Analysis

  • max time kernel
    144s
  • max time network
    138s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
  • submitted
    14/08/2024, 18:59

General

  • Target

    974a5ad1bafb5b79f82344ed58b4a4e3_JaffaCakes118.doc

  • Size

    205KB

  • MD5

    974a5ad1bafb5b79f82344ed58b4a4e3

  • SHA1

    eb5a049eed82dae88d367b815667502d72b0e34b

  • SHA256

    ed76647779036186cfe280b8a241fedd1fffd5950d21cf9cfaedfe9fbca0fcab

  • SHA512

    5b2149e16b4c89f13549e1ba0390ebf1a7f85a2f90fe2dd1c3ca935a3534be8dd349238dbf08f82d9dbd49d051b6f2d3d4a795e1d4cfbf3800f8fb6a7ad2839c

  • SSDEEP

    1536:StPrT8wrLT0NeXxz1DwezHrTP5yX5J8b0KYcwzKIMkZQoJ5LqWIS8W/E:S2w3keXxz1DfH4cQz15J5LWS8L

Score
7/10

Malware Config

Signatures

  • Abuses OpenXML format to download file from external location 4 IoCs
  • Drops file in Windows directory 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempts to gather information about the system language of a victim host in order to infer that host's geographical location.

  • Office loads VBA resources, possible macro or embedded object present
  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 13 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\974a5ad1bafb5b79f82344ed58b4a4e3_JaffaCakes118.doc"
    1⤵
    • Abuses OpenXML format to download file from external location
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:620
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      2⤵
        PID:2060
    • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
      "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
      1⤵
      • Abuses OpenXML format to download file from external location
      • System Location Discovery: System Language Discovery
      • Enumerates system info in registry
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:2440
    • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
      "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding
      1⤵
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      PID:2268
    • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
      "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
      1⤵
      • Abuses OpenXML format to download file from external location
      • System Location Discovery: System Language Discovery
      • Enumerates system info in registry
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:2288
    • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
      "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
      1⤵
      • Abuses OpenXML format to download file from external location
      • System Location Discovery: System Language Discovery
      • Enumerates system info in registry
      • Suspicious use of SetWindowsHookEx
      PID:944

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-CNRY.FSD

      Filesize

      128KB

      MD5

      72f1b839058eeb817e86bc1f33926316

      SHA1

      2630472669851829769bf035da2e72bf55834a27

      SHA256

      e56f7fe36f6d06302a6b4770188562db07450b500fb0f01b04ae3ba535c6e950

      SHA512

      deece92123c52b37c7888da9e396a5c657b0dcc3e2f17f82b627e7f54994e61e4b6b9289d1dd729fd0bd78b5a7e375060ad41f25d93d753aed439fde88d2a4c9

    • C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{EBBD5463-E7D1-4442-95BB-F4B00D645DBC}.FSD

      Filesize

      128KB

      MD5

      3fbf9680edf86a4cf49c0c4865ab5bd2

      SHA1

      38f1516d9179eb27f252f644cf0bb3866496a60f

      SHA256

      2832f77e4565ea5c62abc8b8fd75345fdecee513d595978db46eac0218b44997

      SHA512

      5ce5d9ac1d98f56eda242378fd8511a2330f6d4f64f985a6236095ee8d078a470a931e8eb278c9a06d92bb5e750b1e074ae9e0d7f16b577199aa5be320640bb9

    • C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{EBBD5463-E7D1-4442-95BB-F4B00D645DBC}.FSD

      Filesize

      128KB

      MD5

      cf5abed52eec076a1f9e41606b9cfd72

      SHA1

      a906fc39b5dc93bd9fd24c9ffde37c9298cbdba0

      SHA256

      120eca5ed656b64c187222bc876e35f44090c6dfcc56271b31cf8a131bee628d

      SHA512

      15022bf7a6f9d05de9f823933779283fa18dea420d10d350eb5e4f4c0a133dba9fa63c01fa3ca3589a9892aa56edd78f5d254ee3c32856f4cf5d622a12775386

    • C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSF-CTBL.FSF

      Filesize

      114B

      MD5

      56e087f7530effd43208a25f5fc55457

      SHA1

      ffe520f400194da644560273afa8baaf9f82c9ee

      SHA256

      b4c8e7f362c31cb33f407388505fe0d2f8e676a2fa2dea118e56d6b073eddc78

      SHA512

      65e349e95443b3f010584a12aa5c8f7fbeb83d1344e2e57dc8a15c3d6acce43633d564f13292217659ac107b6b6ded0e539ef844a9bfcff48a0bfffbb18c803e

    • C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD

      Filesize

      128KB

      MD5

      963d9a0c6ed253328c24d527c5431974

      SHA1

      22458ee61cf2ff4d29ec23f32f10352bf564de38

      SHA256

      71b8cb086f3d730491489167a11bf09ed48293544a8252a8684580b00e7b9394

      SHA512

      a1eee1f931c36909638ea436c5af0232242f8ed4caee5a09dcca5ad29f10107daf8e043b46f2138d3e1a688c71fb932b3db772158755ee5424bc0d65355e2dbc

    • C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD

      Filesize

      128KB

      MD5

      cf2a5a0ea9484ed76f90cb0a05cad977

      SHA1

      1440eafb2433d58ae03e6c5a0edf5cd6a7ad7644

      SHA256

      00aef7ef9c100ba13e754f435cf918f938d3b7617705b06175deef0417cb4388

      SHA512

      d593c86d87b83a3bd9e7cad2b9c2b05f16c607be5e1c188dbab46bf1f8441f2249ef710c99f21e7529429f024716ae3af7c0b4a40230e1c8c9f614ded9d4609b

    • C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{93DF98B1-ACDD-49A8-82C4-21173676A784}.FSD

      Filesize

      128KB

      MD5

      699756aaf0af3f43ee837f30caea8ba5

      SHA1

      ae1489c9f2b241b4bebe2373fe947425eacb9448

      SHA256

      18f6f355e2ecc6f5614233bb61b3e1c7bb2ea74d7091cd98e6262f43b0134b1c

      SHA512

      ccd1fc749b66024dfbd3b6795415a21181b69a6c63dd958a8ed5fea2c29510fb944022611a1cdb41cb2fc031f5a44d27c7762177748c686853f37e91944fd68c

    • C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{93DF98B1-ACDD-49A8-82C4-21173676A784}.FSD

      Filesize

      128KB

      MD5

      1fb0c6de9a5c263cf6ebbcc5f6df7357

      SHA1

      71e7c8c7cb86b3cb1c13c5815d73c35290481417

      SHA256

      52f5f117c94788f6de9f15f8320a8c26bf8609f49133b2f55c04c6d200452f66

      SHA512

      7fe442a851abbb90dbf3ce395ce6d3e3ec8b977ba46e4b5b8e4893b68265f1efc632348fa0a3cf7352dd87cc8d94ce8771faab623f32b1e810675fa4bf63ada4

    • C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSF-{0E1EEE64-E8C6-4E2A-9759-63CF07FD8988}.FSF

      Filesize

      114B

      MD5

      83affe25e5fcb1c8bba14d593717576a

      SHA1

      45fc54e0a7670b2ec91bca12457c1cde8622a538

      SHA256

      51ed2609e8b5c4d32615201f50f0460e603e9bc97625a807077c00165cc93fd9

      SHA512

      3b28fd42e185dda70f5a011f0552512b2b585862dc299bcdb5adae3fd8d5bfbe7fefb3ed7bbd7cac77b76356d6ac6f02dfa433447f0a6fb295873fc19328070c

    • C:\Users\Admin\AppData\Local\Temp\VBE\MSForms.exd

      Filesize

      143KB

      MD5

      23b9b5ef23676e73a1bdedeb3d73187d

      SHA1

      c9c32bffc48cb1c46618fdcaf51e6a01bb89e9a1

      SHA256

      17a8f19d0d4b7a001a9d9f57bef8550036852b831df7719e183f6c0a1a2940cd

      SHA512

      bbbd260629310e4793b57839ef8bbe10c3e2839164c176567059b751f7fb9779035638dedf465ce250a4885c4d92512e95343a1b096ca45ad54cf3ea860219a4

    • C:\Users\Admin\AppData\Local\Temp\{DA1AD38F-A977-4DE4-9BF7-563BDDE208D7}

      Filesize

      128KB

      MD5

      dbbe06f386e470618fb3e681f127bf86

      SHA1

      17e2899b2f66fc596de2223a17a625d4aeda738a

      SHA256

      9c6de96bdb66d8a90ee34493107c96bf05fb16dadbeb2f467a8675eb3106b11f

      SHA512

      cbd6ff935d4f520d097a514f51ff307c0f96d72d58ce73ff445a7a845ace9f65def7256b85d6c951d6ab1dd3021e2ee1f1f2131efe89782cd476d33117870b37

    • C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

      Filesize

      19KB

      MD5

      82cb30a3cd955d19052049999587bb66

      SHA1

      b1987532d86292468618f9ff7807ccd3af243ea0

      SHA256

      783e45e0a765740a9477eae6893ea1d6524651c3e41eacee0e399db85d76912d

      SHA512

      69f01cf8e9ceb6a465b996b722c7485c39ea0afeef6292bf9654ffff20f6fad4bf4d4ca84ab63f49b9cf237c97d91e97fbd0f76fa8fcd63f786af7018009c379

    • memory/620-55-0x0000000004800000-0x0000000004900000-memory.dmp

      Filesize

      1024KB

    • memory/620-9-0x0000000000390000-0x0000000000490000-memory.dmp

      Filesize

      1024KB

    • memory/620-174-0x0000000000390000-0x0000000000490000-memory.dmp

      Filesize

      1024KB

    • memory/620-270-0x0000000000390000-0x0000000000490000-memory.dmp

      Filesize

      1024KB

    • memory/620-222-0x0000000000390000-0x0000000000490000-memory.dmp

      Filesize

      1024KB

    • memory/620-319-0x0000000000390000-0x0000000000490000-memory.dmp

      Filesize

      1024KB

    • memory/620-367-0x0000000000390000-0x0000000000490000-memory.dmp

      Filesize

      1024KB

    • memory/620-465-0x0000000000390000-0x0000000000490000-memory.dmp

      Filesize

      1024KB

    • memory/620-417-0x0000000000390000-0x0000000000490000-memory.dmp

      Filesize

      1024KB

    • memory/620-57-0x0000000000390000-0x0000000000490000-memory.dmp

      Filesize

      1024KB

    • memory/620-8-0x0000000000390000-0x0000000000490000-memory.dmp

      Filesize

      1024KB

    • memory/620-117-0x0000000000390000-0x0000000000490000-memory.dmp

      Filesize

      1024KB

    • memory/620-11-0x0000000000390000-0x0000000000490000-memory.dmp

      Filesize

      1024KB

    • memory/620-575-0x0000000000390000-0x0000000000490000-memory.dmp

      Filesize

      1024KB

    • memory/620-0-0x000000002FCB1000-0x000000002FCB2000-memory.dmp

      Filesize

      4KB

    • memory/620-56-0x000000000D4C0000-0x000000000D5C0000-memory.dmp

      Filesize

      1024KB

    • memory/620-10-0x0000000000390000-0x0000000000490000-memory.dmp

      Filesize

      1024KB

    • memory/620-12-0x0000000000390000-0x0000000000490000-memory.dmp

      Filesize

      1024KB

    • memory/620-7-0x0000000000390000-0x0000000000490000-memory.dmp

      Filesize

      1024KB

    • memory/620-5-0x0000000070EFD000-0x0000000070F08000-memory.dmp

      Filesize

      44KB

    • memory/620-2-0x0000000070EFD000-0x0000000070F08000-memory.dmp

      Filesize

      44KB

    • memory/620-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB