Analysis
max time kernel: 150s
max time network: 151s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 27-05-2024 01:21
Static task: static1
Behavioral task: behavioral1
  Sample: 777295af47127697b18eb864656e5dd0_JaffaCakes118.dll
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 777295af47127697b18eb864656e5dd0_JaffaCakes118.dll
  Resource: win10v2004-20240508-en
General
Target: 777295af47127697b18eb864656e5dd0_JaffaCakes118.dll
Size: 5.0MB
MD5: 777295af47127697b18eb864656e5dd0
SHA1: c5103eb13aefab7274962714a1fa8fcf7d0ee480
SHA256: 0666b7b6f571a154ac43341c86bb48c80bda2649368c01d183a660d5e841d0f1
SHA512: 0628236b1e839aa4038f405ffb387e0cb68b7a8a796777299fbd5ee8179509f21987d0ba7d80a8fc7ee44e375e595087be2540e76e5a9c5a0f78f271ad1fd573
SSDEEP: 98304:d8qPoBhz1aRxcSUDk36SAEdhvxWa9P593R8yA:d8qPe1Cxcxk3ZAEUadzR8y
Malware Config
Signatures
-
Wannacry
WannaCry is a ransomware cryptoworm.
-
Contacts a large (3211) number of remote hosts (1 TTP)
This may indicate a network scan to discover remotely running services.
-
Executes dropped EXE (3 IoCs)
Processes:
  PID   Process
  2520  mssecsvc.exe
  836   mssecsvc.exe
  2732  tasksche.exe
Creates a large number of network flows (1 TTP)
This may indicate a network scan to discover remotely running services.
-
Drops file in System32 directory (1 IoC)
Processes:
  File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat (mssecsvc.exe)
Drops file in Windows directory (2 IoCs)
Processes:
  File created: C:\WINDOWS\mssecsvc.exe (rundll32.exe)
  File created: C:\WINDOWS\tasksche.exe (mssecsvc.exe)
Modifies data under HKEY_USERS (1 IoC)
Processes:
  Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings (mssecsvc.exe)
Suspicious use of WriteProcessMemory (11 IoCs)
Processes:
  PID 2808 (rundll32.exe) wrote to memory of PID 3048 (rundll32.exe), 7 times
  PID 3048 (rundll32.exe) wrote to memory of PID 2520 (mssecsvc.exe), 4 times
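The two network signatures above ("Contacts a large number of remote hosts" and "Creates a large number of network flows") are fan-out checks: one source reaching many distinct destinations in a short span. The following is an added example of that check, not code from the sandbox or the report. The flow records are constructed for the example (one host sweeping 200 neighbours on tcp/445, one host talking to the same five servers), and the threshold and window are illustrative values that a real deployment would tune against its own baseline.

```python
"""Fan-out detection over flow records.

Added example, not part of the sandbox report. Each flow is a dict with
keys ts (seconds), src, dst and dport. The records produced by
build_sample_flows() are constructed for this example and are not taken
from the report's network capture.
"""
from collections import Counter, defaultdict, deque


def build_sample_flows():
    """Constructed flows: 10.0.0.5 sweeps 200 neighbours on tcp/445 in
    about 40 seconds; 10.0.0.7 talks to the same five servers for ten
    minutes and should not be flagged."""
    flows = []
    for i in range(1, 201):
        flows.append({"ts": 1000 + i // 5, "src": "10.0.0.5",
                      "dst": f"10.0.1.{i}", "dport": 445})
    for t in range(0, 600, 10):
        flows.append({"ts": 1000 + t, "src": "10.0.0.7",
                      "dst": f"10.0.2.{(t // 10) % 5 + 1}", "dport": 443})
    return flows


def fanout_alerts(flows, threshold=100, window=60):
    """Return {src: {"peers": n, "top_port": p}} for every source that
    reached at least `threshold` distinct destinations inside some
    `window`-second span. `peers` is the peak distinct-destination count
    and `top_port` the destination port that source used most overall."""
    by_src = defaultdict(list)
    ports = defaultdict(Counter)
    for f in flows:
        by_src[f["src"]].append((f["ts"], f["dst"]))
        ports[f["src"]][f["dport"]] += 1

    alerts = {}
    for src, events in by_src.items():
        events.sort()
        live = deque()      # (ts, dst) pairs still inside the window
        seen = Counter()    # dst -> number of live flows referencing it
        peak = 0
        for ts, dst in events:
            live.append((ts, dst))
            seen[dst] += 1
            # Expire flows older than the window. A destination stays
            # counted only while at least one live flow references it.
            while ts - live[0][0] > window:
                _, old_dst = live.popleft()
                seen[old_dst] -= 1
                if seen[old_dst] == 0:
                    del seen[old_dst]
            peak = max(peak, len(seen))
        if peak >= threshold:
            alerts[src] = {"peers": peak,
                           "top_port": ports[src].most_common(1)[0][0]}
    return alerts


if __name__ == "__main__":
    for src, info in fanout_alerts(build_sample_flows()).items():
        print(f"{src}: {info['peers']} distinct peers, mostly tcp/{info['top_port']}")
```

The sliding window matters: a file server legitimately accumulates thousands of distinct peers over a day, so counting per window rather than per capture is what separates a sweep from normal fan-out. The dominant port is reported alongside the count because a sweep concentrated on one service port is the pattern worth triaging first.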
Processes
-
C:\Windows\system32\rundll32.exe
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\777295af47127697b18eb864656e5dd0_JaffaCakes118.dll,#1
  - Suspicious use of WriteProcessMemory
  -
  C:\Windows\SysWOW64\rundll32.exe
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\777295af47127697b18eb864656e5dd0_JaffaCakes118.dll,#1
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    -
    C:\WINDOWS\mssecsvc.exe
      command line: C:\WINDOWS\mssecsvc.exe
      - Executes dropped EXE
      - Drops file in Windows directory
      -
      C:\WINDOWS\tasksche.exe
        command line: C:\WINDOWS\tasksche.exe /i
        - Executes dropped EXE
-
C:\WINDOWS\mssecsvc.exe
  command line: C:\WINDOWS\mssecsvc.exe -m security
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
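The tree above is a short parent-child chain that is easy to express as process-creation rules: rundll32.exe spawning a freshly dropped mssecsvc.exe, mssecsvc.exe spawning tasksche.exe /i, and a second mssecsvc.exe instance running with "-m security". The following is an added example of such rules, not code from the sandbox or the report. Its events are constructed from the PIDs and command lines in the tree, plus one benign rundll32 launch as a negative case; the top-level "rundll32.exe <dll>,#1" command is how the sandbox itself loads a submitted DLL, so it is deliberately not used as an indicator. The rules key on file names and command lines only, so a renamed dropper would evade them; in practice they would be paired with the file hashes listed under Downloads.

```python
"""Process-chain rules for the dropper behaviour shown in the process tree.

Added example, not code from the sandbox or the report. Events mimic
process-creation records (pid, ppid, image, cmdline). Real telemetry
reuses PIDs, so a production rule should key on a process GUID rather
than the raw PID; the plain pid lookup here is enough for one short tree.
"""
import ntpath


def image_name(path):
    """Lower-cased file name of a Windows image path."""
    return ntpath.basename(path).lower()


# (rule name, predicate(event, parent_event_or_None))
RULES = [
    ("mssecsvc.exe launched by rundll32.exe",
     lambda e, p: image_name(e["image"]) == "mssecsvc.exe"
     and p is not None and image_name(p["image"]) == "rundll32.exe"),
    ("mssecsvc.exe started with -m security",
     lambda e, p: image_name(e["image"]) == "mssecsvc.exe"
     and "-m security" in e["cmdline"].lower()),
    ("tasksche.exe spawned by mssecsvc.exe",
     lambda e, p: image_name(e["image"]) == "tasksche.exe"
     and p is not None and image_name(p["image"]) == "mssecsvc.exe"),
]


def match_chain(events):
    """Return [(rule name, pid)] for every event matching a rule, in
    event order. Parents are resolved by pid within the supplied list."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        parent = by_pid.get(e["ppid"])
        for name, pred in RULES:
            if pred(e, parent):
                hits.append((name, e["pid"]))
    return hits


DLL = r"C:\Users\Admin\AppData\Local\Temp\777295af47127697b18eb864656e5dd0_JaffaCakes118.dll"

# Constructed from the report's process tree. ppid 1 stands in for a parent
# the tree does not list; the service instance (pid 836) has no recorded
# parent in the report, so its ppid is None.
SAMPLE_EVENTS = [
    {"pid": 2808, "ppid": 1, "image": r"C:\Windows\system32\rundll32.exe",
     "cmdline": f"rundll32.exe {DLL},#1"},
    {"pid": 3048, "ppid": 2808, "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "cmdline": f"rundll32.exe {DLL},#1"},
    {"pid": 2520, "ppid": 3048, "image": r"C:\WINDOWS\mssecsvc.exe",
     "cmdline": r"C:\WINDOWS\mssecsvc.exe"},
    {"pid": 2732, "ppid": 2520, "image": r"C:\WINDOWS\tasksche.exe",
     "cmdline": r"C:\WINDOWS\tasksche.exe /i"},
    {"pid": 836, "ppid": None, "image": r"C:\WINDOWS\mssecsvc.exe",
     "cmdline": r"C:\WINDOWS\mssecsvc.exe -m security"},
    # Benign control-panel launch, constructed as a negative case.
    {"pid": 4100, "ppid": 1, "image": r"C:\Windows\system32\rundll32.exe",
     "cmdline": "rundll32.exe shell32.dll,Control_RunDLL"},
]


if __name__ == "__main__":
    for name, pid in match_chain(SAMPLE_EVENTS):
        print(f"pid {pid}: {name}")
```

Each rule checks one edge of the tree rather than the whole chain, so a partial chain (for example, the service instance alone after a reboot) still produces a hit; the parent-based rules return nothing when the parent event is missing from the supplied list, which is the expected behaviour rather than a false match.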
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Downloads
-
C:\Windows\mssecsvc.exe
Filesize: 3.6MB
MD5: 0e192322d75d1d2809fad5930425b7bf
SHA1: ec45f0c67dc96b607e05c33db23556b7e943f50f
SHA256: ab1411761ecbdfb7be678a5bbd8078775ec1e6896cd3de68f691a0f97aa717a1
SHA512: fbe3c54037d3e71fde4023f2a63b03b9a253d7b53555a766c50243bf8803388d9c0bbe8ebf23adf55523dbdca4c7acac35a6c461765bf3a21463361cb355b46f
-
C:\Windows\tasksche.exe
Filesize: 3.4MB
MD5: 967b2c05787f5353452c45b7cb9f2f9c
SHA1: 29dd704d736249a471df7da340c84a0180e55537
SHA256: e530782aff9d469d892a0687aec278a8ac0ffedb46869e0aae5e9184c0c83923
SHA512: 090e832fe0954a7f56788a640882b8cb8b34786f02d3f1d4e48f73d3c7c51b87df973b804ef7bf22a0d1d853ef4b1f8d49741161a7a7cc4d7032db6446beacc3