Analysis
- max time kernel: 102s
- max time network: 19s
- platform: windows7_x64
- resource: win7-20240704-en
- resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
- submitted: 24/07/2024, 00:29
Static task: static1
Behavioral task: behavioral1
  Sample: 69924bcb5029826f6f64b54c66f67e4f_JaffaCakes118.doc
  Resource: win7-20240704-en
Behavioral task: behavioral2
  Sample: 69924bcb5029826f6f64b54c66f67e4f_JaffaCakes118.doc
  Resource: win10v2004-20240704-en
General
- Target: 69924bcb5029826f6f64b54c66f67e4f_JaffaCakes118.doc
- Size: 82KB
- MD5: 69924bcb5029826f6f64b54c66f67e4f
- SHA1: 70b15f249f52304494a40a3b5c66144297e1b194
- SHA256: c6450238b8d31d193cf66d19fc54e598bae95ea43d4d0b71854fd72c46af1e16
- SHA512: 6766a5e4b0f93ad0f1c0ae0ed2d3d8d763ed87d62ec2141ac46c29d6f60462a633ba78587e708365155867d767e38ae39285634a68170df3ce895297e53ba033
- SSDEEP: 768:L1/pInbeZ/d7dkTgrh3fZMnZSV0DK6xHqGp/xRS:ziehnZMsf6HD
Malware Config
Signatures
- Drops file in Windows directory 1 IoCs
  description | ioc | Process
  File opened for modification | C:\Windows\Debug\WIA\wiatrace.log | WINWORD.EXE
- System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WINWORD.EXE
- Office loads VBA resources, possible macro or embedded object present
- Suspicious behavior: AddClipboardFormatListener 1 IoCs
  pid | Process
  1996 | WINWORD.EXE
- Suspicious use of SetWindowsHookEx 2 IoCs
  pid | Process
  1996 | WINWORD.EXE
  1996 | WINWORD.EXE
- Suspicious use of WriteProcessMemory 4 IoCs
  description | pid | Process | procid_target
  PID 1996 wrote to memory of 840 | 1996 | WINWORD.EXE | 29
  PID 1996 wrote to memory of 840 | 1996 | WINWORD.EXE | 29
  PID 1996 wrote to memory of 840 | 1996 | WINWORD.EXE | 29
  PID 1996 wrote to memory of 840 | 1996 | WINWORD.EXE | 29
Processes
- C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
  "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\69924bcb5029826f6f64b54c66f67e4f_JaffaCakes118.doc"
  PID:1996
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Windows\splwow64.exe
    C:\Windows\splwow64.exe 12288
    PID:840
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 29KB
  MD5: 12184d8b26a04f2c9de2bb49e0d20f30
  SHA1: 1c31fb6fcb16cde94fa991a8d19d808f0c57a461
  SHA256: 5c024b8054308d76d35b13602060ab2c0f7768a4744e76a5af11edb25bcac340
  SHA512: b024df4b631ed481ac4e3b76c857b0bab3ca7b5a6025a4c8665bf5da5e33450dfad33abae66cfad95d2e24309d35de2b818b3403ac5a4c98ccb240d5f8d3e4fe