Analysis
- max time kernel: 150s
- max time network: 152s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 26/08/2024, 10:10
Static task: static1
Behavioral task: behavioral1
- Sample: c2c766e66dced7a69e19bb965bf0481b_JaffaCakes118.dll
- Resource: win7-20240704-en
Behavioral task: behavioral2
- Sample: c2c766e66dced7a69e19bb965bf0481b_JaffaCakes118.dll
- Resource: win10v2004-20240802-en
General
- Target: c2c766e66dced7a69e19bb965bf0481b_JaffaCakes118.dll
- Size: 5.0MB
- MD5: c2c766e66dced7a69e19bb965bf0481b
- SHA1: 45eb459dc67f151009c6c9391711053601405eb4
- SHA256: 5e9f0f624efcd671113f8db49ae22e3375c90263e4720243c453970fa98b778e
- SHA512: 889108cf0394224ccbbc710c6e8110dcc397648869a1e92c1ee1c75437b9caa15fed4bac4c364c5f0ebdd292a3f189f46536a42660ff309146a7a10680d7cfa3
- SSDEEP: 98304:+DqPoBhz1aRd36SAEdhvxWa9P593R8yAVp2H:+DqPe1Cd3ZAEUadzR8yc4H
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.
- Contacts a large (3342) amount of remote hosts (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Executes dropped EXE (3 IoCs)
  - PID 2088: mssecsvc.exe
  - PID 2264: mssecsvc.exe
  - PID 2944: tasksche.exe
- Creates a large amount of network flows (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Drops file in Windows directory (2 IoCs)
  - File created: C:\WINDOWS\mssecsvc.exe (process: rundll32.exe)
  - File created: C:\WINDOWS\tasksche.exe (process: mssecsvc.exe)
- System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: rundll32.exe)
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: mssecsvc.exe)
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: mssecsvc.exe)
- Modifies data under HKEY_USERS (5 IoCs)
  - Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" (process: mssecsvc.exe)
  - Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" (process: mssecsvc.exe)
  - Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" (process: mssecsvc.exe)
  - Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" (process: mssecsvc.exe)
  - Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ (process: mssecsvc.exe)
- Suspicious use of WriteProcessMemory (6 IoCs)
  - PID 2200 wrote to memory of 1220 (process: rundll32.exe, target: 91)
  - PID 2200 wrote to memory of 1220 (process: rundll32.exe, target: 91)
  - PID 2200 wrote to memory of 1220 (process: rundll32.exe, target: 91)
  - PID 1220 wrote to memory of 2088 (process: rundll32.exe, target: 93)
  - PID 1220 wrote to memory of 2088 (process: rundll32.exe, target: 93)
  - PID 1220 wrote to memory of 2088 (process: rundll32.exe, target: 93)
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\c2c766e66dced7a69e19bb965bf0481b_JaffaCakes118.dll,#1
  PID: 2200
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\c2c766e66dced7a69e19bb965bf0481b_JaffaCakes118.dll,#1
    PID: 1220
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    - C:\WINDOWS\mssecsvc.exe
      Command line: C:\WINDOWS\mssecsvc.exe
      PID: 2088
      - Executes dropped EXE
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - C:\WINDOWS\tasksche.exe
        Command line: C:\WINDOWS\tasksche.exe /i
        PID: 2944
        - Executes dropped EXE
- C:\WINDOWS\mssecsvc.exe
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  PID: 2264
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4388,i,3210801877307184477,8078594481454001567,262144 --variations-seed-version --mojo-platform-channel-handle=3864 /prefetch:8
  PID: 4956
Network
MITRE ATT&CK Enterprise v15
Downloads
- File 1
  - Filesize: 3.6MB
  - MD5: 7d916dfeb71e0b6164debf9b6852cb1d
  - SHA1: 0814cb797476b59bae059c546971450d04c91479
  - SHA256: b08c75e60e1c3c1a7f6606c36fc4435b7ea6b5a0be9dae9b05bdaa8b04ceeef6
  - SHA512: ee40fdfcede1448debaf427a544fa9813f91c4c69fa0a8fd66f7448f28dafc5ae10e94353009bf0802a59418e672d0eb9fdca6e8fdb783b4c2cdc0beb12b8779
- File 2
  - Filesize: 3.4MB
  - MD5: 89ce86266f7fec4c90b79efb2069ce9c
  - SHA1: cbd7b3c2f491ba1e9f0d2447abaf3a6c7d4b6a3f
  - SHA256: a6efb3afa0f8ecaf208c62cd7bb3a7c1a722bffc9c726d48a190ffeb3f5e60b6
  - SHA512: 0a7b17b181d58f3a648820632a54332542947d2f1d0b5797267104ddbebcf619c03cf4252856d536bb71c9eec1720adcbd6cc7cfb7eba0895073aa59d270378f