111691ef63e5f1ad3551840f0acadcaf76052e73b
SHA256e63b5d718dc49ef94715ac1e1908332b3fc7cda877679eeadc9760bbd72a75ff
SHA512ad94e68d712f9ec454d050df322575528f5c966e4c695c9308b61614f726ce6b869393602035f09c1bd88a8368efdea8f1c82c3cd719d4631a85e7a9bb069a94