Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    151s
  • max time network
    157s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    20/05/2024, 19:50

General

  • Target

    60dff2345008f59be49d93a84a0e0b9d_JaffaCakes118.dll

  • Size

    5.0MB

  • MD5

    60dff2345008f59be49d93a84a0e0b9d

  • SHA1

    0da7ed476a6ebb6f8191958c3368f06a65ec28d9

  • SHA256

    b82a3bf3316df0fbd083b79291eebc6774ad6fd95cd8ce3852ab7800df0e019a

  • SHA512

    6112d4963d009b9af83325a2f0f388b82a4fc462750885ee6c5e536cc493471d2bda10e1dc730e2df2ae823362cb7f0218457336472e5dbcbb4d63a2984b0d85

  • SSDEEP

    49152:SnAQqMSPbcBVQej/1INRx+TSqTdX1HkQo6SAARdhNREroVeiC9avc:+DqPoBhz1aRxcSUDk36SAEdhFeP

Malware Config

Signatures

  • Wannacry

    WannaCry is a ransomware cryptoworm.

  • Contacts a large (2884) amount of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Executes dropped EXE 3 IoCs
  • Creates a large amount of network flows 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Drops file in Windows directory 2 IoCs
  • Modifies data under HKEY_USERS 5 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\60dff2345008f59be49d93a84a0e0b9d_JaffaCakes118.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4596
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\60dff2345008f59be49d93a84a0e0b9d_JaffaCakes118.dll,#1
      2⤵
      • Drops file in Windows directory
      • Suspicious use of WriteProcessMemory
      PID:3532
      • C:\WINDOWS\mssecsvc.exe
        C:\WINDOWS\mssecsvc.exe
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        PID:408
        • C:\WINDOWS\tasksche.exe
          C:\WINDOWS\tasksche.exe /i
          4⤵
          • Executes dropped EXE
          PID:1812
  • C:\WINDOWS\mssecsvc.exe
    C:\WINDOWS\mssecsvc.exe -m security
    1⤵
    • Executes dropped EXE
    • Modifies data under HKEY_USERS
    PID:4128
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4064 --field-trial-handle=2356,i,13261194862334667799,7441241219475888176,262144 --variations-seed-version /prefetch:8
    1⤵
      PID:2992

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Windows\mssecsvc.exe

      Filesize

      3.6MB

      MD5

      3c82571e0ab3aa17efb8fce3fef5df7d

      SHA1

      e1e9b4bfb2fd00cd960b6c149dd2ecb07c995ed9

      SHA256

      c62bacc4507bb21fbfcfb0024ba471706906f65d2f5178699ac2d8da0de74e89

      SHA512

      dbc407336536126159e8e66dc9d04f1c823fd0c423fd8d16ff1b4dad2ed0b4ba7e13d555f26e1d2c3b040dd0e6448f065c52ce32be81bc3841a0f5b8cbb3307d

    • C:\Windows\tasksche.exe

      Filesize

      3.4MB

      MD5

      ae1a32d6d3cc75900702d74bebc95cc1

      SHA1

      fcc6d144365307cbc01ddbd5680aafb33bb43884

      SHA256

      c1b64c007a33c22b52488c11224d8b170cdfbe67fe2741c76bd272ae15a90e4d

      SHA512

      8face209838ecf9ae0bd896690d2313ff608355879fdd425f0aa336a9731c361380b0f6a0adc787ee81f8f52a414c2c23197d3461ac9a457ea9614df287bc4f9