Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
147s -
max time network
151s -
platform
windows7_x64 -
resource
win7-20240704-en -
resource tags
arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system -
submitted
16/08/2024, 14:12
Behavioral task
behavioral1
Sample
9eae6b73a0f8a48dc55cc29f0a9cac8c_JaffaCakes118.doc
Resource
win7-20240704-en
Behavioral task
behavioral2
Sample
9eae6b73a0f8a48dc55cc29f0a9cac8c_JaffaCakes118.doc
Resource
win10v2004-20240802-en
General
-
Target
9eae6b73a0f8a48dc55cc29f0a9cac8c_JaffaCakes118.doc
-
Size
242KB
-
MD5
9eae6b73a0f8a48dc55cc29f0a9cac8c
-
SHA1
a6c65371fed53b19e6de8cc542e11b01fe5e5672
-
SHA256
96113b3468f977ecf631bc456b008abbdb8c14a2f934de538d00852314f71d2a
-
SHA512
61db55ea6d15b2dd0ac85fd7524e25aacd527f7f5083979c775eb9490fb65b9305d783706621ee258365096fa90fc2bf780c47f84c197100ed3490a367d9730b
-
SSDEEP
3072:rOw0pklIiuq73/IKBds+gdSGtj2AG0lId0vgGWK8M:rO5pklIo73wA6UGtj2A7xv38M
Malware Config
Signatures
-
Abuses OpenXML format to download file from external location 2 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WINWORD.EXE Key opened \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Office\Common\Offline\Files\https://dailyemploy.com/day.php?SzfhHx4KqJb1j9UylZHVSkDRuafmm6Ss:xF775711 EXCEL.EXE -
Drops file in Windows directory 1 IoCs
description ioc Process File opened for modification C:\Windows\Debug\WIA\wiatrace.log WINWORD.EXE -
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WINWORD.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language EXCEL.EXE -
Office loads VBA resources, possible macro or embedded object present
-
Enumerates system info in registry 2 TTPs 1 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor EXCEL.EXE -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000_CLASSES\Wow6432Node\Interface\{82B02370-B5BC-11CF-810F-00A0C9030074}\ = "IReturnInteger" WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000_CLASSES\Interface\{CF3F94A0-F546-11CE-9BCE-00AA00608E01}\ = "OptionFrameEvents" WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000_CLASSES\Interface\{04598FC3-866C-11CF-AB7C-00AA00C08FCF}\ = "IScrollbar" WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000_CLASSES\Wow6432Node\Interface\{5512D125-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLTextArea" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000_CLASSES\Wow6432Node\Interface\{8BD21D42-EC42-11CE-9E0D-00AA006002F3} WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000_CLASSES\Wow6432Node\Interface\{47FF8FE9-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents10" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000_CLASSES\TypeLib\{4FF0B035-EF62-485B-BD1D-78CB985FEB8E}\2.0\0 WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000_CLASSES\TypeLib\{4FF0B035-EF62-485B-BD1D-78CB985FEB8E}\2.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\VBE\\MSForms.exd" WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000_CLASSES\Wow6432Node\Interface\{04598FC6-866C-11CF-AB7C-00AA00C08FCF}\ = "IControl" WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000_CLASSES\Interface\{04598FC7-866C-11CF-AB7C-00AA00C08FCF}\ = "Controls" WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000_CLASSES\Wow6432Node\Interface\{CF3F94A0-F546-11CE-9BCE-00AA00608E01}\ = "OptionFrameEvents" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000_CLASSES\Interface\{944ACF93-A1E6-11CE-8104-00AA00611080} WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000_CLASSES\Interface\{4C599243-6926-101B-9992-00000B65C6F9}\ = "IImage" WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000_CLASSES\Wow6432Node\Interface\{5512D111-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLSubmitButton" WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000_CLASSES\Interface\{47FF8FE1-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents2" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4FF0B035-EF62-485B-BD1D-78CB985FEB8E}\2.0\0\win32 WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000_CLASSES\Wow6432Node\Interface\{04598FC4-866C-11CF-AB7C-00AA00C08FCF} WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000_CLASSES\Interface\{5512D11D-5CC6-11CF-8D67-00AA00BDCE1D} WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000_CLASSES\Interface\{79176FB2-B7F2-11CE-97EF-00AA006D2776} WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000_CLASSES\Wow6432Node\Interface\{5CEF5613-713D-11CE-80C9-00AA00611080}\ = "IPage" WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000_CLASSES\Wow6432Node\Interface\{82B02372-B5BC-11CF-810F-00A0C9030074}\ = "IReturnString" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000_CLASSES\Interface\{04598FC2-866C-11CF-AB7C-00AA00C08FCF} WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000_CLASSES\Wow6432Node\Interface\{5512D117-5CC6-11CF-8D67-00AA00BDCE1D} WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000_CLASSES\Interface\{5512D125-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLTextArea" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000_CLASSES\Interface\{978C9E22-D4B0-11CE-BF2D-00AA003F40D0} WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000_CLASSES\Interface\{8BD21D42-EC42-11CE-9E0D-00AA006002F3}\ = "MdcCheckBoxEvents" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000_CLASSES\Interface\{47FF8FE1-6198-11CF-8CE8-00AA006CB389} WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000_CLASSES\Wow6432Node\Interface\{47FF8FE4-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents5" WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000_CLASSES\Interface\{8A683C90-BA84-11CF-8110-00A0C9030074}\ = "IReturnSingle" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000_CLASSES\Wow6432Node\Interface\{5512D123-5CC6-11CF-8D67-00AA00BDCE1D} WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000_CLASSES\Wow6432Node\Interface\{8BD21D22-EC42-11CE-9E0D-00AA006002F3}\ = "MdcListEvents" WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000_CLASSES\Wow6432Node\Interface\{8BD21D62-EC42-11CE-9E0D-00AA006002F3}\ = "MdcToggleButtonEvents" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000_CLASSES\Interface\{4C5992A5-6926-101B-9992-00000B65C6F9} WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000_CLASSES\Interface\{47FF8FE0-6198-11CF-8CE8-00AA006CB389} WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000_CLASSES\Interface\{8BD21D13-EC42-11CE-9E0D-00AA006002F3}\ = "IMdcText" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000_CLASSES\Interface\{5512D11F-5CC6-11CF-8D67-00AA00BDCE1D} WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000_CLASSES\Wow6432Node\Interface\{8BD21D32-EC42-11CE-9E0D-00AA006002F3} WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000_CLASSES\Wow6432Node\Interface\{8BD21D33-EC42-11CE-9E0D-00AA006002F3}\ = "IMdcCombo" WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000_CLASSES\Wow6432Node\Interface\{8BD21D42-EC42-11CE-9E0D-00AA006002F3}\ = "MdcCheckBoxEvents" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4FF0B035-EF62-485B-BD1D-78CB985FEB8E}\2.0\FLAGS\ = "6" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000_CLASSES\Interface\{8A683C90-BA84-11CF-8110-00A0C9030074} WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000_CLASSES\Wow6432Node\Interface\{04598FC7-866C-11CF-AB7C-00AA00C08FCF}\ = "Controls" WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000_CLASSES\Interface\{8BD21D43-EC42-11CE-9E0D-00AA006002F3}\ = "IMdcCheckBox" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000_CLASSES\Interface\{8BD21D12-EC42-11CE-9E0D-00AA006002F3} WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000_CLASSES\Wow6432Node\Interface\{5CEF5613-713D-11CE-80C9-00AA00611080} WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000_CLASSES\Wow6432Node\Interface\{92E11A03-7358-11CE-80CB-00AA00611080}\ = "Pages" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000_CLASSES\Interface\{7B020EC8-AF6C-11CE-9F46-00AA00574A4F} WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000_CLASSES\Wow6432Node\Interface\{8A683C91-BA84-11CF-8110-00A0C9030074}\ = "IReturnEffect" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000_CLASSES\Wow6432Node\Interface\{8BD21D43-EC42-11CE-9E0D-00AA006002F3} WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000_CLASSES\Wow6432Node\Interface\{47FF8FE1-6198-11CF-8CE8-00AA006CB389} WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000_CLASSES\Interface\{5CEF5613-713D-11CE-80C9-00AA00611080}\ = "IPage" WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000_CLASSES\Interface\{47FF8FE2-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents3" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000_CLASSES\Wow6432Node\Interface\{8BD21D23-EC42-11CE-9E0D-00AA006002F3} WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000_CLASSES\Interface\{4C599243-6926-101B-9992-00000B65C6F9} WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000_CLASSES\Wow6432Node\Interface\{5512D113-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLImage" WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000_CLASSES\Interface\{5512D119-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLOption" WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000_CLASSES\Interface\{47FF8FE0-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents1" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4FF0B035-EF62-485B-BD1D-78CB985FEB8E}\2.0\HELPDIR WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000_CLASSES\Interface\{EC72F590-F375-11CE-B9E8-00AA006B1A69} WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000_CLASSES\Interface\{82B02370-B5BC-11CF-810F-00A0C9030074} WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000_CLASSES\Wow6432Node\Interface\{5B9D8FC8-4A71-101B-97A6-00000B65C08B}\ = "FormEvents" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000_CLASSES\Wow6432Node\Interface\{04598FC2-866C-11CF-AB7C-00AA00C08FCF} WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000_CLASSES\Interface\{8BD21D62-EC42-11CE-9E0D-00AA006002F3}\ = "MdcToggleButtonEvents" WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000_CLASSES\Interface\{EC72F590-F375-11CE-B9E8-00AA006B1A69}\ = "IDataAutoWrapper" WINWORD.EXE -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid Process 2812 WINWORD.EXE -
Suspicious use of SetWindowsHookEx 10 IoCs
pid Process 2812 WINWORD.EXE 2812 WINWORD.EXE 2688 EXCEL.EXE 2688 EXCEL.EXE 2688 EXCEL.EXE 2688 EXCEL.EXE 2688 EXCEL.EXE 2688 EXCEL.EXE 2688 EXCEL.EXE 2688 EXCEL.EXE -
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target PID 2812 wrote to memory of 2860 2812 WINWORD.EXE 31 PID 2812 wrote to memory of 2860 2812 WINWORD.EXE 31 PID 2812 wrote to memory of 2860 2812 WINWORD.EXE 31 PID 2812 wrote to memory of 2860 2812 WINWORD.EXE 31
Processes
-
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\9eae6b73a0f8a48dc55cc29f0a9cac8c_JaffaCakes118.doc"1⤵
- Abuses OpenXML format to download file from external location
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2812 -
C:\Windows\splwow64.exeC:\Windows\splwow64.exe 122882⤵PID:2860
-
-
C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding1⤵
- Abuses OpenXML format to download file from external location
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious use of SetWindowsHookEx
PID:2688
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{73BA3E89-D341-4FCE-97D3-44BE8397CB87}.FSD
Filesize128KB
MD55c4e1fe4578e639c61009de32ef21997
SHA1e60c298ff2c9c1e4f49836ebed9b7a58747ec016
SHA256cf04864aed2abf1338f6b916933f3e9300bcd488c14c0f61b19b419fa20f9452
SHA51210f471cec453eb0f916400deef8b774c2317574820dc8517c41d7bfd295faba7ab13635f6f9f5a3b37b0464773b5c6d19ef9127ca8ebae42dfd475e10ed6b090
-
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD
Filesize128KB
MD561cb9d056eeb113696d6bdc1f3248700
SHA133630433213f7a522fa99e8b6f2742a866f5ec72
SHA256ada23bafb7e9679fd5cb74d0f47ec258bf9d7ec260d1c10a4d25f1da840197fb
SHA512f4de57642381944fafd2b5cb1b9b82d27d234a9cced08fa51b84c14d8527b032ea7969cacf1a460c0f6fb4371a961a0b8f45b3e978e3eacc9dbb827769acf71b
-
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{DE8649E3-E715-4EC2-A293-B43D9B1A4141}.FSD
Filesize128KB
MD5c28e5bd18f89679cf64effda45fd4fb2
SHA165335211fd31493c2c8042461ed9cb282e9c9acb
SHA2566639bb604ff415982e2d4e428c66526f8f51886a8d5db9cdd4196ddf969df6c2
SHA512e418ec1c12b630c5613649085390a172c09cc9b30510b6d0fd2d948ab14a649701ef1723752cdd4a4e6f9e221bb936bf9156e88d7445f1c44655db5238871e17
-
Filesize
128KB
MD5cebfc1fed29a5b38acf976ff74e95e2d
SHA1356c5308cd51e1e3dbd1236bc32eea50f13af2ea
SHA256327f62b875fcc4e4dc9166de7ef006d2864077e2ffe9a468a4d129877d89f9d8
SHA5121425d84048f232113f605f73e2abf0e04cdbf0bb01ef8b55afb4e792e7aa0199bf8337ce60466299c32157a546d9de58800c1e0dd02ff7880dee29e2db74d3a2
-
Filesize
2B
MD5f3b25701fe362ec84616a93a45ce9998
SHA1d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA51298c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84