Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    101s
  • max time network
    19s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
  • submitted
    19/07/2024, 01:33

General

  • Target

    59ed1aab3071d7f437cd3bf2b174dbcd_JaffaCakes118.rtf

  • Size

    256KB

  • MD5

    59ed1aab3071d7f437cd3bf2b174dbcd

  • SHA1

    b5824490723cbd3f783b338d8f98385de66bd53e

  • SHA256

    4655abf24bcd2f0eec2cdb7114e9f5651b6a7b3d638d51e8f0cdf14ba05e298d

  • SHA512

    fd81bdeb615a66574dfa10af7e4791a8dbf72d0f0edaa04a9c4d0a2b640181ca59251995466afa21dd688b684fe8cbd5369f09e455e624c5e208fb833c2efa20

  • SSDEEP

    6144:k0SbiAFcJX1KzCOBRcuMuSN23XiyZa364kTF3OVa3My+Z1L4m9PIiusC:k5biAFcd1CjK2CyZaq4+l73My+TsqIie

Score
4/10

Malware Config

Signatures

  • Drops file in Windows directory 1 IoCs
  • Office loads VBA resources, possible macro or embedded object present
  • Launches Equation Editor 1 TTPs 1 IoCs

    Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.

  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\59ed1aab3071d7f437cd3bf2b174dbcd_JaffaCakes118.rtf"
    1⤵
    • Drops file in Windows directory
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:560
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      2⤵
        PID:2796
    • C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
      "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
      1⤵
      • Launches Equation Editor
      PID:2016

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

      Filesize

      19KB

      MD5

      68bc7d0384019bf22ac5156fbf4ce65a

      SHA1

      6f9c49f95c8a549d293d77c7ed54a8974739f30f

      SHA256

      fbcf1d8926c22e1e20e6330e54b93ac11120980d7c2bffc48752b01d1e995ec0

      SHA512

      21da624d16c2c7eca9cfece3ef60bcbd94430900a93669578e43c1fbaad593e68b3b03969385ee42f89de984590b1a519d356cd528ce3a43c540c2a02d7ec716

    • memory/560-0-0x000000002F071000-0x000000002F072000-memory.dmp

      Filesize

      4KB

    • memory/560-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB

    • memory/560-2-0x000000007166D000-0x0000000071678000-memory.dmp

      Filesize

      44KB

    • memory/560-9-0x000000007166D000-0x0000000071678000-memory.dmp

      Filesize

      44KB

    • memory/560-27-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB