Analysis
- max time kernel: 117s
- max time network: 126s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 15/08/2024, 01:02
Behavioral task behavioral1
- Sample: 985b1fff593020af8a5dab1b9a431863_JaffaCakes118.doc
- Resource: win7-20240708-en
Behavioral task behavioral2
- Sample: 985b1fff593020af8a5dab1b9a431863_JaffaCakes118.doc
- Resource: win10v2004-20240802-en
The per-run details on this page (platform windows10-2004_x64, resource win10v2004-20240802-en, Office16 process paths) belong to behavioral2; the Windows 7 task's results are not shown here.
General
- Target: 985b1fff593020af8a5dab1b9a431863_JaffaCakes118.doc
- Size: 205KB
- MD5: 985b1fff593020af8a5dab1b9a431863
- SHA1: 1649a3103088c85fc304760c552f8bd30b7a7502
- SHA256: 15dd0ac560d8c37a7b49998aef5111f5615cbd1c3ff7e570e387684ffde709af
- SHA512: af573a28c12016fade1ead01386f493d8fc7e09b951058095697cdbb19b692d9b35a78d514840f4673473369d0f1999981a133b3057b24a19901f660c7a3f445
- SSDEEP: 1536:ctPrT8wrLT0NeXxz1Dwe2HrTPNyD5J8bPtjhMEbFXk3mdYis/:c2w3keXxz1Dfug4qEZX0L9
Malware Config
Signatures
-
- Checks processor information in registry (2 TTPs, 15 IoCs)
Processor information is often read in order to detect sandboxing environments. In this run every read comes from WINWORD.EXE or EXCEL.EXE, the Office host processes themselves, and no other process appears in the IoC list or in the process tree, so the signature is consistent with Office start-up behaviour and on its own does not show the document running code.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | EXCEL.EXE
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | EXCEL.EXE
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | EXCEL.EXE
- Enumerates system info in registry (2 TTPs, 15 IoCs)
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | EXCEL.EXE
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | EXCEL.EXE
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | EXCEL.EXE
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | EXCEL.EXE
- Suspicious behavior: AddClipboardFormatListener (4 IoCs)
pid | Process
1116 | WINWORD.EXE (2 hits)
892 | WINWORD.EXE
4392 | EXCEL.EXE
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
description | pid | Process
Token: SeAuditPrivilege | 1268 | EXCEL.EXE
Token: SeAuditPrivilege | 4392 | EXCEL.EXE
Token: SeAuditPrivilege | 2060 | EXCEL.EXE
- Suspicious use of SetWindowsHookEx (29 IoCs)
pid | Process
1116 | WINWORD.EXE (7 hits)
1268 | EXCEL.EXE (4 hits)
892 | WINWORD.EXE (10 hits)
4392 | EXCEL.EXE (4 hits)
2060 | EXCEL.EXE (4 hits)
All three of these signatures fire only against the Office host processes. Clipboard-format listeners and window hooks are ordinary for a GUI application, so these hits are a weak signal on their own; they become interesting only together with a spawned child process or network activity, neither of which is listed on this page.
Processes
All five processes sit at tree depth 1 (the trailing "1" on each entry in the original page is the depth marker), and no child process is listed under any of them.
- WINWORD.EXE, PID 1116 (document opened by name)
  "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\985b1fff593020af8a5dab1b9a431863_JaffaCakes118.doc" /o ""
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
- EXCEL.EXE, PID 1268 (started with /automation -Embedding, the COM-launched form)
  "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
- WINWORD.EXE, PID 892 (started with /Automation -Embedding)
  "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /Automation -Embedding
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
- EXCEL.EXE, PID 4392 (started with /automation -Embedding)
  "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
- EXCEL.EXE, PID 2060 (started with /automation -Embedding)
  "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
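The two registry signatures and the process list above are the pieces an analyst actually combines when deciding whether "reads CPU/BIOS info" means sandbox evasion or just Office starting up. The following is an added triage helper, not tria.ge code and not part of the report: it parses rows in the flattened "description ioc Process" form the page prints, maps each process to the fingerprint values it read, classifies Office command lines as a named-document open versus a COM automation launch, and then gives a per-process verdict. The sample rows are copied from the report, with one invented cmd.exe row added to exercise the non-Office path; the parent-PID column, the OFFICE_HOSTS allowlist and the FINGERPRINT_VALUES set are assumptions for the example.

```python
"""Added triage helper (not tria.ge code): structure the flattened registry
signature rows and process list of a sandbox report, then decide per process
whether CPU/BIOS registry reads deserve follow-up."""
import re
from collections import defaultdict

# One flattened "description ioc Process" row per line, as the report prints them.
ROW_RE = re.compile(r"^(Key opened|Key value queried)\s+(\\REGISTRY\\\S+)\s+(\S+)$")

# Registry values that sandbox-detection code commonly reads; all four appear
# in the two signatures of the report. (Assumed set for this example.)
FINGERPRINT_VALUES = {"ProcessorNameString", "~MHz", "SystemSKU", "SystemFamily"}

# Assumption: Office host binaries whose own start-up code reads these keys, so
# a read by one of them with no further activity is treated as baseline.
OFFICE_HOSTS = {"WINWORD.EXE", "EXCEL.EXE", "POWERPNT.EXE"}

# Constructed input: five rows copied from the report plus one invented cmd.exe
# row to show the non-Office branch. Not a real log feed.
SIGNATURE_ROWS = r"""
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString EXCEL.EXE
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WINWORD.EXE
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 EXCEL.EXE
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WINWORD.EXE
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily EXCEL.EXE
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily cmd.exe
"""

# Constructed input: (pid, parent pid, command line) for the first three
# processes of the report. Every process there is at tree depth 1, so the
# parent is recorded as 0 (no parent shown). The parent column is an assumption.
PROCESSES = [
    (1116, 0, r'"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n '
              r'"C:\Users\Admin\AppData\Local\Temp\985b1fff593020af8a5dab1b9a431863_JaffaCakes118.doc" /o ""'),
    (1268, 0, r'"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding'),
    (892, 0, r'"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /Automation -Embedding'),
]


def parse_rows(text):
    """Turn flattened rows into dicts; 'value' is the queried value name, or None for a bare key open."""
    rows = []
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue  # tolerate stray text between rows
        action, path, proc = m.groups()
        value = path.rsplit("\\", 1)[1] if action == "Key value queried" else None
        rows.append({"action": action, "path": path, "value": value, "process": proc.upper()})
    return rows


def fingerprint_reads(rows):
    """Map each process name to the set of fingerprint values it queried."""
    reads = defaultdict(set)
    for r in rows:
        if r["value"] in FINGERPRINT_VALUES:
            reads[r["process"]].add(r["value"])
    return dict(reads)


def classify_launch(cmdline):
    """How an Office process was started, judged from its command line."""
    low = cmdline.lower()
    if "/automation" in low and "-embedding" in low:
        return "com-automation"  # launched by COM; no document on the command line
    if re.search(r'\s/n\s+"[^"]+"', cmdline):
        return "document-open"   # opened a named file, as a user double-click would
    return "other"


def image_name(cmdline):
    """Executable name from a quoted command line, e.g. WINWORD.EXE."""
    return cmdline.split('"')[1].rsplit("\\", 1)[-1].upper()


def assess(rows, processes):
    """Per reading process: baseline Office behaviour, or something to investigate."""
    names = {pid: image_name(cmd) for pid, _, cmd in processes}
    children = defaultdict(list)
    for pid, ppid, _ in processes:
        children[ppid].append(pid)
    verdicts = {}
    for proc, values in fingerprint_reads(rows).items():
        pids = [pid for pid, name in names.items() if name == proc]
        spawned = any(children[pid] for pid in pids)
        if proc not in OFFICE_HOSTS:
            verdicts[proc] = "investigate: non-Office process read " + ", ".join(sorted(values))
        elif spawned:
            verdicts[proc] = "investigate: Office host spawned child processes"
        else:
            verdicts[proc] = "office-baseline: registry reads only, no child processes"
    return verdicts


if __name__ == "__main__":
    for proc, verdict in assess(parse_rows(SIGNATURE_ROWS), PROCESSES).items():
        print(f"{proc:12} {verdict}")
    for pid, _, cmd in PROCESSES:
        print(pid, image_name(cmd), classify_launch(cmd))
```

The useful behaviour is in `assess`: the same registry reads flip from "office-baseline" to "investigate" as soon as the Office host that performed them has a child in the process list, which is the condition this report does not show but a macro-bearing document would produce.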
Network
MITRE ATT&CK Enterprise v15
Downloads
The paths shown are the ones the report gives; entries the report lists without a path are marked as such and no path is guessed. The named locations (CryptnetUrlCache, TokenBroker\Cache, Office WebServiceCache, Recent\CustomDestinations) are working caches that Windows and Office write during normal operation, so none of these entries by itself shows the document dropping a file.
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9
  Filesize: 471B
  MD5: b8c0f9edc69747692df1d72ef62a993e
  SHA1: 14b4069ff68209aa1f15b87a6e063118e0c9d92b
  SHA256: a8a0ab8dad87e93e2c746556420b921f150388943fe45bab7f9c8ebb222be40b
  SHA512: cbcf6286918ca3458be7038c74dca1c1cbe530e8f364f31da99a5c8b94bcdb642e295b0ed2525ae4098e4d3a2d8e704756f570fbf13b6927e31431dd0ad8acaf
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9
  Filesize: 420B
  MD5: 35051c24742e89e34cf9784a9ab07ba8
  SHA1: 2ac404f2af8535a53d440705d4b5a1e5398cb4a5
  SHA256: 1deca664b2555fc611bde7bab71d3e3ae2b0d755a25107c800d13a30c9b54118
  SHA512: ef8efb1c9dd496c4d5a622d4f939e8ec573256202dbb70c41285a2d4026314bc3b5cf68f2f6540caffdbe2e827e4b36b28d825be3a6e94be6b7644936b7a9b40
- (path not shown in report)
  Filesize: 21B
  MD5: f1b59332b953b3c99b3c95a44249c0d2
  SHA1: 1b16a2ca32bf8481e18ff8b7365229b598908991
  SHA256: 138e49660d259061d8152137abd8829acdfb78b69179890beb489fe3ffe23e0c
  SHA512: 3c1f99ecc394df3741be875fbe8d95e249d1d9ac220805794a22caf81620d5fdd3cce19260d94c0829b3160b28a2b4042e46b56398e60f72134e49254e9679a4
- (path not shown in report)
  Filesize: 417B
  MD5: c56ff60fbd601e84edd5a0ff1010d584
  SHA1: 342abb130dabeacde1d8ced806d67a3aef00a749
  SHA256: 200e8cc8dd12e22c9720be73092eafb620435d4569dbdcdba9404ace2aa4343c
  SHA512: acd2054fddb33b55b58b870edd4eb6a3cdd3131dfe6139cb3d27054ac2b2a460694c9be9c2a1da0f85606e95e7f393cf16868b6c654e78a664799bc3418da86e
- (path not shown in report)
  Filesize: 87B
  MD5: e4e83f8123e9740b8aa3c3dfa77c1c04
  SHA1: 5281eae96efde7b0e16a1d977f005f0d3bd7aad0
  SHA256: 6034f27b0823b2a6a76fe296e851939fd05324d0af9d55f249c79af118b0eb31
  SHA512: bd6b33fd2bbce4a46991bc0d877695d16f7e60b1959a0defc79b627e569e5c6cac7b4ad4e3e1d8389a08584602a51cf84d44cf247f03beb95f7d307fbba12bb9
- (path not shown in report)
  Filesize: 14B
  MD5: 6ca4960355e4951c72aa5f6364e459d5
  SHA1: 2fd90b4ec32804dff7a41b6e63c8b0a40b592113
  SHA256: 88301f0b7e96132a2699a8bce47d120855c7f0a37054540019e3204d6bcbaba3
  SHA512: 8544cd778717788b7484faf2001f463320a357db63cb72715c1395ef19d32eec4278bab07f15de3f4fed6af7e4f96c41908a0c45be94d5cdd8121877eccf310d
- (path not shown in report)
  Filesize: 512KB
  MD5: d1c1ce3ced493ff9d035b7d341b6d3eb
  SHA1: a50a3a6228f0c4e9c99fac7da26ce627f45f8556
  SHA256: f4af552f111bc1c7d8b48699b9da255ce4edcc3d2a9122a26941a2e0644dcc09
  SHA512: e33296f482ecdcc1b7352c49d3a1b82b8b31550533ed65fec0b822430fd0396757b33121e68591b07aa9592034f0a7dce7b316f896c8e4bd312802203d9a988f
- (path not shown in report)
  Filesize: 128B
  MD5: 1a4bd91a5bb892684912659706e1e61c
  SHA1: 470791cb18964759396930b83586e021aa916397
  SHA256: 8c7e4bfd0a6d668da08b9b3717caddfb838bb8e87bdcbc1806b98420dce4ca98
  SHA512: 3387f95b5913e97fa24b63424dfd6f3ed367cad49d9e0118ff4b1660d9071825f2d08ac1833d2725782723f95f744ccfdb546181133fa2eb6c3a22cf1f4ee337
- (path not shown in report)
  Filesize: 192B
  MD5: 4eabb6fc2695a5a43afa79f1a75a941d
  SHA1: 677d4724956af0aec27396340a2da7a80ac59e54
  SHA256: 5c639d8a1183d08acb1c0d4cb5579204f24885bc5b20c1a5fb72fb0314427ed9
  SHA512: 8d31a75bbfb87a744c05db8f2205b5490770550a8e081f995bcb6be623a87a21675c021a9671f5f10598b771b0d9a6e4fb2108d50e8b0a70feda97038e0ce9e4
- C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\A0ACAE7E-C5F0-4E0F-A17F-C303514FE9A8
  Filesize: 170KB
  MD5: 1d1962a22fe10255bb9e6397368565f8
  SHA1: 2199f069555677667354b43a5ac02e910d52c321
  SHA256: e19c064913debf3d9656609cd728385c1e51191d61bcf23317fbd3f79fb77261
  SHA512: 43e7d5167f422dafb31dc9df6bae59a155228aa6cac15186110b734330caccc2a10a7c0ddb30c9624f4c4526434334bd6d561c1c02f862fd973d2f7b22630a32
- (path not shown in report)
  Filesize: 321KB
  MD5: 5b4ea7676f0e3aa19f87eaf81cacfc69
  SHA1: a776b52f53b1002255d87b4ced9f0d385d4f17ed
  SHA256: 7e04d3b29ddaa7b7480f081db4d4f3b881e5945b40cd9a7582986603f8ceadaf
  SHA512: 0a5cbf228584dd5b31b8d640f498ca1003683c571c5f77963b56dc7de6de3e8f5b161781f6d8344e2029816da2909cab293161265eac390646420def640c612b
- (path not shown in report)
  Filesize: 322KB
  MD5: a205511afbea748b096ce39a40cd3648
  SHA1: 3284498daa3b5b9addc2cd946bb48b2cbd048282
  SHA256: 52a5651762b084c966ec5b0e28123769942884e8e29003fe3992af0cc27080d5
  SHA512: 18b1cceb69ca0993d831303b3efc14045be7ee1c8d4be5c89c7eb2b0c788075fb45f91b4ab5806a160dccfa35f61017b41d81ac9c3cb52cf85223545e06f3d92
- (path not shown in report)
  Filesize: 331KB
  MD5: 299790eb4da891c0cad926473bdea5f7
  SHA1: dacbd07b42d91a20ba9bfcdee5cdd75ce15644da
  SHA256: 6fac6770bea97503592e79ac1d458450afd373eb2fa1accf4218d5ee447d52d9
  SHA512: 3ab4b0d6b5c1eecc6b3fb37ffdf061713906c92b6c2e15f7f869f7b6a8b45a6dd069743080f3fe57f9726770f49a8826b07f50987fa148b882593481bb3670be
- (path not shown in report)
  Filesize: 10KB
  MD5: 3d36ab00ecb8c608b99387694aa71bd4
  SHA1: a1747b683c4a581f2a1190d7c323a110826d75da
  SHA256: 082aa267c3def8abba9f28137f7e8692516121a61468608afeab225c92f3cf48
  SHA512: 50a341e123665c4619b8689bcaf20b122b2b5e25b8022983d2cb4531283e576d499ac1f818492c47cfa3b9cbef0ad02fa760abb2e1ba8db1f7618d0ce2db2b45
- (path not shown in report)
  Filesize: 24KB
  MD5: 33eea2792b9fa42f418d9d609f692007
  SHA1: 48c3916a14ef2d9609ec4d2887a337b973cf8753
  SHA256: 8f7807c324626abc2d3504638958c148e2e3f3e212261f078940cf4c5f0c4fbb
  SHA512: b2dbfcdf2599c38c966c5ebce714a5cd50e2f8b411555acf9f02b31b9c29b8ab53a9afa9d32bab87a06e08f8b2c7818d600773f659a058c8af81c50be7f09b95
- (path not shown in report)
  Filesize: 8KB
  MD5: 083b6ffd3ad6d6577f772a5ecb3ec394
  SHA1: c0934fd927c13b76086f274db55c29d96e74220c
  SHA256: 71fe1f648000bb3af523f52cea6c68af959155d3b8db4cf8fbeb662a13289363
  SHA512: 46db8502c99c10fee934f0dbb3648363305b9e8d73350820da654e4de4fbb06ea3ed94846898a64c0ff7b861196d99185040616199cdef115235b8e389e06702
- (path not shown in report)
  Filesize: 12KB
  MD5: a9c44255d0c25d26b7060069e8882135
  SHA1: a30c735f662612785565898f2aac5e59eac76d55
  SHA256: af539487ea047042252e40640ce9aa4b5d483fb37496633273c13b34909fa823
  SHA512: b41b81ba01ab1843be05c74bc8d564ce48c4b2e98c43969b62f66c12c1e17546c9dc1b093d6bf42da9f524dd53b1e74285152c095251966301740b8433640d11
- (path not shown in report)
  Filesize: 8KB
  MD5: 153cafd95f478f0fb9cf93d3424dcda6
  SHA1: 79d3141d9d0de579cde4fde6ea8d5a8dfb937e35
  SHA256: 3f1e50c4b4943b952b02871ed91489bf61c67adbf38ea29cd6a553ad4e45b45b
  SHA512: f03545976a6cb0174b65f8e7956795ea9385e8c50e11375e1bf7861dc6dcbb5caedadf51fcd4caf7cd921d73162b66ae56652ed2fca7433a087395a587861cf1
- C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres
  Filesize: 2KB
  MD5: 6a62a1aba4399bfaa527af6434df8b2c
  SHA1: edf971332f4a455cf7f621ec1091eacf088ae40b
  SHA256: 71dc75fa61d5590e509ee53024885f3202c21b45350c2a9f353892d0451b32da
  SHA512: 750d55c0f376a42896a9d3056164b35b0500c984c27e7fe0e08caa62ef97e3af5eaae2d7f322e59929a944ae223cbf2b241480ea04f17f0bd712372f2e04df44
- C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\49dbe2955480c7f6ef8cec9c4320c9868d9293fd.tbres
  Filesize: 2KB
  MD5: c5b5ef2a03a15da8ac71ec86a38e927a
  SHA1: 1852d311495e7024e22c25f6bc507616b78c5f92
  SHA256: 32382781bd229aa141a31f88f26e5da08d6ce78b578be4a956ce3308f3f9147c
  SHA512: 622a0c3779054d756f78a3c7b50c04a10a031cd9a5ad3817b70aa35555118e40f4c6cffe2436bb8bc5daa60153a9fe083db7e3627d3b1b1cf6dcdfde846b9fec
- (path not shown in report)
  Filesize: 262KB
  MD5: 51d32ee5bc7ab811041f799652d26e04
  SHA1: 412193006aa3ef19e0a57e16acf86b830993024a
  SHA256: 6230814bf5b2d554397580613e20681752240ab87fd354ececf188c1eabe0e97
  SHA512: 5fc5d889b0c8e5ef464b76f0c4c9e61bda59b2d1205ac9417cc74d6e9f989fb73d78b4eb3044a1a1e1f2c00ce1ca1bd6d4d07eeadc4108c7b124867711c31810
- (path not shown in report)
  Filesize: 148KB
  MD5: 2ceb8694ef805c34ef3d89d5fbbcf44e
  SHA1: fc2044b96aae4d5bd5e40f8d31bc7b37167be9e7
  SHA256: 305519c1296341b9125c5f405d672d0bf98bd2e61109b510bb3f3c30168f535c
  SHA512: a8ccfcfdffdd14821a691fb1049cb2231d5b3c85c8c403cc48ba77d09487f56868f8a9dfce8a3795be0f14ba8f717a3446ff6ef3b3d049283dbfae947f8db5ee
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
  Filesize: 1KB
  MD5: cf6be6773d2e9c2dbc8f03427d3deb72
  SHA1: 0886439dd249271fbf82dd050273368a2409c798
  SHA256: 39d783ea8ef6298ac9f904df8aa5029c9175a69f2095d8a87ca4a2d5ef65c6e1
  SHA512: 59d301782f61c9b116e8734b84866ee6b67ef0fb0952df2574f6c1433c86bceba2c1f2fd2ea10b5bb90b696874b6b43bd6a73a3b892cce328ab565568efd52e0