Analysis
- max time kernel: 150s
- max time network: 152s
- platform: windows10-2004_x64
- resource: win10v2004-20240709-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 23/07/2024, 04:49
Tasks
- Static task: static1
- Behavioral task: behavioral1
  Sample: 6633a19602561d359e76a67a008d62e8_JaffaCakes118.dll
  Resource: win7-20240704-en
- Behavioral task: behavioral2
  Sample: 6633a19602561d359e76a67a008d62e8_JaffaCakes118.dll
  Resource: win10v2004-20240709-en
General
- Target: 6633a19602561d359e76a67a008d62e8_JaffaCakes118.dll
- Size: 5.0MB
- MD5: 6633a19602561d359e76a67a008d62e8
- SHA1: d823708efa36c4fc6f8ec99dfa8a9741f0205de4
- SHA256: 39bbc42fa1212dc1465776b1c0efaed775c063385a6e6fd9d06cda483558f393
- SHA512: 7706a678184eb50ea9c0525376dda5f738aa1578f2ad3c70e0f54a6820152495ee7036ace388a8b9cebdf17692b71f2df3181d530a1485c53b211b297b9402c0
- SSDEEP: 98304:TDqPoBhz1aRxcSUDk36SAEdhvxWa9P593R:TDqPe1Cxcxk3ZAEUadzR
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.
- Contacts a large (3318) number of remote hosts (1 TTP)
  This may indicate a network scan to discover remotely running services.
- Executes dropped EXE (3 IoCs)
  pid   Process
  1132  mssecsvc.exe
  3076  mssecsvc.exe
  448   tasksche.exe
- Creates a large amount of network flows (1 TTP)
  This may indicate a network scan to discover remotely running services.
- Drops file in Windows directory (2 IoCs)
  description   ioc                         Process
  File created  C:\WINDOWS\tasksche.exe     mssecsvc.exe
  File created  C:\WINDOWS\mssecsvc.exe     rundll32.exe
- Modifies data under HKEY_USERS (5 IoCs)
  description      ioc                                                                                                        Process
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"    mssecsvc.exe
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"   mssecsvc.exe
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"  mssecsvc.exe
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"     mssecsvc.exe
  Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\                    mssecsvc.exe
  The \REGISTRY\USER\.DEFAULT hive is the profile loaded for the LocalSystem account, so these ZoneMap writes are consistent with the mssecsvc.exe instance that produced them (PID 3076, see Processes) running as SYSTEM rather than as the submitting user.
- Suspicious use of WriteProcessMemory (6 IoCs)
  description                      pid   Process       procid_target
  PID 2472 wrote to memory of 5072  2472  rundll32.exe  84
  PID 2472 wrote to memory of 5072  2472  rundll32.exe  84
  PID 2472 wrote to memory of 5072  2472  rundll32.exe  84
  PID 5072 wrote to memory of 1132  5072  rundll32.exe  87
  PID 5072 wrote to memory of 1132  5072  rundll32.exe  87
  PID 5072 wrote to memory of 1132  5072  rundll32.exe  87
  The repeated rows are separate write events recorded by the sandbox, not a rendering duplicate: each parent writes into its freshly created child several times before that child starts executing.
Processes
Tree 1
  Image:        C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\6633a19602561d359e76a67a008d62e8_JaffaCakes118.dll,#1
  PID:          2472
  Signatures:   Suspicious use of WriteProcessMemory
    Image:        C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\6633a19602561d359e76a67a008d62e8_JaffaCakes118.dll,#1
    PID:          5072
    Signatures:   Drops file in Windows directory; Suspicious use of WriteProcessMemory
      Image:        C:\WINDOWS\mssecsvc.exe
      Command line: C:\WINDOWS\mssecsvc.exe
      PID:          1132
      Signatures:   Executes dropped EXE; Drops file in Windows directory
        Image:        C:\WINDOWS\tasksche.exe
        Command line: C:\WINDOWS\tasksche.exe /i
        PID:          448
        Signatures:   Executes dropped EXE
Tree 2
  Image:        C:\WINDOWS\mssecsvc.exe
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  PID:          3076
  Signatures:   Executes dropped EXE; Modifies data under HKEY_USERS

The 64-bit rundll32.exe (PID 2472) re-launches the identical command line through the SysWOW64 copy (PID 5072), which is the hand-off rundll32 performs when given a 32-bit DLL; it is the 32-bit instance that writes C:\WINDOWS\mssecsvc.exe. The dropped mssecsvc.exe (PID 1132) in turn writes and runs C:\WINDOWS\tasksche.exe /i. The second mssecsvc.exe instance (PID 3076, -m security) appears as the root of its own tree rather than as a child of PID 1132, and it is the instance that modifies HKEY_USERS\.DEFAULT.
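The behavioural signatures above ("Drops file in Windows directory", "Executes dropped EXE", "Contacts a large number of remote hosts") and the process tree are simple to reproduce from raw sandbox events. The following is an added example, not tria.ge's own signature code: it re-implements those three checks in Python over constructed events that mirror the process tree and file events in this report. The parent PIDs are taken from the tree depth, and the network flows are entirely constructed (the report gives only a host count of 3318, so the scanning PID, the port 445 and the addresses are assumptions), as is the 20-host threshold.

```python
"""Re-implementation of three behavioural signatures from this report over
constructed events that mirror its process tree. Added example; not tria.ge code."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: Optional[int]   # None where the report shows the process as a tree root
    image: str
    cmdline: str


@dataclass(frozen=True)
class FileEvent:
    pid: int              # process that created the file
    path: str


@dataclass(frozen=True)
class NetFlow:
    pid: int
    dst_ip: str
    dst_port: int


SAMPLE_DLL = r"C:\Users\Admin\AppData\Local\Temp\6633a19602561d359e76a67a008d62e8_JaffaCakes118.dll"

# Process tree as listed in the report; parents are taken from the tree depth.
PROCS: List[ProcEvent] = [
    ProcEvent(2472, None, r"C:\Windows\system32\rundll32.exe", f"rundll32.exe {SAMPLE_DLL},#1"),
    ProcEvent(5072, 2472, r"C:\Windows\SysWOW64\rundll32.exe", f"rundll32.exe {SAMPLE_DLL},#1"),
    ProcEvent(1132, 5072, r"C:\WINDOWS\mssecsvc.exe", r"C:\WINDOWS\mssecsvc.exe"),
    ProcEvent(448, 1132, r"C:\WINDOWS\tasksche.exe", r"C:\WINDOWS\tasksche.exe /i"),
    ProcEvent(3076, None, r"C:\WINDOWS\mssecsvc.exe", r"C:\WINDOWS\mssecsvc.exe -m security"),
]

# File-creation events from the "Drops file in Windows directory" signature.
FILES: List[FileEvent] = [
    FileEvent(5072, r"C:\WINDOWS\mssecsvc.exe"),
    FileEvent(1132, r"C:\WINDOWS\tasksche.exe"),
]

# Constructed flows. The report only gives a host count (3318), so the scanning
# PID, the destination port and the addresses are assumptions, not data from the run.
FLOWS: List[NetFlow] = (
    [NetFlow(3076, f"10.0.1.{i}", 445) for i in range(1, 41)]      # 40 distinct hosts
    + [NetFlow(448, "10.0.2.5", 80), NetFlow(448, "10.0.2.5", 80)]  # one host, two flows
)

WINDOWS_DIR = "c:\\windows\\"


def drops_in_windows_dir(files: List[FileEvent]) -> List[FileEvent]:
    """File creations directly under the Windows directory (case-insensitive)."""
    return [f for f in files if f.path.lower().startswith(WINDOWS_DIR)]


def executes_dropped_exe(procs: List[ProcEvent], files: List[FileEvent]) -> List[int]:
    """PIDs whose image path was written during the trace, in process-start order."""
    dropped = {f.path.lower() for f in files}
    return [p.pid for p in procs if p.image.lower() in dropped]


def distinct_hosts_per_pid(flows: List[NetFlow]) -> Dict[int, int]:
    """Distinct destination addresses per PID. Flow count is deliberately not used:
    a process retrying one host many times must not score as a scanner."""
    hosts: Dict[int, set] = defaultdict(set)
    for fl in flows:
        hosts[fl.pid].add(fl.dst_ip)
    return {pid: len(ips) for pid, ips in hosts.items()}


def scanning_pids(flows: List[NetFlow], threshold: int = 20) -> List[int]:
    """PIDs that contacted at least `threshold` distinct hosts (threshold is an assumption)."""
    return sorted(pid for pid, n in distinct_hosts_per_pid(flows).items() if n >= threshold)


def ancestry(procs: List[ProcEvent], pid: int) -> List[int]:
    """Parent chain from `pid` up to its tree root, to tie a dropped EXE back to
    the rundll32.exe that loaded the sample."""
    by_pid = {p.pid: p for p in procs}
    chain: List[int] = []
    cur = by_pid.get(pid)
    while cur is not None and cur.ppid is not None:
        chain.append(cur.ppid)
        cur = by_pid.get(cur.ppid)
    return chain


if __name__ == "__main__":
    print("Drops file in Windows directory:", [(f.pid, f.path) for f in drops_in_windows_dir(FILES)])
    print("Executes dropped EXE:", executes_dropped_exe(PROCS, FILES))
    print("Scanning PIDs:", scanning_pids(FLOWS), distinct_hosts_per_pid(FLOWS))
    print("Ancestry of tasksche.exe (448):", ancestry(PROCS, 448))
```

Note that executes_dropped_exe flags PID 3076 as well as 1132 even though 3076 sits in a separate tree: the check keys on the image path having been created during the trace, not on parentage, which is why the report lists three IoCs for that signature. The ancestry helper is what you would use to walk PID 448 back to the loading rundll32.exe (1132, 5072, 2472) when building a timeline.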
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 3.6MB
  MD5: 218cbc67ac8a66aebca9cca90960ead8
  SHA1: 19454a65b8253104daf8beb975b4b12b76db586e
  SHA256: ae167748ed2a30a493121478cf77d1a6f78ffd8a149e4ec627b3af9aea5e0ec2
  SHA512: 010cb8e232fd0b23d36ec39ee8456e1d1e7af7967e6923908e60de8d6671400d827c12cc52d98f17ec450e642150ad52af88c94376e7344b7a85e891d8f00a91
- Filesize: 3.4MB
  MD5: 1fd3d102d83758e8317df2380821e807
  SHA1: 3709a9b48aee0d6039b4b3581be33f48d4919b79
  SHA256: 01b628fa60560c0cb4a332818cb380a65d0616d19976c084e0c3eaa433288b88
  SHA512: db0ee5b13e524f2182845aa94b8b1121749e87e48e75e5ba8fa26cae024216913d3a5904fb3544dfeefa49ecf76af5cf1324c410e6366a7197594e8e9e26025f