Analysis
-
max time kernel
150s -
max time network
151s -
platform
windows7_x64 -
resource
win7-20240704-en -
resource tags
arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system -
submitted
24-07-2024 22:20
Static task
static1
Behavioral task
behavioral1
Sample
6d0270440e080a1b40a9389a830eeb54_JaffaCakes118.dll
Resource
win7-20240704-en
Behavioral task
behavioral2
Sample
6d0270440e080a1b40a9389a830eeb54_JaffaCakes118.dll
Resource
win10v2004-20240709-en
General
-
Target
6d0270440e080a1b40a9389a830eeb54_JaffaCakes118.dll
-
Size
5.0MB
-
MD5
6d0270440e080a1b40a9389a830eeb54
-
SHA1
650413cc676c3c6020f997fdcda7a222531d769f
-
SHA256
33b06096ea66dae40a349d477d7daa7a6616b8b9e11ba2f14d183e0cea553d3d
-
SHA512
e4bc2729c914a9b91d397f499d65f55a5bf54452763ed70aff78cee442e31d39e8bfa492f2ed5b923acd038f36669a5e9da49906d0527e2626fb7bb6c9ec61ae
-
SSDEEP
98304:T8qPoBhz1aRxcSUDk36SAEdhvxWa9P593R8yAVp2H:T8qPe1Cxcxk3ZAEUadzR8yc4H
Malware Config
Signatures
-
Wannacry
WannaCry is a ransomware cryptoworm.
-
Contacts a large (3230) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Executes dropped EXE 3 IoCs
Processes:
mssecsvc.exemssecsvc.exetasksche.exepid process 2444 mssecsvc.exe 2104 mssecsvc.exe 2356 tasksche.exe -
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Drops file in System32 directory 1 IoCs
Processes:
mssecsvc.exedescription ioc process File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat mssecsvc.exe -
Drops file in Windows directory 2 IoCs
Processes:
rundll32.exemssecsvc.exedescription ioc process File created C:\WINDOWS\mssecsvc.exe rundll32.exe File created C:\WINDOWS\tasksche.exe mssecsvc.exe -
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
rundll32.exemssecsvc.exemssecsvc.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mssecsvc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mssecsvc.exe -
Modifies data under HKEY_USERS 1 IoCs
Processes:
mssecsvc.exedescription ioc process Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings mssecsvc.exe -
Suspicious use of WriteProcessMemory 11 IoCs
Processes:
rundll32.exerundll32.exedescription pid process target process PID 2032 wrote to memory of 2080 2032 rundll32.exe rundll32.exe PID 2032 wrote to memory of 2080 2032 rundll32.exe rundll32.exe PID 2032 wrote to memory of 2080 2032 rundll32.exe rundll32.exe PID 2032 wrote to memory of 2080 2032 rundll32.exe rundll32.exe PID 2032 wrote to memory of 2080 2032 rundll32.exe rundll32.exe PID 2032 wrote to memory of 2080 2032 rundll32.exe rundll32.exe PID 2032 wrote to memory of 2080 2032 rundll32.exe rundll32.exe PID 2080 wrote to memory of 2444 2080 rundll32.exe mssecsvc.exe PID 2080 wrote to memory of 2444 2080 rundll32.exe mssecsvc.exe PID 2080 wrote to memory of 2444 2080 rundll32.exe mssecsvc.exe PID 2080 wrote to memory of 2444 2080 rundll32.exe mssecsvc.exe
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\6d0270440e080a1b40a9389a830eeb54_JaffaCakes118.dll,#11⤵
- Suspicious use of WriteProcessMemory
PID:2032 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\6d0270440e080a1b40a9389a830eeb54_JaffaCakes118.dll,#12⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2080 -
C:\WINDOWS\mssecsvc.exeC:\WINDOWS\mssecsvc.exe3⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:2444 -
C:\WINDOWS\tasksche.exeC:\WINDOWS\tasksche.exe /i4⤵
- Executes dropped EXE
PID:2356
-
C:\WINDOWS\mssecsvc.exeC:\WINDOWS\mssecsvc.exe -m security1⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
PID:2104
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3.6MB
MD5e6012315930c5b2a7d584e704ac5fb8c
SHA1777b3a7aaf869da2ddff6b63c6e2587317d550c5
SHA256df7bb854097066e444e43f2efd1d0e44a81b2f2ff59c8fa294ea1a9ea047fd7a
SHA51249c6d31c4257cf0914e900b83c32cc53149282b56603a1cf92f810e8266fe69480a8faa87bbc0f4bab71c70812e582c899878971db38919138416bb829073165
-
Filesize
3.4MB
MD57f7ccaa16fb15eb1c7399d422f8363e8
SHA1bd44d0ab543bf814d93b719c24e90d8dd7111234
SHA2562584e1521065e45ec3c17767c065429038fc6291c091097ea8b22c8a502c41dd
SHA51283e334b80de08903cfa9891a3fa349c1ece7e19f8e62b74a017512fa9a7989a0fd31929bf1fc13847bee04f2da3dacf6bc3f5ee58f0e4b9d495f4b9af12ed2b7