Analysis

  • max time kernel
    117s
  • max time network
    126s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    15/08/2024, 01:02

General

  • Target

    985b1fff593020af8a5dab1b9a431863_JaffaCakes118.doc

  • Size

    205KB

  • MD5

    985b1fff593020af8a5dab1b9a431863

  • SHA1

    1649a3103088c85fc304760c552f8bd30b7a7502

  • SHA256

    15dd0ac560d8c37a7b49998aef5111f5615cbd1c3ff7e570e387684ffde709af

  • SHA512

    af573a28c12016fade1ead01386f493d8fc7e09b951058095697cdbb19b692d9b35a78d514840f4673473369d0f1999981a133b3057b24a19901f660c7a3f445

  • SSDEEP

    1536:ctPrT8wrLT0NeXxz1Dwe2HrTPNyD5J8bPtjhMEbFXk3mdYis/:c2w3keXxz1Dfug4qEZX0L9

Score
1/10

Malware Config

Signatures

  • Checks processor information in registry (2 TTPs, 15 IoCs)

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry (2 TTPs, 15 IoCs)
  • Suspicious behavior: AddClipboardFormatListener (4 IoCs)
  • Suspicious use of AdjustPrivilegeToken (3 IoCs)
  • Suspicious use of SetWindowsHookEx (29 IoCs)

Processes

  • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\985b1fff593020af8a5dab1b9a431863_JaffaCakes118.doc" /o ""
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    PID:1116
  • C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    PID:1268
  • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /Automation -Embedding
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    PID:892
  • C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    PID:4392
  • C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    PID:2060

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9

    Filesize

    471B

    MD5

    b8c0f9edc69747692df1d72ef62a993e

    SHA1

    14b4069ff68209aa1f15b87a6e063118e0c9d92b

    SHA256

    a8a0ab8dad87e93e2c746556420b921f150388943fe45bab7f9c8ebb222be40b

    SHA512

    cbcf6286918ca3458be7038c74dca1c1cbe530e8f364f31da99a5c8b94bcdb642e295b0ed2525ae4098e4d3a2d8e704756f570fbf13b6927e31431dd0ad8acaf

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9

    Filesize

    420B

    MD5

    35051c24742e89e34cf9784a9ab07ba8

    SHA1

    2ac404f2af8535a53d440705d4b5a1e5398cb4a5

    SHA256

    1deca664b2555fc611bde7bab71d3e3ae2b0d755a25107c800d13a30c9b54118

    SHA512

    ef8efb1c9dd496c4d5a622d4f939e8ec573256202dbb70c41285a2d4026314bc3b5cf68f2f6540caffdbe2e827e4b36b28d825be3a6e94be6b7644936b7a9b40

  • C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.CampaignStates.json

    Filesize

    21B

    MD5

    f1b59332b953b3c99b3c95a44249c0d2

    SHA1

    1b16a2ca32bf8481e18ff8b7365229b598908991

    SHA256

    138e49660d259061d8152137abd8829acdfb78b69179890beb489fe3ffe23e0c

    SHA512

    3c1f99ecc394df3741be875fbe8d95e249d1d9ac220805794a22caf81620d5fdd3cce19260d94c0829b3160b28a2b4042e46b56398e60f72134e49254e9679a4

  • C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.GovernedChannelStates.json

    Filesize

    417B

    MD5

    c56ff60fbd601e84edd5a0ff1010d584

    SHA1

    342abb130dabeacde1d8ced806d67a3aef00a749

    SHA256

    200e8cc8dd12e22c9720be73092eafb620435d4569dbdcdba9404ace2aa4343c

    SHA512

    acd2054fddb33b55b58b870edd4eb6a3cdd3131dfe6139cb3d27054ac2b2a460694c9be9c2a1da0f85606e95e7f393cf16868b6c654e78a664799bc3418da86e

  • C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.Settings.json

    Filesize

    87B

    MD5

    e4e83f8123e9740b8aa3c3dfa77c1c04

    SHA1

    5281eae96efde7b0e16a1d977f005f0d3bd7aad0

    SHA256

    6034f27b0823b2a6a76fe296e851939fd05324d0af9d55f249c79af118b0eb31

    SHA512

    bd6b33fd2bbce4a46991bc0d877695d16f7e60b1959a0defc79b627e569e5c6cac7b4ad4e3e1d8389a08584602a51cf84d44cf247f03beb95f7d307fbba12bb9

  • C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.SurveyEventActivityStats.json

    Filesize

    14B

    MD5

    6ca4960355e4951c72aa5f6364e459d5

    SHA1

    2fd90b4ec32804dff7a41b6e63c8b0a40b592113

    SHA256

    88301f0b7e96132a2699a8bce47d120855c7f0a37054540019e3204d6bcbaba3

    SHA512

    8544cd778717788b7484faf2001f463320a357db63cb72715c1395ef19d32eec4278bab07f15de3f4fed6af7e4f96c41908a0c45be94d5cdd8121877eccf310d

  • C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\OfficeFileCache\CentralTable.accdb

    Filesize

    512KB

    MD5

    d1c1ce3ced493ff9d035b7d341b6d3eb

    SHA1

    a50a3a6228f0c4e9c99fac7da26ce627f45f8556

    SHA256

    f4af552f111bc1c7d8b48699b9da255ce4edcc3d2a9122a26941a2e0644dcc09

    SHA512

    e33296f482ecdcc1b7352c49d3a1b82b8b31550533ed65fec0b822430fd0396757b33121e68591b07aa9592034f0a7dce7b316f896c8e4bd312802203d9a988f

  • C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\OfficeFileCache\CentralTable.laccdb

    Filesize

    128B

    MD5

    1a4bd91a5bb892684912659706e1e61c

    SHA1

    470791cb18964759396930b83586e021aa916397

    SHA256

    8c7e4bfd0a6d668da08b9b3717caddfb838bb8e87bdcbc1806b98420dce4ca98

    SHA512

    3387f95b5913e97fa24b63424dfd6f3ed367cad49d9e0118ff4b1660d9071825f2d08ac1833d2725782723f95f744ccfdb546181133fa2eb6c3a22cf1f4ee337

  • C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\OfficeFileCache\CentralTable.laccdb

    Filesize

    192B

    MD5

    4eabb6fc2695a5a43afa79f1a75a941d

    SHA1

    677d4724956af0aec27396340a2da7a80ac59e54

    SHA256

    5c639d8a1183d08acb1c0d4cb5579204f24885bc5b20c1a5fb72fb0314427ed9

    SHA512

    8d31a75bbfb87a744c05db8f2205b5490770550a8e081f995bcb6be623a87a21675c021a9671f5f10598b771b0d9a6e4fb2108d50e8b0a70feda97038e0ce9e4

  • C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\A0ACAE7E-C5F0-4E0F-A17F-C303514FE9A8

    Filesize

    170KB

    MD5

    1d1962a22fe10255bb9e6397368565f8

    SHA1

    2199f069555677667354b43a5ac02e910d52c321

    SHA256

    e19c064913debf3d9656609cd728385c1e51191d61bcf23317fbd3f79fb77261

    SHA512

    43e7d5167f422dafb31dc9df6bae59a155228aa6cac15186110b734330caccc2a10a7c0ddb30c9624f4c4526434334bd6d561c1c02f862fd973d2f7b22630a32

  • C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml

    Filesize

    321KB

    MD5

    5b4ea7676f0e3aa19f87eaf81cacfc69

    SHA1

    a776b52f53b1002255d87b4ced9f0d385d4f17ed

    SHA256

    7e04d3b29ddaa7b7480f081db4d4f3b881e5945b40cd9a7582986603f8ceadaf

    SHA512

    0a5cbf228584dd5b31b8d640f498ca1003683c571c5f77963b56dc7de6de3e8f5b161781f6d8344e2029816da2909cab293161265eac390646420def640c612b

  • C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml

    Filesize

    322KB

    MD5

    a205511afbea748b096ce39a40cd3648

    SHA1

    3284498daa3b5b9addc2cd946bb48b2cbd048282

    SHA256

    52a5651762b084c966ec5b0e28123769942884e8e29003fe3992af0cc27080d5

    SHA512

    18b1cceb69ca0993d831303b3efc14045be7ee1c8d4be5c89c7eb2b0c788075fb45f91b4ab5806a160dccfa35f61017b41d81ac9c3cb52cf85223545e06f3d92

  • C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\winword.exe_Rules.xml

    Filesize

    331KB

    MD5

    299790eb4da891c0cad926473bdea5f7

    SHA1

    dacbd07b42d91a20ba9bfcdee5cdd75ce15644da

    SHA256

    6fac6770bea97503592e79ac1d458450afd373eb2fa1accf4218d5ee447d52d9

    SHA512

    3ab4b0d6b5c1eecc6b3fb37ffdf061713906c92b6c2e15f7f869f7b6a8b45a6dd069743080f3fe57f9726770f49a8826b07f50987fa148b882593481bb3670be

  • C:\Users\Admin\AppData\Local\Microsoft\Office\DLP\mip\logs\mip_sdk.miplog

    Filesize

    10KB

    MD5

    3d36ab00ecb8c608b99387694aa71bd4

    SHA1

    a1747b683c4a581f2a1190d7c323a110826d75da

    SHA256

    082aa267c3def8abba9f28137f7e8692516121a61468608afeab225c92f3cf48

    SHA512

    50a341e123665c4619b8689bcaf20b122b2b5e25b8022983d2cb4531283e576d499ac1f818492c47cfa3b9cbef0ad02fa760abb2e1ba8db1f7618d0ce2db2b45

  • C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\excel.exe.db

    Filesize

    24KB

    MD5

    33eea2792b9fa42f418d9d609f692007

    SHA1

    48c3916a14ef2d9609ec4d2887a337b973cf8753

    SHA256

    8f7807c324626abc2d3504638958c148e2e3f3e212261f078940cf4c5f0c4fbb

    SHA512

    b2dbfcdf2599c38c966c5ebce714a5cd50e2f8b411555acf9f02b31b9c29b8ab53a9afa9d32bab87a06e08f8b2c7818d600773f659a058c8af81c50be7f09b95

  • C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\excel.exe.db-wal

    Filesize

    8KB

    MD5

    083b6ffd3ad6d6577f772a5ecb3ec394

    SHA1

    c0934fd927c13b76086f274db55c29d96e74220c

    SHA256

    71fe1f648000bb3af523f52cea6c68af959155d3b8db4cf8fbeb662a13289363

    SHA512

    46db8502c99c10fee934f0dbb3648363305b9e8d73350820da654e4de4fbb06ea3ed94846898a64c0ff7b861196d99185040616199cdef115235b8e389e06702

  • C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\excel.exe.db-wal

    Filesize

    12KB

    MD5

    a9c44255d0c25d26b7060069e8882135

    SHA1

    a30c735f662612785565898f2aac5e59eac76d55

    SHA256

    af539487ea047042252e40640ce9aa4b5d483fb37496633273c13b34909fa823

    SHA512

    b41b81ba01ab1843be05c74bc8d564ce48c4b2e98c43969b62f66c12c1e17546c9dc1b093d6bf42da9f524dd53b1e74285152c095251966301740b8433640d11

  • C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\winword.exe.db-wal

    Filesize

    8KB

    MD5

    153cafd95f478f0fb9cf93d3424dcda6

    SHA1

    79d3141d9d0de579cde4fde6ea8d5a8dfb937e35

    SHA256

    3f1e50c4b4943b952b02871ed91489bf61c67adbf38ea29cd6a553ad4e45b45b

    SHA512

    f03545976a6cb0174b65f8e7956795ea9385e8c50e11375e1bf7861dc6dcbb5caedadf51fcd4caf7cd921d73162b66ae56652ed2fca7433a087395a587861cf1

  • C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres

    Filesize

    2KB

    MD5

    6a62a1aba4399bfaa527af6434df8b2c

    SHA1

    edf971332f4a455cf7f621ec1091eacf088ae40b

    SHA256

    71dc75fa61d5590e509ee53024885f3202c21b45350c2a9f353892d0451b32da

    SHA512

    750d55c0f376a42896a9d3056164b35b0500c984c27e7fe0e08caa62ef97e3af5eaae2d7f322e59929a944ae223cbf2b241480ea04f17f0bd712372f2e04df44

  • C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\49dbe2955480c7f6ef8cec9c4320c9868d9293fd.tbres

    Filesize

    2KB

    MD5

    c5b5ef2a03a15da8ac71ec86a38e927a

    SHA1

    1852d311495e7024e22c25f6bc507616b78c5f92

    SHA256

    32382781bd229aa141a31f88f26e5da08d6ce78b578be4a956ce3308f3f9147c

    SHA512

    622a0c3779054d756f78a3c7b50c04a10a031cd9a5ad3817b70aa35555118e40f4c6cffe2436bb8bc5daa60153a9fe083db7e3627d3b1b1cf6dcdfde846b9fec

  • C:\Users\Admin\AppData\Local\Temp\TCDEF8A.tmp\gb.xsl

    Filesize

    262KB

    MD5

    51d32ee5bc7ab811041f799652d26e04

    SHA1

    412193006aa3ef19e0a57e16acf86b830993024a

    SHA256

    6230814bf5b2d554397580613e20681752240ab87fd354ececf188c1eabe0e97

    SHA512

    5fc5d889b0c8e5ef464b76f0c4c9e61bda59b2d1205ac9417cc74d6e9f989fb73d78b4eb3044a1a1e1f2c00ce1ca1bd6d4d07eeadc4108c7b124867711c31810

  • C:\Users\Admin\AppData\Local\Temp\VBE\MSForms.exd

    Filesize

    148KB

    MD5

    2ceb8694ef805c34ef3d89d5fbbcf44e

    SHA1

    fc2044b96aae4d5bd5e40f8d31bc7b37167be9e7

    SHA256

    305519c1296341b9125c5f405d672d0bf98bd2e61109b510bb3f3c30168f535c

    SHA512

    a8ccfcfdffdd14821a691fb1049cb2231d5b3c85c8c403cc48ba77d09487f56868f8a9dfce8a3795be0f14ba8f717a3446ff6ef3b3d049283dbfae947f8db5ee

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

    Filesize

    1KB

    MD5

    cf6be6773d2e9c2dbc8f03427d3deb72

    SHA1

    0886439dd249271fbf82dd050273368a2409c798

    SHA256

    39d783ea8ef6298ac9f904df8aa5029c9175a69f2095d8a87ca4a2d5ef65c6e1

    SHA512

    59d301782f61c9b116e8734b84866ee6b67ef0fb0952df2574f6c1433c86bceba2c1f2fd2ea10b5bb90b696874b6b43bd6a73a3b892cce328ab565568efd52e0

  • memory/892-2081-0x00007FFD95470000-0x00007FFD95480000-memory.dmp

    Filesize

    64KB

  • memory/892-2084-0x00007FFD95470000-0x00007FFD95480000-memory.dmp

    Filesize

    64KB

  • memory/892-2083-0x00007FFD95470000-0x00007FFD95480000-memory.dmp

    Filesize

    64KB

  • memory/892-2082-0x00007FFD95470000-0x00007FFD95480000-memory.dmp

    Filesize

    64KB

  • memory/1116-12-0x00007FFDD53F0000-0x00007FFDD55E5000-memory.dmp

    Filesize

    2.0MB

  • memory/1116-214-0x00007FFDD53F0000-0x00007FFDD55E5000-memory.dmp

    Filesize

    2.0MB

  • memory/1116-161-0x00007FFDD53F0000-0x00007FFDD55E5000-memory.dmp

    Filesize

    2.0MB

  • memory/1116-0-0x00007FFD95470000-0x00007FFD95480000-memory.dmp

    Filesize

    64KB

  • memory/1116-1-0x00007FFD95470000-0x00007FFD95480000-memory.dmp

    Filesize

    64KB

  • memory/1116-2-0x00007FFD95470000-0x00007FFD95480000-memory.dmp

    Filesize

    64KB

  • memory/1116-4-0x00007FFD95470000-0x00007FFD95480000-memory.dmp

    Filesize

    64KB

  • memory/1116-6-0x00007FFDD53F0000-0x00007FFDD55E5000-memory.dmp

    Filesize

    2.0MB

  • memory/1116-7-0x00007FFDD53F0000-0x00007FFDD55E5000-memory.dmp

    Filesize

    2.0MB

  • memory/1116-8-0x00007FFDD53F0000-0x00007FFDD55E5000-memory.dmp

    Filesize

    2.0MB

  • memory/1116-10-0x00007FFDD53F0000-0x00007FFDD55E5000-memory.dmp

    Filesize

    2.0MB

  • memory/1116-11-0x00007FFDD53F0000-0x00007FFDD55E5000-memory.dmp

    Filesize

    2.0MB

  • memory/1116-3-0x00007FFDD548D000-0x00007FFDD548E000-memory.dmp

    Filesize

    4KB

  • memory/1116-14-0x00007FFDD53F0000-0x00007FFDD55E5000-memory.dmp

    Filesize

    2.0MB

  • memory/1116-15-0x00007FFD92F00000-0x00007FFD92F10000-memory.dmp

    Filesize

    64KB

  • memory/1116-16-0x00007FFDD53F0000-0x00007FFDD55E5000-memory.dmp

    Filesize

    2.0MB

  • memory/1116-21-0x00007FFDD53F0000-0x00007FFDD55E5000-memory.dmp

    Filesize

    2.0MB

  • memory/1116-22-0x00007FFD92F00000-0x00007FFD92F10000-memory.dmp

    Filesize

    64KB

  • memory/1116-19-0x00007FFDD53F0000-0x00007FFDD55E5000-memory.dmp

    Filesize

    2.0MB

  • memory/1116-20-0x00007FFDD53F0000-0x00007FFDD55E5000-memory.dmp

    Filesize

    2.0MB

  • memory/1116-18-0x00007FFDD53F0000-0x00007FFDD55E5000-memory.dmp

    Filesize

    2.0MB

  • memory/1116-17-0x00007FFDD53F0000-0x00007FFDD55E5000-memory.dmp

    Filesize

    2.0MB

  • memory/1116-13-0x00007FFDD53F0000-0x00007FFDD55E5000-memory.dmp

    Filesize

    2.0MB

  • memory/1116-9-0x00007FFDD53F0000-0x00007FFDD55E5000-memory.dmp

    Filesize

    2.0MB

  • memory/1116-5-0x00007FFD95470000-0x00007FFD95480000-memory.dmp

    Filesize

    64KB

  • memory/1116-2129-0x00007FFDD53F0000-0x00007FFDD55E5000-memory.dmp

    Filesize

    2.0MB