b76296d33b324195937257e98ff545fa525399c3f54ec9ed090e29a09ea87e5e | Triage

Submit
Reports

Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

Static

static

8

76e3f55356...18.doc

windows7-x64

76e3f55356...18.doc

windows10-2004-x64

Sharing

General

Target

76e3f55356e2a30593d436ab0880eff8_JaffaCakes118
Size

113KB
Sample

240526-1pbprsdb7t
MD5

76e3f55356e2a30593d436ab0880eff8
SHA1

6b1725b71bf2f01ca5b6b7f4c2b4252c67a6e2b1
SHA256

b76296d33b324195937257e98ff545fa525399c3f54ec9ed090e29a09ea87e5e
SHA512

6d4e48af3634cea0c8f729a171c51b65cb8b9755cf173867cf201a6934a771a315cb3540c0bcd5f47a58ca200fa0d05a052fbf1313717debb7ca5ccf192cfa8c
SSDEEP

1536:0TxjwKZ09cB7y9ghN8+mQ90MTT+aU1E0NpFukKH6FH:4xjnB29gb8on+E0NpFEaFH

Score

10^/10

execution macro macro_on_action

Static task

static1

macro macro_on_action

2 signatures

Behavioral task

behavioral1

Sample

76e3f55356e2a30593d436ab0880eff8_JaffaCakes118.doc

Resource

win7-20240508-en

windows7-x64

13 signatures

150 seconds

Behavioral task

behavioral2

Sample

76e3f55356e2a30593d436ab0880eff8_JaffaCakes118.doc

Resource

win10v2004-20240426-en

windows10-2004-x64

11 signatures

150 seconds

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://baza-shartash.ru/hkqXqT1

exe.dropper

http://anapapoliv.ru/Sp4na

exe.dropper

http://shorecrestschools.com/nnQkN

exe.dropper

http://comicole.com/2HZ

exe.dropper

http://elartedelaaccion.es/6Hyl

Targets

- Target
  
  76e3f55356e2a30593d436ab0880eff8_JaffaCakes118
- Size
  
  113KB
- MD5
  
  76e3f55356e2a30593d436ab0880eff8
- SHA1
  
  6b1725b71bf2f01ca5b6b7f4c2b4252c67a6e2b1
- SHA256
  
  b76296d33b324195937257e98ff545fa525399c3f54ec9ed090e29a09ea87e5e
- SHA512
  
  6d4e48af3634cea0c8f729a171c51b65cb8b9755cf173867cf201a6934a771a315cb3540c0bcd5f47a58ca200fa0d05a052fbf1313717debb7ca5ccf192cfa8c
- SSDEEP
  
  1536:0TxjwKZ09cB7y9ghN8+mQ90MTT+aU1E0NpFukKH6FH:4xjnB29gb8on+E0NpFEaFH
Score

10^/10

execution
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Blocklisted process makes network request
- An obfuscated cmd.exe command-line is typically used to evade detection.
- Command and Scripting Interpreter: PowerShell
  Start PowerShell.
  execution
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

macromacro_on_action

behavioral1

behavioral2

© 2018-2025

Terms | Privacy