Analysis

  • max time kernel
    147s
  • max time network
    135s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
  • submitted
    14/08/2024, 18:46

General

  • Target

    973fbc8411b62a64fe079e7b50f663fa_JaffaCakes118.doc

  • Size

    241KB

  • MD5

    973fbc8411b62a64fe079e7b50f663fa

  • SHA1

    592a277ed9b564df350fc4b7f5f68b439d4e33ac

  • SHA256

    a2f5d168e115027b80d8445fd7b48504a49b2d04c603e404ac1f2d4ec2708a0b

  • SHA512

    26e8dec8b6428b93e1e304d68a2f8b94ddf8905e125341e069781fa3e79478dc276ebab8420e5ec1101923ebcee7f88db64485f51d679efdd8a69c0d010db317

  • SSDEEP

    1536:0terTkw9HnXPJguq73/IKB5Kby0g1CHrTPmy3K/dRYBEbk6TXubT+rWwta:0vw9HXPJguq73/IKBWyOcdSabVUTYhta

Score
7/10

Malware Config

Signatures

  • Abuses OpenXML format to download file from external location 2 IoCs
  • Drops file in Windows directory 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Office loads VBA resources, possible macro or embedded object present
  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious use of SetWindowsHookEx 10 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\973fbc8411b62a64fe079e7b50f663fa_JaffaCakes118.doc"
    1⤵
    • Abuses OpenXML format to download file from external location
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2120
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      2⤵
        PID:2692
    • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
      "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
      1⤵
      • Abuses OpenXML format to download file from external location
      • System Location Discovery: System Language Discovery
      • Enumerates system info in registry
      • Suspicious use of SetWindowsHookEx
      PID:3020

Network

MITRE ATT&CK Enterprise v15

Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{327080E1-9D49-4B0D-BA43-AEFA06D63D48}.FSD

      Filesize

      128KB

      MD5

      f824df0fab5e960cd18fa6d7847187b1

      SHA1

      45cb31bd47223f7ab89b7440d551477227210c1e

      SHA256

      ced61b30874cbe1fab6dbeea289e1d515324c507fcbdc0aa915047686cda00cd

      SHA512

      ef8ac3ea4a6cee424d70dbff7c8084f12a1bf7bf81cb2dd26ea20fff55ec12a8fb0eea9d8b8f5f0921e027df928a42ea3d83325526295cfd8075184d1737c177

    • C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD

      Filesize

      128KB

      MD5

      f6d6ab9aa5f48929ffc9960993712dfa

      SHA1

      672700e695192f3c71381c73a63f348c43c314ce

      SHA256

      3d78cadaace4e3bac947a7dce9431afe3c67ee1b213ac4aa747267d5be5e8a9b

      SHA512

      e86dbc331fd661d5f419c8f1ebe2e657177f8d2734ad7b68aa913ea4cc6d3bf30fce14665cdcb88d5440a998f436b40260620275aae3a5c6f64072e6136f9d2a

    • C:\Users\Admin\AppData\Local\Temp\{E58CB990-D752-4778-A130-9D3AF9E86F4E}

      Filesize

      128KB

      MD5

      eb6759e1672c8e8ebf923073d92c6f36

      SHA1

      0330cdc88d73fc7a75aceb96141f6bc37143aac1

      SHA256

      df4f1be913a218f65ccddc80a4b547db159e085ab4da4c139c5e98b22948ca53

      SHA512

      0ad3ce072e3e339ce82ba20b977b0c1b3a51b123f09d254f97ef99b46e646fb18c0a203218e2313d421d22b2213a2727e89ca991c98f8204ba4a9be47a8aacf9

    • memory/2120-0-0x000000002F331000-0x000000002F332000-memory.dmp

      Filesize

      4KB

    • memory/2120-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB

    • memory/2120-2-0x00000000710FD000-0x0000000071108000-memory.dmp

      Filesize

      44KB

    • memory/2120-5-0x00000000710FD000-0x0000000071108000-memory.dmp

      Filesize

      44KB

    • memory/2120-55-0x0000000000690000-0x0000000000790000-memory.dmp

      Filesize

      1024KB

    • memory/2120-510-0x0000000000690000-0x0000000000790000-memory.dmp

      Filesize

      1024KB

    • memory/2120-511-0x000000000F3F0000-0x000000000F4F0000-memory.dmp

      Filesize

      1024KB