Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    144s
  • max time network
    132s
  • platform
    windows7_x64
  • resource
    win7-20240729-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
  • submitted
    15/08/2024, 05:45

General

  • Target
    99182162ec6fa6c4752150d37e3f8a7b_JaffaCakes118.doc
  • Size
    242KB
  • MD5
    99182162ec6fa6c4752150d37e3f8a7b
  • SHA1
    34443a18c9ed12b81f2d83c410d9b20135194c6e
  • SHA256
    dc200eaa002ca7c77b6a41874ed1905ab31095adab67e438dc0ba94810d9852d
  • SHA512
    c66823a06666c55b609b2e5a54b6b91d429084e10dc50f10a777c94f2cc9f84b71e085d7fe36fa16cbd654534c11a8c51bb6472be39f3b13d637d06c79119bcf
  • SSDEEP
    1536:Eterikw0HJzwlIiuq73/IKBPdbs0gj5HrTPjyaK/dRYt2tXOrBY81t7jReq5Lqc3:EOw0pklIiuq73/IKBds72dSOKb78WLOG

Score
7/10

Malware Config

Signatures

  • Abuses OpenXML format to download file from external location 2 IoCs
  • Drops file in Windows directory 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Office loads VBA resources, possible macro or embedded object present
  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious use of SetWindowsHookEx 9 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\99182162ec6fa6c4752150d37e3f8a7b_JaffaCakes118.doc"
    1⤵
    • Abuses OpenXML format to download file from external location
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2544
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      2⤵
        PID:2808
    • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
      "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
      1⤵
      • Abuses OpenXML format to download file from external location
      • System Location Discovery: System Language Discovery
      • Enumerates system info in registry
      • Suspicious use of SetWindowsHookEx
      PID:604

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{68307925-2FE0-434A-9A2C-9B4DFC1C405A}.FSD
    Filesize
    128KB
    MD5
    ab84b8d3597abd34fe487504a3e1b556
    SHA1
    347737ce1ed788cc6a0665f7cc5c5c2ae99f9f92
    SHA256
    2ca62a187610bd80ef0060591c8ca9a9de640811a8910a8872ffe42d05c0a617
    SHA512
    b74ead6acedf336007e8557bc40575b03265357a0b43b30dfcb3d19886d0afacd6b823b01724abf8d4844b3251b61ff666c4b4541d64dccb4ea6c5ca61121586

  • C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD
    Filesize
    128KB
    MD5
    1a565553713ccd850e24dc82aa728658
    SHA1
    e12e201ce8887995f56fac1a013119494fc3f5e1
    SHA256
    c076c7b9c42a6a255b51b150d62e533d34b3f67d794b674dbf896ec0af96d156
    SHA512
    90f7168bdda4d9eff9d80765377d34fd2957dcdf7fc4c3dd45584fa5f911894385db4862d9c6f1adefca7bf5300bc4ae06ae47333308edb147380e692dc45fbf

  • C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{DDB76429-0948-4620-AFA9-6156DBB4A1A9}.FSD
    Filesize
    128KB
    MD5
    2c563b9ab027bbcfad2803c9986513f1
    SHA1
    6c62b4549a92abb92adf54561143b63506ac2551
    SHA256
    01c153b1d4f44ace7d83409ad87d331fdc3e5fe9bbf9195359583bf86949eeb0
    SHA512
    f86ec17645dbac6f9feeeb811cf073522f70e58132ba6d9a55e3be38a79e50013d302ca798b2c56950a0995c4fac3d41a573f54ead578cf9c1709f10044034e8

  • C:\Users\Admin\AppData\Local\Temp\{A6EB12EA-B462-49C5-AFC5-76001F229851}
    Filesize
    128KB
    MD5
    99cf16662bb9908670e4dbf7ad4ab22a
    SHA1
    cbc0b2346e64227d64fe060bcdd2b843815b023f
    SHA256
    9ed696d6661c28b46a2fa1346d7e0585128f5aade5513a34602ac018b26d4e96
    SHA512
    ad4e5dd00b81274b367234175095f4a4e98f3b0caf3255cf5b086804847fdbbb87fb01025675f43f5e980b51f6497526489be705aed3f3e16d405447c07190b5

  • C:\Users\Admin\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex
    Filesize
    2B
    MD5
    f3b25701fe362ec84616a93a45ce9998
    SHA1
    d62636d8caec13f04e28442a0a6fa1afeb024bbb
    SHA256
    b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
    SHA512
    98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

  • memory/2544-61-0x00000000005C0000-0x00000000006C0000-memory.dmp
    Filesize
    1024KB

  • memory/2544-62-0x0000000010930000-0x0000000010A30000-memory.dmp
    Filesize
    1024KB

  • memory/2544-517-0x00000000005C0000-0x00000000006C0000-memory.dmp
    Filesize
    1024KB

  • memory/2544-518-0x0000000010930000-0x0000000010A30000-memory.dmp
    Filesize
    1024KB

  • memory/2544-11-0x000000007323D000-0x0000000073248000-memory.dmp
    Filesize
    44KB

  • memory/2544-0-0x000000002F441000-0x000000002F442000-memory.dmp
    Filesize
    4KB

  • memory/2544-2-0x000000007323D000-0x0000000073248000-memory.dmp
    Filesize
    44KB

  • memory/2544-1-0x000000005FFF0000-0x0000000060000000-memory.dmp
    Filesize
    64KB