Analysis
max time kernel: 150s
max time network: 155s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 29-05-2024 05:19
Static task: static1
Behavioral task: behavioral1
  Sample: 7f9b9aad8bb1108f11027ad0d7989255_JaffaCakes118.dll
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 7f9b9aad8bb1108f11027ad0d7989255_JaffaCakes118.dll
  Resource: win10v2004-20240426-en
General
Target: 7f9b9aad8bb1108f11027ad0d7989255_JaffaCakes118.dll
Size: 5.0MB
MD5: 7f9b9aad8bb1108f11027ad0d7989255
SHA1: a10f8db721d73de38223e632f8d08ab624dfaafc
SHA256: 5c94ef973899d21ac81c5563770ca61e5ff920a342dfb70ba14afb71f41b300b
SHA512: eea0cdbdaad27ac5230d8042708fa8ff8c8d7bec5c049703a741358024136a75dc1f96fc398b5d6f3bd9c09b4d9c47e1049e072badbe82258933c845ddb760d4
SSDEEP: 24576:sbLgdeQhfdmMSirYbcMNgef0QeQ4kRiwKt/8uME7A4kqAH1pNZtA0p+9XEk:snjQqMSPbcBVQeRkRiwK3R8yAH1plAH
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.
- Contacts a large (3251) number of remote hosts (1 TTP)
  This may indicate a network scan to discover remotely running services; for a cryptoworm it is consistent with the worm component probing other hosts to spread to.
- Executes dropped EXE (3 IoCs)
  Processes (PID, process):
    2356 mssecsvc.exe
    2632 mssecsvc.exe
    2532 tasksche.exe
- Creates a large amount of network flows (1 TTP)
  This may indicate a network scan to discover remotely running services.
- Drops file in System32 directory (1 IoC)
  File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat (by mssecsvc.exe)
- Drops file in Windows directory (2 IoCs)
  File created: C:\WINDOWS\mssecsvc.exe (by rundll32.exe)
  File created: C:\WINDOWS\tasksche.exe (by mssecsvc.exe)
- Modifies data under HKEY_USERS (1 IoC)
  Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings (by mssecsvc.exe)
  Note: both the systemprofile path above and the .DEFAULT hive belong to the LocalSystem profile, so the mssecsvc.exe instance that produced these IoCs was running as SYSTEM rather than as the sandbox user.
- Suspicious use of WriteProcessMemory (11 IoCs)
  PID 1712 (rundll32.exe) wrote to memory of PID 1340 (rundll32.exe), reported 7 times
  PID 1340 (rundll32.exe) wrote to memory of PID 2356 (mssecsvc.exe), reported 4 times
Processes
- C:\Windows\system32\rundll32.exe (PID 1712)
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\7f9b9aad8bb1108f11027ad0d7989255_JaffaCakes118.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (PID 1340)
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\7f9b9aad8bb1108f11027ad0d7989255_JaffaCakes118.dll,#1
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    - C:\WINDOWS\mssecsvc.exe (PID 2356)
      C:\WINDOWS\mssecsvc.exe
      - Executes dropped EXE
      - Drops file in Windows directory
      - C:\WINDOWS\tasksche.exe (PID 2532)
        C:\WINDOWS\tasksche.exe /i
        - Executes dropped EXE
- C:\WINDOWS\mssecsvc.exe (PID 2632)
  C:\WINDOWS\mssecsvc.exe -m security
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS

Reading the tree: the sample is invoked through export ordinal 1 (",#1"). The 64-bit rundll32.exe in system32 hands the 32-bit DLL off to the SysWOW64 rundll32.exe, which is why two rundll32 processes appear and why the sample carries the arch:x86 tag; it is the 32-bit instance (PID 1340) that drops C:\WINDOWS\mssecsvc.exe. The second mssecsvc.exe (PID 2632, started with "-m security") is a separate root in the tree, not a child of the rundll32 chain, and is the instance that touched the SYSTEM profile and the HKEY_USERS\.DEFAULT hive.
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Windows\mssecsvc.exe
  Filesize: 3.6MB
  MD5: 4ca4353c3cfbe384e69363b4b7a5dbe2
  SHA1: 1df0dd886f513c93b5167cc0754fcef576aca251
  SHA256: c91593bed9abb9e0865f56f091d01cadeeeccc5f0288cfa516708f08aa2797e6
  SHA512: 63130908660d8815b8a0d3e306429ed6bb34fa30236009751f8289f5f2fc0d6fb1bdacaae6e7158395553ce3e60b6d37460c01e0174d34401533e65c73e849fe
- C:\Windows\tasksche.exe
  Filesize: 3.4MB
  MD5: 3d6024b2c052a24a93c276098db1cb66
  SHA1: cace901d8d4e42c8df146d2a79b5abab452fb9bb
  SHA256: dd875e666f84d58652b2dd9280002d93b76e307a9ad760dc0eba1be0597449c3
  SHA512: 82a3330f8c3cb2e2a26c67ae85ff3b9ae548149cd31eeb85aefcc818f05483f6b1cebbd7d94d26a52f139e3d792bdb6e73baaab7695ce2d5430d79cce645afce
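To turn the Signatures/Processes tree and the Downloads hashes above into something checkable, here is an added example (not part of the sandbox report and not any vendor's tooling) that runs simple detection logic over process-creation and file events constructed to mirror the report. The event schema (pid, ppid, image, cmdline), the parent PIDs the report does not show, and the benign control file record are assumptions; the paths, command lines, PIDs and SHA-256 values are copied from the report.

```python
"""Re-checking the sandbox report's IoCs with simple detection logic.

Added example, not part of the report. The events below are constructed to
mirror the report's process tree and Downloads section; the event schema is
an assumption about a generic EDR feed, not a real log format.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# SHA-256 values copied from the report (sample plus the two dropped files).
KNOWN_SHA256: Dict[str, str] = {
    "5c94ef973899d21ac81c5563770ca61e5ff920a342dfb70ba14afb71f41b300b": "sample DLL",
    "c91593bed9abb9e0865f56f091d01cadeeeccc5f0288cfa516708f08aa2797e6": "mssecsvc.exe",
    "dd875e666f84d58652b2dd9280002d93b76e307a9ad760dc0eba1be0597449c3": "tasksche.exe",
}
DROPPED_NAMES = {"mssecsvc.exe", "tasksche.exe"}


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: Optional[int]  # None where the report shows no parent (assumption)
    image: str
    cmdline: str


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\7f9b9aad8bb1108f11027ad0d7989255_JaffaCakes118.dll"

# Constructed process-creation events reproducing the report's process tree.
EVENTS: List[ProcEvent] = [
    ProcEvent(1712, None, r"C:\Windows\system32\rundll32.exe", f"rundll32.exe {SAMPLE},#1"),
    ProcEvent(1340, 1712, r"C:\Windows\SysWOW64\rundll32.exe", f"rundll32.exe {SAMPLE},#1"),
    ProcEvent(2356, 1340, r"C:\WINDOWS\mssecsvc.exe", r"C:\WINDOWS\mssecsvc.exe"),
    ProcEvent(2532, 2356, r"C:\WINDOWS\tasksche.exe", r"C:\WINDOWS\tasksche.exe /i"),
    # Second mssecsvc.exe: a separate root in the report, parent not shown.
    ProcEvent(2632, None, r"C:\WINDOWS\mssecsvc.exe", r"C:\WINDOWS\mssecsvc.exe -m security"),
]

# Constructed file records standing in for the Downloads section, plus one
# benign control entry whose hash is a placeholder (assumption).
DROPPED_FILES: List[Tuple[str, str]] = [
    (r"C:\Windows\mssecsvc.exe", "c91593bed9abb9e0865f56f091d01cadeeeccc5f0288cfa516708f08aa2797e6"),
    (r"C:\Windows\tasksche.exe", "dd875e666f84d58652b2dd9280002d93b76e307a9ad760dc0eba1be0597449c3"),
    (r"C:\Windows\notepad.exe", "0" * 64),
]


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def ancestors(ev: ProcEvent, by_pid: Dict[int, ProcEvent]) -> List[ProcEvent]:
    """Walk ppid links upward; stop at a missing parent or a cycle."""
    chain: List[ProcEvent] = []
    seen = set()
    cur = ev
    while cur.ppid is not None and cur.ppid in by_pid and cur.ppid not in seen:
        seen.add(cur.ppid)
        cur = by_pid[cur.ppid]
        chain.append(cur)
    return chain


def dropped_exe_under_rundll32(events: List[ProcEvent]) -> List[int]:
    """PIDs of mssecsvc.exe / tasksche.exe whose ancestry includes a
    rundll32.exe that loaded a DLL out of the user's Temp directory."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        if basename(e.image) not in DROPPED_NAMES:
            continue
        for anc in ancestors(e, by_pid):
            if basename(anc.image) == "rundll32.exe" and "\\appdata\\local\\temp\\" in anc.cmdline.lower():
                hits.append(e.pid)
                break
    return sorted(hits)


def mssecsvc_security_arg(events: List[ProcEvent]) -> List[int]:
    """PIDs of mssecsvc.exe launched with the '-m security' argument seen in
    the report (the instance outside the rundll32 chain)."""
    return sorted(e.pid for e in events
                  if basename(e.image) == "mssecsvc.exe" and "-m security" in e.cmdline.lower())


def hash_hits(files: List[Tuple[str, str]]) -> List[str]:
    """Paths whose SHA-256 matches a hash listed in the report."""
    return [path for path, sha in files if sha.lower() in KNOWN_SHA256]


def run_detections(events: List[ProcEvent] = EVENTS,
                   files: List[Tuple[str, str]] = DROPPED_FILES) -> Dict[str, list]:
    return {
        "dropped_exe_under_rundll32": dropped_exe_under_rundll32(events),
        "mssecsvc_security_arg": mssecsvc_security_arg(events),
        "hash_hits": hash_hits(files),
    }


if __name__ == "__main__":
    for name, value in run_detections().items():
        print(f"{name}: {value}")
```

The ancestry walk is what separates the two mssecsvc.exe instances: PID 2356 and its child tasksche.exe trace back to the Temp-loaded rundll32 and fire the chain rule, while PID 2632 has no parent in the tree and is caught only by the "-m security" argument rule, so both rules are needed to cover what the report shows.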