Analysis

- max time kernel: 150s
- max time network: 150s
- platform: windows7_x64
- resource: win7-20231129-en
- resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
- submitted: 16-06-2024 19:34
Static task: static1

Behavioral task: behavioral1
- Sample: b4d6c30783319492a578d333806977be_JaffaCakes118.dll
- Resource: win7-20231129-en

Behavioral task: behavioral2
- Sample: b4d6c30783319492a578d333806977be_JaffaCakes118.dll
- Resource: win10v2004-20240508-en
General

- Target: b4d6c30783319492a578d333806977be_JaffaCakes118.dll
- Size: 5.0MB
- MD5: b4d6c30783319492a578d333806977be
- SHA1: 7efe66f619ae1501379dc7cee63c68a07dcafb1c
- SHA256: 645b428bf5a29d365ff98b1fd45ba399c0e00b3da93a8d7cd1e3a0310a3594c3
- SHA512: ca6ef14ec240115362b4738d23970ee9967665929d6752b8238109dd5f0a90e7766dfedc00c644ad6047c9e3fb970a3b2cc5c5ea1768a5bdb6d20c3d0bbac41e
- SSDEEP: 98304:d8qPoBh3RxcSUDk36SAEdhvxWa9P593R8yAVp2H:d8qPkxcxk3ZAEUadzR8yc4H
Malware Config
Signatures

- Wannacry
  WannaCry is a ransomware cryptoworm.

- Contacts a large (3295) amount of remote hosts (1 TTPs)
  This may indicate a network scan to discover remotely running services.

- Executes dropped EXE (3 IoCs)
  Processes: mssecsvc.exe, mssecsvc.exe, tasksche.exe
  PID   Process
  1668  mssecsvc.exe
  2192  mssecsvc.exe
  2128  tasksche.exe

- Creates a large amount of network flows (1 TTPs)
  This may indicate a network scan to discover remotely running services.

- Drops file in System32 directory (1 IoCs)
  Processes: mssecsvc.exe
  - Description: File opened for modification
    IoC: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat
    Process: mssecsvc.exe

- Drops file in Windows directory (2 IoCs)
  Processes: rundll32.exe, mssecsvc.exe
  - Description: File created
    IoC: C:\WINDOWS\mssecsvc.exe
    Process: rundll32.exe
  - Description: File created
    IoC: C:\WINDOWS\tasksche.exe
    Process: mssecsvc.exe

- Modifies data under HKEY_USERS (1 IoCs)
  Processes: mssecsvc.exe
  - Description: Key created
    IoC: \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
    Process: mssecsvc.exe

- Suspicious use of WriteProcessMemory (11 IoCs)
  Processes: rundll32.exe, rundll32.exe
  Description                        PID   Process       Target process
  PID 756 wrote to memory of 1676    756   rundll32.exe  rundll32.exe
  PID 756 wrote to memory of 1676    756   rundll32.exe  rundll32.exe
  PID 756 wrote to memory of 1676    756   rundll32.exe  rundll32.exe
  PID 756 wrote to memory of 1676    756   rundll32.exe  rundll32.exe
  PID 756 wrote to memory of 1676    756   rundll32.exe  rundll32.exe
  PID 756 wrote to memory of 1676    756   rundll32.exe  rundll32.exe
  PID 756 wrote to memory of 1676    756   rundll32.exe  rundll32.exe
  PID 1676 wrote to memory of 1668   1676  rundll32.exe  mssecsvc.exe
  PID 1676 wrote to memory of 1668   1676  rundll32.exe  mssecsvc.exe
  PID 1676 wrote to memory of 1668   1676  rundll32.exe  mssecsvc.exe
  PID 1676 wrote to memory of 1668   1676  rundll32.exe  mssecsvc.exe
Processes

- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\b4d6c30783319492a578d333806977be_JaffaCakes118.dll,#1
  Signatures: Suspicious use of WriteProcessMemory
  PID: 756
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\b4d6c30783319492a578d333806977be_JaffaCakes118.dll,#1
    Signatures: Drops file in Windows directory; Suspicious use of WriteProcessMemory
    PID: 1676
    - C:\WINDOWS\mssecsvc.exe
      Command line: C:\WINDOWS\mssecsvc.exe
      Signatures: Executes dropped EXE; Drops file in Windows directory
      PID: 1668
      - C:\WINDOWS\tasksche.exe
        Command line: C:\WINDOWS\tasksche.exe /i
        Signatures: Executes dropped EXE
        PID: 2128

- C:\WINDOWS\mssecsvc.exe
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  Signatures: Executes dropped EXE; Drops file in System32 directory; Modifies data under HKEY_USERS
  PID: 2192
Network
MITRE ATT&CK Enterprise v15
Downloads

- Filesize: 3.6MB
  MD5: 1b01c6695e40d7b1debbc89b11ec9b05
  SHA1: c34816e9cf97a6c1fc5ef65d6222b7dafa662b14
  SHA256: 49c34f1c874a7cabd10b935a0da2e00ac296eb0087e0101107285ef799f7ce05
  SHA512: af8b68369020c73b75440febba549bafb57250ec09d6fade21a05e4c9975f98e094e773b250378fbfc535fce94e138758bf8ac97297cff172be7587e59c741b1

- Filesize: 3.4MB
  MD5: e1961629be16763d1b5649d963b7999a
  SHA1: ef2a07f6f4ce435de3f5ce479eb145db6755a73c
  SHA256: 7bd280c072ea682f2b69a4f91ca7b23b03977aeb85db9047af11a2af6bc6ee37
  SHA512: b2010a78d0319a82e0b89d5d2fa7a353a75c329344b05e94c9e241de49c7d8ffdd49c4daea6085ebdf9ae5b52248c4734146385718def76b7b407a0264d800ee