Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
149s -
max time network
147s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
11/09/2024, 22:06
Static task
static1
Behavioral task
behavioral1
Sample
db4d30f4161223a2724bc36af1178057_JaffaCakes118.rtf
Resource
win7-20240704-en
windows7-x64
Behavioral task
behavioral2
Sample
db4d30f4161223a2724bc36af1178057_JaffaCakes118.rtf
Resource
win10v2004-20240802-en
windows10-2004-x64
General
-
Target
db4d30f4161223a2724bc36af1178057_JaffaCakes118.rtf
-
Size
112KB
-
MD5
db4d30f4161223a2724bc36af1178057
-
SHA1
aa7e31fdef83e8c7044794023786d85600e603c9
-
SHA256
94ee80dd4569d627da5c0af97a3668827495df37af8e6c4d46bb8729795da30c
-
SHA512
f0f1e9e68484e287debe62e8de58b0450e8c8bf9323570bf313308bcf9c8d4e52a271738c86fa1fb365f8d81ea2ad0a4ac40b2b8a8444e21c9a26f1f7a5e5531
-
SSDEEP
1536:qsqFf1kZ/WkorZX5wQ+H6U9f3Jqe95zbNf1kZ/WkorZX5wQ+H6UI:qVFKe/dp819fT95nNKe/dp81I
Malware Config
Signatures
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
description pid pid_target Process procid_target Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process 1620 1060 taskmgr.exe 82 -
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 taskmgr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A taskmgr.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName taskmgr.exe -
Checks processor information in registry 2 TTPs 6 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString EXCEL.EXE Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WINWORD.EXE -
Enumerates system info in registry 2 TTPs 6 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU EXCEL.EXE Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WINWORD.EXE -
Suspicious behavior: AddClipboardFormatListener 2 IoCs
pid Process 1060 WINWORD.EXE 1060 WINWORD.EXE -
Suspicious behavior: EnumeratesProcesses 53 IoCs
pid Process 1620 taskmgr.exe 1620 taskmgr.exe 1620 taskmgr.exe 1620 taskmgr.exe 1620 taskmgr.exe 1620 taskmgr.exe 1620 taskmgr.exe 1620 taskmgr.exe 1620 taskmgr.exe 1620 taskmgr.exe 1620 taskmgr.exe 1620 taskmgr.exe 1620 taskmgr.exe 1620 taskmgr.exe 1620 taskmgr.exe 1620 taskmgr.exe 1620 taskmgr.exe 1620 taskmgr.exe 1620 taskmgr.exe 1620 taskmgr.exe 1620 taskmgr.exe 1620 taskmgr.exe 1620 taskmgr.exe 1620 taskmgr.exe 1620 taskmgr.exe 1620 taskmgr.exe 1620 taskmgr.exe 1620 taskmgr.exe 1620 taskmgr.exe 1620 taskmgr.exe 1620 taskmgr.exe 1620 taskmgr.exe 1620 taskmgr.exe 1620 taskmgr.exe 1620 taskmgr.exe 1620 taskmgr.exe 1620 taskmgr.exe 1620 taskmgr.exe 1620 taskmgr.exe 1620 taskmgr.exe 1620 taskmgr.exe 1620 taskmgr.exe 1620 taskmgr.exe 1620 taskmgr.exe 1620 taskmgr.exe 1620 taskmgr.exe 1620 taskmgr.exe 1620 taskmgr.exe 1620 taskmgr.exe 1620 taskmgr.exe 1620 taskmgr.exe 1620 taskmgr.exe 1620 taskmgr.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
description pid Process Token: SeDebugPrivilege 1620 taskmgr.exe Token: SeSystemProfilePrivilege 1620 taskmgr.exe Token: SeCreateGlobalPrivilege 1620 taskmgr.exe -
Suspicious use of FindShellTrayWindow 64 IoCs
pid Process 1620 taskmgr.exe 1620 taskmgr.exe 1620 taskmgr.exe 1620 taskmgr.exe 1620 taskmgr.exe 1620 taskmgr.exe 1620 taskmgr.exe 1620 taskmgr.exe 1620 taskmgr.exe 1620 taskmgr.exe 1620 taskmgr.exe 1620 taskmgr.exe 1620 taskmgr.exe 1620 taskmgr.exe 1620 taskmgr.exe 1620 taskmgr.exe 1620 taskmgr.exe 1620 taskmgr.exe 1620 taskmgr.exe 1620 taskmgr.exe 1620 taskmgr.exe 1620 taskmgr.exe 1620 taskmgr.exe 1620 taskmgr.exe 1620 taskmgr.exe 1620 taskmgr.exe 1620 taskmgr.exe 1620 taskmgr.exe 1620 taskmgr.exe 1620 taskmgr.exe 1620 taskmgr.exe 1620 taskmgr.exe 1620 taskmgr.exe 1620 taskmgr.exe 1620 taskmgr.exe 1620 taskmgr.exe 1620 taskmgr.exe 1620 taskmgr.exe 1620 taskmgr.exe 1620 taskmgr.exe 1620 taskmgr.exe 1620 taskmgr.exe 1620 taskmgr.exe 1620 taskmgr.exe 1620 taskmgr.exe 1620 taskmgr.exe 1620 taskmgr.exe 1620 taskmgr.exe 1620 taskmgr.exe 1620 taskmgr.exe 1620 taskmgr.exe 1620 taskmgr.exe 1620 taskmgr.exe 1620 taskmgr.exe 1620 taskmgr.exe 1620 taskmgr.exe 1620 taskmgr.exe 1620 taskmgr.exe 1620 taskmgr.exe 1620 taskmgr.exe 1620 taskmgr.exe 1620 taskmgr.exe 1620 taskmgr.exe 1620 taskmgr.exe -
Suspicious use of SendNotifyMessage 64 IoCs
pid Process 1620 taskmgr.exe 1620 taskmgr.exe 1620 taskmgr.exe 1620 taskmgr.exe 1620 taskmgr.exe 1620 taskmgr.exe 1620 taskmgr.exe 1620 taskmgr.exe 1620 taskmgr.exe 1620 taskmgr.exe 1620 taskmgr.exe 1620 taskmgr.exe 1620 taskmgr.exe 1620 taskmgr.exe 1620 taskmgr.exe 1620 taskmgr.exe 1620 taskmgr.exe 1620 taskmgr.exe 1620 taskmgr.exe 1620 taskmgr.exe 1620 taskmgr.exe 1620 taskmgr.exe 1620 taskmgr.exe 1620 taskmgr.exe 1620 taskmgr.exe 1620 taskmgr.exe 1620 taskmgr.exe 1620 taskmgr.exe 1620 taskmgr.exe 1620 taskmgr.exe 1620 taskmgr.exe 1620 taskmgr.exe 1620 taskmgr.exe 1620 taskmgr.exe 1620 taskmgr.exe 1620 taskmgr.exe 1620 taskmgr.exe 1620 taskmgr.exe 1620 taskmgr.exe 1620 taskmgr.exe 1620 taskmgr.exe 1620 taskmgr.exe 1620 taskmgr.exe 1620 taskmgr.exe 1620 taskmgr.exe 1620 taskmgr.exe 1620 taskmgr.exe 1620 taskmgr.exe 1620 taskmgr.exe 1620 taskmgr.exe 1620 taskmgr.exe 1620 taskmgr.exe 1620 taskmgr.exe 1620 taskmgr.exe 1620 taskmgr.exe 1620 taskmgr.exe 1620 taskmgr.exe 1620 taskmgr.exe 1620 taskmgr.exe 1620 taskmgr.exe 1620 taskmgr.exe 1620 taskmgr.exe 1620 taskmgr.exe 1620 taskmgr.exe -
Suspicious use of SetWindowsHookEx 10 IoCs
pid Process 1060 WINWORD.EXE 1060 WINWORD.EXE 1060 WINWORD.EXE 3116 EXCEL.EXE 3116 EXCEL.EXE 3116 EXCEL.EXE 3116 EXCEL.EXE 1060 WINWORD.EXE 1060 WINWORD.EXE 1060 WINWORD.EXE -
Suspicious use of WriteProcessMemory 2 IoCs
description pid Process procid_target PID 1060 wrote to memory of 1620 1060 WINWORD.EXE 98 PID 1060 wrote to memory of 1620 1060 WINWORD.EXE 98 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\db4d30f4161223a2724bc36af1178057_JaffaCakes118.rtf" /o ""1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1060 -
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe"2⤵
- Process spawned unexpected child process
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1620
-
-
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" -Embedding1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of SetWindowsHookEx
PID:3116
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\B8B83267-EE4B-4807-B7EA-4DC736343358
Filesize170KB
MD511b96097fd4b24f24e1f6f27e0eeeb6b
SHA11a99b9b6bb760ed82b3c98adf723aefda3e4924e
SHA2561a3eb63bb80ba6980a881802f1bb44f39ff66604dc0500314ad4e5c9610169d6
SHA512912d8df3b619d0a670f093c1145268071add4e42628395dceb299458e7141d1134aa3c69f4995200acbc41e7264024025e6fa4920523f2f0d105d524d7f77b15
-
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres
Filesize2KB
MD59e122dcfd21be881395cb380b7887e50
SHA18e7f5e444aca90641cfad363bd6d2ef9991b3bf0
SHA25653016c31e35b990f508196bba559742b2beeda419679719906681a9a672c8680
SHA512e369a7454c0bfb3aa0fd64f3644daf98b24ac4e5ccbe61144c765ccfdacbbe09a4350df9389ba18e5ef066a3b6d3742fa1807c80a012e175f2e71da03aa8692e
-
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\49dbe2955480c7f6ef8cec9c4320c9868d9293fd.tbres
Filesize2KB
MD56461d3a211d4b8d0f66f0c46d1b7b490
SHA1c2c31be082cb4c381634f50a864e4b250220296f
SHA256cf256745b2c4fa10e73f4200daa49f2db0e6c2dc7d2d2c7bbc8c682b53b951be
SHA512ac1a60ce0e9e87560477d72efb686a651801af941219f54a1c4003702665185f48cee3f9a964222f51c03ad55ed0f635d3f50e64139c2cd30aafa17664256f37