Analysis

max time kernel: 150s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 29/08/2024, 07:25
Static task
static1

Behavioral task
behavioral1
Sample: c86e15085144ad16a9a62bb67c4d4042_JaffaCakes118.dll
Resource: win7-20240705-en

Behavioral task
behavioral2
Sample: c86e15085144ad16a9a62bb67c4d4042_JaffaCakes118.dll
Resource: win10v2004-20240802-en
General

Target: c86e15085144ad16a9a62bb67c4d4042_JaffaCakes118.dll
Size: 5.0MB
MD5: c86e15085144ad16a9a62bb67c4d4042
SHA1: 15d3174e8b8f3dd171ef5fbc463fbcf6b588f60d
SHA256: 6a3f3dbadb3325deed042ff9f91ccc369e84d82a32c48bf2ecae3f2973adaa1c
SHA512: 89c34c1fb3671f03a1d9e7dc86cce920bece27243abaf15f12acabe95cdaa3e25dae16aa04dab8b581667668e8f426f3998fa75e1449e35e88c7f28a70a56e13
SSDEEP: 12288:yvbLgPlu+QhMbaIMu7L5NVErCA4z2g6rTcbckPU82900Ve7zw+K+D:SbLgddQhfdmMSirYbcMNgef0
Malware Config
Signatures

Wannacry
WannaCry is a ransomware cryptoworm.

Contacts a large (3303) number of remote hosts (1 TTP)
This may indicate a network scan to discover remotely running services.

Executes dropped EXE (3 IoCs)
pid   Process
4440  mssecsvc.exe
4972  mssecsvc.exe
4944  tasksche.exe

Creates a large number of network flows (1 TTP)
This may indicate a network scan to discover remotely running services.
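The two network signatures above ("contacts a large number of remote hosts" and "creates a large number of network flows") are both a threshold on per-process flow records. The following is an added example of that detection logic, not tria.ge's own implementation, which the report does not publish. The flow record shape, the thresholds and the sample flows are assumptions constructed for this example; the sample is shaped like a single-port sweep of one /24 from the mssecsvc.exe PID seen in the report, alongside a small amount of benign browser traffic.

```python
"""Per-process network sweep detection over flow records.

Added example (not tria.ge's code). Record format, thresholds and the
sample flows below are assumptions constructed for the example.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass

# Thresholds are assumptions; tune to the baseline of the environment.
HOST_THRESHOLD = 100        # distinct destination hosts per process
FLOW_THRESHOLD = 100        # total flows per process
PORT_CONCENTRATION = 0.9    # share of flows on one port that looks like a sweep


@dataclass(frozen=True)
class Flow:
    pid: int
    image: str
    dst_ip: str
    dst_port: int


def summarize(flows):
    """Group flows by PID and compute the numbers the signatures look at:
    flow count, distinct destination hosts, and how concentrated the
    destination ports are (a sweep hits one service port on many hosts)."""
    by_pid = defaultdict(list)
    for f in flows:
        by_pid[f.pid].append(f)
    summary = {}
    for pid, fl in by_pid.items():
        top_port, top_n = Counter(f.dst_port for f in fl).most_common(1)[0]
        summary[pid] = {
            "image": fl[0].image,
            "flows": len(fl),
            "hosts": len({f.dst_ip for f in fl}),
            "top_port": top_port,
            "port_share": top_n / len(fl),
        }
    return summary


def classify(summary):
    """Map each PID to the list of signature names it triggers."""
    verdicts = {}
    for pid, s in summary.items():
        hits = []
        if s["hosts"] >= HOST_THRESHOLD:
            hits.append("many-hosts")
        if s["flows"] >= FLOW_THRESHOLD:
            hits.append("many-flows")
        # Only call it a sweep when the volume is already suspicious and
        # nearly everything goes to one port.
        if hits and s["port_share"] >= PORT_CONCENTRATION:
            hits.append(f"single-port-sweep:{s['top_port']}")
        verdicts[pid] = hits
    return verdicts


def sample_flows():
    """Constructed sample: PID 4440 probes every host of 10.0.0.0/24 on
    445/tcp (with a few retries), PID 1234 is ordinary browser traffic."""
    flows = [Flow(4440, "mssecsvc.exe", f"10.0.0.{i}", 445) for i in range(1, 255)]
    flows += [Flow(4440, "mssecsvc.exe", f"10.0.0.{i}", 445) for i in range(1, 11)]
    for host in ("93.184.216.34", "151.101.1.69", "142.250.74.46"):
        flows.append(Flow(1234, "msedge.exe", host, 443))
        flows.append(Flow(1234, "msedge.exe", host, 80))
    return flows


if __name__ == "__main__":
    s = summarize(sample_flows())
    for pid, hits in classify(s).items():
        print(pid, s[pid]["image"], s[pid]["hosts"], "hosts", s[pid]["flows"], "flows", hits)
```

The distinct-host count is the more robust of the two signals: a process with a handful of busy connections produces many flows but few hosts, while a scanner produces roughly one flow per host. The port-concentration check is there to separate a service sweep from, say, a peer-to-peer client that also talks to many hosts but on many ports.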
Drops file in Windows directory (2 IoCs)
description   ioc                       Process
File created  C:\WINDOWS\mssecsvc.exe   rundll32.exe
File created  C:\WINDOWS\tasksche.exe   mssecsvc.exe

System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description  ioc                                                          Process
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   rundll32.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   mssecsvc.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   mssecsvc.exe

Modifies data under HKEY_USERS (5 IoCs)
description      ioc                                                                                                   Process
Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\           mssecsvc.exe
Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"    mssecsvc.exe
Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"   mssecsvc.exe
Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"  mssecsvc.exe
Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"     mssecsvc.exe

Suspicious use of WriteProcessMemory (6 IoCs)
description                      pid   Process       procid_target
PID 4308 wrote to memory of 396  4308  rundll32.exe  83
PID 4308 wrote to memory of 396  4308  rundll32.exe  83
PID 4308 wrote to memory of 396  4308  rundll32.exe  83
PID 396 wrote to memory of 4440  396   rundll32.exe  84
PID 396 wrote to memory of 4440  396   rundll32.exe  84
PID 396 wrote to memory of 4440  396   rundll32.exe  84
Processes

C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\c86e15085144ad16a9a62bb67c4d4042_JaffaCakes118.dll,#1
  PID: 4308
  - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\rundll32.exe (child of PID 4308)
      Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\c86e15085144ad16a9a62bb67c4d4042_JaffaCakes118.dll,#1
      PID: 396
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

        C:\WINDOWS\mssecsvc.exe (child of PID 396)
          Command line: C:\WINDOWS\mssecsvc.exe
          PID: 4440
          - Executes dropped EXE
          - Drops file in Windows directory
          - System Location Discovery: System Language Discovery

            C:\WINDOWS\tasksche.exe (child of PID 4440)
              Command line: C:\WINDOWS\tasksche.exe /i
              PID: 4944
              - Executes dropped EXE

C:\WINDOWS\mssecsvc.exe
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  PID: 4972
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
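The process list above is the sandbox's view of parent/child relationships, and the "Executes dropped EXE" and "Drops file in Windows directory" hits come from correlating file-creation events with later process starts. The following is an added example of that correlation and of rebuilding the tree from flat events; it is not tria.ge's code. The event shapes and the parent-of-PID-4972 value (the report does not record who started the "-m security" instance, so it is treated as a root) are assumptions; the sample events are constructed from the PIDs, paths and command lines in this report.

```python
"""Correlate file-create and process-start events, then render the tree.

Added example (not tria.ge's implementation). Event classes are
assumptions; SAMPLE_EVENTS is constructed from the PIDs and paths in the
report above, with unknown parents recorded as None.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Prefixes that count as "the Windows directory" for the drop signature.
WINDOWS_DIR_PREFIXES = ("c:\\windows\\",)


@dataclass(frozen=True)
class FileCreate:
    pid: int        # process that wrote the file
    process: str    # its image name, as the report shows it
    path: str


@dataclass(frozen=True)
class ProcessStart:
    pid: int
    ppid: Optional[int]   # None when the parent is not in the trace
    image: str
    cmdline: str


def in_windows_dir(path: str) -> bool:
    return path.lower().startswith(WINDOWS_DIR_PREFIXES)


def dropped_files(events):
    """Lower-cased path -> the FileCreate event that produced it."""
    return {e.path.lower(): e for e in events if isinstance(e, FileCreate)}


def files_dropped_in_windows_dir(events):
    return [e.path for e in dropped_files(events).values() if in_windows_dir(e.path)]


def executed_dropped_exes(events):
    """(pid, image, dropper_pid) for every process whose image is a file
    that some earlier event in this trace created."""
    dropped = dropped_files(events)
    hits = []
    for e in events:
        if isinstance(e, ProcessStart):
            d = dropped.get(e.image.lower())
            if d is not None:
                hits.append((e.pid, e.image, d.pid))
    return hits


def build_tree(events):
    procs = {e.pid: e for e in events if isinstance(e, ProcessStart)}
    children = defaultdict(list)
    roots = []
    for p in procs.values():
        if p.ppid in procs:
            children[p.ppid].append(p.pid)
        else:
            roots.append(p.pid)   # parent unknown or outside the trace
    return procs, children, roots


def render_tree(events):
    """One line per process, indented two spaces per level of depth."""
    procs, children, roots = build_tree(events)
    out = []

    def walk(pid, depth):
        p = procs[pid]
        out.append("  " * depth + f"{p.cmdline}  (PID {p.pid})")
        for c in children[pid]:
            walk(c, depth + 1)

    for r in roots:
        walk(r, 0)
    return out


DLL = r"C:\Users\Admin\AppData\Local\Temp\c86e15085144ad16a9a62bb67c4d4042_JaffaCakes118.dll"
SAMPLE_EVENTS = [
    ProcessStart(4308, None, r"C:\Windows\system32\rundll32.exe", f"rundll32.exe {DLL},#1"),
    ProcessStart(396, 4308, r"C:\Windows\SysWOW64\rundll32.exe", f"rundll32.exe {DLL},#1"),
    FileCreate(396, "rundll32.exe", r"C:\WINDOWS\mssecsvc.exe"),
    ProcessStart(4440, 396, r"C:\WINDOWS\mssecsvc.exe", r"C:\WINDOWS\mssecsvc.exe"),
    FileCreate(4440, "mssecsvc.exe", r"C:\WINDOWS\tasksche.exe"),
    ProcessStart(4944, 4440, r"C:\WINDOWS\tasksche.exe", r"C:\WINDOWS\tasksche.exe /i"),
    ProcessStart(4972, None, r"C:\WINDOWS\mssecsvc.exe", r"C:\WINDOWS\mssecsvc.exe -m security"),
]

if __name__ == "__main__":
    print("\n".join(render_tree(SAMPLE_EVENTS)))
    print("dropped in Windows dir:", files_dropped_in_windows_dir(SAMPLE_EVENTS))
    print("executed dropped EXEs:", executed_dropped_exes(SAMPLE_EVENTS))
```

Matching on the lower-cased image path is what makes the second mssecsvc.exe instance (PID 4972, "-m security") count as a third "Executes dropped EXE" hit even though its parent is not in the trace, which is consistent with the three IoCs the report lists for that signature.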
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 3.6MB
MD5: 2dd2f810f4a7a89c3488d7be73169d12
SHA1: 36635df9fe5148f6e11c2b4021c70b4dd204e2a7
SHA256: 05cdee7b2e4c71f6adc2676a29ad3b8b164bb8a29f8e36c046e2502290649f84
SHA512: d1dccc472c0c0aedff58403d7e08c65f62414b53695282dc8b9f59c593ab6fbfbd3b77726e87c5258ca4700686fb27a270677f2e2b4384555dfc5bfb34e590ad

Filesize: 3.4MB
MD5: 7f51e2c3f9cd8c9561e549d58508668f
SHA1: c7e69712737307515a3d56c5d25d43e968130d46
SHA256: 8a5c69817d0b09acfc0ae921969b0607d6937ade6898f6364bced0341843cd52
SHA512: fcea49a0b7596e0bab3289b3b68c23b681f952ba8cc8432fe85393fbc5acffe4bb10d7425aa7e3dd510fb73903945e8e978023d2ee090e26206d91975cf6b39a