Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
150s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
24/08/2024, 08:23
Static task
static1
Behavioral task
behavioral1
Sample
be376452707de19a4abf88da57dbd3a2_JaffaCakes118.dll
Resource
win7-20240705-en
Behavioral task
behavioral2
Sample
be376452707de19a4abf88da57dbd3a2_JaffaCakes118.dll
Resource
win10v2004-20240802-en
General
-
Target
be376452707de19a4abf88da57dbd3a2_JaffaCakes118.dll
-
Size
5.0MB
-
MD5
be376452707de19a4abf88da57dbd3a2
-
SHA1
4faf9ea5ffea32f7b09f666bc2bec21f4062cbd5
-
SHA256
464d83ae52e2c6428504335d44bf79f866757a1d47281a1f1d4a51acc32e25d4
-
SHA512
a4203e37fbdda7da6e4893b7d6b2fd66526bdd70be28ba69b1df291cbd05129c5059707f78d968acf418f6281ae578cf6a58d2fc2d4142c71ff35d66133507c1
-
SSDEEP
49152:SnAQqMSPbcBV3GGafYzflm+fZTFZIGayscOqdImwW6LC:+DqPoBQ+iUP2dWOC
Malware Config
Signatures
-
Wannacry
WannaCry is a ransomware cryptoworm.
-
Contacts a large (3143) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Executes dropped EXE 3 IoCs
pid Process 2000 mssecsvc.exe 640 mssecsvc.exe 2396 tasksche.exe -
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Drops file in Windows directory 2 IoCs
description ioc Process File created C:\WINDOWS\mssecsvc.exe rundll32.exe File created C:\WINDOWS\tasksche.exe mssecsvc.exe -
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mssecsvc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mssecsvc.exe -
Modifies data under HKEY_USERS 5 IoCs
description ioc Process Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" mssecsvc.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" mssecsvc.exe -
Suspicious use of WriteProcessMemory 6 IoCs
description pid Process procid_target PID 4064 wrote to memory of 5008 4064 rundll32.exe 84 PID 4064 wrote to memory of 5008 4064 rundll32.exe 84 PID 4064 wrote to memory of 5008 4064 rundll32.exe 84 PID 5008 wrote to memory of 2000 5008 rundll32.exe 85 PID 5008 wrote to memory of 2000 5008 rundll32.exe 85 PID 5008 wrote to memory of 2000 5008 rundll32.exe 85
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\be376452707de19a4abf88da57dbd3a2_JaffaCakes118.dll,#11⤵
- Suspicious use of WriteProcessMemory
PID:4064 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\be376452707de19a4abf88da57dbd3a2_JaffaCakes118.dll,#12⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5008 -
C:\WINDOWS\mssecsvc.exeC:\WINDOWS\mssecsvc.exe3⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:2000 -
C:\WINDOWS\tasksche.exeC:\WINDOWS\tasksche.exe /i4⤵
- Executes dropped EXE
PID:2396
-
-
-
-
C:\WINDOWS\mssecsvc.exeC:\WINDOWS\mssecsvc.exe -m security1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
PID:640
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3.6MB
MD580824697873235ab2e3020d850ac67a4
SHA11a65d9a772031fb20c0ce446712771fca2ffe3ea
SHA25626a3c75e42db705cbd28d71270febec8b106534bea2c2ee9bf290f4e8fe6a537
SHA512e12960dfbc6fa7fa03aee3a13140b0900735138f2ce11ce368a915bb241805c5af7b12cad6b8ff3d0b09aac79b1da2a0580a1018df77fa0deeae913172a834c1
-
Filesize
3.4MB
MD5719bb92d7efdbb351531331f1864e945
SHA1851c16a405445e0b3a0596e8e98f55e0b4dd7214
SHA2567792387162752d9260ee5bbb228c11328269853ba473b6682931f1b7c6a9c176
SHA51246a6e02f763ad37c7580fedb4b9d8c21522d88bd90a227cf50f51ae6ae29af55d2ba5852d1282cabc7d0e76d93ca478319db4ffd1950d38c09dc447102173ec2