Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
140s -
max time network
130s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
16/08/2024, 11:43
Behavioral task
behavioral1
Sample
9e39301bebcce3f25a47854bfa890673_JaffaCakes118.doc
Resource
win7-20240708-en
Behavioral task
behavioral2
Sample
9e39301bebcce3f25a47854bfa890673_JaffaCakes118.doc
Resource
win10v2004-20240802-en
General
-
Target
9e39301bebcce3f25a47854bfa890673_JaffaCakes118.doc
-
Size
204KB
-
MD5
9e39301bebcce3f25a47854bfa890673
-
SHA1
63191238b7992b09d30a32cfb66883fbcbb9ed3b
-
SHA256
21e1ef60214dc04018b919609502116286303b4374dc3ac5966aa923fac9616c
-
SHA512
f6a7331a375346ae6fbc654c3afab6e190587747c60db1c35825d6d8f2c54bf9d4796ce47c4303d8399547265db9210b8a07859d754713afc0426ec0242f872a
-
SSDEEP
1536:MtPrT8wrLT0NeXxz1DweKHrTPwya5J8b6mKytDTtldNO8wIj:M2w3keXxz1DfiylADTNNqa
Malware Config
Signatures
-
Checks processor information in registry 2 TTPs 15 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz EXCEL.EXE Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WINWORD.EXE Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WINWORD.EXE Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WINWORD.EXE Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString EXCEL.EXE Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WINWORD.EXE -
Enumerates system info in registry 2 TTPs 15 IoCs
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WINWORD.EXE Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily WINWORD.EXE Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU EXCEL.EXE Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU EXCEL.EXE Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily EXCEL.EXE Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS EXCEL.EXE -
Suspicious behavior: AddClipboardFormatListener 4 IoCs
pid Process 3632 WINWORD.EXE 3632 WINWORD.EXE 448 WINWORD.EXE 448 WINWORD.EXE -
Suspicious use of AdjustPrivilegeToken 3 IoCs
description pid Process Token: SeAuditPrivilege 496 EXCEL.EXE Token: SeAuditPrivilege 1788 EXCEL.EXE Token: SeAuditPrivilege 468 EXCEL.EXE -
Suspicious use of SetWindowsHookEx 29 IoCs
pid Process 3632 WINWORD.EXE 3632 WINWORD.EXE 3632 WINWORD.EXE 3632 WINWORD.EXE 3632 WINWORD.EXE 3632 WINWORD.EXE 3632 WINWORD.EXE 496 EXCEL.EXE 496 EXCEL.EXE 496 EXCEL.EXE 496 EXCEL.EXE 448 WINWORD.EXE 448 WINWORD.EXE 448 WINWORD.EXE 448 WINWORD.EXE 448 WINWORD.EXE 448 WINWORD.EXE 448 WINWORD.EXE 448 WINWORD.EXE 448 WINWORD.EXE 448 WINWORD.EXE 1788 EXCEL.EXE 1788 EXCEL.EXE 1788 EXCEL.EXE 1788 EXCEL.EXE 468 EXCEL.EXE 468 EXCEL.EXE 468 EXCEL.EXE 468 EXCEL.EXE
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\9e39301bebcce3f25a47854bfa890673_JaffaCakes118.doc" /o ""1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:3632
-
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:496
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /Automation -Embedding1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:448
-
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1788
-
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:468
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A
Filesize471B
MD5f5620c92cbdc293c3ae3aae31aef598b
SHA11f2b47a9ddcf2e644eb45eba39cdbf02ab292bda
SHA256a31cb1fb5b8ae640c14a44be54ba89c30034b42c9638b264583e38924e787f12
SHA5126009ec07f3853df80436f80e3d81a5d95d0d2ff2d501d46b6854438bfa16447e6a787f6610556b957e0e950087109145b6f94de08232d4a085035427e8db7c24
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A
Filesize412B
MD57b00aadb86c7ca6a9e2e13afc03f4e12
SHA1328dee04af21b9ae30166582430df63998cadbfd
SHA256305aa8c67c4037f33832b6c0fc8f6c5be0bc480362753814692067bef587fd51
SHA512ef8ca924481ad0af45d58275d3017b134101164ee931fbc411e07c929d4cbb46a2d95cbec8a2fc3f168a079c9a7a8ea45526cc7647cecb5e531c6e47a8727381
-
Filesize
21B
MD5f1b59332b953b3c99b3c95a44249c0d2
SHA11b16a2ca32bf8481e18ff8b7365229b598908991
SHA256138e49660d259061d8152137abd8829acdfb78b69179890beb489fe3ffe23e0c
SHA5123c1f99ecc394df3741be875fbe8d95e249d1d9ac220805794a22caf81620d5fdd3cce19260d94c0829b3160b28a2b4042e46b56398e60f72134e49254e9679a4
-
Filesize
417B
MD5c56ff60fbd601e84edd5a0ff1010d584
SHA1342abb130dabeacde1d8ced806d67a3aef00a749
SHA256200e8cc8dd12e22c9720be73092eafb620435d4569dbdcdba9404ace2aa4343c
SHA512acd2054fddb33b55b58b870edd4eb6a3cdd3131dfe6139cb3d27054ac2b2a460694c9be9c2a1da0f85606e95e7f393cf16868b6c654e78a664799bc3418da86e
-
Filesize
87B
MD5e4e83f8123e9740b8aa3c3dfa77c1c04
SHA15281eae96efde7b0e16a1d977f005f0d3bd7aad0
SHA2566034f27b0823b2a6a76fe296e851939fd05324d0af9d55f249c79af118b0eb31
SHA512bd6b33fd2bbce4a46991bc0d877695d16f7e60b1959a0defc79b627e569e5c6cac7b4ad4e3e1d8389a08584602a51cf84d44cf247f03beb95f7d307fbba12bb9
-
Filesize
14B
MD56ca4960355e4951c72aa5f6364e459d5
SHA12fd90b4ec32804dff7a41b6e63c8b0a40b592113
SHA25688301f0b7e96132a2699a8bce47d120855c7f0a37054540019e3204d6bcbaba3
SHA5128544cd778717788b7484faf2001f463320a357db63cb72715c1395ef19d32eec4278bab07f15de3f4fed6af7e4f96c41908a0c45be94d5cdd8121877eccf310d
-
Filesize
512KB
MD58867e02c27e1adfd64dbd9cd1d8e6d76
SHA10ed191d90935a08a5256b20f0c8cc9c3ddfd0516
SHA256d761082012e5c49153de68c25b4bc5bd10c9623cf4d11b484840184fe2cbcb42
SHA512604c538714683f11ec7e01a92a98c7c275f7fc69a68d2038180a6e3ea834b08d7b4e2df29dfe78aaa06802a2f8e81b9db935d7c510cc74ce608a8efc38b1a0a1
-
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\DC4536BD-05AF-4E73-B030-BB4792332601
Filesize170KB
MD578c89da322724fb7b49bc96189eb06be
SHA1a87ab0e399dc9e9b0160ba7eea430c2d6b8ce38d
SHA256770cb908b96daaff3ee26f0d28bcb3d9b3d51be40b729cf4d57e7a01853b09bf
SHA512aedd7ee1efa397b7c194f20cb94df0eed759475ad84aa4af02f6be10e0a25116da8e7b4edba87761f61829202d907668cb18e417b8457d73285e61523e045ecf
-
Filesize
320KB
MD51860cdd48aea9511bbd598c3d6e80ec2
SHA14d80fb389297d1b42330fc9cc043890b7de843ef
SHA256c72ac8cb5ac91290357dd9c931f52757bd17d6792cc0b6cda581e4f97d72f035
SHA51264718fa5631271dd34463b67d7c95c87ffa80f914f61d2dfd2b33262ad9e7aaa8e3ba5ec6b53e39c8eea8a8baa0b0364dfa0954d1192ab483e07dc1f8a5485e5
-
Filesize
331KB
MD52d72c7fd107986dff9d09acdd4f8255f
SHA1f60da83ed901faee7352589e46ae5a361a33af2a
SHA2562bacf273a6b20fab94aec2c3c2fa483a24e62b36070121cd0dfd40ccfdf5be8a
SHA512063c9a0b595480d50d3c5581d9cd4b15242c32f1ca9d24c72673835a577a8187a398ab214cea86a6c04a8e425fa81591be0369be80c9a1c66128a7672c039f93
-
Filesize
11KB
MD50d34527d1c8f3c4c04409402ec1018e5
SHA1e3adaed47bcc035fc26e77def57212afd583a121
SHA256bbcf67c7ad661df89571263ab621be191682a861ddb3322a426f70b7277487aa
SHA512f79b5d1c173498eaf5064caf60fdb862f9b0a3bb384bb5778ed104398a94974925f8f3e09483d48508dcd37f0d892c43db11729eacdbedcff38b1a8cf6da273f
-
Filesize
24KB
MD5085ebd119f5fc6b8f63720fac1166ff5
SHA1af066018aadec31b8e70a124a158736aca897306
SHA256b8411fe8ec499074fca9047f6983d920279e84ddf3b02b2dd5c08cf07ec44687
SHA512adb0522830db26123347cb485c43b156f5c888510e52091ba0fafc22b650ad29630c027746c920321905c28259dce7ff63dded93a79efddd5567c68312117875
-
Filesize
24KB
MD533eea2792b9fa42f418d9d609f692007
SHA148c3916a14ef2d9609ec4d2887a337b973cf8753
SHA2568f7807c324626abc2d3504638958c148e2e3f3e212261f078940cf4c5f0c4fbb
SHA512b2dbfcdf2599c38c966c5ebce714a5cd50e2f8b411555acf9f02b31b9c29b8ab53a9afa9d32bab87a06e08f8b2c7818d600773f659a058c8af81c50be7f09b95
-
Filesize
8KB
MD5ccfc033500e2871900fc3f161511c809
SHA1e01008d83244c60570ded6598d6c989be46f622a
SHA2568183d0791fc27b5515c4b5411fd6a804ba153ec40001958a7968f31778e314b5
SHA512af43aa9236949cace4f6bd6b565351cbc86a7cae903ac658990992aabf1a2433c6293e7f94197da0853e7bf1f7dc56acd1dc6ab120e799bc3f50d8ad43b5ae74
-
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres
Filesize2KB
MD5829b9babbdda5b73334a65296724fe6d
SHA1f7979def5dbbf1a0e07eb2186e1823cabc2ff8f4
SHA256004d3465ff2fc39a15be8dd108f6ac29465309be5ceee396c2703ad42bef8b40
SHA512a1f98b251aaec108c6b74139e2056b7a64c698e9687cc045ebabc4eeac0a1ac8884ff4b93601e09c3a26c183906e3336b66fae3156d1cb27196d55b0173d863b
-
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\49dbe2955480c7f6ef8cec9c4320c9868d9293fd.tbres
Filesize2KB
MD5c323eb098a0b5498ccc4b1489ecaccc4
SHA192f5c6680b0bf94b43e9a1f0fda5da533f71f698
SHA2563b253c59cd641d1f18b2c8c0e5d3e58e41ef9d1afcf729265de25050776cb518
SHA51205f81339f76cdd9939036206198fb99ee9edea5c16a09fcd6755f59848a7b9a51642838d568fd582197a6375e7fcb1509d6b4061f246241297ae6b3556c86da0
-
Filesize
263KB
MD5ff0e07eff1333cdf9fc2523d323dd654
SHA177a1ae0dd8dbc3fee65dd6266f31e2a564d088a4
SHA2563f925e0cc1542f09de1f99060899eafb0042bb9682507c907173c392115a44b5
SHA512b4615f995fab87661c2dbe46625aa982215d7bde27cafae221dca76087fe76da4b4a381943436fcac1577cb3d260d0050b32b7b93e3eb07912494429f126bb3d
-
Filesize
148KB
MD59048efb4c96728b0bcfb5b2e2b52dd76
SHA11d0c697ca716bd4850f27def14d4a8855e0e4d6f
SHA256662f74f7ab09084e621106667d58a2a846e4857efe76bfef057237bdce1bbf1d
SHA5127d6509c12d08dfde124ff429696368fc24da736a3032f64be3eb9659a2c0b9360557913af51b12a6df962f219fd9eeec12ab21a236f8f8d2ff376319e00b1bd6
-
Filesize
16B
MD5d29962abc88624befc0135579ae485ec
SHA1e40a6458296ec6a2427bcb280572d023a9862b31
SHA256a91a702aab9b8dd722843d3d208a21bcfa6556dfc64e2ded63975de4511eb866
SHA5124311e87d8d5559248d4174908817a4ddc917bf7378114435cf12da8ccb7a1542c851812afbaf7dc106771bdb2e2d05f52e7d0c50d110fc7fffe4395592492c2f
-
Filesize
12B
MD5f6f801e5b0502f5e803ed826dd37ae44
SHA1273e87aa518397186653443c0c3e81d574361708
SHA256e7bcd23ba708556ee69f96050dc7e74f9dab95825bfab48bcea7fd8fac482fd1
SHA5128fe0217b9c7f9331664dc4259c7924b9c7e5e145f0b795ec98d713e41a2e3d001014b3ac41071fe41447632ddbfbbefc8c7d6de8fa9faeca455a0a78575e5584
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
Filesize1KB
MD52fff921ae80f612ce31028335997a101
SHA1c7a4388d4d6fb2b278bce7d7cce5f59ab8f62117
SHA256e5aea2d59eb3c1ca0854d8db121ecc9a192e1ec4812aa1d018ad46f47a3a5024
SHA512eb759161eb5a99cdf7845e416431463dab12cc5c22c5268d78e36eded374d1ee178a18512020e2ee8c45a5465f97741dfcb7daa6b545d01dd12ade2ef24739ba