Analysis

  • max time kernel
    117s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    04/05/2024, 17:21

General

  • Target

    13baac7aa22e2a1585b5e2a83b51c564_JaffaCakes118.rtf

  • Size

    4KB

  • MD5

    13baac7aa22e2a1585b5e2a83b51c564

  • SHA1

    f2045605089330024e6d2c6585b13980619bb2f6

  • SHA256

    6d6482ec3bb4b7694149eb96a08c3b366073907a03060886c2a8fac644ae6232

  • SHA512

    89e7f28b769b4877af21b7bd1f309dfea996fee355f0636ecffdd6a639dd0b4c0f5196fb3cfcab21cffc3f77f3423521221edada478e5d5d9b1cc6c9b274cf25

  • SSDEEP

    96:ZcNzMGmG3c+auaJ0rk8O+DuyGplTVzr5Ub4:KNgDG3c+auO0rk8RLGDpztW4

Score
8/10

Malware Config

Signatures

  • Blocklisted process makes network request (1 IoC)
  • Drops file in Windows directory (1 IoC)
  • Office loads VBA resources, possible macro or embedded object present
  • Launches Equation Editor (1 TTP, 1 IoC)

    Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.

  • Modifies Internet Explorer settings (1 TTP, 31 IoCs)
  • Modifies registry class (64 IoCs)
  • Suspicious behavior: AddClipboardFormatListener (1 IoC)
  • Suspicious use of SetWindowsHookEx (2 IoCs)
  • Suspicious use of WriteProcessMemory (4 IoCs)

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\13baac7aa22e2a1585b5e2a83b51c564_JaffaCakes118.rtf"
    • Drops file in Windows directory
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1176
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
        PID:2488
    • C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
      "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
      • Blocklisted process makes network request
      • Launches Equation Editor
      PID:2188

    Downloads

    • C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

      Filesize

      20KB

      MD5

      02dd966a597e55c295f4ba0d4656c38d

      SHA1

      202fb93e6718df06a21a38b83ecb27f29851d91c

      SHA256

      345e4b157bd6a3e879c1a5a2b9d8ed0c45db0a5f1a1938dc50110863dc3fe859

      SHA512

      71ad3d9efe553c9370a657521b36325af3cc00a99cbd516106b9f610290994c8fc574f68d9b95c638cbad759b6d902166ddaf3e5a68c5f09c9d816bc3eb78000

    • C:\Users\Admin\AppData\Roaming\test.exe

      Filesize

      5KB

      MD5

      caaa86e2e815c1258e9e76ac42f12b88

      SHA1

      5b227fe8a62e681b474fdaec0e726d3114a0f1b4

      SHA256

      79f421ab2115223b265dfacfb5a5b61f09e631c9b281db463984409273954c38

      SHA512

      cd8a1ea09b69b1be6afa184c0e8dbb76c13a77225b7425f44f28c1459e132ff179d04cea8c9c636c1e56c22b960e88a598854b307d855a93bacc4ad873a78797

    • memory/1176-0-0x000000002FCF1000-0x000000002FCF2000-memory.dmp

      Filesize

      4KB

    • memory/1176-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB

    • memory/1176-2-0x0000000070C3D000-0x0000000070C48000-memory.dmp

      Filesize

      44KB

    • memory/1176-18-0x0000000070C3D000-0x0000000070C48000-memory.dmp

      Filesize

      44KB

    • memory/1176-36-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB