Analysis
  max time kernel:   120s
  max time network:  123s
  platform:          windows7_x64
  resource:          win7-20240903-en
  resource tags:     arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  submitted:         17/09/2024, 15:39
Static task
  static1

Behavioral task
  behavioral1
  Sample:    e725fdbb26a61f9f037406969f2618de_JaffaCakes118.exe
  Resource:  win7-20240903-en

Behavioral task
  behavioral2
  Sample:    e725fdbb26a61f9f037406969f2618de_JaffaCakes118.exe
  Resource:  win10v2004-20240802-en
General
  Target:   e725fdbb26a61f9f037406969f2618de_JaffaCakes118.exe
  Size:     816KB
  MD5:      e725fdbb26a61f9f037406969f2618de
  SHA1:     8c07c84296c35fd93ba0499856f12ee45128cf18
  SHA256:   5170180a716eaf47159bf537707410dfb75dc5e78fbc79e6697f393e2d7a208c
  SHA512:   0972faba8e0a230382ac3ac0fc832e658dece7b2f1774238e2e7525eb86fd4032fc7805844bca427fd6237c8b2502980cc58522aa236d91f05a9d5b15db9117a
  SSDEEP:   3072:hWe51vVRpJMFkstvxxrHA7ZFx+UMFQowJKfpThp+38uEEDUOIg:9st7rHA7xbMeLKDpKwpg
Malware Config

Extracted
  metasploit
  windows/download_exec
  http://104.248.41.209:80/ZXq9
  headers:  User-Agent: Mozilla/5.0 (compatible, MSIE 11, Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko
Signatures

MetaSploit
  Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

Process spawned unexpected child process (1 IoC)
  This typically indicates the parent process was compromised via an exploit or macro.
  description                                                                                                 pid   pid_target  Process       procid_target
  Parent C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process   2656  2464        rundll32.exe  30

Blocklisted process makes network request (2 IoCs)
  flow  pid   Process
  7     2656  rundll32.exe
  12    2656  rundll32.exe
  resource: behavioral1/files/0x00080000000120f9-5.dat

Drops file in Windows directory (1 IoC)
  description                   ioc                                 Process
  File opened for modification  C:\Windows\Debug\WIA\wiatrace.log   WINWORD.EXE

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description   ioc                                                            Process
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language    e725fdbb26a61f9f037406969f2618de_JaffaCakes118.exe
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language    WINWORD.EXE
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language    rundll32.exe
Office loads VBA resources, possible macro or embedded object present

Suspicious behavior: AddClipboardFormatListener (1 IoC)
  pid   Process
  2464  WINWORD.EXE

Suspicious use of SetWindowsHookEx (2 IoCs)
  pid   Process
  2464  WINWORD.EXE
  2464  WINWORD.EXE

Suspicious use of WriteProcessMemory (64 IoCs)
  description                       pid   Process                                             procid_target  rows
  PID 2332 wrote to memory of 2464  2332  e725fdbb26a61f9f037406969f2618de_JaffaCakes118.exe  30             4
  PID 2464 wrote to memory of 2200  2464  WINWORD.EXE                                         31             4
  PID 2464 wrote to memory of 2656  2464  WINWORD.EXE                                         32             56
  (identical rows collapsed; 64 rows in total)
Processes

1. C:\Users\Admin\AppData\Local\Temp\e725fdbb26a61f9f037406969f2618de_JaffaCakes118.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\e725fdbb26a61f9f037406969f2618de_JaffaCakes118.exe"
   PID: 2332
   Signatures:
     - System Location Discovery: System Language Discovery
     - Suspicious use of WriteProcessMemory

   2. C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
      Command line: "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\Documents\fundraiser_protected.docm"
      PID: 2464
      Signatures:
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: AddClipboardFormatListener
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory

      3. C:\Windows\splwow64.exe
         Command line: C:\Windows\splwow64.exe 12288
         PID: 2200

      3. C:\Windows\SysWOW64\rundll32.exe
         Command line: C:\Windows\\SysWOW64\\rundll32.exe
         PID: 2656
         Signatures:
           - Process spawned unexpected child process
           - Blocklisted process makes network request
           - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads

  Filesize:  19KB
  MD5:       c68c1ea6765df558405c22ece0d77ede
  SHA1:      d969ad70abebf965889918c4afc09dea2b2d78e0
  SHA256:    cffebff44095cf08e9815e1af7620cf56a938dc8bc49bd0e3572dafa7f43e7dc
  SHA512:    acec91a94dfd80227cfe733b60ff74035418d3abbb9d61f042c15b049c0ce559bd40fa7be81c85873c321f9ae78fd04f3bdeccbd9fd4ccf555d209044e760916

  Filesize:  791KB
  MD5:       154dd13d7480c3586911fe3295f1c169
  SHA1:      15266197d1ce2d261b60ce986e45ce62fccf6833
  SHA256:    efbe0e787cd9676ed0500cb736038db5bf2d78fcf63d53f3fa7414447ce5fe40
  SHA512:    07cdddf00a09302ea1e17c315d3af62dd93da7e8f70c892d71aecbd7cfb3ecb84882810e3ca8104c46b2e57d92ee42352b232bf2ff9bf4ee29cadfc2427d7f43