Analysis
max time kernel: 119s
max time network: 125s
platform: windows7_x64
resource: win7-20240704-en
resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
submitted: 02/08/2024, 00:47
Static task: static1
Behavioral task: behavioral1
  Sample: 8264f0f80077c2bb7deca3f8c489bdbb_JaffaCakes118.rtf
  Resource: win7-20240704-en
Behavioral task: behavioral2
  Sample: 8264f0f80077c2bb7deca3f8c489bdbb_JaffaCakes118.rtf
  Resource: win10v2004-20240730-en
General
Target: 8264f0f80077c2bb7deca3f8c489bdbb_JaffaCakes118.rtf
Size: 12KB
MD5: 8264f0f80077c2bb7deca3f8c489bdbb
SHA1: 736c59bcb2f65a0575d9cdb19993a3336c246906
SHA256: 1a4ef62200ee36c2b8c4dffff031cba842d2df0a51312708a062f744bded6ac5
SHA512: bbb6dd6c7cd9dc32b69aaf18775602cdfdf6860c3bd6c56e5da367e0cce9b203d8560ac92d570bf5681878c5c5b960e4317a4d9f329aa426f2b1510c7940848b
SSDEEP: 192:+WX7h3JKumCAPMGAitsEgev0Y9HPO1kdBRfeKCrexaxKHzGkVJ:+WLtIIA/AGDdv1HQkJfWreIsTt
Malware Config
Signatures
- Drops file in Windows directory (1 IoC)
  description: File opened for modification
  ioc: C:\Windows\Debug\WIA\wiatrace.log
  Process: WINWORD.EXE
- System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description: Key opened
  ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  Process: WINWORD.EXE
  description: Key opened
  ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  Process: EQNEDT32.EXE
Office loads VBA resources, possible macro or embedded object present
- Launches Equation Editor (1 TTP, 1 IoC)
  Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
  pid: 2588
  Process: EQNEDT32.EXE
- Suspicious behavior: AddClipboardFormatListener (1 IoC)
  pid: 1948
  Process: WINWORD.EXE
- Suspicious use of FindShellTrayWindow (2 IoCs)
  pid: 1948, Process: WINWORD.EXE
  pid: 1948, Process: WINWORD.EXE
- Suspicious use of SetWindowsHookEx (2 IoCs)
  pid: 1948, Process: WINWORD.EXE
  pid: 1948, Process: WINWORD.EXE
- Suspicious use of WriteProcessMemory (4 IoCs)
  description: PID 1948 wrote to memory of 2504, pid: 1948, Process: WINWORD.EXE, procid_target: 33
  description: PID 1948 wrote to memory of 2504, pid: 1948, Process: WINWORD.EXE, procid_target: 33
  description: PID 1948 wrote to memory of 2504, pid: 1948, Process: WINWORD.EXE, procid_target: 33
  description: PID 1948 wrote to memory of 2504, pid: 1948, Process: WINWORD.EXE, procid_target: 33
Processes
- C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
  Command line: "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\8264f0f80077c2bb7deca3f8c489bdbb_JaffaCakes118.rtf"
  PID: 1948
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Windows\splwow64.exe (child of PID 1948)
    Command line: C:\Windows\splwow64.exe 12288
    PID: 2504
- C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
  Command line: "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
  PID: 2588
  - System Location Discovery: System Language Discovery
  - Launches Equation Editor
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 19KB
  MD5: 79159f12fbfd307cf97297457005a698
  SHA1: 40377891a4230fd2ae11005e56174350be9bcc82
  SHA256: f56b24eb70b7b7ebcd59fa8c7931399f2a315821274a6c446a3a8d67f00d154a
  SHA512: 9f7e82e73f26b83d51dadc5929ed9ad7be525f655295097b7430d8de07aa3078919144b11047348dcc85f3db25a091316c1e02f6dc85e7adfe633a3bde01eff5