Analysis
max time kernel: 144s
max time network: 148s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 15/08/2024, 12:14
Behavioral task: behavioral1
Sample: 9a04baba69f0d82fad499232f0d15a6a_JaffaCakes118.doc
Resource: win7-20240705-en
Behavioral task: behavioral2
Sample: 9a04baba69f0d82fad499232f0d15a6a_JaffaCakes118.doc
Resource: win10v2004-20240802-en
General
Target: 9a04baba69f0d82fad499232f0d15a6a_JaffaCakes118.doc
Size: 242KB
MD5: 9a04baba69f0d82fad499232f0d15a6a
SHA1: bfb701eba30b1491f3605f36f0eb0ba03223557d
SHA256: ed8657615571c88fdd8706bf2f5ca13368a7bcbca7c9ae6e9b052ff901ba97b9
SHA512: 8ec67f6652ef91d2fb502b80907d778f7b950ef36c5c9985aa8f19f6ab359e157bd682ea1647d742c66b8666ab9d694ca83a5ad91a3c76f883d326c20c0e5211
SSDEEP: 3072:bOw0pklIiuq73/IKBdsO8dSWhd4Jl9mhY:bO5pklIo73wAqUW34Jl9mhY
Malware Config
Signatures
Checks processor information in registry (2 TTPs, 6 IoCs)
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | EXCEL.EXE
Enumerates system info in registry (2 TTPs, 6 IoCs)
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | EXCEL.EXE
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
Suspicious behavior: AddClipboardFormatListener (2 IoCs)
pid | Process
1984 | WINWORD.EXE
1984 | WINWORD.EXE
Suspicious use of AdjustPrivilegeToken (1 IoC)
description | pid | Process
Token: SeAuditPrivilege | 3996 | EXCEL.EXE
Suspicious use of SetWindowsHookEx (11 IoCs)
pid | Process
1984 | WINWORD.EXE (7 occurrences)
3996 | EXCEL.EXE (4 occurrences)
Processes
Process: C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\9a04baba69f0d82fad499232f0d15a6a_JaffaCakes118.doc" /o ""
PID: 1984
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
Process: C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
Command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
PID: 3996
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads