Analysis
- max time kernel: 144s
- max time network: 149s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 16/08/2024, 02:15
Behavioral task: behavioral1
- Sample: 9c9013e611ebbbbdddaa4e0e01494262_JaffaCakes118.doc
- Resource: win7-20240708-en
Behavioral task: behavioral2
- Sample: 9c9013e611ebbbbdddaa4e0e01494262_JaffaCakes118.doc
- Resource: win10v2004-20240802-en
General
- Target: 9c9013e611ebbbbdddaa4e0e01494262_JaffaCakes118.doc
- Size: 241KB
- MD5: 9c9013e611ebbbbdddaa4e0e01494262
- SHA1: 4f9a2643c7b3db7bfb47c955f83654cdbd35da79
- SHA256: 68c6883719fdb97cee4036fedfd965d88a683c1af9597b51a008180d2361f15d
- SHA512: dd60b0554b95aaa7d5ca619af8e1a356a97e9a0505e9cd0ac384bc147861878ebbf35d8e4a96727554c1885ce96fbb46c6bc76ddafb2878d93b471fe491eccbd
- SSDEEP: 3072:gvw9HXPJguq73/IKBWyuMdSQHgJLrL2h2hrtc:gvKHXPJi73wA9UpJLX2IhS
Malware Config
Signatures
- Checks processor information in registry (2 TTPs, 6 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  description        ioc                                                                                    Process
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  WINWORD.EXE
  Key opened         \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0                      EXCEL.EXE
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz                 EXCEL.EXE
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  EXCEL.EXE
  Key opened         \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0                      WINWORD.EXE
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz                 WINWORD.EXE
- Enumerates system info in registry (2 TTPs, 6 IoCs)
  description        ioc                                                          Process
  Key opened         \REGISTRY\MACHINE\Hardware\Description\System\BIOS           WINWORD.EXE
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily  WINWORD.EXE
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU     WINWORD.EXE
  Key opened         \REGISTRY\MACHINE\Hardware\Description\System\BIOS           EXCEL.EXE
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily  EXCEL.EXE
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU     EXCEL.EXE
- Suspicious behavior: AddClipboardFormatListener (2 IoCs)
  pid   Process
  3588  WINWORD.EXE
  3588  WINWORD.EXE
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  description              pid   Process
  Token: SeAuditPrivilege  3976  EXCEL.EXE
- Suspicious use of SetWindowsHookEx (11 IoCs)
  pid   Process
  3588  WINWORD.EXE (7 occurrences)
  3976  EXCEL.EXE (4 occurrences)
Processes
- C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\9c9013e611ebbbbdddaa4e0e01494262_JaffaCakes118.doc" /o ""
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  PID: 3588
- C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID: 3976
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\F4C766D1-1FF9-431E-803E-6E5EC8F05F75
  Filesize: 170KB
  MD5: a1a3a56678b2ec0c1a8d00e0fed5c6e7
  SHA1: 75da0f957524c52a8c6b0c06b84eafc0cca34fd3
  SHA256: b7a415a03c8d7dc5874348cd76af779039785526c3c8d8af94d0b1a5c0f01aa3
  SHA512: f80b537a62f5a01b4e2f35770c2d2e0b6259e19ffb18b5a22602c3d738e0658dc0bb64f9bff8b12520bee8da1700f1e1339bdf5f9785d5f9a031b76b4998ee0a
- C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres
  Filesize: 2KB
  MD5: 3d819c947af1daf23706a1f2126d3200
  SHA1: bb6ffd4f6b94c2c98da7346dcaa400ba8a8711c1
  SHA256: 4ede20a15c20821b5ee6c7580400cfd717b733149f99c5e0f0e5498284e59505
  SHA512: 6bba33505bedb2b55d9a7d901095ebc8367ca72a15ab2e87c1c3e8ff1bca5d6a63cd86669463d33c88c6ca71f8cd97e39ea2a7697ecc06d9db8760370500d77c
- C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\49dbe2955480c7f6ef8cec9c4320c9868d9293fd.tbres
  Filesize: 2KB
  MD5: 149ae3681f66ba19908501ba07177f59
  SHA1: 7177ee3a509c9a51450c78c360db6a39888eebc8
  SHA256: cb8bfc8f3d6a0a2993c26ffeca3b0618c36c64b7d77fffad359993d017ffcdbb
  SHA512: 503523d5a4680dd9b08eddb55fccdee459d96961b13521f8114166679ec881ce995fa91a554aeb7dbb2541e5faade12904dc9649c95a07d0d6f2e300f2616428
- (path not given in the report)
  Filesize: 263KB
  MD5: ff0e07eff1333cdf9fc2523d323dd654
  SHA1: 77a1ae0dd8dbc3fee65dd6266f31e2a564d088a4
  SHA256: 3f925e0cc1542f09de1f99060899eafb0042bb9682507c907173c392115a44b5
  SHA512: b4615f995fab87661c2dbe46625aa982215d7bde27cafae221dca76087fe76da4b4a381943436fcac1577cb3d260d0050b32b7b93e3eb07912494429f126bb3d
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
  Filesize: 3KB
  MD5: 05354f031baeddb5d0596cac03b0ba2c
  SHA1: 5314f844cf6a31aad7948d00fa4d54f7f499db68
  SHA256: b381c9cca2c016711c3d3a910bd61cfd7b6e2133d86c7004b9c547fdecf80692
  SHA512: 62bd8a3c3d1771ecfbf1b733141b00c37ac5070215abf2fd35ad5056435b80bbfa2ed5d91cf6b2fa3236d234d0652c6b1bc5fb8575e9978c735ad2973f5ee94d