Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    148s
  • max time network
    145s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
  • submitted
    14/08/2024, 19:18

General

  • Target

    97577f16260e6f0a4aa45450e6a2a156_JaffaCakes118.doc

  • Size

    243KB

  • MD5

    97577f16260e6f0a4aa45450e6a2a156

  • SHA1

    ba236bd03be3bbfbfd1898d6993c9321079fe0a8

  • SHA256

    9bc77f6c5cd90159c6171fbf7e2131048b0e5d0dfd21cef3d8b3f086dffc6953

  • SHA512

    f8ff8102b733c0feadae8fc50f903980ad5a7791e8c415969d18b7f222c4bd1e4cc6e089162c5f8d8fe86ebd6544798ff07c2ee44516a6da3a8903aee0c17377

  • SSDEEP

    3072:UOw0pklIiuq73/IKBdsZMdSYdyu0O9iCF60:UO5pklIo73wAzUYQOpP

Score
7/10

Malware Config

Signatures

  • Abuses OpenXML format to download file from external location 2 IoCs
  • Drops file in Windows directory 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Office loads VBA resources, possible macro or embedded object present
  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious use of SetWindowsHookEx 10 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs
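
The signature "Abuses OpenXML format to download file from external location" fires on relationship metadata, not on macros: an OOXML document is a zip of XML parts, and each part's `_rels/*.rels` file may carry a `TargetMode="External"` relationship whose target is a URL. For relationship types Office resolves automatically on open (an attached template, a linked oleObject, a frame, an image), the document fetches that resource with no VBA involved. The signature name also tells you the container is OOXML even though the sample carries a `.doc` extension, so a magic-byte check comes before anything else. The script below is an added example written for this page, not tria.ge's own detection logic; the sample document it scans is constructed inline, and the `example.invalid` URL and the embedded-worksheet filename are placeholders, not IoCs from this report. It also lists embedded OLE parts, which is the static counterpart of the `EXCEL.EXE /automation -Embedding` child seen in the process tree.

```python
"""Static triage for OOXML documents: external relationships and embedded objects.

Added example, not code from the tria.ge report. The sample docx is built
in memory; its URL and part names are placeholders.
"""
import io
import json
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy binary .doc/.xls container
ZIP_MAGIC = b"PK\x03\x04"                          # OOXML zip, whatever the extension says
RISKY_SCHEMES = {"http", "https", "ftp", "file", "smb"}
# Relationship types whose external target Office fetches on open, without a macro
AUTO_FETCH_TYPES = {
    "attachedTemplate",  # word/settings.xml -> remote .dotm (template-injection route)
    "oleObject",         # linked object pulled from a remote location
    "frame",             # frame whose source is an external document
    "image",             # remote image, also used as an open-beacon
}


def container_type(data: bytes) -> str:
    """Classify by magic bytes; the file extension is not trustworthy."""
    if data.startswith(ZIP_MAGIC):
        return "ooxml"
    if data.startswith(OLE_MAGIC):
        return "ole2"
    return "unknown"


def external_relationships(data: bytes):
    """Yield (rels_part, rel_type, target) for every TargetMode="External" relationship."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                if rel.get("TargetMode", "Internal") != "External":
                    continue
                rel_type = rel.get("Type", "").rsplit("/", 1)[-1]
                yield name, rel_type, rel.get("Target", "")


def embedded_objects(data: bytes):
    """Embedded OLE/package parts; an embedded workbook is why EXCEL.EXE starts with -Embedding."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return [n for n in zf.namelist() if "/embeddings/" in n]


def triage(data: bytes) -> dict:
    """Flag auto-fetched external targets with a network/file scheme; plain hyperlinks are ignored."""
    kind = container_type(data)
    result = {"container": kind, "external_fetch": [], "embedded": []}
    if kind != "ooxml":
        return result  # OLE2 .doc files need an OLE parser, not a zip walk
    for part, rel_type, target in external_relationships(data):
        scheme = urlparse(target).scheme.lower()
        if rel_type in AUTO_FETCH_TYPES and scheme in RISKY_SCHEMES:
            result["external_fetch"].append({"part": part, "type": rel_type, "target": target})
    result["embedded"] = embedded_objects(data)
    return result


def build_sample_docx() -> bytes:
    """Constructed minimal docx: one external oleObject link, one embedded workbook stub, one hyperlink."""
    rels = (
        f'<Relationships xmlns="{REL_NS}">'
        '<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject" '
        'Target="http://example.invalid/stage2.xlsx" TargetMode="External"/>'
        '<Relationship Id="rId2" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/package" '
        'Target="embeddings/Microsoft_Excel_Worksheet1.xlsx"/>'
        '<Relationship Id="rId3" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/hyperlink" '
        'Target="https://example.invalid/" TargetMode="External"/>'
        "</Relationships>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<document/>")
        zf.writestr("word/_rels/document.xml.rels", rels)
        zf.writestr("word/embeddings/Microsoft_Excel_Worksheet1.xlsx", b"PK\x03\x04stub")
    return buf.getvalue()


if __name__ == "__main__":
    print(json.dumps(triage(build_sample_docx()), indent=2))
```

Run it against a real sample by replacing `build_sample_docx()` with the file's bytes. A hit in `external_fetch` is the static equivalent of this signature; `embedded` entries tell you which Office application to expect as a child process. An `ole2` result means the file really is a legacy binary document and this zip-based check does not apply.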

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\97577f16260e6f0a4aa45450e6a2a156_JaffaCakes118.doc"
    1⤵
    • Abuses OpenXML format to download file from external location
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2516
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      2⤵
        PID:2872
    • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
      "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
      1⤵
      • Abuses OpenXML format to download file from external location
      • System Location Discovery: System Language Discovery
      • Enumerates system info in registry
      • Suspicious use of SetWindowsHookEx
      PID:2436

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{31C0C5E2-6F3B-4857-B658-934B0AA864BB}.FSD

      Filesize

      128KB

      MD5

      b97d9636e977653a53b5d2039c7baf18

      SHA1

      d8d0c60014713ce1905f000da0810a136f11fe94

      SHA256

      abf61e34df6190c6fcc00eb9832f6358bdd57242ec2afc49098a46177f73f361

      SHA512

      08bde218dc9e6670e026fbf729a9e7b622cf591f4a6cce06fc99252aeda776254a71dedd394d9389e4e9861c7a5b537cbc845e6f7776a579f3c7584271e82d84

    • C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD

      Filesize

      128KB

      MD5

      6616d93dc627dae8fa2482a0ce3f5d02

      SHA1

      1cf3d459a8fe59afda1d6c86d49b6022d5510cb1

      SHA256

      17656f8da0bf6305d684599937fcc65c6cb15463a9d2df44213e856a81ed86d4

      SHA512

      d26f79dcca17ee596905e94a74bc104a59a1353d6aacc1a117ea524dcae5680445bafa2a75ba05edae0cf1f721b6d8da14330658bab9e6faa797d656214c774a

    • C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{5699F3A9-DC85-4F5A-8FBD-EB579CC82CD6}.FSD

      Filesize

      128KB

      MD5

      de44ea1f25ce5bd84616c5ff00e09ca8

      SHA1

      48cf2f15671121d8e2add9e5d0930ef91de181b9

      SHA256

      5503007612d859173b9f9b674775a96ad56a15bf13d3f9d211b65cd76b29c301

      SHA512

      b0fd0e7be348b0a32b0141fea09fff444abc3ca8071d1e8503cbd4e106cd5c2cb2597db7ed7a4926d2535fe18555b6efc2c5ffb4da8c9ce17770f6d782866390

    • C:\Users\Admin\AppData\Local\Temp\{2EFCBC7B-1F1B-4127-98C8-88830F476CEF}

      Filesize

      128KB

      MD5

      853f486302fa614627e6e41af5786aab

      SHA1

      f7dd8c40fd7efa3c69095187dfbc281311248a4f

      SHA256

      1e038b1c036a2770efb7ccc92da5efa841732e499ab8e436d6eb8c8d93a5b212

      SHA512

      505fe5c507b1ceca23b45c9c79737d1f46af7935f837515e164f7a046637b9f1764f97838daf0d4cb445c5ff84b708be70f86a126e51c90ab1d83ed57e5755e9

    • C:\Users\Admin\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex

      Filesize

      2B

      MD5

      f3b25701fe362ec84616a93a45ce9998

      SHA1

      d62636d8caec13f04e28442a0a6fa1afeb024bbb

      SHA256

      b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

      SHA512

      98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

    • memory/2516-0-0x000000002F591000-0x000000002F592000-memory.dmp

      Filesize

      4KB

    • memory/2516-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB

    • memory/2516-2-0x0000000070E7D000-0x0000000070E88000-memory.dmp

      Filesize

      44KB

    • memory/2516-18-0x0000000070E7D000-0x0000000070E88000-memory.dmp

      Filesize

      44KB

    • memory/2516-68-0x0000000004E90000-0x0000000005090000-memory.dmp

      Filesize

      2.0MB

    • memory/2516-69-0x0000000010510000-0x0000000010610000-memory.dmp

      Filesize

      1024KB

    • memory/2516-524-0x0000000004E90000-0x0000000005090000-memory.dmp

      Filesize

      2.0MB