Analysis
- max time kernel: 149s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 15/08/2024, 21:09
Behavioral task behavioral1
- Sample: 9b9efee36f7392e3f79958d0769e8e98_JaffaCakes118.doc
- Resource: win7-20240708-en
Behavioral task behavioral2
- Sample: 9b9efee36f7392e3f79958d0769e8e98_JaffaCakes118.doc
- Resource: win10v2004-20240802-en
General
- Target: 9b9efee36f7392e3f79958d0769e8e98_JaffaCakes118.doc
- Size: 241KB
- MD5: 9b9efee36f7392e3f79958d0769e8e98
- SHA1: 7cc675d528dbe8d128d7c67c5490d097e4f448ba
- SHA256: b099ef613e5c00e6b301e1bf60ac4eeece9aa7fade00366a2cb5eee903304934
- SHA512: 9181d878c1d84177407d92a23bb594db4b406bef47f34667fc2a1c8d21fc2ddc8cf836f81bd1b878714a327f936f3c2a7967c498e059e623962c1a76678c74b2
- SSDEEP: 3072:qvw9HXPJguq73/IKBWyhAdSioQP5GAroV0:qvKHXPJi73wAQUT+
Malware Config
Signatures
- Checks processor information in registry (2 TTPs, 6 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  description        ioc                                                                           process
  Key opened         \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0              WINWORD.EXE
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz         WINWORD.EXE
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  WINWORD.EXE
  Key opened         \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0              EXCEL.EXE
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz         EXCEL.EXE
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  EXCEL.EXE
- Enumerates system info in registry (2 TTPs, 6 IoCs)
  description        ioc                                                                           process
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU                  EXCEL.EXE
  Key opened         \REGISTRY\MACHINE\Hardware\Description\System\BIOS                            WINWORD.EXE
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily               WINWORD.EXE
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU                  WINWORD.EXE
  Key opened         \REGISTRY\MACHINE\Hardware\Description\System\BIOS                            EXCEL.EXE
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily               EXCEL.EXE
- Suspicious behavior: AddClipboardFormatListener (2 IoCs)
  pid   process
  1524  WINWORD.EXE
  1524  WINWORD.EXE
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  description              pid   process
  Token: SeAuditPrivilege  4800  EXCEL.EXE
- Suspicious use of SetWindowsHookEx (11 IoCs)
  pid   process      occurrences
  1524  WINWORD.EXE  7
  4800  EXCEL.EXE    4
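The two registry signatures above are generic heuristics: both hits come from the Office binaries themselves, each process is a top-level process in the tree, and the Network section records nothing, so the matches are a weak signal on their own and are mainly useful for correlation. The script below is an added example, not part of the tria.ge report or its signature engine. It takes registry-access events in the shape of the IoC tables (constructed sample events, copied from the tables plus one benign read that must not match), normalises the key paths (the report mixes `\REGISTRY\MACHINE\Hardware\Description\...` and `\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\...`, and other telemetry writes `HKLM\...`), matches the CPU and BIOS descriptor keys the report lists, reproduces the per-signature IoC counts, and names the processes that touch both key families. The signature names and regexes are my own approximation of what the report's labels cover, not tria.ge's definitions.

```python
import re
from collections import defaultdict

# Constructed events in the form (process, operation, registry path), modelled on the
# report's IoC tables. Case differs between events exactly as it does in the report.
SAMPLE_EVENTS = [
    ("WINWORD.EXE", "Key opened", r"\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0"),
    ("WINWORD.EXE", "Key value queried", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz"),
    ("WINWORD.EXE", "Key value queried", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString"),
    ("EXCEL.EXE", "Key opened", r"\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0"),
    ("EXCEL.EXE", "Key value queried", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz"),
    ("EXCEL.EXE", "Key value queried", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString"),
    ("EXCEL.EXE", "Key value queried", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU"),
    ("WINWORD.EXE", "Key opened", r"\REGISTRY\MACHINE\Hardware\Description\System\BIOS"),
    ("WINWORD.EXE", "Key value queried", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily"),
    ("WINWORD.EXE", "Key value queried", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU"),
    ("EXCEL.EXE", "Key opened", r"\REGISTRY\MACHINE\Hardware\Description\System\BIOS"),
    ("EXCEL.EXE", "Key value queried", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily"),
    # Constructed benign read (assumed key name) that must not match either signature.
    ("WINWORD.EXE", "Key value queried", r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Office\16.0\Common\InstallRoot"),
]

# Approximate signature definitions (mine, not tria.ge's): regex over the upper-cased native path.
# "Key opened" events match the bare key; "Key value queried" events match key plus value name.
SIGNATURES = {
    "Checks processor information in registry": re.compile(
        r"^\\REGISTRY\\MACHINE\\HARDWARE\\DESCRIPTION\\SYSTEM\\CENTRALPROCESSOR\\\d+"
        r"(\\(~MHZ|PROCESSORNAMESTRING))?$"
    ),
    "Enumerates system info in registry": re.compile(
        r"^\\REGISTRY\\MACHINE\\HARDWARE\\DESCRIPTION\\SYSTEM\\BIOS"
        r"(\\(SYSTEMSKU|SYSTEMFAMILY))?$"
    ),
}


def normalise(path: str) -> str:
    """Map HKLM-style prefixes onto the native \\REGISTRY\\MACHINE form and upper-case for matching."""
    p = path.strip()
    for prefix in ("HKEY_LOCAL_MACHINE\\", "HKLM\\"):
        if p.upper().startswith(prefix):
            p = "\\REGISTRY\\MACHINE\\" + p[len(prefix):]
    return p.upper()


def match_signatures(events):
    """Return {signature: {process: [(operation, path), ...]}} for every event hitting a signature."""
    hits = defaultdict(lambda: defaultdict(list))
    for process, operation, path in events:
        norm = normalise(path)
        for name, pattern in SIGNATURES.items():
            if pattern.match(norm):
                hits[name][process.upper()].append((operation, path))
    return hits


def summarise(hits):
    """Report-style one-liners: signature name, total IoC count, and per-process counts."""
    lines = []
    for name in SIGNATURES:
        per_proc = hits.get(name, {})
        total = sum(len(v) for v in per_proc.values())
        procs = ", ".join(f"{p} ({len(v)})" for p, v in sorted(per_proc.items()))
        lines.append(f"{name}: {total} IoCs [{procs}]")
    return lines


def fingerprinting_processes(hits):
    """Processes that hit both the CPU and the BIOS signature, i.e. read a full hardware fingerprint."""
    cpu, bios = list(SIGNATURES)
    return sorted(set(hits.get(cpu, {})) & set(hits.get(bios, {})))


if __name__ == "__main__":
    results = match_signatures(SAMPLE_EVENTS)
    for line in summarise(results):
        print(line)
    print("processes reading both CPU and BIOS descriptors:", fingerprinting_processes(results))
```

Run against the constructed events this reproduces the report's "6 IoCs" for each signature (three per process) and flags both WINWORD.EXE and EXCEL.EXE as reading the full CPU-plus-BIOS fingerprint. To turn this into something more than a restatement of the report, feed it the same event shape from a richer source (Sysmon Event ID 12/13 or Procmon output) and weight the result by what else the process does afterwards; a hardware-descriptor read followed by a child process or network connection is the combination worth alerting on, the reads alone are not.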
Processes
- C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE (PID 1524)
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\9b9efee36f7392e3f79958d0769e8e98_JaffaCakes118.doc" /o ""
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
- C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE (PID 4800)
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A
  Filesize: 471B
  MD5: 51905ddc0460ebee130ce05d513de376
  SHA1: 009d9dc86413404e8487b268b05eb28447948b8f
  SHA256: e061ba1effc0b17cc68218678567f150b9e48e08dbf33943cdaa93535d59994f
  SHA512: beb6081cea245fc47d72fdd92824ef0893a6f1e099c2848b4c8d3fd71ad274fc18b040b839a9cee9646154761a072af75ca47a825ea2e647c52aa0f948cc93f7
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A
  Filesize: 412B
  MD5: e738dec61644a3db10596bc7a38b1f63
  SHA1: f44103805b388692cde3365631143b261a5a7ea4
  SHA256: abf9229bbe5f563865c95ea1e455ea0013d9bf6d9444f65e8439c7982c6a0361
  SHA512: 8dad23b8b065455fc495db108af73d205d418b31b6e1115c0ad4bebddd1b3ec8ba5027c69e64f3a71f73eb6bf70e1bc7fd1703e07c8f14763dbae6a818abf5ac
- C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\0259B824-C8B2-49CB-B906-7750EB6D3656
  Filesize: 170KB
  MD5: 9234efd4e4438f384205e00af484660b
  SHA1: 7b50fd731148773dc18accbc85301ffe7a730048
  SHA256: a83474b679b5c2f0812a1ce10d64fbfc764f487e3d2d772a81e4296b026e848e
  SHA512: 739ee4e5be31045cfa6b79ce322d780bccd758b6abd610d06d7c00e1ae05bea4816017f06039700278ee0b5c910c24f9758a5d4dafdc62816febb12439afa140
- C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres
  Filesize: 2KB
  MD5: dfbb5e5ea66fc9c953099b2c3fc2624a
  SHA1: d87b7756562b4fff9743e777b1fdb28596509f1a
  SHA256: 4b8f7e0bfafd5bd42cf10f67708ecc39fe9e2bca303968cc9e8c7f8ea9892991
  SHA512: 5c8f8822889f564bbcee7b5598966a2e2796b1c8eef786e8c68655b5a46a0258ab666e907f70ecaf5d4b910699ba71f48bbbbc8e0c663c79e03b696746a90cf5
- C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\49dbe2955480c7f6ef8cec9c4320c9868d9293fd.tbres
  Filesize: 2KB
  MD5: ff9ef464ff3a8e32f687dad5397cfc50
  SHA1: 405631990a4f561dbca77dd1148c58469e8f6519
  SHA256: f877d59dba5304992c9e9b33dfc90dafda7b219c51c61558d079b0a0f0758a37
  SHA512: 3ca2dd989f4b117928adaaabfbedff34b7d58f6f1eb6b4b5775860b6dcfb154da523b197c0020a4b065fc1e25719f773822658ccfcab1ee74e4db8f440fab9fa
- (path not recorded on the page)
  Filesize: 245KB
  MD5: f883b260a8d67082ea895c14bf56dd56
  SHA1: 7954565c1f243d46ad3b1e2f1baf3281451fc14b
  SHA256: ef4835db41a485b56c2ef0ff7094bc2350460573a686182bc45fd6613480e353
  SHA512: d95924a499f32d9b4d9a7d298502181f9e9048c21dbe0496fa3c3279b263d6f7d594b859111a99b1a53bd248ee69b867d7b1768c42e1e40934e0b990f0ce051e
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
  Filesize: 2KB
  MD5: af28841633e0be668a5304192fc3f352
  SHA1: a085c08fb3671833bccb4668aeedd3b56081044e
  SHA256: 6e07900b852beed17e14741aa76268c22896e8df366a92a5bfd05495e807e0d7
  SHA512: 03f6ae14f8ad7a9e3719d7e9261fa3cf37ea31ee892ae62070b4f5a888388fd12941ba00dac0284d1528bc5f3667b89e4adf8f3e07e0d2f01d96e67e2588625d