Analysis
- max time kernel: 150s
- max time network: 150s
- platform: windows7_x64
- resource: win7-20240419-en
- resource tags: arch:x64, arch:x86, image:win7-20240419-en, locale:en-us, os:windows7-x64, system
- submitted: 23-05-2024 08:14
Static task: static1
Behavioral task: behavioral1
  Sample: 6a4efb8c17327b22a4eeb67080917079_JaffaCakes118.dll
  Resource: win7-20240419-en
Behavioral task: behavioral2
  Sample: 6a4efb8c17327b22a4eeb67080917079_JaffaCakes118.dll
  Resource: win10v2004-20240426-en
General
- Target: 6a4efb8c17327b22a4eeb67080917079_JaffaCakes118.dll
- Size: 5.0MB
- MD5: 6a4efb8c17327b22a4eeb67080917079
- SHA1: 0fd519b3da2402d53075f8a2dd4b7d56328c70a9
- SHA256: 22ddd844eb93a423794a7899e15015b60871def49f9973f06c37c68a639dd0ca
- SHA512: 8b39bcb332c9605545d6656eca8b7e9660db276ada00cf8eab1289f9ee21da4631c5ac1c3d720854745951a206a7396a4d997132abe4d7d3feb5a5f8275c3d9a
- SSDEEP: 24576:JbLgdeQhfdmMSirYbcMNgef0QeQjG/D8kIqRYoAdNLKz6626M+vbOSSqTPVXmi:JnjQqMSPbcBVQej/1INRx+TSqTdX1
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.
- Contacts a large (3252) amount of remote hosts (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Executes dropped EXE (3 IoCs)
  Processes:
    PID   Process
    2212  mssecsvc.exe
    2228  mssecsvc.exe
    844   tasksche.exe
- Creates a large amount of network flows (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Drops file in System32 directory (1 IoCs)
  Processes:
    Description                   IoC                                                                                                              Process
    File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat  mssecsvc.exe
- Drops file in Windows directory (2 IoCs)
  Processes:
    Description   IoC                      Process
    File created  C:\WINDOWS\tasksche.exe  mssecsvc.exe
    File created  C:\WINDOWS\mssecsvc.exe  rundll32.exe
- Modifies data under HKEY_USERS (1 IoCs)
  Processes:
    Description  IoC                                                                                   Process
    Key created  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings  mssecsvc.exe
- Suspicious use of WriteProcessMemory (11 IoCs)
  Processes:
    Description                       PID   Process       Target process  Occurrences
    PID 1764 wrote to memory of 2040  1764  rundll32.exe  rundll32.exe    7
    PID 2040 wrote to memory of 2212  2040  rundll32.exe  mssecsvc.exe    4
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\6a4efb8c17327b22a4eeb67080917079_JaffaCakes118.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\6a4efb8c17327b22a4eeb67080917079_JaffaCakes118.dll,#1
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    - C:\WINDOWS\mssecsvc.exe
      Command line: C:\WINDOWS\mssecsvc.exe
      - Executes dropped EXE
      - Drops file in Windows directory
      - C:\WINDOWS\tasksche.exe
        Command line: C:\WINDOWS\tasksche.exe /i
        - Executes dropped EXE
- C:\WINDOWS\mssecsvc.exe
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- C:\Windows\mssecsvc.exe
  Filesize: 3.6MB
  MD5: 17977ba1ca086ccd84aada0e7bb51286
  SHA1: af5410554ea45be32f144bb653492e568f74a35b
  SHA256: 447b5ebea929be23d5cd952fedf51fd0f9ef7df6f65d411723fc4110a66b955b
  SHA512: 3f94168ad4dce69f6ef25ef6c93fd898048b17c8c3afed7353e1430d39ba43fad52ddddb172a743897586d51fcda29d98ab94ebfbc29e98b191a79ab748ae948
- C:\Windows\tasksche.exe
  Filesize: 3.4MB
  MD5: 7a197ee3214806f5e77b7f3a10509a4b
  SHA1: df87b86ecb3fb97f49500d017ac887ca35e4d169
  SHA256: 2225c3d46c50b02422c57e516239000eaa2224115067693aea57165a59c6d5e9
  SHA512: b9ae9ab9d49884ff9d7b59ffd63deee132f9340d6193c16df96913afbeefe170776e8b6a1c62fece17b32f95210903f299da83a446bfaea2b0f22b6330c63a88