Analysis
max time kernel: 144s
max time network: 148s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 15/08/2024, 05:45
Behavioral task: behavioral1
Sample: 99182162ec6fa6c4752150d37e3f8a7b_JaffaCakes118.doc
Resource: win7-20240729-en
Behavioral task: behavioral2
Sample: 99182162ec6fa6c4752150d37e3f8a7b_JaffaCakes118.doc
Resource: win10v2004-20240802-en
General
Target: 99182162ec6fa6c4752150d37e3f8a7b_JaffaCakes118.doc
Size: 242KB
MD5: 99182162ec6fa6c4752150d37e3f8a7b
SHA1: 34443a18c9ed12b81f2d83c410d9b20135194c6e
SHA256: dc200eaa002ca7c77b6a41874ed1905ab31095adab67e438dc0ba94810d9852d
SHA512: c66823a06666c55b609b2e5a54b6b91d429084e10dc50f10a777c94f2cc9f84b71e085d7fe36fa16cbd654534c11a8c51bb6472be39f3b13d637d06c79119bcf
SSDEEP: 1536:Eterikw0HJzwlIiuq73/IKBPdbs0gj5HrTPjyaK/dRYt2tXOrBY81t7jReq5Lqc3:EOw0pklIiuq73/IKBds72dSOKb78WLOG
Malware Config
Signatures
-
Checks processor information in registry (2 TTPs, 6 IoCs)
Processor information is often read in order to detect sandboxing environments. In this run the reads come from WINWORD.EXE and EXCEL.EXE themselves, which commonly query these values during normal startup, so on its own this signature is weak evidence of evasion and needs corroboration from other behaviour.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | EXCEL.EXE
Enumerates system info in registry (2 TTPs, 6 IoCs)
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | EXCEL.EXE
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
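The two registry signatures above are only useful once the reads are correlated per process and weighed against who is doing the reading. The following triage helper is an added example, not part of the tria.ge report or its signature engine: it takes registry events in a constructed "operation|key|process|pid" line format (an assumption, mirroring the description/ioc/Process columns above), normalises the NT and Win32 hive prefixes so that \REGISTRY\MACHINE\Hardware\... and HKLM\HARDWARE\... compare equal, groups the CPU and BIOS value reads per PID, and downgrades hits from Office binaries that are expected to read these keys at startup (the EXPECTED_READERS list is an assumption). The sample events reproduce the WINWORD.EXE/EXCEL.EXE reads from this report plus one constructed powershell.exe reader to show the contrast.

```python
"""Rate registry-based VM/sandbox fingerprinting from per-process registry events."""
from collections import defaultdict

# Values whose reads the "processor information" and "system info" signatures report,
# keyed by normalised path (HKLM prefix, upper case).
FINGERPRINT_VALUES = {
    "HKLM\\HARDWARE\\DESCRIPTION\\SYSTEM\\CENTRALPROCESSOR\\0\\~MHZ": "cpu_clock",
    "HKLM\\HARDWARE\\DESCRIPTION\\SYSTEM\\CENTRALPROCESSOR\\0\\PROCESSORNAMESTRING": "cpu_name",
    "HKLM\\HARDWARE\\DESCRIPTION\\SYSTEM\\BIOS\\SYSTEMFAMILY": "bios_family",
    "HKLM\\HARDWARE\\DESCRIPTION\\SYSTEM\\BIOS\\SYSTEMSKU": "bios_sku",
}

# Assumption: these Office binaries read the values during normal startup, so a hit
# from them is low-fidelity on its own and is reported as "expected-reader".
EXPECTED_READERS = {"WINWORD.EXE", "EXCEL.EXE", "POWERPNT.EXE", "OUTLOOK.EXE"}

# Hive prefixes as they appear in NT object paths and in Win32 tools, mapped to HKLM.
HIVE_ALIASES = (
    ("\\REGISTRY\\MACHINE\\", "HKLM\\"),
    ("HKEY_LOCAL_MACHINE\\", "HKLM\\"),
)


def normalize_key(path):
    """Upper-case the path and rewrite the hive prefix so both spellings compare equal."""
    key = path.strip().upper()
    for long_prefix, short_prefix in HIVE_ALIASES:
        if key.startswith(long_prefix):
            key = short_prefix + key[len(long_prefix):]
            break
    return key


def parse_event(line):
    """Parse one constructed 'operation|key|process|pid' line; None if malformed."""
    parts = [p.strip() for p in line.split("|")]
    if len(parts) != 4 or not parts[3].isdigit():
        return None
    op, key, process, pid = parts
    return {"op": op.lower(), "key": normalize_key(key),
            "process": process.upper(), "pid": int(pid)}


def classify(lines):
    """Group fingerprint value reads per PID and give each process a verdict.

    Only 'key value queried' events count: opening the parent key alone tells
    us nothing about which value was read.
    """
    hits = defaultdict(lambda: {"process": None, "values": set()})
    for line in lines:
        ev = parse_event(line)
        if ev is None or ev["op"] != "key value queried":
            continue
        tag = FINGERPRINT_VALUES.get(ev["key"])
        if tag is None:
            continue
        hits[ev["pid"]]["process"] = ev["process"]
        hits[ev["pid"]]["values"].add(tag)

    results = {}
    for pid, entry in hits.items():
        reads_cpu = any(v.startswith("cpu_") for v in entry["values"])
        reads_bios = any(v.startswith("bios_") for v in entry["values"])
        if entry["process"] in EXPECTED_READERS:
            verdict = "expected-reader"          # needs corroborating behaviour
        elif reads_cpu and reads_bios:
            verdict = "suspicious"               # CPU and firmware probed together
        else:
            verdict = "review"                   # single category, look at context
        results[pid] = {"process": entry["process"],
                        "values": sorted(entry["values"]), "verdict": verdict}
    return results


# Constructed sample: the value reads from this report plus one unexpected reader.
SAMPLE_EVENTS = [
    "Key opened|\\REGISTRY\\MACHINE\\Hardware\\Description\\System\\CentralProcessor\\0|WINWORD.EXE|5052",
    "Key value queried|\\REGISTRY\\MACHINE\\HARDWARE\\DESCRIPTION\\System\\CentralProcessor\\0\\~MHz|WINWORD.EXE|5052",
    "Key value queried|\\REGISTRY\\MACHINE\\HARDWARE\\DESCRIPTION\\System\\CentralProcessor\\0\\ProcessorNameString|WINWORD.EXE|5052",
    "Key value queried|\\REGISTRY\\MACHINE\\HARDWARE\\DESCRIPTION\\System\\BIOS\\SystemFamily|WINWORD.EXE|5052",
    "Key value queried|\\REGISTRY\\MACHINE\\HARDWARE\\DESCRIPTION\\System\\BIOS\\SystemSKU|WINWORD.EXE|5052",
    "Key value queried|\\REGISTRY\\MACHINE\\HARDWARE\\DESCRIPTION\\System\\CentralProcessor\\0\\~MHz|EXCEL.EXE|5036",
    "Key value queried|\\REGISTRY\\MACHINE\\HARDWARE\\DESCRIPTION\\System\\CentralProcessor\\0\\ProcessorNameString|EXCEL.EXE|5036",
    "Key value queried|\\REGISTRY\\MACHINE\\HARDWARE\\DESCRIPTION\\System\\BIOS\\SystemFamily|EXCEL.EXE|5036",
    "Key value queried|\\REGISTRY\\MACHINE\\HARDWARE\\DESCRIPTION\\System\\BIOS\\SystemSKU|EXCEL.EXE|5036",
    # constructed: a non-Office process reading the same values via the Win32 hive name
    "Key value queried|HKEY_LOCAL_MACHINE\\HARDWARE\\DESCRIPTION\\System\\CentralProcessor\\0\\~MHz|powershell.exe|6100",
    "Key value queried|HKEY_LOCAL_MACHINE\\HARDWARE\\DESCRIPTION\\System\\BIOS\\SystemSKU|powershell.exe|6100",
    "malformed line that the parser must skip",
]

if __name__ == "__main__":
    for pid, r in sorted(classify(SAMPLE_EVENTS).items()):
        print(pid, r["process"], r["verdict"], ",".join(r["values"]))
```

Run as-is it prints one line per PID; the two Office processes from this report come out as expected-reader, while the constructed powershell.exe, which touches both the CPU and BIOS values, is rated suspicious. Swap in a real event export and adjust EXPECTED_READERS to your own baseline.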
Suspicious behavior: AddClipboardFormatListener (2 IoCs)
pid | Process
5052 | WINWORD.EXE
5052 | WINWORD.EXE
Suspicious use of AdjustPrivilegeToken (1 IoC)
description | pid | Process
Token: SeAuditPrivilege | 5036 | EXCEL.EXE
Suspicious use of SetWindowsHookEx (11 IoCs)
pid | Process
5052 | WINWORD.EXE (7 hooks)
5036 | EXCEL.EXE (4 hooks)
Processes
-
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\99182162ec6fa6c4752150d37e3f8a7b_JaffaCakes118.doc" /o ""
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID: 5052
-
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID: 5036
Network
MITRE ATT&CK Enterprise v15
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9
Filesize: 471B
MD5: 76cc24a11f49e96f41002c2356a77a48
SHA1: 3068840a3364f8034b6ad3ca849a9215e4a9546a
SHA256: df50058d3ec403b30ace94fb0c61ae485fd1c99c3b4726a1affab76d9eebe7cb
SHA512: d6899eec84fd4f24cfd228786bcfa9a9cbdf9505b453c80c75b24599ca3ea91c203465ac14bd46731a7a1cc8664c83ab56f0f84116d4d6c1af4cbfb0945cbde9
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9
Filesize: 420B
MD5: cbad01eb3378df56669b29fd64ba031b
SHA1: e05bafe857676b9a71fbf0edaf968ab4a81d8497
SHA256: 29b244dc834ef2818847be487c082f8117354d474e31014125b7dc30367ac281
SHA512: 54d0fa7806e5e3e5a57b43032a3e9734226b4f8bbd88348bbc7a2441e6830fb8702d1371dbfe9773e9cdb00348fe338c0c77cfb4e703ce5df587b8ad2b1b15ab
-
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\55A60111-086E-467A-8E5A-CEA7711A8C84
Filesize: 170KB
MD5: 1b9c9af344e0048c5d15a4ff9024afd4
SHA1: 97fc4f690e052dc9511b119e1c58e1a0b00fc70b
SHA256: 4bb1c49d34dbb8a36a318ee66bf25035010fe19f8589bd0986786e27284114b5
SHA512: bfb2384115c319c8b0dc26002989744a9d6a9499b831b8da73324ec53c4e5ea5bc2ecd46b3928b19d7d427326ae32b7e144dbcc62c956bae3474890a24dfb0a2
-
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres
Filesize: 2KB
MD5: e8621b5417489f6ac3996479da0579f3
SHA1: 9ac5425a6bbaddbc8b8f9facaad37bcc7b6d69b4
SHA256: 9e4c3b5a366d416bda16b63363b7ba113fd59a0755e512c217b93b2368918778
SHA512: ec0675b8ff210c8af2e9543fcf08d5c421ac1e03690087ca16a7932124bbce4f004ad2fb9fb4cf8b485c556c1ad90621f509bbfd965608f86479ee3b10e3b498
-
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\49dbe2955480c7f6ef8cec9c4320c9868d9293fd.tbres
Filesize: 2KB
MD5: 3147f9af49db556c4bbc544b2a81f825
SHA1: 9279d333dcb5a37a3c639ae5a443016fa8859ffd
SHA256: 8862e89ea6c13e6271cd9c0aaa47e6b8f81df26752ce056d6d1548c2cba259b3
SHA512: 755e153442830aba996f00a8d2b9d45041be814c1558a5ce24337b63d3d2edecb9154f6bc23013805780c418ad417d431ccd2cfe24be3a2699beaebf98ed8847
-
Filesize: 263KB
MD5: ff0e07eff1333cdf9fc2523d323dd654
SHA1: 77a1ae0dd8dbc3fee65dd6266f31e2a564d088a4
SHA256: 3f925e0cc1542f09de1f99060899eafb0042bb9682507c907173c392115a44b5
SHA512: b4615f995fab87661c2dbe46625aa982215d7bde27cafae221dca76087fe76da4b4a381943436fcac1577cb3d260d0050b32b7b93e3eb07912494429f126bb3d
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
Filesize: 3KB
MD5: 7f0953ab1be9e1089ed3214a3ca39c47
SHA1: 8b20223eedf5e72768ddbb1d7d37e69ad7d18b63
SHA256: 6ebb6ad02775e7704fd4768cf0efef16ca09318e45d63554775a405ce77b4c5c
SHA512: 04fa711c58bed7d472996574b27de161173a54ab6fbe3bfea79fefaee6ee4d6c4da62b6b4a76aa4aab6e32a65014635d1a261bffbc3f3f2f520cd4cbc61c69a4