Analysis
- max time kernel: 136s
- max time network: 138s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 16/08/2024, 16:35
Behavioral task: behavioral1
- Sample: 9f22824d8ae8bef36a655835e0d88bff_JaffaCakes118.xls
- Resource: win7-20240729-en
Behavioral task: behavioral2
- Sample: 9f22824d8ae8bef36a655835e0d88bff_JaffaCakes118.xls
- Resource: win10v2004-20240802-en
General
- Target: 9f22824d8ae8bef36a655835e0d88bff_JaffaCakes118.xls
- Size: 24KB
- MD5: 9f22824d8ae8bef36a655835e0d88bff
- SHA1: 696e2ad35bc459e9751a35c9d60826ac8cda71b3
- SHA256: 06f81bfdf847b3ac7bd86b12d5ccdba75190eb87766e735eb114857e2c7a7d11
- SHA512: 57cbc8a0a44c2e241b4f7cebe265c5db13e0ae96fac966217490854a41a1a541a9ab795d35598eaed26305b33af8c67901eafb4a500286eb4f3968b0215198cf
- SSDEEP: 192:8DKkFfak/M/+//cfY1YwY9Klzn06yyC9/0A/iNFqkZgtnoZWTP29E22f0wQfiFfZ:yl10mnambvWi4ijqggloZaqE27w
Malware Config
Signatures
- Office macro that triggers on suspicious action (1 IoC)
  Office document macro which triggers in special circumstances - often malicious.
  resource: behavioral2/files/0x000a0000000234d3-74.dat; yara_rule: office_macro_on_action
- Deletes itself (1 IoC)
  pid 3952, process EXCEL.EXE
- Drops file in Program Files directory (2 IoCs)
  File created: C:\Program Files\Microsoft Office\Root\Office16\Library\Analysis\97B75E00 (EXCEL.EXE)
  File opened for modification: C:\Program Files\Microsoft Office\Root\Office16\Library\Analysis\rom.xla (EXCEL.EXE)
- Checks processor information in registry (2 TTPs, 3 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (EXCEL.EXE)
  Key opened: \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 (EXCEL.EXE)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz (EXCEL.EXE)
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  Key opened: \REGISTRY\MACHINE\Hardware\Description\System\BIOS (EXCEL.EXE)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily (EXCEL.EXE)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU (EXCEL.EXE)
- NTFS ADS (1 IoC)
  File created: C:\Users\Admin\AppData\Local\Temp\08B75E00\:Zone.Identifier:$DATA (EXCEL.EXE)
- Suspicious behavior: AddClipboardFormatListener (1 IoC)
  pid 3952, process EXCEL.EXE
- Suspicious use of SetWindowsHookEx (14 IoCs)
  pid 3952, process EXCEL.EXE (14 occurrences)
Processes
- Process: C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\9f22824d8ae8bef36a655835e0d88bff_JaffaCakes118.xls"
  PID: 3952
  Signatures:
  - Deletes itself
  - Drops file in Program Files directory
  - Checks processor information in registry
  - Enumerates system info in registry
  - NTFS ADS
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads
- Download
  Filesize: 50KB
  MD5: de8db0092f33f4739bd046e40232a1d6
  SHA1: 6ec51d45270cd716644e2c5a273cf36c15decca5
  SHA256: 31b5d627a6773ab2055ae01bac92f45d916353bc1e9d81f1d47f6ddad72062a3
  SHA512: d2b7036468a342b28fa60ad888e7e437aaddf359f54c0e3b1cf5a5651c57ca06b84a9bf038cf4ac61a7279ff93175c4e254df49d4add765b1a1dc666983a8bf0
- Download
  Filesize: 371B
  MD5: 2742b4a39934d0b4e60ae3ae67e5443d
  SHA1: 7ee5724aba8686de504d696467aa9833951d009b
  SHA256: b6681cc43030c007c878c57c4d33cfa693aa409127ef89ff55a5854925663065
  SHA512: 699516a8ebb0b3c0043bce078d6d7c86cc64e64964396f24f94b6fb065db9f66ba48eeae862ccbe77eac3519e0f64d8b9ac38605a53388c2f4c956b2b880da82
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms
  Filesize: 2KB
  MD5: a4fdceac3a205f05cd7298a6a162d2d0
  SHA1: b5ec748f1e8e05e8bb75702e8b53d5215aa2bd0c
  SHA256: 090a9ec9f4b834b5e76c3a12ea81e5e528e91a36c2454f5fef6c5a58e869e5eb
  SHA512: 4a66fce9a17e2c7bc77fb2d9ad584ef4faa573665502a080fd8b521552f3c3b85e69df5b7d1eaf0634c52e58499e1168d52a8a022fb4a399bb40759f31102381