Analysis

  • max time kernel
    147s
  • max time network
    136s
  • platform
    windows7_x64
  • resource
    win7-20240705-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
  • submitted
    16/08/2024, 19:56

General

  • Target

    9fb8f190cf9a09ae7cd816b57d855a81_JaffaCakes118.doc

  • Size

    242KB

  • MD5

    9fb8f190cf9a09ae7cd816b57d855a81

  • SHA1

    204a1e4a4aecd9c1ae6049ef8e3321a927d4b818

  • SHA256

    f0fed1ff71be6ad4d5043edcffddeb395e33ab65a9a7bef091179e40ec271c63

  • SHA512

    e3705a50747577abdfab20c10deef0defea010bce65abd945fbeeda89e5396c48cc13ffee544b2aa2e98209a269670270c9d4fceac81acde0d76517ff3054c8a

  • SSDEEP

    3072:hvw9HXPJguq73/IKBWy4wdS00nUl+8KRiSL31:hvKHXPJi73wALU003ii

Score
7/10

Malware Config

Signatures

  • Abuses OpenXML format to download file from external location 2 IoCs
  • Drops file in Windows directory 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Office loads VBA resources, possible macro or embedded object present
  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious use of SetWindowsHookEx 10 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\9fb8f190cf9a09ae7cd816b57d855a81_JaffaCakes118.doc"
    1⤵
    • Abuses OpenXML format to download file from external location
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1464
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      2⤵
        PID:2116
    • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
      "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
      1⤵
      • Abuses OpenXML format to download file from external location
      • System Location Discovery: System Language Discovery
      • Enumerates system info in registry
      • Suspicious use of SetWindowsHookEx
      PID:1880

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{3708375B-DE34-4ED1-95B4-103F54E91087}.FSD

      Filesize

      128KB

      MD5

      f393c95dfa442a16eb1ba3184da8bdb5

      SHA1

      7398ec13774fafc6d6cbcba57f22caf71f0ccbd0

      SHA256

      4a5a42fd09f5a63e3538f7875fdcfd6514b88ea7c125391439513a9d28077ea7

      SHA512

      001a69bc0facceaa960000872d964a78c3f6c7e1f9676381fff9d17edbef6886667976d1e39e50bd227ac7e1c5462141a87739ac9977136ea7ce94d5e0094791

    • C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD

      Filesize

      128KB

      MD5

      d8ed2f4bc4baf65238da7f4c9bea7783

      SHA1

      294bea335e2334518324b3012fcd31b30db3f6a8

      SHA256

      c6380d66e528f7573073fd98b5abb583de818c5c9cb64ad666287b0b6e2c045f

      SHA512

      b47d4494baad00c314f737f24c8467330a1e8b94e344d4a8d370b0d070fde11796b4876d74099d257732adf3cfc21212484413e0988ba839b62fdb4dbbfb433c

    • C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{B6922913-2B1A-4FBD-A35A-FDECE7D05E65}.FSD

      Filesize

      128KB

      MD5

      8ba2d70d29466ea68433a2c3da4ff1ba

      SHA1

      073df3e38a2c2a6b0aae8f2e59a5c7517126259d

      SHA256

      e64581b47b1e85b9114d803dbfa6c138ce4695fbd56e68ea1e1d1c7e1580e09d

      SHA512

      5b9a7011f5eefdb745fcf99bbefd5bb444d518058e044d36f4d07afd78c5e73caf3008bbe5f1d61625d059cbf10348b6d5d7bca46e2a4fccb9138f6634ecca44

    • C:\Users\Admin\AppData\Local\Temp\{919BFEDB-6297-40ED-B99A-3C20A2558A63}

      Filesize

      128KB

      MD5

      d9bcbc3dbfcaf221bb4b7c57a540050a

      SHA1

      923afcbc0e817bc97453e711cef792ec18339698

      SHA256

      fe99e0660c6037e386008da071cb0316eb6f39cbf83853933bcf49a7fdc9f95a

      SHA512

      033ef724b260c325762be874c58ddd891681a4b9ea4afcb565cc56df52b23da35bf1edd2f51b772ffde664b08e040f46f4ab8066cc101f0e005f6b1b67f004fb

    • memory/1464-94-0x0000000000390000-0x0000000000490000-memory.dmp

      Filesize

      1024KB

    • memory/1464-91-0x0000000000390000-0x0000000000490000-memory.dmp

      Filesize

      1024KB

    • memory/1464-108-0x0000000000390000-0x0000000000490000-memory.dmp

      Filesize

      1024KB

    • memory/1464-104-0x0000000000390000-0x0000000000490000-memory.dmp

      Filesize

      1024KB

    • memory/1464-103-0x0000000000390000-0x0000000000490000-memory.dmp

      Filesize

      1024KB

    • memory/1464-102-0x0000000000390000-0x0000000000490000-memory.dmp

      Filesize

      1024KB

    • memory/1464-101-0x0000000000390000-0x0000000000490000-memory.dmp

      Filesize

      1024KB

    • memory/1464-100-0x0000000000390000-0x0000000000490000-memory.dmp

      Filesize

      1024KB

    • memory/1464-99-0x0000000000390000-0x0000000000490000-memory.dmp

      Filesize

      1024KB

    • memory/1464-98-0x0000000000390000-0x0000000000490000-memory.dmp

      Filesize

      1024KB

    • memory/1464-97-0x0000000000390000-0x0000000000490000-memory.dmp

      Filesize

      1024KB

    • memory/1464-95-0x0000000000390000-0x0000000000490000-memory.dmp

      Filesize

      1024KB

    • memory/1464-0-0x000000002FD31000-0x000000002FD32000-memory.dmp

      Filesize

      4KB

    • memory/1464-93-0x0000000000390000-0x0000000000490000-memory.dmp

      Filesize

      1024KB

    • memory/1464-92-0x0000000000390000-0x0000000000490000-memory.dmp

      Filesize

      1024KB

    • memory/1464-122-0x0000000000390000-0x0000000000490000-memory.dmp

      Filesize

      1024KB

    • memory/1464-90-0x0000000000390000-0x0000000000490000-memory.dmp

      Filesize

      1024KB

    • memory/1464-89-0x0000000000390000-0x0000000000490000-memory.dmp

      Filesize

      1024KB

    • memory/1464-80-0x0000000000390000-0x0000000000490000-memory.dmp

      Filesize

      1024KB

    • memory/1464-55-0x0000000000390000-0x0000000000490000-memory.dmp

      Filesize

      1024KB

    • memory/1464-96-0x0000000000390000-0x0000000000490000-memory.dmp

      Filesize

      1024KB

    • memory/1464-88-0x0000000000390000-0x0000000000490000-memory.dmp

      Filesize

      1024KB

    • memory/1464-71-0x0000000000390000-0x0000000000490000-memory.dmp

      Filesize

      1024KB

    • memory/1464-58-0x0000000000390000-0x0000000000490000-memory.dmp

      Filesize

      1024KB

    • memory/1464-511-0x0000000000390000-0x0000000000490000-memory.dmp

      Filesize

      1024KB

    • memory/1464-512-0x000000000F650000-0x000000000F750000-memory.dmp

      Filesize

      1024KB

    • memory/1464-56-0x000000000F650000-0x000000000F750000-memory.dmp

      Filesize

      1024KB

    • memory/1464-5-0x0000000070ABD000-0x0000000070AC8000-memory.dmp

      Filesize

      44KB

    • memory/1464-2-0x0000000070ABD000-0x0000000070AC8000-memory.dmp

      Filesize

      44KB

    • memory/1464-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB