Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    144s
  • max time network
    142s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
  • submitted
    16/08/2024, 02:15

General

  • Target

    9c9013e611ebbbbdddaa4e0e01494262_JaffaCakes118.doc

  • Size

    241KB

  • MD5

    9c9013e611ebbbbdddaa4e0e01494262

  • SHA1

    4f9a2643c7b3db7bfb47c955f83654cdbd35da79

  • SHA256

    68c6883719fdb97cee4036fedfd965d88a683c1af9597b51a008180d2361f15d

  • SHA512

    dd60b0554b95aaa7d5ca619af8e1a356a97e9a0505e9cd0ac384bc147861878ebbf35d8e4a96727554c1885ce96fbb46c6bc76ddafb2878d93b471fe491eccbd

  • SSDEEP

    3072:gvw9HXPJguq73/IKBWyuMdSQHgJLrL2h2hrtc:gvKHXPJi73wA9UpJLX2IhS

Score
7/10

Malware Config

Signatures

  • Abuses OpenXML format to download file from external location 2 IoCs
  • Drops file in Windows directory 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Office loads VBA resources, possible macro or embedded object present
  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious use of SetWindowsHookEx 9 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\9c9013e611ebbbbdddaa4e0e01494262_JaffaCakes118.doc"
    1⤵
    • Abuses OpenXML format to download file from external location
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1908
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      2⤵
        PID:2716
    • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
      "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
      1⤵
      • Abuses OpenXML format to download file from external location
      • System Location Discovery: System Language Discovery
      • Enumerates system info in registry
      • Suspicious use of SetWindowsHookEx
      PID:1108

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD

      Filesize

      128KB

      MD5

      efc4783e3e0719474da7a6fa00c83884

      SHA1

      4e01c4861c87f45fbe60f6dc49f449725f774051

      SHA256

      ef733bb1ed6140bc506eace8743ea40e2a74af5f7cbeefb4942708de9a283c86

      SHA512

      c1166608eb7eceda5ed01c2c1ff4f872cb7fc355cd45573b70046b9c76e0ea8775700f9b29ad8676f49f2be535a5e0cdf93b7dbe3af4559db0048eda521da064

    • C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{4756141B-CC64-4DE8-9582-DADFCAD4043A}.FSD

      Filesize

      128KB

      MD5

      7532a143517a3d20ffdc2e92ebf3e7de

      SHA1

      5960bcf0fe3b4be3fc944dc98bdd9d9e8b3a8487

      SHA256

      686c216096804f9f986f8cc5b3caa38c80d23b430f4a37bf9d015eeea1dc1a75

      SHA512

      ce4cace3fe9e98368c4d843a0c1b3e382f9ec0617a7cfaa089a997f79ab6f8af0a7eb33d37a82385142e76a70a6cfff378dc60049ba782cf73a9306e88da6cc5

    • C:\Users\Admin\AppData\Local\Temp\{F443A94B-AC37-4FCF-97C0-9295DACA6BE5}

      Filesize

      128KB

      MD5

      71bdd7ac6744650e9f082c11b80298a9

      SHA1

      67f14e70394ab5509a2bd169adb745559a296b8d

      SHA256

      8f917c7b09ea52be87a52141f47c89beae5008422b3250dbbbad5f9be15d031c

      SHA512

      5e543b025b34a6c7adfb870256d9fa8af07496e199be267918a90f80ddb4e030173efb34e7f6cb417a3b2b170b4a28b85f098b97c90d848b840c98a51c3cda2a

    • memory/1908-0-0x000000002F081000-0x000000002F082000-memory.dmp

      Filesize

      4KB

    • memory/1908-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB

    • memory/1908-2-0x000000007170D000-0x0000000071718000-memory.dmp

      Filesize

      44KB

    • memory/1908-5-0x000000007170D000-0x0000000071718000-memory.dmp

      Filesize

      44KB

    • memory/1908-55-0x0000000004870000-0x0000000004970000-memory.dmp

      Filesize

      1024KB

    • memory/1908-56-0x000000000F640000-0x000000000F740000-memory.dmp

      Filesize

      1024KB

    • memory/1908-511-0x0000000004870000-0x0000000004970000-memory.dmp

      Filesize

      1024KB

    • memory/1908-512-0x000000000F640000-0x000000000F740000-memory.dmp

      Filesize

      1024KB