Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 151s
max time network: 157s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 20/05/2024, 19:50
Static task: static1
Behavioral task: behavioral1
  Sample: 60dff2345008f59be49d93a84a0e0b9d_JaffaCakes118.dll
  Resource: win7-20240508-en
Behavioral task: behavioral2
  Sample: 60dff2345008f59be49d93a84a0e0b9d_JaffaCakes118.dll
  Resource: win10v2004-20240226-en
General
Target: 60dff2345008f59be49d93a84a0e0b9d_JaffaCakes118.dll
Size: 5.0MB
MD5: 60dff2345008f59be49d93a84a0e0b9d
SHA1: 0da7ed476a6ebb6f8191958c3368f06a65ec28d9
SHA256: b82a3bf3316df0fbd083b79291eebc6774ad6fd95cd8ce3852ab7800df0e019a
SHA512: 6112d4963d009b9af83325a2f0f388b82a4fc462750885ee6c5e536cc493471d2bda10e1dc730e2df2ae823362cb7f0218457336472e5dbcbb4d63a2984b0d85
SSDEEP: 49152:SnAQqMSPbcBVQej/1INRx+TSqTdX1HkQo6SAARdhNREroVeiC9avc:+DqPoBhz1aRxcSUDk36SAEdhFeP
Malware Config
Signatures
Wannacry
  WannaCry is a ransomware cryptoworm.
Contacts a large (2884) amount of remote hosts (1 TTPs)
  This may indicate a network scan to discover remotely running services.
Executes dropped EXE (3 IoCs)
  pid   Process
  408   mssecsvc.exe
  4128  mssecsvc.exe
  1812  tasksche.exe
Creates a large amount of network flows (1 TTPs)
  This may indicate a network scan to discover remotely running services.
Drops file in Windows directory (2 IoCs)
  description   ioc                       Process
  File created  C:\WINDOWS\mssecsvc.exe   rundll32.exe
  File created  C:\WINDOWS\tasksche.exe   mssecsvc.exe
Modifies data under HKEY_USERS (5 IoCs)
  description      ioc                                                                                                          Process
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"  mssecsvc.exe
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"     mssecsvc.exe
  Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\                     mssecsvc.exe
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"    mssecsvc.exe
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"   mssecsvc.exe
Suspicious use of WriteProcessMemory (6 IoCs)
  description                        pid   Process       procid_target
  PID 4596 wrote to memory of 3532   4596  rundll32.exe  91
  PID 4596 wrote to memory of 3532   4596  rundll32.exe  91
  PID 4596 wrote to memory of 3532   4596  rundll32.exe  91
  PID 3532 wrote to memory of 408    3532  rundll32.exe  92
  PID 3532 wrote to memory of 408    3532  rundll32.exe  92
  PID 3532 wrote to memory of 408    3532  rundll32.exe  92
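The behaviour these signatures describe (rundll32 dropping and running mssecsvc.exe from C:\WINDOWS, mssecsvc.exe dropping and running tasksche.exe /i, a second mssecsvc.exe instance started with -m security, and one process contacting thousands of remote hosts) can be hunted for in endpoint telemetry. The script below is an added example written for this page, not tria.ge's own code. It uses an event schema of my own, loosely modelled on Sysmon process/file/network events, and a hypothetical fan-out threshold of 100 distinct hosts; the PIDs, paths and hashes are the ones this report lists, while the pairing of the 3.6MB dropped-file hash with mssecsvc.exe in the sample data is an assumption (the report gives the hashes but not the file names).

```python
"""Hunt for the WannaCry-style chain in this report over a constructed
Sysmon-like event stream (added example; not tria.ge code)."""
from collections import defaultdict

# Hashes copied from the report's General and Downloads sections.
KNOWN_SHA256 = {
    "b82a3bf3316df0fbd083b79291eebc6774ad6fd95cd8ce3852ab7800df0e019a": "submitted DLL",
    "c62bacc4507bb21fbfcfb0024ba471706906f65d2f5178699ac2d8da0de74e89": "dropped file, 3.6MB",
    "c1b64c007a33c22b52488c11224d8b170cdfbe67fe2741c76bd272ae15a90e4d": "dropped file, 3.4MB",
}
# Paths written under the Windows directory according to the report.
DROP_PATHS = {r"c:\windows\mssecsvc.exe", r"c:\windows\tasksche.exe"}
# Hypothetical tuning value; the sandbox run reached 2884 distinct hosts.
FANOUT_THRESHOLD = 100


def hunt(events):
    """Return a list of (rule, detail) findings for the given events.

    Constructed event schema:
      {"type": "process", "pid", "ppid", "image", "cmdline", "sha256" (optional)}
      {"type": "file",    "pid", "image", "target"}
      {"type": "network", "pid", "image", "dst"}
    """
    findings = []
    procs = {e["pid"]: e for e in events if e["type"] == "process"}
    dsts = defaultdict(set)

    for e in events:
        if e["type"] == "process":
            image, cmd = e["image"].lower(), e["cmdline"].lower()
            parent = procs.get(e["ppid"])
            parent_image = parent["image"].lower() if parent else ""
            # rundll32 launching a binary from C:\WINDOWS (the drop location)
            if image in DROP_PATHS and parent_image.endswith("rundll32.exe"):
                findings.append(("dropped_exe_from_rundll32", f"{e['pid']} {image}"))
            # the second mssecsvc.exe instance runs with "-m security"
            if image.endswith("mssecsvc.exe") and "-m security" in cmd:
                findings.append(("mssecsvc_service_mode", f"{e['pid']} {cmd}"))
            # tasksche.exe spawned by mssecsvc.exe
            if image.endswith("tasksche.exe") and parent_image.endswith("mssecsvc.exe"):
                findings.append(("tasksche_from_mssecsvc", f"{e['pid']} {cmd}"))
            if e.get("sha256") in KNOWN_SHA256:
                findings.append(("known_hash", f"{e['pid']} {KNOWN_SHA256[e['sha256']]}"))
        elif e["type"] == "file":
            if e["target"].lower() in DROP_PATHS:
                findings.append(("windows_dir_drop", f"{e['image']} -> {e['target']}"))
        elif e["type"] == "network":
            dsts[e["pid"]].add(e["dst"])

    # one process reaching many distinct remote hosts: the scan-like signature
    for pid, hosts in dsts.items():
        if len(hosts) >= FANOUT_THRESHOLD:
            findings.append(("remote_host_fanout", f"{pid} contacted {len(hosts)} hosts"))
    return findings


def sample_events():
    """Constructed events mirroring the PIDs and paths in the report."""
    dll = r"C:\Users\Admin\AppData\Local\Temp\60dff2345008f59be49d93a84a0e0b9d_JaffaCakes118.dll"
    ev = [
        # ppid 7000 is a placeholder; the report does not show rundll32's parent
        {"type": "process", "pid": 4596, "ppid": 7000, "image": r"C:\Windows\system32\rundll32.exe",
         "cmdline": f"rundll32.exe {dll},#1"},
        {"type": "process", "pid": 3532, "ppid": 4596, "image": r"C:\Windows\SysWOW64\rundll32.exe",
         "cmdline": f"rundll32.exe {dll},#1"},
        {"type": "file", "pid": 3532, "image": "rundll32.exe", "target": r"C:\WINDOWS\mssecsvc.exe"},
        # assumed: the 3.6MB dropped-file hash belongs to mssecsvc.exe
        {"type": "process", "pid": 408, "ppid": 3532, "image": r"C:\WINDOWS\mssecsvc.exe",
         "cmdline": r"C:\WINDOWS\mssecsvc.exe",
         "sha256": "c62bacc4507bb21fbfcfb0024ba471706906f65d2f5178699ac2d8da0de74e89"},
        {"type": "file", "pid": 408, "image": "mssecsvc.exe", "target": r"C:\WINDOWS\tasksche.exe"},
        {"type": "process", "pid": 1812, "ppid": 408, "image": r"C:\WINDOWS\tasksche.exe",
         "cmdline": r"C:\WINDOWS\tasksche.exe /i"},
        {"type": "process", "pid": 4128, "ppid": 7000, "image": r"C:\WINDOWS\mssecsvc.exe",
         "cmdline": r"C:\WINDOWS\mssecsvc.exe -m security"},
    ]
    # constructed fan-out: 150 distinct destinations from the service-mode instance
    ev += [{"type": "network", "pid": 4128, "image": "mssecsvc.exe",
            "dst": f"10.0.{i // 256}.{i % 256}"} for i in range(150)]
    return ev


if __name__ == "__main__":
    for rule, detail in hunt(sample_events()):
        print(f"{rule:28} {detail}")
```

On the constructed data this prints seven findings: two Windows-directory drops, the rundll32-to-mssecsvc.exe launch, the hash match, tasksche.exe under mssecsvc.exe, the -m security instance and the fan-out. The process-chain and path rules carry most of the signal because the drop locations are fixed; the fan-out threshold is the one value that needs tuning per environment, since legitimate scanners and backup agents also touch many hosts.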
Processes
The tree below shows the chain: the 64-bit rundll32.exe invokes the DLL's ordinal-1 export (",#1") and re-launches it under the SysWOW64 rundll32.exe (so the DLL is 32-bit), which writes mssecsvc.exe to C:\WINDOWS and runs it; that instance drops and runs tasksche.exe /i. A second mssecsvc.exe instance, started with -m security, is the one that applies the ZoneMap registry changes. The msedge.exe utility process at the end is unrelated sandbox background activity.

C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\60dff2345008f59be49d93a84a0e0b9d_JaffaCakes118.dll,#1
  - Suspicious use of WriteProcessMemory
  PID: 4596
  C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\60dff2345008f59be49d93a84a0e0b9d_JaffaCakes118.dll,#1
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    PID: 3532
    C:\WINDOWS\mssecsvc.exe
      C:\WINDOWS\mssecsvc.exe
      - Executes dropped EXE
      - Drops file in Windows directory
      PID: 408
      C:\WINDOWS\tasksche.exe
        C:\WINDOWS\tasksche.exe /i
        - Executes dropped EXE
        PID: 1812

C:\WINDOWS\mssecsvc.exe
  C:\WINDOWS\mssecsvc.exe -m security
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  PID: 4128

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4064 --field-trial-handle=2356,i,13261194862334667799,7441241219475888176,262144 --variations-seed-version /prefetch:8
  PID: 2992
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 3.6MB
MD5: 3c82571e0ab3aa17efb8fce3fef5df7d
SHA1: e1e9b4bfb2fd00cd960b6c149dd2ecb07c995ed9
SHA256: c62bacc4507bb21fbfcfb0024ba471706906f65d2f5178699ac2d8da0de74e89
SHA512: dbc407336536126159e8e66dc9d04f1c823fd0c423fd8d16ff1b4dad2ed0b4ba7e13d555f26e1d2c3b040dd0e6448f065c52ce32be81bc3841a0f5b8cbb3307d

Filesize: 3.4MB
MD5: ae1a32d6d3cc75900702d74bebc95cc1
SHA1: fcc6d144365307cbc01ddbd5680aafb33bb43884
SHA256: c1b64c007a33c22b52488c11224d8b170cdfbe67fe2741c76bd272ae15a90e4d
SHA512: 8face209838ecf9ae0bd896690d2313ff608355879fdd425f0aa336a9731c361380b0f6a0adc787ee81f8f52a414c2c23197d3461ac9a457ea9614df287bc4f9