Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
148s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
30/09/2024, 10:57
Static task
static1
Behavioral task
behavioral1
Sample
00f623bfb36a253403669fc4dec5f791_JaffaCakes118.xls
Resource
win7-20240729-en
Behavioral task
behavioral2
Sample
00f623bfb36a253403669fc4dec5f791_JaffaCakes118.xls
Resource
win10v2004-20240802-en
General
-
Target
00f623bfb36a253403669fc4dec5f791_JaffaCakes118.xls
-
Size
98KB
-
MD5
00f623bfb36a253403669fc4dec5f791
-
SHA1
67fd817afb56cf19571f688ebf76143cdded1c3d
-
SHA256
b94df8bbdd72e9b935b14dd2de7746179ecf2864fd3f6ba8c51888e55d41cece
-
SHA512
5b505acbca9594a5b6f01cce77a4b004faeddc679c7c9712894bd74232f6a5351c3ebe2e0f89011e5bf1728d28b819f6c3922850b24bc2d0e0a7fa1a8ba779c7
-
SSDEEP
1536:sxxxxENLxrgxFtVwM8jIT+M0mTsbaP6hjSszg/jAyOWVbrzQ7ITkbA2syfshtcJt:eVaWVbrzQ7ITkZXimJtXw1d
Malware Config
Signatures
-
Process spawned unexpected child process 3 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
description pid pid_target Process procid_target Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process 1824 1180 cmd.exe 83 Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process 1260 1180 cmd.exe 83 Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process 5024 1180 cmd.exe 83 -
Deletes itself 1 IoCs
pid Process 1180 EXCEL.EXE -
Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString EXCEL.EXE -
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU EXCEL.EXE -
NTFS ADS 1 IoCs
description ioc Process File created C:\Users\Admin\AppData\Local\Temp\86A75E00\:Zone.Identifier:$DATA EXCEL.EXE -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid Process 1180 EXCEL.EXE -
Suspicious use of SetWindowsHookEx 16 IoCs
pid Process 1180 EXCEL.EXE 1180 EXCEL.EXE 1180 EXCEL.EXE 1180 EXCEL.EXE 1180 EXCEL.EXE 1180 EXCEL.EXE 1180 EXCEL.EXE 1180 EXCEL.EXE 1180 EXCEL.EXE 1180 EXCEL.EXE 1180 EXCEL.EXE 1180 EXCEL.EXE 1180 EXCEL.EXE 1180 EXCEL.EXE 1180 EXCEL.EXE 1180 EXCEL.EXE -
Suspicious use of WriteProcessMemory 8 IoCs
description pid Process procid_target PID 1180 wrote to memory of 1824 1180 EXCEL.EXE 87 PID 1180 wrote to memory of 1824 1180 EXCEL.EXE 87 PID 1180 wrote to memory of 1260 1180 EXCEL.EXE 88 PID 1180 wrote to memory of 1260 1180 EXCEL.EXE 88 PID 1180 wrote to memory of 5024 1180 EXCEL.EXE 89 PID 1180 wrote to memory of 5024 1180 EXCEL.EXE 89 PID 1824 wrote to memory of 2744 1824 cmd.exe 93 PID 1824 wrote to memory of 2744 1824 cmd.exe 93 -
Views/modifies file attributes 1 TTPs 1 IoCs
pid Process 2744 attrib.exe
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\00f623bfb36a253403669fc4dec5f791_JaffaCakes118.xls"1⤵
- Deletes itself
- Checks processor information in registry
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1180 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c attrib -S -h "C:\Users\Admin\AppData\Roaming\Microsoft\Excel\XLSTART\K4.XLS"2⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:1824 -
C:\Windows\system32\attrib.exeattrib -S -h "C:\Users\Admin\AppData\Roaming\Microsoft\Excel\XLSTART\K4.XLS"3⤵
- Views/modifies file attributes
PID:2744
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Del /F /Q "C:\Users\Admin\AppData\Roaming\Microsoft\Excel\XLSTART\K4.XLS"2⤵
- Process spawned unexpected child process
PID:1260
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c RD /S /Q "C:\Users\Admin\AppData\Roaming\Microsoft\Excel\XLSTART\K4.XLS"2⤵
- Process spawned unexpected child process
PID:5024
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
127KB
MD5ccb077e224d5a157833b974f9702b44e
SHA1d020a379e61539df140f03964dedbaf64886848b
SHA2562416fb4b7d11a138bfe48ccca9881bf71e458474d4e1d7057514a1123edf4703
SHA51283dd669c7fc88ac4257b15ef7d7efbb2540a16935d75fcbc606237d14b4649f839e1883384d16bc94e2788b7c3949ea61992ba1c60859171a3adc6be59920ae8
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms
Filesize3KB
MD5d6a1558bc94027219013204367e71b8d
SHA1864d4766683d3fcaf4a4d52ae18e3b9421cd3a39
SHA2568b3fcffdc5a84cf4336ac0701903dc8e0337f74bb598de31f978edd2102278e8
SHA512536b09df92d217d79d979aed057b31ed7ceec8141a18ac858c28d9ad44058a633cb9355d33e1f028e9d283eaf975fb6575be7dd7b57014b82ea4d13f9c11edbf