2caf05fb34bd7d621953ca25eb813c6ed8bcbda224727f82e072e3417ab2fa65 | Triage

Submit
Reports

Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

Static

static

8

0fe8024219...18.doc

windows7-x64

0fe8024219...18.doc

windows10-2004-x64

Sharing

General

Target

0fe8024219742a269712cfa35bcf3902_JaffaCakes118
Size

182KB
Sample

240503-hjcqrshc9y
MD5

0fe8024219742a269712cfa35bcf3902
SHA1

ad2a753062358ece641c1449c65a6fa49e68e5d2
SHA256

2caf05fb34bd7d621953ca25eb813c6ed8bcbda224727f82e072e3417ab2fa65
SHA512

915c6745fa0bd520784c472612b51056ab8ca6a0e9c134f5a23ebd12f89c31ce645d21e0019ce4043ea5b53a5bf7880430c5383b77627186aa173246b50e9bf2
SSDEEP

3072:9Ny2y/GdywFyktGDWLS0HZWD5w8K7Nk9rD7IBUzasiv8Ok7X:9Ny2k4PF7tGiL3HJk9rD7bzasiv8RD

Score

10^/10

execution macro

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

0fe8024219742a269712cfa35bcf3902_JaffaCakes118.doc

Resource

win7-20240419-en

windows7-x64

14 signatures

150 seconds

Behavioral task

behavioral2

Sample

0fe8024219742a269712cfa35bcf3902_JaffaCakes118.doc

Resource

win10v2004-20240419-en

windows10-2004-x64

10 signatures

150 seconds

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://diwafashions.com/wp-admin/mqau6/

exe.dropper

http://designers.hotcom-web.com/ubkskw29clek/qnpm1p/

exe.dropper

http://dixartcontractors.com/cgi-bin/nnuv/

exe.dropper

http://diaspotv.info/wordpress/G/

exe.dropper

http://easyvisaoverseas.com/cgi-bin/v/

Targets

- Target
  
  0fe8024219742a269712cfa35bcf3902_JaffaCakes118
- Size
  
  182KB
- MD5
  
  0fe8024219742a269712cfa35bcf3902
- SHA1
  
  ad2a753062358ece641c1449c65a6fa49e68e5d2
- SHA256
  
  2caf05fb34bd7d621953ca25eb813c6ed8bcbda224727f82e072e3417ab2fa65
- SHA512
  
  915c6745fa0bd520784c472612b51056ab8ca6a0e9c134f5a23ebd12f89c31ce645d21e0019ce4043ea5b53a5bf7880430c5383b77627186aa173246b50e9bf2
- SSDEEP
  
  3072:9Ny2y/GdywFyktGDWLS0HZWD5w8K7Nk9rD7IBUzasiv8Ok7X:9Ny2k4PF7tGiL3HJk9rD7bzasiv8RD
Score

10^/10

execution
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Run Powershell and hide display window.
  execution
- Drops file in System32 directory
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

© 2018-2025

Terms | Privacy