Analysis
- max time kernel: 150s
- max time network: 153s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 08-05-2024 17:41
Static task: static1
Behavioral task: behavioral1
- Sample: 25fa333121c25d65f611f5c2ce1fc140_JaffaCakes118.dll
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: 25fa333121c25d65f611f5c2ce1fc140_JaffaCakes118.dll
- Resource: win10v2004-20240426-en
General
- Target: 25fa333121c25d65f611f5c2ce1fc140_JaffaCakes118.dll
- Size: 5.0MB
- MD5: 25fa333121c25d65f611f5c2ce1fc140
- SHA1: d424d450274385c3a52bb075e50e78cf28fd357e
- SHA256: a641d724dec27e78a2af50a943f1da6e75dcb6949590a246183d889aa8d2c7b9
- SHA512: 923b13f60a1aee8139b1442f7ae2b9cfcea545808346a79ed107adbf017b37054ced404aa241385142688372f137d819ea5d45dd068675a4a589ad6dfd2d85b1
- SSDEEP: 98304:d8qPoBhz1aRxcSUDk36SAEdhvxWa9P59:d8qPe1Cxcxk3ZAEUad
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.
- Contacts a large (3246) amount of remote hosts (1 TTP)
  This may indicate a network scan to discover remotely running services.
- Executes dropped EXE (3 IoCs)
  Processes: mssecsvc.exe, mssecsvc.exe, tasksche.exe
  pid / process:
  - 2608 mssecsvc.exe
  - 2976 mssecsvc.exe
  - 2660 tasksche.exe
- Creates a large amount of network flows (1 TTP)
  This may indicate a network scan to discover remotely running services.
- Drops file in System32 directory (1 IoC)
  Processes: mssecsvc.exe
  description / ioc / process:
  - File opened for modification / C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat / mssecsvc.exe
- Drops file in Windows directory (2 IoCs)
  Processes: rundll32.exe, mssecsvc.exe
  description / ioc / process:
  - File created / C:\WINDOWS\mssecsvc.exe / rundll32.exe
  - File created / C:\WINDOWS\tasksche.exe / mssecsvc.exe
- Modifies data under HKEY_USERS (1 IoC)
  Processes: mssecsvc.exe
  description / ioc / process:
  - Key created / \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings / mssecsvc.exe
- Suspicious use of WriteProcessMemory (11 IoCs)
  Processes: rundll32.exe, rundll32.exe
  description / pid / process / target process:
  - PID 2848 wrote to memory of 2852 / 2848 / rundll32.exe / rundll32.exe (7 occurrences)
  - PID 2852 wrote to memory of 2608 / 2852 / rundll32.exe / mssecsvc.exe (4 occurrences)
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\25fa333121c25d65f611f5c2ce1fc140_JaffaCakes118.dll,#1
  PID: 2848
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\25fa333121c25d65f611f5c2ce1fc140_JaffaCakes118.dll,#1
    PID: 2852
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    - C:\WINDOWS\mssecsvc.exe
      Command line: C:\WINDOWS\mssecsvc.exe
      PID: 2608
      - Executes dropped EXE
      - Drops file in Windows directory
      - C:\WINDOWS\tasksche.exe
        Command line: C:\WINDOWS\tasksche.exe /i
        PID: 2660
        - Executes dropped EXE
- C:\WINDOWS\mssecsvc.exe
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  PID: 2976
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Windows\mssecsvc.exe
  Filesize: 3.6MB
  MD5: f590db1e4d349d111ce766152b281b15
  SHA1: 1329eec616e18440b1368387e6d713054deb0ad5
  SHA256: 40b1e53710a288ce96d594717b478bf5c5f73dd8fd6462f1d93ef0862bd63ef7
  SHA512: 250c7c390fee5c06eb8e2989f44df45582643fc46c68ad6c4108783a134b83780361c645194a56ebe254b3ab39537597476c4add566c4090c6ea26587c68e06d
- C:\Windows\tasksche.exe
  Filesize: 3.4MB
  MD5: e6261ba4378452a35591144b492e4997
  SHA1: 67b339c993e9a3aaf998b6f1f5456053700bcd5e
  SHA256: 6a7f6729db488c2040611485dbc9597b0d4473fef9e82d5f7fae7afb82983767
  SHA512: 6d90342d690e564c155133be2ef819edb36635c802092cd99a62a784e33967a06e169394bc338ec66466e3658b63050d0d3a9fe9949836d430357bd392c783c4