Analysis
- max time kernel: 101s
- max time network: 19s
- platform: windows7_x64
- resource: win7-20240704-en
- resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
- submitted: 19/07/2024, 01:33
Static task: static1
Behavioral task: behavioral1
- Sample: 59ed1aab3071d7f437cd3bf2b174dbcd_JaffaCakes118.rtf
- Resource: win7-20240704-en
Behavioral task: behavioral2
- Sample: 59ed1aab3071d7f437cd3bf2b174dbcd_JaffaCakes118.rtf
- Resource: win10v2004-20240709-en
General
- Target: 59ed1aab3071d7f437cd3bf2b174dbcd_JaffaCakes118.rtf
- Size: 256KB
- MD5: 59ed1aab3071d7f437cd3bf2b174dbcd
- SHA1: b5824490723cbd3f783b338d8f98385de66bd53e
- SHA256: 4655abf24bcd2f0eec2cdb7114e9f5651b6a7b3d638d51e8f0cdf14ba05e298d
- SHA512: fd81bdeb615a66574dfa10af7e4791a8dbf72d0f0edaa04a9c4d0a2b640181ca59251995466afa21dd688b684fe8cbd5369f09e455e624c5e208fb833c2efa20
- SSDEEP: 6144:k0SbiAFcJX1KzCOBRcuMuSN23XiyZa364kTF3OVa3My+Z1L4m9PIiusC:k5biAFcd1CjK2CyZaq4+l73My+TsqIie
Malware Config
Signatures
- Drops file in Windows directory (1 IoC)
  description: File opened for modification | ioc: C:\Windows\Debug\WIA\wiatrace.log | Process: WINWORD.EXE
- Office loads VBA resources, possible macro or embedded object present
- Launches Equation Editor (1 TTP, 1 IoC)
  Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
  pid: 2016 | Process: EQNEDT32.EXE
- Suspicious behavior: AddClipboardFormatListener (1 IoC)
  pid: 560 | Process: WINWORD.EXE
- Suspicious use of SetWindowsHookEx (2 IoCs)
  pid: 560 | Process: WINWORD.EXE
  pid: 560 | Process: WINWORD.EXE
- Suspicious use of WriteProcessMemory (4 IoCs)
  description: PID 560 wrote to memory of 2796 | pid: 560 | Process: WINWORD.EXE | procid_target: 31
  description: PID 560 wrote to memory of 2796 | pid: 560 | Process: WINWORD.EXE | procid_target: 31
  description: PID 560 wrote to memory of 2796 | pid: 560 | Process: WINWORD.EXE | procid_target: 31
  description: PID 560 wrote to memory of 2796 | pid: 560 | Process: WINWORD.EXE | procid_target: 31
Processes
- C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE (PID: 560)
  Command line: "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\59ed1aab3071d7f437cd3bf2b174dbcd_JaffaCakes118.rtf"
  Signatures: Drops file in Windows directory; Suspicious behavior: AddClipboardFormatListener; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
  - C:\Windows\splwow64.exe (PID: 2796), child of PID 560
    Command line: C:\Windows\splwow64.exe 12288
- C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE (PID: 2016)
  Command line: "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
  Signatures: Launches Equation Editor
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 19KB
  MD5: 68bc7d0384019bf22ac5156fbf4ce65a
  SHA1: 6f9c49f95c8a549d293d77c7ed54a8974739f30f
  SHA256: fbcf1d8926c22e1e20e6330e54b93ac11120980d7c2bffc48752b01d1e995ec0
  SHA512: 21da624d16c2c7eca9cfece3ef60bcbd94430900a93669578e43c1fbaad593e68b3b03969385ee42f89de984590b1a519d356cd528ce3a43c540c2a02d7ec716