Analysis
max time kernel: 150s
max time network: 151s
platform: windows7_x64
resource: win7-20240708-en
resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
submitted: 11/07/2024, 09:51
Static task: static1
Behavioral task: behavioral1
  Sample: 38a3377280ad3182ab1541c841add640_JaffaCakes118.dll
  Resource: win7-20240708-en
Behavioral task: behavioral2
  Sample: 38a3377280ad3182ab1541c841add640_JaffaCakes118.dll
  Resource: win10v2004-20240709-en
General
Target: 38a3377280ad3182ab1541c841add640_JaffaCakes118.dll
Size: 5.0MB
MD5: 38a3377280ad3182ab1541c841add640
SHA1: 86b486bbcbeca9d821af505d2c0fde1c3a73ab2e
SHA256: 3b6f289036c7e924b20c5eb12daa5b902dcc660fc89a99b9fd0024088c9bec45
SHA512: 8c1740d12db3352ef27570010a42c51fdaa59695ca720b09786b1d1d0e9025da1dc248285c0f6656e31acc8f4f267b228b36698f528db73ce9b09fbd6672b97c
SSDEEP: 12288:T1bLgmluCti62WfSm0iEcQhfYNVUy7ckPU82900Ve7zw+K+DHeQYSUjEXFGeX:RbLguriIfEcQdIVUacMNgef0QeQjG
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.
- Contacts a large number (3148) of remote hosts (1 TTP)
  This may indicate a network scan to discover remotely running services.
- Executes dropped EXE (3 IoCs)
  pid 2512 mssecsvr.exe
  pid 2376 mssecsvr.exe
  pid 2120 tasksche.exe
- Creates a large number of network flows (1 TTP)
  This may indicate a network scan to discover remotely running services.
- Drops file in System32 directory (5 IoCs)
  File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat (mssecsvr.exe)
  File created C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\W6F1K4AA.txt (mssecsvr.exe)
  File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\W6F1K4AA.txt (mssecsvr.exe)
  File created C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\J2NJ5P51.txt (mssecsvr.exe)
  File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\J2NJ5P51.txt (mssecsvr.exe)
- Drops file in Windows directory (4 IoCs)
  File created C:\Windows\__tmp_rar_sfx_access_check_259436713 (tasksche.exe)
  File created C:\Windows\eee.exe (tasksche.exe)
  File created C:\WINDOWS\mssecsvr.exe (rundll32.exe)
  File created C:\WINDOWS\tasksche.exe (mssecsvr.exe)
- Modifies data under HKEY_USERS (24 IoCs)
  All 24 entries are Internet Settings / WPAD keys under the .DEFAULT hive written by the service instance of mssecsvr.exe; together with the systemprofile cache files listed above they are the footprint of WinINet being used from the SYSTEM account, not a persistence mechanism.
  Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{D524176B-C16E-4E4E-83E4-56CE55385238} (mssecsvr.exe)
  Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings (mssecsvr.exe)
  Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections (mssecsvr.exe)
  Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" (mssecsvr.exe)
  Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" (mssecsvr.exe)
  Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{D524176B-C16E-4E4E-83E4-56CE55385238}\WpadDecisionReason = "1" (mssecsvr.exe)
  Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\4e-f4-ac-93-5f-7c (mssecsvr.exe)
  Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\4e-f4-ac-93-5f-7c\WpadDecisionTime = f02d21fd77d3da01 (mssecsvr.exe)
  Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\4e-f4-ac-93-5f-7c\WpadDecision = "0" (mssecsvr.exe)
  Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings (mssecsvr.exe)
  Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" (mssecsvr.exe)
  Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 (mssecsvr.exe)
  Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\4e-f4-ac-93-5f-7c\WpadDecisionReason = "1" (mssecsvr.exe)
  Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 (mssecsvr.exe)
  Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix (mssecsvr.exe)
  Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" (mssecsvr.exe)
  Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00b8000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 (mssecsvr.exe)
  Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{D524176B-C16E-4E4E-83E4-56CE55385238}\WpadDecisionTime = f02d21fd77d3da01 (mssecsvr.exe)
  Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{D524176B-C16E-4E4E-83E4-56CE55385238}\WpadDecision = "0" (mssecsvr.exe)
  Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{D524176B-C16E-4E4E-83E4-56CE55385238}\WpadNetworkName = "Network 3" (mssecsvr.exe)
  Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{D524176B-C16E-4E4E-83E4-56CE55385238}\4e-f4-ac-93-5f-7c (mssecsvr.exe)
  Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ (mssecsvr.exe)
  Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" (mssecsvr.exe)
  Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad (mssecsvr.exe)
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid 2120 tasksche.exe
- Suspicious use of WriteProcessMemory (18 IoCs)
  PID 1912 (rundll32.exe) wrote to memory of PID 2396, procid_target 30: 7 entries
  PID 2396 (rundll32.exe) wrote to memory of PID 2512, procid_target 31: 4 entries
  PID 2512 (mssecsvr.exe) wrote to memory of PID 2120, procid_target 33: 7 entries
Processes
- C:\Windows\system32\rundll32.exe (PID 1912)
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\38a3377280ad3182ab1541c841add640_JaffaCakes118.dll,#1
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (PID 2396)
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\38a3377280ad3182ab1541c841add640_JaffaCakes118.dll,#1
    Signatures: Drops file in Windows directory; Suspicious use of WriteProcessMemory
    - C:\WINDOWS\mssecsvr.exe (PID 2512)
      Command line: C:\WINDOWS\mssecsvr.exe
      Signatures: Executes dropped EXE; Drops file in Windows directory; Suspicious use of WriteProcessMemory
      - C:\WINDOWS\tasksche.exe (PID 2120)
        Command line: C:\WINDOWS\tasksche.exe /i
        Signatures: Executes dropped EXE; Drops file in Windows directory; Suspicious behavior: GetForegroundWindowSpam
- C:\WINDOWS\mssecsvr.exe (PID 2376)
  Command line: C:\WINDOWS\mssecsvr.exe -m security
  Signatures: Executes dropped EXE; Drops file in System32 directory; Modifies data under HKEY_USERS
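The process tree and the signatures above amount to three behaviours a detection engineer would want to reproduce from endpoint telemetry: a process whose image was written to disk moments earlier by another process ("Executes dropped EXE"), the rundll32.exe to mssecsvr.exe to tasksche.exe parent chain, and one process fanning out to thousands of remote hosts ("Contacts a large number of remote hosts"). The following is an added example and not tria.ge output or sandbox code: a small Python correlator over a constructed Sysmon-style event trace that reuses this report's PIDs, image paths and command lines. The remote addresses, the benign browser process (PID 1234), the parent PID 4 for the service instance and the fan-out threshold of 100 are all assumptions made for the example.

```python
"""Added example: correlate Sysmon-style events to reproduce three findings
from the tria.ge report (dropped-EXE execution, the rundll32 -> mssecsvr.exe
-> tasksche.exe chain, and remote-host fan-out). The trace is constructed
from the report's PIDs and paths; remote addresses, the browser process and
the parent PID of the service instance are made up for the example."""
from collections import defaultdict
from dataclasses import dataclass

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\38a3377280ad3182ab1541c841add640_JaffaCakes118.dll"


@dataclass
class Event:
    kind: str            # "proc_create", "file_create" or "net_connect"
    pid: int             # acting process
    image: str           # image path of the acting process
    ppid: int = 0        # parent PID, only meaningful for proc_create
    target: str = ""     # file path created, or "host:port" contacted
    cmdline: str = ""


# Constructed trace mirroring the report's process tree. List order is the
# chronological order of the events, which the dropped-EXE check relies on.
EVENTS = [
    Event("proc_create", 1912, r"C:\Windows\system32\rundll32.exe", ppid=0,
          cmdline=f"rundll32.exe {SAMPLE},#1"),
    Event("proc_create", 2396, r"C:\Windows\SysWOW64\rundll32.exe", ppid=1912,
          cmdline=f"rundll32.exe {SAMPLE},#1"),
    Event("file_create", 2396, r"C:\Windows\SysWOW64\rundll32.exe",
          target=r"C:\WINDOWS\mssecsvr.exe"),
    Event("proc_create", 2512, r"C:\WINDOWS\mssecsvr.exe", ppid=2396,
          cmdline=r"C:\WINDOWS\mssecsvr.exe"),
    Event("file_create", 2512, r"C:\WINDOWS\mssecsvr.exe",
          target=r"C:\WINDOWS\tasksche.exe"),
    Event("proc_create", 2120, r"C:\WINDOWS\tasksche.exe", ppid=2512,
          cmdline=r"C:\WINDOWS\tasksche.exe /i"),
    # Second, service-style instance; parent PID 4 is an assumption.
    Event("proc_create", 2376, r"C:\WINDOWS\mssecsvr.exe", ppid=4,
          cmdline=r"C:\WINDOWS\mssecsvr.exe -m security"),
]
# Constructed traffic: 300 SMB connections to distinct hosts from the service
# instance, and 20 connections to a single host from a benign process.
EVENTS += [Event("net_connect", 2376, r"C:\WINDOWS\mssecsvr.exe",
                 target=f"10.0.{i // 256}.{i % 256}:445") for i in range(300)]
EVENTS += [Event("net_connect", 1234, r"C:\Program Files\browser\browser.exe",
                 target="203.0.113.10:443") for _ in range(20)]


def dropped_executables(events):
    """(pid, image, dropper_pid) for each process whose image file was written
    earlier in the trace by another process ("Executes dropped EXE")."""
    dropped = {}   # lower-cased path -> pid of the process that wrote it
    hits = []
    for ev in events:
        if ev.kind == "file_create":
            dropped[ev.target.lower()] = ev.pid
        elif ev.kind == "proc_create" and ev.image.lower() in dropped:
            hits.append((ev.pid, ev.image, dropped[ev.image.lower()]))
    return hits


def process_chain(events, pid):
    """Image file names from the root ancestor in the trace down to `pid`."""
    by_pid = {ev.pid: ev for ev in events if ev.kind == "proc_create"}
    chain = []
    while pid in by_pid:
        chain.append(by_pid[pid].image.rsplit("\\", 1)[-1])
        pid = by_pid[pid].ppid
    return chain[::-1]


def fan_out(events, threshold=100):
    """{pid: distinct_remote_hosts} for processes above `threshold`; this is
    the condition behind "Contacts a large number of remote hosts"."""
    hosts = defaultdict(set)
    for ev in events:
        if ev.kind == "net_connect":
            hosts[ev.pid].add(ev.target.rsplit(":", 1)[0])
    return {pid: len(h) for pid, h in hosts.items() if len(h) > threshold}


if __name__ == "__main__":
    for pid, image, dropper in dropped_executables(EVENTS):
        print(f"dropped EXE: pid {pid} {image} written by pid {dropper}; "
              f"chain {' -> '.join(process_chain(EVENTS, pid))}")
    for pid, n in fan_out(EVENTS).items():
        print(f"fan-out: pid {pid} contacted {n} distinct hosts")
```

On the constructed trace the dropped-EXE check returns exactly the three processes the report lists (2512, 2120 and 2376), and the fan-out check flags only the `-m security` instance, matching the report where the second mssecsvr.exe instance is the one that scans. Counting distinct hosts rather than connections is what keeps the browser, with 20 connections to one host, out of the result.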
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 2.0MB
  MD5: 0c761ff198ad086294f0a317de3812e2
  SHA1: fe057de7755461c0595c00a54e5e37b2da29d50a
  SHA256: befb04b65682bab3d99663901730dde05c298604b9db15bb65fec062865465d6
  SHA512: d1ed2fe76a390dcaec2d57e0d14ba3413b547cef0a2f6f18ea2ba96be49fc6192d982aa836d5e634027b86b7ff49675bf777d73a752d1795b479fd4ef225ebf3
- Filesize: 2.2MB
  MD5: a88fd13c373d10711fd23d4893d199f7
  SHA1: a1b0d0de6b658171b45c4db034bc846e8ef06e02
  SHA256: c00851c0e0fcadbf5430ff8ad8e68bf453fa5a70d21f6b0d65437f27d7be514b
  SHA512: 13befe2211f6a92f46a00ef6789f9dabc4dcac838a2dff3434698334b6efcc8604c429f16c780072f6985c75776e17b7deb6411fc6bd18606377037e8a33d873