Analysis
- max time kernel: 150s
- max time network: 150s
- platform: windows7_x64
- resource: win7-20240220-en
- resource tags: arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
- submitted: 19-05-2024 09:04
Static task: static1
Behavioral task: behavioral1
- Sample: 599ba047a5f78a122a99547862b692f8_JaffaCakes118.dll
- Resource: win7-20240220-en
Behavioral task: behavioral2
- Sample: 599ba047a5f78a122a99547862b692f8_JaffaCakes118.dll
- Resource: win10v2004-20240508-en
General
- Target: 599ba047a5f78a122a99547862b692f8_JaffaCakes118.dll
- Size: 5.0MB
- MD5: 599ba047a5f78a122a99547862b692f8
- SHA1: 5131f90bd2a8831034da0c8ae81812f629c2d51e
- SHA256: 83c499d4faeaf878a311c1f68ce8795a86d46f9bfc1599010394aa3106daba60
- SHA512: ff6ba51959950b510ad3805680cda5bcc2676454f73ee2bf1ccad41610909365e4aedb15bb9681c602bdbb051d4196a1d859182cb6c3ad24b75756b043d7b57b
- SSDEEP: 98304:d8qPoZ1aRxcSUDk36SAEdhvxWa9P593R8yAVp2H:d8qPU1Cxcxk3ZAEUadzR8yc4H
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.
- Contacts a large (3295) amount of remote hosts (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Executes dropped EXE (3 IoCs)
  Processes (pid, process):
    1664 mssecsvc.exe
    2476 mssecsvc.exe
    2516 tasksche.exe
- Creates a large amount of network flows (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Drops file in System32 directory (1 IoCs)
  Processes (description | ioc | process):
    File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat | mssecsvc.exe
- Drops file in Windows directory (2 IoCs)
  Processes (description | ioc | process):
    File created | C:\WINDOWS\mssecsvc.exe | rundll32.exe
    File created | C:\WINDOWS\tasksche.exe | mssecsvc.exe
- Modifies data under HKEY_USERS (1 IoCs)
  Processes (description | ioc | process):
    Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings | mssecsvc.exe
- Suspicious use of WriteProcessMemory (11 IoCs)
  Processes (description | pid process | target process):
    PID 1728 wrote to memory of 1884 | 1728 rundll32.exe | 1884 rundll32.exe (7 occurrences)
    PID 1884 wrote to memory of 1664 | 1884 rundll32.exe | 1664 mssecsvc.exe (4 occurrences)
Processes
- C:\Windows\system32\rundll32.exe (PID 1728)
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\599ba047a5f78a122a99547862b692f8_JaffaCakes118.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (PID 1884)
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\599ba047a5f78a122a99547862b692f8_JaffaCakes118.dll,#1
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    - C:\WINDOWS\mssecsvc.exe (PID 1664)
      Command line: C:\WINDOWS\mssecsvc.exe
      - Executes dropped EXE
      - Drops file in Windows directory
      - C:\WINDOWS\tasksche.exe (PID 2516)
        Command line: C:\WINDOWS\tasksche.exe /i
        - Executes dropped EXE
- C:\WINDOWS\mssecsvc.exe (PID 2476)
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Windows\mssecsvc.exe
  - Filesize: 3.6MB
  - MD5: f5efcb9578e09bd52832cd8f54c48412
  - SHA1: 0d9f160b17f83003017df029ac882d9063815b0a
  - SHA256: e3a2eb6e22f140e0643c9de6a2a9b6647326cd8209e4e1fa170a96b129399c8d
  - SHA512: 92b3e8127c16e59a3589aa3795e0dd09a1fc803be8138f75b679eb9b8085b81ce8e25908f279b17237ebcc9f87c0db615a2dbb38cd42c01115cd0cc1a7bbf5d6
- C:\Windows\tasksche.exe
  - Filesize: 3.4MB
  - MD5: 5447d9c6b5aaf314fb733eefe6213c1b
  - SHA1: 0df4c25989b33da04b52de59a39d90ea7940e790
  - SHA256: 5cf0ed45cf93cf6112099e3eb6b3b5266a1b180df9904ae18f9699430984f289
  - SHA512: 646463f50172d247f4f70901e864b36728616997f4dd478a861032e32b45b2335eaad02980c3e61987ad5b29a7d26bde286b3567efe748845a1f1e38768df940