Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
  • submitted
    15/08/2024, 23:10

General

  • Target

    9bfedc7eaf8c3fab6b036b434c3571a6_JaffaCakes118.doc

  • Size

    234KB

  • MD5

    9bfedc7eaf8c3fab6b036b434c3571a6

  • SHA1

    106f7f5925ec5be17d59030967905fe9f78722ac

  • SHA256

    7af2939fc061dcfdfcc640f224a4f1f73efa5b49113f0900324def05c0ec84d3

  • SHA512

    630eca49e7a87149e472e52a00e253801279fb804349aaad847f0eda4756d821b5711720f355790f2fb9636b9b668b5ee10e3165010c39d4fea412cb6538f7d1

  • SSDEEP

    1536:CterThwxEM5OsmqrmrAK9hbUrHrTP9yQK/dRYz10RzwadtVXMz:CUwxv5OsmqrmrAKH4adSzKkMLMz

Score
7/10

Malware Config

Signatures

  • Abuses OpenXML format to download file from external location 5 IoCs
  • Drops file in Windows directory 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Office loads VBA resources, possible macro or embedded object present
  • Enumerates system info in registry 2 TTPs 4 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of SetWindowsHookEx 14 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\9bfedc7eaf8c3fab6b036b434c3571a6_JaffaCakes118.doc"
    1⤵
    • Abuses OpenXML format to download file from external location
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2308
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      2⤵
        PID:2692
    • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
      "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
      1⤵
      • Abuses OpenXML format to download file from external location
      • System Location Discovery: System Language Discovery
      • Enumerates system info in registry
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:936
    • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
      "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding
      1⤵
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      PID:1048
    • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
      "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
      1⤵
      • Abuses OpenXML format to download file from external location
      • System Location Discovery: System Language Discovery
      • Enumerates system info in registry
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:772
    • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
      "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
      1⤵
      • Abuses OpenXML format to download file from external location
      • System Location Discovery: System Language Discovery
      • Enumerates system info in registry
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:1708
    • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
      "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
      1⤵
      • Abuses OpenXML format to download file from external location
      • System Location Discovery: System Language Discovery
      • Enumerates system info in registry
      • Suspicious use of SetWindowsHookEx
      PID:892

Network

MITRE ATT&CK Enterprise v15


Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-CNRY.FSD

      Filesize

      128KB

      MD5

      979da8e51b79a1d7b3a5f422cb9a08e3

      SHA1

      078b63ce6b7a279129e3665bea0feff3205f9aab

      SHA256

      422a5541c6ed465b9084ea1f8c3b4a61f2f9e1723d0bb401a3a37d4af2192b9f

      SHA512

      ed68e06533c66a5b73c9eaee3dee6a4ccaab4df9f3e432f3f7bbd3e6025e71fc3385a0c7118179f55931e63a57d6d079c7c5d91d9bfb9218e912e26d4deb1f85

    • C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{974C491D-3C34-4ADA-88C9-DD560DF621AC}.FSD

      Filesize

      128KB

      MD5

      46c84d332708de5898f1118027ed9022

      SHA1

      a8c0a371260482c9049996cf44a90706699d9b72

      SHA256

      d37fcc39381c27dfa43bb2d9788e1e9ff7923996f174b55ad8bfa44d1d38e8e2

      SHA512

      0c006212ca20e60d8de90cb92b0ff817d088d271722a51d3ca994bae31e67e82c76aa7d743a33e7489e862ee3254f019d8b2d6bcf821e6baa80465e4527290d4

    • C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{974C491D-3C34-4ADA-88C9-DD560DF621AC}.FSD

      Filesize

      128KB

      MD5

      acb2dc9d1d60d4be52b34a01105e33d4

      SHA1

      2977a8e254de0fe91731c3c5555ae1dc51b6a0b0

      SHA256

      cab03330db0ce720331bbe997efb37ca5d3bb5183748f3977f9693fdb1245508

      SHA512

      e750891a8b70af849f157713df7b887175b582633b05d1e45907e410e24f3d9407dbd55436ba5dcab018f54504d4c7914cb1c5c70a32667d4a7b2563118a22cb

    • C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSF-CTBL.FSF

      Filesize

      114B

      MD5

      09f7dfa9087bfb4b4ecbc8b2bab40f14

      SHA1

      74e95353545c43304af23e36d5f74c25bc7d3eb8

      SHA256

      39cc0e9bac70124e22a1bc5fb093baf9f7c0542d379c577c3f911a0ea0ed5dda

      SHA512

      2eb717dbefee23c2e858f5cb9511df31d2b09c5d3a5eb5cdfbac4cb550912e212a06f11f131327ec65aa62da96d36ac5eef8b5734fbceed642a1b8797c7dba2c

    • C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD

      Filesize

      128KB

      MD5

      8ad597caee326e32ef7f66586f74b05c

      SHA1

      413308abc84d8126a29f3c3e15b2d37ac9df4137

      SHA256

      3afebf6e75b0f119b62a9e48a8eb02b2bff8a79c227def46bc45d6702e60a5d5

      SHA512

      5ea0c45b9fd21732bb949fd2f945d472f65d0f5f12151cd61e00f478f6444e9255bc2606c9b502aba40306a5d6fbff2a5be049953178cc6e175c79a104715830

    • C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD

      Filesize

      128KB

      MD5

      0c7bafa3d83761b5c2ba870cfb0d4b00

      SHA1

      79496b6c2591ce83ea62167232b45e7817b20a1a

      SHA256

      3c3a28ede599c11e1b7d697d8a6ebcb32232f88d08698b8a0065577725eabd42

      SHA512

      45fdc6e937077a4b1d8685fd4260dc705ce402c2a5c0972c7a0cce2d2b5e002726f28b685258e3f37f4a0f5c2e7999cb762e201da0d546ccb9378b9bbfeaa002

    • C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{C2706DC5-E199-4FCC-AB94-56588839A3C0}.FSD

      Filesize

      128KB

      MD5

      5cb7d1ee95b713b55e804e56f067b0d1

      SHA1

      4632fe9c05d64fff635998ae1b7da26fb8bf1ba4

      SHA256

      d6fbcfd817c92420bb1d5878a4f53e1f1425b22d337565b5039d0885cc96ddc6

      SHA512

      24067b4989b439c563af5341e5b65be4394afc6dee0e2562e846268d58395cecce198a9b415668e8079d0a51a9098d6d79bb9d6351050c3b5e7b5cce1549c03e

    • C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{C2706DC5-E199-4FCC-AB94-56588839A3C0}.FSD

      Filesize

      128KB

      MD5

      c588226cfff4e080029eacaed537deb8

      SHA1

      2686f5d06f8ecb34ba1f8e8589c0b06fb757ac24

      SHA256

      3862734e0442b5eda9d47d4118b8dbb3fd8d84157c53ea6b9f16b98ba054316d

      SHA512

      e54468646eb90f660724a9f08aa12ef3bdcc67b79099b932e3a0fd462fc441dcf6d3fe1cf1bd07cce9ac6ffb8e16a406f4669bd057e02640525243f1dcad05a1

    • C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSF-{0E1EEE64-E8C6-4E2A-9759-63CF07FD8988}.FSF

      Filesize

      114B

      MD5

      2463b70ae81dde2232078bbd32e4c620

      SHA1

      6ac326eb9ef865647e798ad890e8f094f6f0a531

      SHA256

      bd66ff8f468e97e519ecbd6ecf78d61a6a9bf831099bef53363bce8e234c3ee8

      SHA512

      710f73a2f8337590caa81b9489e802d8fe63a9d283e02542cf3de7d73a610a2bd907d67c2081d69024e73f69cc09d3e9893bd8e43b2334f6d542b344f6a0f5e8

    • C:\Users\Admin\AppData\Local\Temp\VBE\MSForms.exd

      Filesize

      143KB

      MD5

      ef52b10af51f5821457dee22b583ed36

      SHA1

      be0223f91758f86fee3d093efa5f44eb6bce7458

      SHA256

      b0ec45f16c8fa8887992418b72f2d162c82a82824ab2b323e1b6b05d6b17c8cb

      SHA512

      ca8000b90f0f9564c3641ed71ab8c4e0ab854edbd701ecee99593b41331b54de2bd4827ca16d6cd2ac0e5e2140f73945ba0bb670cac7fafb8d32b6728516154e

    • C:\Users\Admin\AppData\Local\Temp\{C077EC55-D48E-41C9-A22D-FC041D783642}

      Filesize

      128KB

      MD5

      524ebbc9e961ac36c6c3ea3c90c88cd9

      SHA1

      b5198e00fac9384a4121e59e4694d35ad6889067

      SHA256

      24961422305ecfefd26e5e430c27442ce7a525dc4bc7fd49dc6e4ec89dac2044

      SHA512

      d5c91415b88f375f3bdef1dfb55d30f8954e4910f3a1e78ad96f102161f353590a4d7c6933493b0b60f7e27b959dd36d2ff0fdffef066f980e9d592ecbf54152

    • C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

      Filesize

      19KB

      MD5

      16813db43aa061d5ab7e426a218e1a2c

      SHA1

      3aede5b75652f018c56588c12a7852ae4870fd75

      SHA256

      85589d05630af3ebcb16724c8814c09c43b7e38ea3b71ae5006feede59e2f8c9

      SHA512

      55c1d31f57a530c3663bcf30d767988b3f239a522d7ffe9f8b31637421e1eca0c8eed448ebdb2e434b0912b3908049df5300b54a531527efc91848d762a685f8

    • C:\Users\Admin\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC

      Filesize

      2B

      MD5

      f3b25701fe362ec84616a93a45ce9998

      SHA1

      d62636d8caec13f04e28442a0a6fa1afeb024bbb

      SHA256

      b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

      SHA512

      98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

    • memory/2308-36-0x0000000000710000-0x0000000000810000-memory.dmp

      Filesize

      1024KB

    • memory/2308-29-0x0000000000710000-0x0000000000810000-memory.dmp

      Filesize

      1024KB

    • memory/2308-58-0x0000000000710000-0x0000000000810000-memory.dmp

      Filesize

      1024KB

    • memory/2308-56-0x0000000000710000-0x0000000000810000-memory.dmp

      Filesize

      1024KB

    • memory/2308-55-0x0000000000710000-0x0000000000810000-memory.dmp

      Filesize

      1024KB

    • memory/2308-54-0x0000000000710000-0x0000000000810000-memory.dmp

      Filesize

      1024KB

    • memory/2308-53-0x0000000000710000-0x0000000000810000-memory.dmp

      Filesize

      1024KB

    • memory/2308-52-0x0000000000710000-0x0000000000810000-memory.dmp

      Filesize

      1024KB

    • memory/2308-51-0x0000000000710000-0x0000000000810000-memory.dmp

      Filesize

      1024KB

    • memory/2308-49-0x0000000000710000-0x0000000000810000-memory.dmp

      Filesize

      1024KB

    • memory/2308-48-0x0000000000710000-0x0000000000810000-memory.dmp

      Filesize

      1024KB

    • memory/2308-47-0x0000000000710000-0x0000000000810000-memory.dmp

      Filesize

      1024KB

    • memory/2308-46-0x0000000000710000-0x0000000000810000-memory.dmp

      Filesize

      1024KB

    • memory/2308-45-0x0000000000710000-0x0000000000810000-memory.dmp

      Filesize

      1024KB

    • memory/2308-44-0x0000000000710000-0x0000000000810000-memory.dmp

      Filesize

      1024KB

    • memory/2308-43-0x0000000000710000-0x0000000000810000-memory.dmp

      Filesize

      1024KB

    • memory/2308-42-0x0000000000710000-0x0000000000810000-memory.dmp

      Filesize

      1024KB

    • memory/2308-41-0x0000000000710000-0x0000000000810000-memory.dmp

      Filesize

      1024KB

    • memory/2308-40-0x0000000000710000-0x0000000000810000-memory.dmp

      Filesize

      1024KB

    • memory/2308-39-0x0000000000710000-0x0000000000810000-memory.dmp

      Filesize

      1024KB

    • memory/2308-37-0x0000000000710000-0x0000000000810000-memory.dmp

      Filesize

      1024KB

    • memory/2308-60-0x000000000F1D0000-0x000000000F2D0000-memory.dmp

      Filesize

      1024KB

    • memory/2308-34-0x0000000000710000-0x0000000000810000-memory.dmp

      Filesize

      1024KB

    • memory/2308-33-0x0000000000710000-0x0000000000810000-memory.dmp

      Filesize

      1024KB

    • memory/2308-32-0x0000000000710000-0x0000000000810000-memory.dmp

      Filesize

      1024KB

    • memory/2308-31-0x0000000000710000-0x0000000000810000-memory.dmp

      Filesize

      1024KB

    • memory/2308-30-0x0000000000710000-0x0000000000810000-memory.dmp

      Filesize

      1024KB

    • memory/2308-59-0x0000000000710000-0x0000000000810000-memory.dmp

      Filesize

      1024KB

    • memory/2308-28-0x0000000000710000-0x0000000000810000-memory.dmp

      Filesize

      1024KB

    • memory/2308-27-0x0000000000710000-0x0000000000810000-memory.dmp

      Filesize

      1024KB

    • memory/2308-26-0x0000000000710000-0x0000000000810000-memory.dmp

      Filesize

      1024KB

    • memory/2308-25-0x0000000000710000-0x0000000000810000-memory.dmp

      Filesize

      1024KB

    • memory/2308-24-0x0000000000710000-0x0000000000810000-memory.dmp

      Filesize

      1024KB

    • memory/2308-23-0x0000000000710000-0x0000000000810000-memory.dmp

      Filesize

      1024KB

    • memory/2308-22-0x0000000000710000-0x0000000000810000-memory.dmp

      Filesize

      1024KB

    • memory/2308-21-0x0000000000710000-0x0000000000810000-memory.dmp

      Filesize

      1024KB

    • memory/2308-20-0x0000000000710000-0x0000000000810000-memory.dmp

      Filesize

      1024KB

    • memory/2308-19-0x0000000000710000-0x0000000000810000-memory.dmp

      Filesize

      1024KB

    • memory/2308-18-0x0000000000710000-0x0000000000810000-memory.dmp

      Filesize

      1024KB

    • memory/2308-17-0x0000000000710000-0x0000000000810000-memory.dmp

      Filesize

      1024KB

    • memory/2308-16-0x0000000000710000-0x0000000000810000-memory.dmp

      Filesize

      1024KB

    • memory/2308-15-0x0000000000710000-0x0000000000810000-memory.dmp

      Filesize

      1024KB

    • memory/2308-14-0x0000000000710000-0x0000000000810000-memory.dmp

      Filesize

      1024KB

    • memory/2308-57-0x0000000000710000-0x0000000000810000-memory.dmp

      Filesize

      1024KB

    • memory/2308-38-0x0000000000710000-0x0000000000810000-memory.dmp

      Filesize

      1024KB

    • memory/2308-35-0x0000000000710000-0x0000000000810000-memory.dmp

      Filesize

      1024KB

    • memory/2308-11-0x0000000000710000-0x0000000000810000-memory.dmp

      Filesize

      1024KB

    • memory/2308-9-0x0000000070DDD000-0x0000000070DE8000-memory.dmp

      Filesize

      44KB

    • memory/2308-2-0x0000000070DDD000-0x0000000070DE8000-memory.dmp

      Filesize

      44KB

    • memory/2308-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB

    • memory/2308-0-0x000000002F381000-0x000000002F382000-memory.dmp

      Filesize

      4KB

    • memory/2308-13-0x0000000000710000-0x0000000000810000-memory.dmp

      Filesize

      1024KB

    • memory/2308-12-0x0000000000710000-0x0000000000810000-memory.dmp

      Filesize

      1024KB

    • memory/2308-50-0x0000000000710000-0x0000000000810000-memory.dmp

      Filesize

      1024KB

    • memory/2308-75-0x0000000000710000-0x0000000000810000-memory.dmp

      Filesize

      1024KB

    • memory/2308-61-0x0000000000710000-0x0000000000810000-memory.dmp

      Filesize

      1024KB