Analysis
max time kernel: 146s
max time network: 154s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 16/08/2024, 14:12

Behavioral task: behavioral1
Sample: 9eae6b73a0f8a48dc55cc29f0a9cac8c_JaffaCakes118.doc
Resource: win7-20240704-en

Behavioral task: behavioral2
Sample: 9eae6b73a0f8a48dc55cc29f0a9cac8c_JaffaCakes118.doc
Resource: win10v2004-20240802-en
General
Target: 9eae6b73a0f8a48dc55cc29f0a9cac8c_JaffaCakes118.doc
Size: 242KB
MD5: 9eae6b73a0f8a48dc55cc29f0a9cac8c
SHA1: a6c65371fed53b19e6de8cc542e11b01fe5e5672
SHA256: 96113b3468f977ecf631bc456b008abbdb8c14a2f934de538d00852314f71d2a
SHA512: 61db55ea6d15b2dd0ac85fd7524e25aacd527f7f5083979c775eb9490fb65b9305d783706621ee258365096fa90fc2bf780c47f84c197100ed3490a367d9730b
SSDEEP: 3072:rOw0pklIiuq73/IKBds+gdSGtj2AG0lId0vgGWK8M:rO5pklIo73wA6UGtj2A7xv38M
Malware Config
Signatures

Checks processor information in registry (2 TTPs, 6 IoCs)
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | EXCEL.EXE

Enumerates system info in registry (2 TTPs, 6 IoCs)
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | EXCEL.EXE
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener (2 IoCs)
pid | Process
4876 | WINWORD.EXE (2 occurrences)

Suspicious use of AdjustPrivilegeToken (1 IoC)
description | pid | Process
Token: SeAuditPrivilege | 3200 | EXCEL.EXE

Suspicious use of SetWindowsHookEx (11 IoCs)
pid | Process
4876 | WINWORD.EXE (7 occurrences)
3200 | EXCEL.EXE (4 occurrences)
Processes

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\9eae6b73a0f8a48dc55cc29f0a9cac8c_JaffaCakes118.doc" /o ""
PID: 4876
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
Command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
PID: 3200
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\0A1242CB-4663-4145-BDB3-C6D74201DBA9
Filesize: 170KB
MD5: 5dcf8ad79233094540c2731e431ef041
SHA1: 9f24a9bd796824db2ce812116e27d8ca6b294267
SHA256: a6782f4242d34b81c5bba6d3a657422b870c3f9dfa4810b9662ec770e92ee20c
SHA512: da0640567a5a3e7f5a420777c5e0850c450a73d58130515368a806043bd04dcf4cb064af39ead4049db6bd6ac797ae0d6431d4dc6e729987b260cff0a847e89f

C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres
Filesize: 2KB
MD5: 2c42f696a638bfeeb447f4b19693c97e
SHA1: 4516956aa0eabe0c373d9fefa7dca542319824af
SHA256: 2eb2ed572c7b9fec3906e5e232bcf59aa19fdecbdcc8ced0adf49e8c18acf9ad
SHA512: c26986328b93712840f3aa89a3769e2fb4d46aa410e25fa0d09b66ac905e49adf88309f3615034a4582a4c35a2d19019856dec86a369dd46c6de8af77198d662

C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\f3df91c436730d7a37c58d5f25d9bf4a56fa3a34.tbres
Filesize: 4KB
MD5: 7f6e8bf2b32705e216552d47dce82a6e
SHA1: 33504618dfc6876e0aa1290a6c348e8e9738e113
SHA256: 8e0feb9b9b1485ac255095dfacb0cf25aba1a2dca51514abe09d44567b38470e
SHA512: 70c5cd59cf01480ecdb1b466c16087af9fd91f34cbb39edbbc44259f5156aa8e66501c3b99d2298c2ab1d769d60bee25fe2e8f694878c9fffe390142795b4c23

Filesize: 245KB
MD5: f883b260a8d67082ea895c14bf56dd56
SHA1: 7954565c1f243d46ad3b1e2f1baf3281451fc14b
SHA256: ef4835db41a485b56c2ef0ff7094bc2350460573a686182bc45fd6613480e353
SHA512: d95924a499f32d9b4d9a7d298502181f9e9048c21dbe0496fa3c3279b263d6f7d594b859111a99b1a53bd248ee69b867d7b1768c42e1e40934e0b990f0ce051e

Filesize: 16B
MD5: d29962abc88624befc0135579ae485ec
SHA1: e40a6458296ec6a2427bcb280572d023a9862b31
SHA256: a91a702aab9b8dd722843d3d208a21bcfa6556dfc64e2ded63975de4511eb866
SHA512: 4311e87d8d5559248d4174908817a4ddc917bf7378114435cf12da8ccb7a1542c851812afbaf7dc106771bdb2e2d05f52e7d0c50d110fc7fffe4395592492c2f