Analysis
- max time kernel: 150s
- max time network: 153s
- platform: windows10-2004_x64
- resource: win10v2004-20240704-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240704-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 13/07/2024, 19:25
Static task: static1
Behavioral task: behavioral1
- Sample: 430599e85618bd750b5bbfb21cb5f857_JaffaCakes118.dll
- Resource: win7-20240708-en
Behavioral task: behavioral2
- Sample: 430599e85618bd750b5bbfb21cb5f857_JaffaCakes118.dll
- Resource: win10v2004-20240704-en
General
- Target: 430599e85618bd750b5bbfb21cb5f857_JaffaCakes118.dll
- Size: 5.0MB
- MD5: 430599e85618bd750b5bbfb21cb5f857
- SHA1: c9ff0c824d324d6047a31eb07da54ba43a0a8b86
- SHA256: ec2a990e5ceea72eec6128d38e8debedffbe6cac244f7ee5e5e3d58e2ad0b202
- SHA512: 579734a994750f09d3cd6feb1d6e5f2793bce1eca37f65cb4fef50c0c908b18248e143a85cbf3d62bf5d0af1e5a4b48faa94dc3e92846e615215276b9322c1f7
- SSDEEP: 49152:RnpE/bcBVQej/1INRx+TSqTdX1HkQo6SAARdhnv:1p4oBhz1aRxcSUDk36SAEdhv
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.
- Contacts a large number (2136) of remote hosts (1 TTP)
  This may indicate a network scan to discover remotely running services.
- Executes dropped EXE (3 IoCs)
  pid | Process
  3576 | mssecsvr.exe
  1592 | mssecsvr.exe
  4788 | tasksche.exe
- Drops file in Windows directory (4 IoCs)
  description | ioc | Process
  File created | C:\Windows\__tmp_rar_sfx_access_check_240653703 | tasksche.exe
  File created | C:\Windows\eee.exe | tasksche.exe
  File created | C:\WINDOWS\mssecsvr.exe | rundll32.exe
  File created | C:\WINDOWS\tasksche.exe | mssecsvr.exe
- Modifies data under HKEY_USERS (5 IoCs)
  description | ioc | Process
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | mssecsvr.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | mssecsvr.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | mssecsvr.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | mssecsvr.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | mssecsvr.exe
- Suspicious use of WriteProcessMemory (9 IoCs; each row below was recorded three times)
  description | pid | Process | procid_target
  PID 4848 wrote to memory of 2084 | 4848 | rundll32.exe | 83
  PID 2084 wrote to memory of 3576 | 2084 | rundll32.exe | 84
  PID 3576 wrote to memory of 4788 | 3576 | mssecsvr.exe | 99
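The "contacts a large number of remote hosts" signature is a per-process count of distinct destination addresses. The script below is an added example of that detection logic, not tria.ge's own signature code. It runs over a constructed event list shaped like (pid, image, dst_ip, dst_port); the threshold, the process names and all traffic in it are assumptions, not data from the report above (which lists the host count but not the ports). Port 445 is used for the constructed sweep because SMB is the service WannaCry's worm component targets.

```python
"""Detection logic for a 'contacts a large number of remote hosts' signature.

Added example; not tria.ge's signature code. Input is a constructed list of
connection events (pid, image, dst_ip, dst_port). The threshold and sample
traffic are assumptions, not data from the sandbox report.
"""
from collections import defaultdict
import ipaddress

SCAN_THRESHOLD = 50  # hypothetical; tune per environment (the report above saw 2136 hosts)


def host_counts(events):
    """Map (pid, image) -> set of distinct destination IPs seen for that process."""
    hosts = defaultdict(set)
    for pid, image, dst_ip, _dst_port in events:
        hosts[(pid, image)].add(dst_ip)
    return hosts


def flag_scanners(events, threshold=SCAN_THRESHOLD):
    """Return [(pid, image, distinct_hosts, (top_port, hits))] for processes over threshold.

    The dominant destination port is reported next to the host count because a
    sweep of many hosts on one port is the 'service discovery' pattern the
    signature text describes, whereas a busy but benign client talks to few
    hosts on several ports.
    """
    hosts = host_counts(events)
    ports = defaultdict(lambda: defaultdict(int))
    for pid, image, _dst_ip, dst_port in events:
        ports[(pid, image)][dst_port] += 1
    findings = []
    for (pid, image), ips in hosts.items():
        if len(ips) >= threshold:
            top_port = max(ports[(pid, image)].items(), key=lambda kv: kv[1])
            findings.append((pid, image, len(ips), top_port))
    return findings


def synthetic_events():
    """Constructed sample traffic (not captured from the sandbox run)."""
    events = []
    # Hypothetical sweep: one process touches every host of a /24 on a single port.
    for host in ipaddress.ip_network("10.0.0.0/24").hosts():
        events.append((3576, "mssecsvr.exe", str(host), 445))
    # Benign-looking client: two hosts, several ports.
    events += [
        (1234, "client.exe", "192.0.2.10", 443),
        (1234, "client.exe", "192.0.2.10", 80),
        (1234, "client.exe", "192.0.2.20", 8080),
    ]
    return events


if __name__ == "__main__":
    for pid, image, n, (port, hits) in flag_scanners(synthetic_events()):
        print(f"{image} (pid {pid}): {n} distinct hosts, {hits} connections to port {port}")
```

On the constructed input only the sweeping process is flagged (254 hosts, all on one port); the client with two hosts stays under the threshold. In production the threshold should be set from a baseline of the environment's own hosts, since backup agents and vulnerability scanners legitimately produce the same shape.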
Processes
- C:\Windows\system32\rundll32.exe (PID 4848, depth 1)
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\430599e85618bd750b5bbfb21cb5f857_JaffaCakes118.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (PID 2084, depth 2)
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\430599e85618bd750b5bbfb21cb5f857_JaffaCakes118.dll,#1
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    - C:\WINDOWS\mssecsvr.exe (PID 3576, depth 3)
      Command line: C:\WINDOWS\mssecsvr.exe
      - Executes dropped EXE
      - Drops file in Windows directory
      - Suspicious use of WriteProcessMemory
      - C:\WINDOWS\tasksche.exe (PID 4788, depth 4)
        Command line: C:\WINDOWS\tasksche.exe /i
        - Executes dropped EXE
        - Drops file in Windows directory
- C:\WINDOWS\mssecsvr.exe (PID 1592, depth 1; no parent recorded in the report)
  Command line: C:\WINDOWS\mssecsvr.exe -m security
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 2.2MB
  MD5: 03e8741684a2ea2aa24bad8da574435e
  SHA1: 9cc3be4e47aa9f1df05c1fdb8d528cfd09b8b88c
  SHA256: 4128abf9efa8bca93aede9b4a44aab78fab27d634f4c9581c64fa54d3bb8993e
  SHA512: ff6d7dcc2242f316e31b073a9f662ad6d7bc7c31c6eedfde75e1b16109a1f8c3c70e1de92ee67db62e0561572d53c118240a3a5ec2004c12ed1d54cc3aa693d5
- Filesize: 2.0MB
  MD5: 1ff321de9e6b8a865048789e18bb4232
  SHA1: 67a548cf33d086c224058ab30c631c04f5dad29d
  SHA256: ead0300a439be8ea26abc28944d1d3eb3b111ba1b3cad76b3b0f00b26dadd97a
  SHA512: ab57e6bdce2dd71c49affb8c093384e27d2cec6b4165a0089617098ac30ab00715e0251cc5f96f5710a74215c9eb8804113c177df7deef046d895ac733bba0bc