Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    145s
  • max time network
    144s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
  • submitted
    15/08/2024, 21:09

General

  • Target

    9b9efee36f7392e3f79958d0769e8e98_JaffaCakes118.doc

  • Size

    241KB

  • MD5

    9b9efee36f7392e3f79958d0769e8e98

  • SHA1

    7cc675d528dbe8d128d7c67c5490d097e4f448ba

  • SHA256

    b099ef613e5c00e6b301e1bf60ac4eeece9aa7fade00366a2cb5eee903304934

  • SHA512

    9181d878c1d84177407d92a23bb594db4b406bef47f34667fc2a1c8d21fc2ddc8cf836f81bd1b878714a327f936f3c2a7967c498e059e623962c1a76678c74b2

  • SSDEEP

    3072:qvw9HXPJguq73/IKBWyhAdSioQP5GAroV0:qvKHXPJi73wAQUT+

Score
7/10

Malware Config

Signatures

  • Abuses OpenXML format to download file from external location 2 IoCs
  • Drops file in Windows directory 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Office loads VBA resources, possible macro or embedded object present
  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious use of SetWindowsHookEx 10 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\9b9efee36f7392e3f79958d0769e8e98_JaffaCakes118.doc"
    1⤵
    • Abuses OpenXML format to download file from external location
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1324
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      2⤵
        PID:2824
    • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
      "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
      1⤵
      • Abuses OpenXML format to download file from external location
      • System Location Discovery: System Language Discovery
      • Enumerates system info in registry
      • Suspicious use of SetWindowsHookEx
      PID:2388

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{92A6E5D8-CA4C-41FB-928C-6F3340398813}.FSD

      Filesize

      128KB

      MD5

      45f41053e9ac998e548a57c3c89f1f0a

      SHA1

      540a6f4a961aa2af9388889c6dc05b158e856018

      SHA256

      e8b5fc5b6badff226b7eed71b426fe16d4a9e377c62a4c510c10f2c2381e232b

      SHA512

      3faa6c8e6c737caf9cbb9b552d2f30f6157038d5d232768e4fc8000b34aeaef4b3507380478b636c071b26e6ef4483e7bfd58376ab0ce172b9f50540f6812731

    • C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD

      Filesize

      128KB

      MD5

      5e3c387597fb395c672a45545291c769

      SHA1

      8502edf5e5c79d1afebaff9813de58e6083f3306

      SHA256

      d83bd44d3b200e24f34088597649bda1d1f01ef7cf4fac652b58105bb2702e5f

      SHA512

      3aa94558e701e983e86ddf43554da791bee68fccd26b2f5d7ee1e7694764f3f1b3ed13d4d112f218b69b407cdc07247f135b8633990e819202706da6bc83c7c3

    • C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{B2F7B5BC-2BEE-487F-82B5-A1D7937C2221}.FSD

      Filesize

      128KB

      MD5

      e0eccfd5d1d0f86d0d822c9ec6b7061f

      SHA1

      15761f8bbc71f740ea1180855123a8cc057764ac

      SHA256

      fa2f56e37d03977d67edd4a8dd52addfa775d63b4968fcdda762e6c461426ba8

      SHA512

      b67a5af67ad3d4e242b0ccd981aefa4fd688862f46c0f52a464cc278d5d707c325489dcba5d31502956c762641baf8fff68fe8224ad4c747fe923201e1e2d588

    • C:\Users\Admin\AppData\Local\Temp\{257D3826-53B4-45A4-A24B-DA9F8EE6EFFB}

      Filesize

      128KB

      MD5

      170a09d8854b55fa9b6fc6f75155291b

      SHA1

      8cd51839e8c02a69eb7546672ea83166146397c9

      SHA256

      42666ec32e01e443ab07bac8520846e8e4c07b018f20e8f0b17e0de469ff8d22

      SHA512

      75862d4f182abcfc661cebdb19e4ca3c08fe9e63a6e9d3d73803ebaea05ca5870255bf77448a11e33d75039a4cb7b45404399155d42d25b6b3b8e71d0787253c

    • memory/1324-0-0x000000002F361000-0x000000002F362000-memory.dmp

      Filesize

      4KB

    • memory/1324-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB

    • memory/1324-2-0x00000000715ED000-0x00000000715F8000-memory.dmp

      Filesize

      44KB

    • memory/1324-5-0x00000000715ED000-0x00000000715F8000-memory.dmp

      Filesize

      44KB

    • memory/1324-8-0x0000000000720000-0x0000000000820000-memory.dmp

      Filesize

      1024KB

    • memory/1324-7-0x0000000000720000-0x0000000000820000-memory.dmp

      Filesize

      1024KB

    • memory/1324-17-0x0000000000720000-0x0000000000820000-memory.dmp

      Filesize

      1024KB

    • memory/1324-18-0x0000000000720000-0x0000000000820000-memory.dmp

      Filesize

      1024KB

    • memory/1324-29-0x0000000000720000-0x0000000000820000-memory.dmp

      Filesize

      1024KB

    • memory/1324-39-0x0000000000720000-0x0000000000820000-memory.dmp

      Filesize

      1024KB

    • memory/1324-48-0x0000000000720000-0x0000000000820000-memory.dmp

      Filesize

      1024KB

    • memory/1324-16-0x0000000000720000-0x0000000000820000-memory.dmp

      Filesize

      1024KB

    • memory/1324-56-0x000000000F6C0000-0x000000000F7C0000-memory.dmp

      Filesize

      1024KB

    • memory/1324-55-0x0000000000720000-0x0000000000820000-memory.dmp

      Filesize

      1024KB

    • memory/1324-54-0x0000000000720000-0x0000000000820000-memory.dmp

      Filesize

      1024KB

    • memory/1324-53-0x0000000000720000-0x0000000000820000-memory.dmp

      Filesize

      1024KB

    • memory/1324-52-0x0000000000720000-0x0000000000820000-memory.dmp

      Filesize

      1024KB

    • memory/1324-51-0x0000000000720000-0x0000000000820000-memory.dmp

      Filesize

      1024KB

    • memory/1324-50-0x0000000000720000-0x0000000000820000-memory.dmp

      Filesize

      1024KB

    • memory/1324-49-0x0000000000720000-0x0000000000820000-memory.dmp

      Filesize

      1024KB

    • memory/1324-47-0x0000000000720000-0x0000000000820000-memory.dmp

      Filesize

      1024KB

    • memory/1324-46-0x0000000000720000-0x0000000000820000-memory.dmp

      Filesize

      1024KB

    • memory/1324-45-0x0000000000720000-0x0000000000820000-memory.dmp

      Filesize

      1024KB

    • memory/1324-44-0x0000000000720000-0x0000000000820000-memory.dmp

      Filesize

      1024KB

    • memory/1324-43-0x0000000000720000-0x0000000000820000-memory.dmp

      Filesize

      1024KB

    • memory/1324-42-0x0000000000720000-0x0000000000820000-memory.dmp

      Filesize

      1024KB

    • memory/1324-41-0x0000000000720000-0x0000000000820000-memory.dmp

      Filesize

      1024KB

    • memory/1324-40-0x0000000000720000-0x0000000000820000-memory.dmp

      Filesize

      1024KB

    • memory/1324-38-0x0000000000720000-0x0000000000820000-memory.dmp

      Filesize

      1024KB

    • memory/1324-37-0x0000000000720000-0x0000000000820000-memory.dmp

      Filesize

      1024KB

    • memory/1324-36-0x0000000000720000-0x0000000000820000-memory.dmp

      Filesize

      1024KB

    • memory/1324-35-0x0000000000720000-0x0000000000820000-memory.dmp

      Filesize

      1024KB

    • memory/1324-34-0x0000000000720000-0x0000000000820000-memory.dmp

      Filesize

      1024KB

    • memory/1324-33-0x0000000000720000-0x0000000000820000-memory.dmp

      Filesize

      1024KB

    • memory/1324-32-0x0000000000720000-0x0000000000820000-memory.dmp

      Filesize

      1024KB

    • memory/1324-31-0x0000000000720000-0x0000000000820000-memory.dmp

      Filesize

      1024KB

    • memory/1324-30-0x0000000000720000-0x0000000000820000-memory.dmp

      Filesize

      1024KB

    • memory/1324-28-0x0000000000720000-0x0000000000820000-memory.dmp

      Filesize

      1024KB

    • memory/1324-27-0x0000000000720000-0x0000000000820000-memory.dmp

      Filesize

      1024KB

    • memory/1324-26-0x0000000000720000-0x0000000000820000-memory.dmp

      Filesize

      1024KB

    • memory/1324-25-0x0000000000720000-0x0000000000820000-memory.dmp

      Filesize

      1024KB

    • memory/1324-24-0x0000000000720000-0x0000000000820000-memory.dmp

      Filesize

      1024KB

    • memory/1324-23-0x0000000000720000-0x0000000000820000-memory.dmp

      Filesize

      1024KB

    • memory/1324-22-0x0000000000720000-0x0000000000820000-memory.dmp

      Filesize

      1024KB

    • memory/1324-21-0x0000000000720000-0x0000000000820000-memory.dmp

      Filesize

      1024KB

    • memory/1324-20-0x0000000000720000-0x0000000000820000-memory.dmp

      Filesize

      1024KB

    • memory/1324-19-0x0000000000720000-0x0000000000820000-memory.dmp

      Filesize

      1024KB

    • memory/1324-14-0x0000000000720000-0x0000000000820000-memory.dmp

      Filesize

      1024KB

    • memory/1324-15-0x0000000000720000-0x0000000000820000-memory.dmp

      Filesize

      1024KB

    • memory/1324-13-0x0000000000720000-0x0000000000820000-memory.dmp

      Filesize

      1024KB

    • memory/1324-12-0x0000000000720000-0x0000000000820000-memory.dmp

      Filesize

      1024KB

    • memory/1324-11-0x0000000000720000-0x0000000000820000-memory.dmp

      Filesize

      1024KB

    • memory/1324-10-0x0000000000720000-0x0000000000820000-memory.dmp

      Filesize

      1024KB

    • memory/1324-9-0x0000000000720000-0x0000000000820000-memory.dmp

      Filesize

      1024KB

    • memory/1324-57-0x0000000000720000-0x0000000000820000-memory.dmp

      Filesize

      1024KB

    • memory/1324-71-0x0000000000720000-0x0000000000820000-memory.dmp

      Filesize

      1024KB

    • memory/1324-511-0x0000000000720000-0x0000000000820000-memory.dmp

      Filesize

      1024KB

    • memory/1324-512-0x000000000F6C0000-0x000000000F7C0000-memory.dmp

      Filesize

      1024KB