Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
144s -
max time network
125s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
15/08/2024, 18:38
Behavioral task
behavioral1
Sample
9b2c4bb79d5f2601d627f4157d0f58ff_JaffaCakes118.doc
Resource
win7-20240705-en
Behavioral task
behavioral2
Sample
9b2c4bb79d5f2601d627f4157d0f58ff_JaffaCakes118.doc
Resource
win10v2004-20240802-en
General
-
Target
9b2c4bb79d5f2601d627f4157d0f58ff_JaffaCakes118.doc
-
Size
235KB
-
MD5
9b2c4bb79d5f2601d627f4157d0f58ff
-
SHA1
f52b8b57b92c899973b4b3ee1c88ce792b55e587
-
SHA256
503dc4cb42caf34593bb5c25ed0b6eb44a6487f98be0866e14db37f8df050cee
-
SHA512
535d9b2c78654bc52b7c79e169c3ca4c96a3e689f0b9fbca3f5a3e920709746d2596db61707b1ed1f758a662be8161687b353d943efcafce5d0285d9627158db
-
SSDEEP
3072:LUwxv5OsmqrmrAKHIedS9DKJlzoQzVT2i:LUgv5O4rmECU92vzoQhyi
Malware Config
Signatures
-
Checks processor information in registry 2 TTPs 15 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WINWORD.EXE Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz EXCEL.EXE Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz EXCEL.EXE Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString EXCEL.EXE Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz EXCEL.EXE -
Enumerates system info in registry 2 TTPs 15 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WINWORD.EXE Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WINWORD.EXE Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU EXCEL.EXE Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily EXCEL.EXE Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily WINWORD.EXE -
Suspicious behavior: AddClipboardFormatListener 4 IoCs
pid Process 1752 WINWORD.EXE 1752 WINWORD.EXE 640 WINWORD.EXE 640 WINWORD.EXE -
Suspicious use of AdjustPrivilegeToken 3 IoCs
description pid Process Token: SeAuditPrivilege 1100 EXCEL.EXE Token: SeAuditPrivilege 1752 EXCEL.EXE Token: SeAuditPrivilege 868 EXCEL.EXE -
Suspicious use of SetWindowsHookEx 29 IoCs
pid Process 1752 WINWORD.EXE 1752 WINWORD.EXE 1752 WINWORD.EXE 1752 WINWORD.EXE 1752 WINWORD.EXE 1752 WINWORD.EXE 1752 WINWORD.EXE 1100 EXCEL.EXE 1100 EXCEL.EXE 1100 EXCEL.EXE 1100 EXCEL.EXE 640 WINWORD.EXE 640 WINWORD.EXE 640 WINWORD.EXE 640 WINWORD.EXE 640 WINWORD.EXE 640 WINWORD.EXE 640 WINWORD.EXE 640 WINWORD.EXE 640 WINWORD.EXE 640 WINWORD.EXE 1752 EXCEL.EXE 1752 EXCEL.EXE 1752 EXCEL.EXE 1752 EXCEL.EXE 868 EXCEL.EXE 868 EXCEL.EXE 868 EXCEL.EXE 868 EXCEL.EXE
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\9b2c4bb79d5f2601d627f4157d0f58ff_JaffaCakes118.doc" /o ""1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1752
-
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1100
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /Automation -Embedding1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:640
-
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1752
-
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:868
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A
Filesize471B
MD551905ddc0460ebee130ce05d513de376
SHA1009d9dc86413404e8487b268b05eb28447948b8f
SHA256e061ba1effc0b17cc68218678567f150b9e48e08dbf33943cdaa93535d59994f
SHA512beb6081cea245fc47d72fdd92824ef0893a6f1e099c2848b4c8d3fd71ad274fc18b040b839a9cee9646154761a072af75ca47a825ea2e647c52aa0f948cc93f7
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A
Filesize412B
MD5e8106251d8b6cc98ca0223d1dd297268
SHA1ab073e620a4c3c4d0e1d839033263fc0636fdc03
SHA2568bf584d2aac834e22dda2dc92d8586a857b980f450120ebfd81dcaab494e642a
SHA51290dcec50e4e2fb3d235373f2a7874f340f7b8b79647ef436f792d5e5c04baba40a438f4331d59e03cef62f55665f5a9a049c2b9bcd8d2270167e68c9aa52536f
-
Filesize
21B
MD5f1b59332b953b3c99b3c95a44249c0d2
SHA11b16a2ca32bf8481e18ff8b7365229b598908991
SHA256138e49660d259061d8152137abd8829acdfb78b69179890beb489fe3ffe23e0c
SHA5123c1f99ecc394df3741be875fbe8d95e249d1d9ac220805794a22caf81620d5fdd3cce19260d94c0829b3160b28a2b4042e46b56398e60f72134e49254e9679a4
-
Filesize
417B
MD5c56ff60fbd601e84edd5a0ff1010d584
SHA1342abb130dabeacde1d8ced806d67a3aef00a749
SHA256200e8cc8dd12e22c9720be73092eafb620435d4569dbdcdba9404ace2aa4343c
SHA512acd2054fddb33b55b58b870edd4eb6a3cdd3131dfe6139cb3d27054ac2b2a460694c9be9c2a1da0f85606e95e7f393cf16868b6c654e78a664799bc3418da86e
-
Filesize
87B
MD5e4e83f8123e9740b8aa3c3dfa77c1c04
SHA15281eae96efde7b0e16a1d977f005f0d3bd7aad0
SHA2566034f27b0823b2a6a76fe296e851939fd05324d0af9d55f249c79af118b0eb31
SHA512bd6b33fd2bbce4a46991bc0d877695d16f7e60b1959a0defc79b627e569e5c6cac7b4ad4e3e1d8389a08584602a51cf84d44cf247f03beb95f7d307fbba12bb9
-
Filesize
14B
MD56ca4960355e4951c72aa5f6364e459d5
SHA12fd90b4ec32804dff7a41b6e63c8b0a40b592113
SHA25688301f0b7e96132a2699a8bce47d120855c7f0a37054540019e3204d6bcbaba3
SHA5128544cd778717788b7484faf2001f463320a357db63cb72715c1395ef19d32eec4278bab07f15de3f4fed6af7e4f96c41908a0c45be94d5cdd8121877eccf310d
-
Filesize
512KB
MD5aaa41ff989a2c80d5bdf43a7f1e35fcb
SHA1ac7fb49c17b108a65a35bbfb6a9f3b54527fa1e3
SHA256ff9e7c98f3762ab05df630fff5c8d4800083db417f0d40d97b239c4f2345658b
SHA5120d7eac8d56f20a05598c6900fbd89b2928805b31c43b76edc6115f2d231babf95a964a2f74ca9a0b388f031e82972d5f4f092838621d930fff6f096d7ef22268
-
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\483F61B7-9E5E-43BB-A4B9-308131F5E417
Filesize170KB
MD576b99c1644f9f6ce9efe464f1eda13c5
SHA14deac1fc0dce5cff7ebaa9fd4a809f3e2579b619
SHA2563f1232fab7c929e964d7b6ea3ab69de2cba0a00fe0ff40bef615d4de29482c74
SHA512dc08f84bdbf71d4eff2b51e872ef7eab71f906b042d8bfeaa907d738a8c8f5ce26e1378c0cf273291cb6f0d4976e18b5c38c78b3cf2698ec335f97b12e944a1b
-
Filesize
320KB
MD51860cdd48aea9511bbd598c3d6e80ec2
SHA14d80fb389297d1b42330fc9cc043890b7de843ef
SHA256c72ac8cb5ac91290357dd9c931f52757bd17d6792cc0b6cda581e4f97d72f035
SHA51264718fa5631271dd34463b67d7c95c87ffa80f914f61d2dfd2b33262ad9e7aaa8e3ba5ec6b53e39c8eea8a8baa0b0364dfa0954d1192ab483e07dc1f8a5485e5
-
Filesize
331KB
MD52d72c7fd107986dff9d09acdd4f8255f
SHA1f60da83ed901faee7352589e46ae5a361a33af2a
SHA2562bacf273a6b20fab94aec2c3c2fa483a24e62b36070121cd0dfd40ccfdf5be8a
SHA512063c9a0b595480d50d3c5581d9cd4b15242c32f1ca9d24c72673835a577a8187a398ab214cea86a6c04a8e425fa81591be0369be80c9a1c66128a7672c039f93
-
Filesize
11KB
MD55a9c28403db6b04912978049280d26fb
SHA1f18900841e55ec1c41a7cbd4924adb216601e7f2
SHA2564e444e83daba1dc152854106d9b90aabc0b53091a9b6d6c915b14bba0614ad45
SHA5126af8078da71563e90af66ee77ebc303b54fbf2a7c9e12a72139e05a16111520846abfd355e6e78e78255dd949a0ccebbbf6902493abb4c68f7bca9f6588da877
-
Filesize
24KB
MD5085ebd119f5fc6b8f63720fac1166ff5
SHA1af066018aadec31b8e70a124a158736aca897306
SHA256b8411fe8ec499074fca9047f6983d920279e84ddf3b02b2dd5c08cf07ec44687
SHA512adb0522830db26123347cb485c43b156f5c888510e52091ba0fafc22b650ad29630c027746c920321905c28259dce7ff63dded93a79efddd5567c68312117875
-
Filesize
4KB
MD570984c9f3971116f00f547429c71953a
SHA10b529e23df2b58107e5b5450201ed836be71af16
SHA2560e96207e61db512f37c997cbe227cc484e089dbae41f81aa78c048ade0878ed4
SHA51224d23bb929bd2aafde0c12982792fa3a24011de347aeba7a8fa02ceaa57ff8a30dea0101e7cc1d6af73d39ee22f301a2593116a6cad85a98edefb11cf19cb129
-
Filesize
8KB
MD53a8c7b64df5d6f7e7ad1a7c27deb718d
SHA1905ef917e7808e5e14b0601b87d63cf1e33b37f2
SHA256e13ca34742aebfe6cbab62129adb966cd6c906f0d539e506f6743ae920309ac0
SHA512178552a2778eacf2db070258bf7423b27f8de8a8b5a3ed42b017f2710928da48d75cdec90740370631805dee0f39239828f66e48fec410342dbe692c7ae4913f
-
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres
Filesize2KB
MD5281e41d048fc3d7129ff6f066948c789
SHA13c08ed95f2bdeda7adb2a742db9eed69d9cb1554
SHA2562ec71f38266e6a958a1b14d9897c90cab23402281c02aaa9415eac898f423608
SHA5120ccd272e038dfac2cdb6546d84211d909b4106e2bec477791c6bee8b85acffd9591333c7ef7701d8f589a5ce3ae401a22b70d8e86773a67fbc9a07cf6d560ab8
-
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\49dbe2955480c7f6ef8cec9c4320c9868d9293fd.tbres
Filesize2KB
MD52efb1bb1547971ab546be186a012317c
SHA16f94f8cec2f3e111493f3f44edf07cd99705264e
SHA2568d8309d7aff1f350092384a912f9f4b2fce6ed727c69fd9892e5ec741a6650a2
SHA51206e5cea6ddeca74fc82e0c71f9e1360f4a9e162ce7b4a406f1e58ba7dc0a4a5cc3a8f7c78d8fd76f608151e441c0b854e248791e4b52755e2bda1446f235bdd9
-
Filesize
262KB
MD551d32ee5bc7ab811041f799652d26e04
SHA1412193006aa3ef19e0a57e16acf86b830993024a
SHA2566230814bf5b2d554397580613e20681752240ab87fd354ececf188c1eabe0e97
SHA5125fc5d889b0c8e5ef464b76f0c4c9e61bda59b2d1205ac9417cc74d6e9f989fb73d78b4eb3044a1a1e1f2c00ce1ca1bd6d4d07eeadc4108c7b124867711c31810
-
Filesize
148KB
MD5993d390f3225644761a9718909a18cf5
SHA1d41b30ccd7472f770edc7cd1431465bbd698b607
SHA2565513730692cd95af25af87870d93558e04d4e1f3a43c4bed1fb96c6b4e0bd226
SHA512ad08bf2a4fc348b70c4ac7270d0e84141794a712d22605566073b47cb0cf9d0fd970e058c5a2b0e65e5c2b1a36d72d372c40c85a56f92df33d82fa3802c3510f
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
Filesize1KB
MD5d0984f7953b86ba9939910feacd38214
SHA105ed78a1594ac514036dc75e2826848b27abca31
SHA256d2ead010c732bb198119b6ceba2458ded462f3b6d05d67f5c099965ba29d0197
SHA5124e393d3e35925f91ec807efd354752fa76ff961ed931e49cbf2054c09ac139dc29fb2cab08f89a8ecc0ac2f3de9890788b012efd0f1e08b0d85d58d171508156