Analysis
Max time kernel: 145s
Max time network: 149s
Platform: windows10-2004_x64
Resource: win10v2004-20240802-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 16/08/2024, 19:56
Behavioral task behavioral1
Sample: 9fb8f190cf9a09ae7cd816b57d855a81_JaffaCakes118.doc
Resource: win7-20240705-en
Behavioral task behavioral2
Sample: 9fb8f190cf9a09ae7cd816b57d855a81_JaffaCakes118.doc
Resource: win10v2004-20240802-en
General
Target: 9fb8f190cf9a09ae7cd816b57d855a81_JaffaCakes118.doc
Size: 242KB
MD5: 9fb8f190cf9a09ae7cd816b57d855a81
SHA1: 204a1e4a4aecd9c1ae6049ef8e3321a927d4b818
SHA256: f0fed1ff71be6ad4d5043edcffddeb395e33ab65a9a7bef091179e40ec271c63
SHA512: e3705a50747577abdfab20c10deef0defea010bce65abd945fbeeda89e5396c48cc13ffee544b2aa2e98209a269670270c9d4fceac81acde0d76517ff3054c8a
SSDEEP: 3072:hvw9HXPJguq73/IKBWy4wdS00nUl+8KRiSL31:hvKHXPJi73wALU003ii
Malware Config
Signatures
- Checks processor information in registry (2 TTPs, 6 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | EXCEL.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | EXCEL.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | EXCEL.EXE
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
- Enumerates system info in registry (2 TTPs, 6 IoCs)
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | EXCEL.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | EXCEL.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | EXCEL.EXE
- Suspicious behavior: AddClipboardFormatListener (2 IoCs)
  pid | process
  4596 | WINWORD.EXE
  4596 | WINWORD.EXE
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  description | pid | process
  Token: SeAuditPrivilege | 1964 | EXCEL.EXE
- Suspicious use of SetWindowsHookEx (11 IoCs)
  pid | process
  4596 | WINWORD.EXE (7 occurrences)
  1964 | EXCEL.EXE (4 occurrences)
Processes
- WINWORD.EXE (PID 4596)
  Image: C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\9fb8f190cf9a09ae7cd816b57d855a81_JaffaCakes118.doc" /o ""
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
- EXCEL.EXE (PID 1964)
  Image: C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A (471B)
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A (412B)
- C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\6AB8CDF3-2A72-4C28-AB73-2A9533341A62 (170KB)
- C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres (2KB)
- C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\49dbe2955480c7f6ef8cec9c4320c9868d9293fd.tbres (2KB)
- Filesize 245KB
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms (1KB)