Analysis
max time kernel: 150s
max time network: 154s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 25-05-2024 04:17
Static task: static1
Behavioral task: behavioral1
  Sample: 70d5a64d5c2a642f64a80762e3334e2d_JaffaCakes118.dll
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 70d5a64d5c2a642f64a80762e3334e2d_JaffaCakes118.dll
  Resource: win10v2004-20240226-en
General
Target: 70d5a64d5c2a642f64a80762e3334e2d_JaffaCakes118.dll
Size: 5.0MB
MD5: 70d5a64d5c2a642f64a80762e3334e2d
SHA1: f78269fb31a6ffce0fec200e59c546fc6113eae4
SHA256: f3f54aa74f08e3296c2739abb0f8acfe23f3b23147e668a5df63af15f832a42b
SHA512: 65bf9a81e2189bb1c3067a6491ed1a28bfa035755ad87f5dc45b66ab21d38b49b4eb7e05cb3c0019944119b99f20a48b2c9158d5fee474adf75692a78fdfa706
SSDEEP: 49152:JnjQqMSPbcBVQej/1INRx+TSqTdd1HkQo6SAARdhn:d8qPoBhz1aRxcSUZk36SAEdh
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.
- Contacts a large (3072) amount of remote hosts (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Executes dropped EXE (3 IoCs)
  Processes (pid / process):
    2684  mssecsvc.exe
    2940  mssecsvc.exe
    2676  tasksche.exe
- Creates a large amount of network flows (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Drops file in System32 directory (1 IoCs)
  Processes (description / ioc / process):
    File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat  mssecsvc.exe
- Drops file in Windows directory (2 IoCs)
  Processes (description / ioc / process):
    File created  C:\WINDOWS\mssecsvc.exe  rundll32.exe
    File created  C:\WINDOWS\tasksche.exe  mssecsvc.exe
- Modifies data under HKEY_USERS (1 IoCs)
  Processes (description / ioc / process):
    Key created  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings  mssecsvc.exe
- Suspicious use of WriteProcessMemory (11 IoCs)
  Processes (description / pid / process / target process):
    PID 2256 wrote to memory of 2012  2256  rundll32.exe  rundll32.exe  (7 identical entries)
    PID 2012 wrote to memory of 2684  2012  rundll32.exe  mssecsvc.exe  (4 identical entries)
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\70d5a64d5c2a642f64a80762e3334e2d_JaffaCakes118.dll,#1
  Signatures:
  - Suspicious use of WriteProcessMemory
  Child process:
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\70d5a64d5c2a642f64a80762e3334e2d_JaffaCakes118.dll,#1
    Signatures:
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    Child process:
    - C:\WINDOWS\mssecsvc.exe
      Command line: C:\WINDOWS\mssecsvc.exe
      Signatures:
      - Executes dropped EXE
      - Drops file in Windows directory
      Child process:
      - C:\WINDOWS\tasksche.exe
        Command line: C:\WINDOWS\tasksche.exe /i
        Signatures:
        - Executes dropped EXE
- C:\WINDOWS\mssecsvc.exe
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  Signatures:
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- C:\Windows\mssecsvc.exe
  Filesize: 3.6MB
  MD5: 5617da4c2911a0c6768d790f0e0c88a0
  SHA1: ca7614c80676b4b5e7c224e3c3f5b87c4aa3454f
  SHA256: e15997d60c507a0f996572c2e5433619f38d829a66cd7ff24a0f53431617c359
  SHA512: 62cbb5af46d4e41fea974af54d6546d9ff13af1a31c14fb83fa2d9d0a6a7cf7ed6a05bc775a0ce83ae915bf9a435fd23599ad0ba33ba96ef863a2fc47e5cf9dd
- C:\Windows\tasksche.exe
  Filesize: 3.4MB
  MD5: b91800f044097d66a2956440ade809e3
  SHA1: 163381e41d1665d3325f0081b0feb83f399a117f
  SHA256: 324eaf7b3ecae86cfe0f4c27783e777714512b8b2a017314089bf335ecad7fe9
  SHA512: a191ef5d5493949dcf649e22629d748f2059c1a5d95013ec1bbf9ad835e61e4e9d0cd7ad5df6e8e33c417e412256cb796c2576a5935860dcdc67d2dbb91177a4