Analysis
-
max time kernel
150s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system -
submitted
11/05/2024, 06:40
Static task
static1
Behavioral task
behavioral1
Sample
3340eec1f90de20b798e5f6c2a7b6434_JaffaCakes118.dll
Resource
win7-20240419-en
Behavioral task
behavioral2
Sample
3340eec1f90de20b798e5f6c2a7b6434_JaffaCakes118.dll
Resource
win10v2004-20240508-en
General
-
Target
3340eec1f90de20b798e5f6c2a7b6434_JaffaCakes118.dll
-
Size
5.0MB
-
MD5
3340eec1f90de20b798e5f6c2a7b6434
-
SHA1
ba6ab639f7ddf21da263ac9c7a48572c31d87d10
-
SHA256
2c5a1a2aea7f263f2cbb063f45badccd7165b35de48c67247bf8038ff9c2f623
-
SHA512
541fe3301b13d69bf75c738f95919af2cb52e89911c9b9985403179d0d9efe14f8cdfdad8eacc128f8cb4f014a774726db3ab2de36e7c6b335beba53c532ea0d
-
SSDEEP
49152:SnAQqMSPbcBVQej/1INRx+TSqTdd1HkQo6SAARdhn:+DqPoBhz1aRxcSUZk36SAEdh
Malware Config
Signatures
-
Wannacry
WannaCry is a ransomware cryptoworm.
-
Contacts a large (3128) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Executes dropped EXE 3 IoCs
pid | Process
1020 | mssecsvc.exe
632 | mssecsvc.exe
2788 | tasksche.exe
-
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Drops file in Windows directory 2 IoCs
description | ioc | Process
File created | C:\WINDOWS\mssecsvc.exe | rundll32.exe
File created | C:\WINDOWS\tasksche.exe | mssecsvc.exe
-
Modifies data under HKEY_USERS 5 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | mssecsvc.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | mssecsvc.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | mssecsvc.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | mssecsvc.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | mssecsvc.exe
-
Suspicious use of WriteProcessMemory 6 IoCs
description | pid | Process | procid_target
PID 2168 wrote to memory of 4508 | 2168 | rundll32.exe | 82
PID 2168 wrote to memory of 4508 | 2168 | rundll32.exe | 82
PID 2168 wrote to memory of 4508 | 2168 | rundll32.exe | 82
PID 4508 wrote to memory of 1020 | 4508 | rundll32.exe | 83
PID 4508 wrote to memory of 1020 | 4508 | rundll32.exe | 83
PID 4508 wrote to memory of 1020 | 4508 | rundll32.exe | 83
Processes
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\3340eec1f90de20b798e5f6c2a7b6434_JaffaCakes118.dll,#1
  - Suspicious use of WriteProcessMemory
  PID:2168
  - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\3340eec1f90de20b798e5f6c2a7b6434_JaffaCakes118.dll,#1
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    PID:4508
    - C:\WINDOWS\mssecsvc.exe
      C:\WINDOWS\mssecsvc.exe
      - Executes dropped EXE
      - Drops file in Windows directory
      PID:1020
      - C:\WINDOWS\tasksche.exe
        C:\WINDOWS\tasksche.exe /i
        - Executes dropped EXE
        PID:2788
- C:\WINDOWS\mssecsvc.exe
  C:\WINDOWS\mssecsvc.exe -m security
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  PID:632
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
3.6MB
MD5
4f8187f7307f33cd25935f5e880ee047
SHA1
984fd9e94a96d476a85ecb69bd08c390f29a3043
SHA256
7a76798a97e062a6dd903570e459fdbb9aa4c24410d6cce8fe0de2e9097df571
SHA512
7bfa53a6e63dc596a71191df784e09dd435bff9063fe8042c162d0c09e5f4f5713e39b9d32329eaf68cf4ed7fe1ba9e7703d3871394df8663a1ac1ebc3572815
-
Filesize
3.4MB
MD5
b91800f044097d66a2956440ade809e3
SHA1
163381e41d1665d3325f0081b0feb83f399a117f
SHA256
324eaf7b3ecae86cfe0f4c27783e777714512b8b2a017314089bf335ecad7fe9
SHA512
a191ef5d5493949dcf649e22629d748f2059c1a5d95013ec1bbf9ad835e61e4e9d0cd7ad5df6e8e33c417e412256cb796c2576a5935860dcdc67d2dbb91177a4