Analysis

  • max time kernel
    144s
  • max time network
    144s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
  • submitted
    16/08/2024, 11:43

General

  • Target

    9e39301bebcce3f25a47854bfa890673_JaffaCakes118.doc

  • Size

    204KB

  • MD5

    9e39301bebcce3f25a47854bfa890673

  • SHA1

    63191238b7992b09d30a32cfb66883fbcbb9ed3b

  • SHA256

    21e1ef60214dc04018b919609502116286303b4374dc3ac5966aa923fac9616c

  • SHA512

    f6a7331a375346ae6fbc654c3afab6e190587747c60db1c35825d6d8f2c54bf9d4796ce47c4303d8399547265db9210b8a07859d754713afc0426ec0242f872a

  • SSDEEP

    1536:MtPrT8wrLT0NeXxz1DweKHrTPwya5J8b6mKytDTtldNO8wIj:M2w3keXxz1DfiylADTNNqa

Score
7/10

Malware Config

Signatures

  • Abuses OpenXML format to download file from external location 4 IoCs
  • Drops file in Windows directory 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Office loads VBA resources, possible macro or embedded object present
  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 13 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\9e39301bebcce3f25a47854bfa890673_JaffaCakes118.doc"
    1⤵
    • Abuses OpenXML format to download file from external location
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2148
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      2⤵
        PID:2956
    • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
      "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
      1⤵
      • Abuses OpenXML format to download file from external location
      • System Location Discovery: System Language Discovery
      • Enumerates system info in registry
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:2712
    • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
      "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding
      1⤵
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      PID:1496
    • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
      "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
      1⤵
      • Abuses OpenXML format to download file from external location
      • System Location Discovery: System Language Discovery
      • Enumerates system info in registry
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:2192
    • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
      "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
      1⤵
      • Abuses OpenXML format to download file from external location
      • System Location Discovery: System Language Discovery
      • Enumerates system info in registry
      • Suspicious use of SetWindowsHookEx
      PID:3004

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-CNRY.FSD

      Filesize

      128KB

      MD5

      62bf7fb1656b2b15a7e9dd3ac4a038ee

      SHA1

      0ec23179f437a9e19840be6a164705d400e50b35

      SHA256

      bd04d2455657cc66a6cb75b2a1cfa2f878d95bfb379591d17dce2dc42387eaa6

      SHA512

      a6b10a4e307319981505220d0dc04dcabe698a3e02e75d04deab51bfd8671f919b20c0850f085fad57d07919f30628f4ac69fabdb98d0bbd909bfbe9b7e7c0a7

    • C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{666C0B53-A1BF-4FCA-974B-B66379797202}.FSD

      Filesize

      128KB

      MD5

      c4366415a26e6a59557b00c38d7e4d08

      SHA1

      2a62540ed7e75c3c5126ac0ca520f1d2f89e3d67

      SHA256

      b94dd6634a504dec713988c9ff2f0e8132a80a6c15de1248788d2ca2ba93cdfb

      SHA512

      46d694bf2fc9fe6a53a8cfc688d1d0131604f56c9e01e61e0ef8e6e32fde021b88d73402a83799fd24d6a76fb96bac652731e4104687483f37a8237f93f61706

    • C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{666C0B53-A1BF-4FCA-974B-B66379797202}.FSD

      Filesize

      128KB

      MD5

      7c3a15a735b8e59e35f3e0c4733a1786

      SHA1

      db73aa3fcdcfdd5c2b36a7fa9245b20e5e7c6b76

      SHA256

      d3f47e4e94a5c01cdb543ff908772612e4e967249ae31a03d501402110988af3

      SHA512

      a0c5de8e262da825ddbf625744d0b15dc8760e4cffa23a6a3d2f6868446a3b4dffa2ebacae2f58f50cd8aadcc569177d7d52367ff80f947e10bc16a2b1090f93

    • C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSF-CTBL.FSF

      Filesize

      114B

      MD5

      8a73b6ff89d8caf2664de113e46fbebf

      SHA1

      fb2aa9686e8a83f9dd945f0ac50d51b6884353b5

      SHA256

      887099ef7402a9f013163b07d733c8845118e678f21becc0446a68aba3b7bc4a

      SHA512

      810874669e18f5ba851aa4ed1c123fccbcce369609c4070bddee48462a31aa3118b85ff62e929326f532f43a58d5a1fcde4e7cacf9b3431c1829b2d936525b8c

    • C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD

      Filesize

      128KB

      MD5

      4b1f6bef77792e65360bbe40e6c7f2f3

      SHA1

      98d5bfb52ac788bfb38154ec8705c7501039035a

      SHA256

      80c1e8410a47aa29a4f98fbc8f4f66ff731d2fede0e9e630c8151709d4c47055

      SHA512

      c55fa30a8d19238e9f9091e382f68fb97f63ac422fc3838507ea59b0881e0e718abffeb0f3939f9faf6ed52e206aa26775b3131552f7e344d6ab17925c4c6519

    • C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD

      Filesize

      128KB

      MD5

      33c6b95e7f2b98b83912bec85ca1bf00

      SHA1

      0a937078a69ad736a861e8715e5d926b910c89c3

      SHA256

      f827e877426c65bf5c01ce353f6432d2903748e5b8fbdf01612e18eca9158f19

      SHA512

      38c1f5e2acb78605d108a05083946415b420b817ba9b6008cf5f82ae62f309369a4af1d35b08540ba5352945d7b5f812a7e147bc49b79f294b13203e633615e5

    • C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{154F0D58-719D-4D4F-A365-28EDD19D0466}.FSD

      Filesize

      128KB

      MD5

      7ab81e7de1d280f5d5bf8d3334f35350

      SHA1

      d97509e6f05e20e3ae1ccc514db1cd15d6e0fb61

      SHA256

      5e0d1a412b05f13da62f172bfa475a14cabce22c22ffad254efaf9d167ba9aac

      SHA512

      c1c051a72138bbbce2f159667f9d22df4bdc900c89e8040c6e523c8a8abc83b47367883553f1e999a4b8b48f04525254b75057b131d7e5f17ea1df3ef6ff934b

    • C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{154F0D58-719D-4D4F-A365-28EDD19D0466}.FSD

      Filesize

      128KB

      MD5

      a51974493e5e35ee3e69d12da360b1aa

      SHA1

      55c857144a7e7fcdae6fdf06730480ed0178e4a8

      SHA256

      7a09ec2e8f162db0e745d8eb0167029296400b38d861664c864a30adb6f8bd0b

      SHA512

      f62977527712565cde66b682d943e82315411b5be34021d96dcaa11129ea76987bcb9181c4b3c10b0f8fe5bf304d9ae1167ba612aa9b7e48e273e0aecb270a3e

    • C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSF-{0E1EEE64-E8C6-4E2A-9759-63CF07FD8988}.FSF

      Filesize

      114B

      MD5

      eecfabf7360d8764f66f7de5942ccf12

      SHA1

      59766b9fe5ecd35db7063c9f0166759a9d4b4034

      SHA256

      2bed0894487a6bc5028a09e222a2ea9aaf1e37326e78256f02f4deca993f8e16

      SHA512

      56c23045a3712d776d3b541281795bbb6e4f04fb3deeddd0248921bf0334262a39336cb91dbc1601e7bc35c26b2f1c3502dc3b4d6cdbbb27231898826115324b

    • C:\Users\Admin\AppData\Local\Temp\VBE\MSForms.exd

      Filesize

      143KB

      MD5

      c521d379b38227a61858cb666871fe6f

      SHA1

      6b290b62e9c2805508e76eb34e08872125c7ebeb

      SHA256

      7810c0e79cc82b979f726af3015a276ad08cdfc45ea65aa7dc881941fbdb772f

      SHA512

      46ee97e9b5638d610a9da0c5a96f9d0a99842d43aba959a419877452f895f3bddc483714836182432b9be6f64ec923364fd65a85eb326eea4f8b006ef601aaa8

    • C:\Users\Admin\AppData\Local\Temp\{CA0A8FBA-8F3E-4D3C-900F-69559D076754}

      Filesize

      128KB

      MD5

      efce514216d43ba15e312b99f462aa37

      SHA1

      2d29beaf4954b4403c6e6bff9ad23d95a5dd5f07

      SHA256

      dcab7c7aac1e4b1962b1b0b58cd96f4b7e5df098ac9b8b23c491a54287ca0f15

      SHA512

      78ab7bebfcb592033ee476bf39180739b265b31e70376053b77253af0ac5d0f58d90759cd1ecad316780ccc6e00160deb6fa564427c77b90206a259db1c2eb15

    • C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

      Filesize

      19KB

      MD5

      aaf0a184045d04c892ff76ec465185e0

      SHA1

      d459b460456caf375eb33377e8f5ad9a83e3bf68

      SHA256

      fa22bb6c288f4e88946481a696c8501cedb5d5de37df15e39f5c69455ecfa894

      SHA512

      fd6954b49233616bcef60fbfe1f1ba5c63a0c975a28306e93f314c231ff9eb829b983918d6d47cd5f075463db49cd360e239a68f86f24e5e58ca2783fc2a319d

    • C:\Users\Admin\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC

      Filesize

      2B

      MD5

      f3b25701fe362ec84616a93a45ce9998

      SHA1

      d62636d8caec13f04e28442a0a6fa1afeb024bbb

      SHA256

      b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

      SHA512

      98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84
