Analysis
- max time kernel: 150s
- max time network: 150s
- platform: windows7_x64
- resource: win7-20240704-en
- resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
- submitted: 24-07-2024 06:53
Static task
- static1
Behavioral task: behavioral1
- Sample: 6aa433b987f747ea18bd1daba29b19a6_JaffaCakes118.dll
- Resource: win7-20240704-en
Behavioral task: behavioral2
- Sample: 6aa433b987f747ea18bd1daba29b19a6_JaffaCakes118.dll
- Resource: win10v2004-20240709-en
General
- Target: 6aa433b987f747ea18bd1daba29b19a6_JaffaCakes118.dll
- Size: 5.0MB
- MD5: 6aa433b987f747ea18bd1daba29b19a6
- SHA1: c4a60a470025c45d224276be50fe9ac8370ddee1
- SHA256: e572ac2cb59c9efb7d130b6d0b126abdb2c5418eb23eef13257eafcc38ed963f
- SHA512: f5939aa010fc822d3b2017d6091b802f27d96f01c914b659280a862cb11b453a59a379772795c199c377171fc35dcc6208a13c2a716137aca7318bc5212c21e3
- SSDEEP: 24576:ObLgdeQhfdmMSirYbcMNgef0QeQjG/D8kIqRYoAdNLKt:OnjQqMSPbcBVQej/1INK
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.
- Contacts a large (3148) amount of remote hosts (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Executes dropped EXE (2 IoCs)
  Processes:
    pid 2020  mssecsvc.exe
    pid 2764  mssecsvc.exe
- Creates a large amount of network flows (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Drops file in System32 directory (1 IoCs)
  Processes:
    File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat  (mssecsvc.exe)
- Drops file in Windows directory (2 IoCs)
  Processes:
    File created: C:\WINDOWS\mssecsvc.exe  (rundll32.exe)
    File created: C:\WINDOWS\tasksche.exe  (mssecsvc.exe)
- System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Processes:
    Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  (mssecsvc.exe)
    Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  (mssecsvc.exe)
    Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  (rundll32.exe)
- Modifies data under HKEY_USERS (1 IoCs)
  Processes:
    Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings  (mssecsvc.exe)
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes:
    pid 2020  mssecsvc.exe
    pid 2764  mssecsvc.exe
- Suspicious behavior: MapViewOfSection (47 IoCs)
  Processes (identical rows collapsed, with counts):
    pid 2020  mssecsvc.exe  (23 events)
    pid 2764  mssecsvc.exe  (24 events)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes:
    Token: SeDebugPrivilege  pid 2020  mssecsvc.exe
    Token: SeDebugPrivilege  pid 2764  mssecsvc.exe
- Suspicious use of WriteProcessMemory (64 IoCs)
  Processes (identical rows collapsed, with counts):
    PID 3032 (rundll32.exe) wrote to memory of 2368 (rundll32.exe)   x7
    PID 2368 (rundll32.exe) wrote to memory of 2020 (mssecsvc.exe)   x4
    PID 2020 (mssecsvc.exe) wrote to memory of 380 (wininit.exe)     x7
    PID 2020 (mssecsvc.exe) wrote to memory of 396 (csrss.exe)       x7
    PID 2020 (mssecsvc.exe) wrote to memory of 432 (winlogon.exe)    x7
    PID 2020 (mssecsvc.exe) wrote to memory of 476 (services.exe)    x7
    PID 2020 (mssecsvc.exe) wrote to memory of 492 (lsass.exe)       x7
    PID 2020 (mssecsvc.exe) wrote to memory of 500 (lsm.exe)         x7
    PID 2020 (mssecsvc.exe) wrote to memory of 596 (svchost.exe)     x7
    PID 2020 (mssecsvc.exe) wrote to memory of 672 (svchost.exe)     x4
Processes (tree; each entry is image path, command line, PID)
- C:\Windows\system32\wininit.exe (cmd: wininit.exe) PID:380
  - C:\Windows\system32\services.exe (cmd: C:\Windows\system32\services.exe) PID:476
    - C:\Windows\system32\svchost.exe (cmd: C:\Windows\system32\svchost.exe -k DcomLaunch) PID:596
      - C:\Windows\system32\DllHost.exe (cmd: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}) PID:2024
      - C:\Windows\system32\wbem\wmiprvse.exe (cmd: C:\Windows\system32\wbem\wmiprvse.exe) PID:1492
    - C:\Windows\system32\svchost.exe (cmd: C:\Windows\system32\svchost.exe -k RPCSS) PID:672
    - C:\Windows\System32\svchost.exe (cmd: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted) PID:740
    - C:\Windows\System32\svchost.exe (cmd: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted) PID:812
      - C:\Windows\system32\Dwm.exe (cmd: "C:\Windows\system32\Dwm.exe") PID:1160
    - C:\Windows\system32\svchost.exe (cmd: C:\Windows\system32\svchost.exe -k netsvcs) PID:860
    - C:\Windows\system32\svchost.exe (cmd: C:\Windows\system32\svchost.exe -k LocalService) PID:968
    - C:\Windows\system32\svchost.exe (cmd: C:\Windows\system32\svchost.exe -k NetworkService) PID:268
    - C:\Windows\System32\spoolsv.exe (cmd: C:\Windows\System32\spoolsv.exe) PID:856
    - C:\Windows\system32\svchost.exe (cmd: C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork) PID:1072
    - C:\Windows\system32\taskhost.exe (cmd: "taskhost.exe") PID:1100
    - C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE (cmd: "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE") PID:1296
    - C:\Windows\system32\svchost.exe (cmd: C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation) PID:2104
    - C:\Windows\system32\sppsvc.exe (cmd: C:\Windows\system32\sppsvc.exe) PID:1664
    - C:\WINDOWS\mssecsvc.exe (cmd: C:\WINDOWS\mssecsvc.exe -m security) PID:2764
      Signatures: Executes dropped EXE; Drops file in System32 directory; System Location Discovery: System Language Discovery; Modifies data under HKEY_USERS; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: MapViewOfSection; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\system32\lsass.exe (cmd: C:\Windows\system32\lsass.exe) PID:492
  - C:\Windows\system32\lsm.exe (cmd: C:\Windows\system32\lsm.exe) PID:500
- C:\Windows\system32\csrss.exe (cmd: %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16) PID:396
- C:\Windows\system32\winlogon.exe (cmd: winlogon.exe) PID:432
- C:\Windows\Explorer.EXE (cmd: C:\Windows\Explorer.EXE) PID:1200
  - C:\Windows\system32\rundll32.exe (cmd: rundll32.exe C:\Users\Admin\AppData\Local\Temp\6aa433b987f747ea18bd1daba29b19a6_JaffaCakes118.dll,#1) PID:3032
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\rundll32.exe (cmd: rundll32.exe C:\Users\Admin\AppData\Local\Temp\6aa433b987f747ea18bd1daba29b19a6_JaffaCakes118.dll,#1) PID:2368
      Signatures: Drops file in Windows directory; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
      - C:\WINDOWS\mssecsvc.exe (cmd: C:\WINDOWS\mssecsvc.exe) PID:2020
        Signatures: Executes dropped EXE; Drops file in Windows directory; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: MapViewOfSection; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 3.6MB
  MD5: b2b0bc696271321075d678c832b9db9c
  SHA1: 801343b88e1e276da1585564bcf22b9f114a48c0
  SHA256: 6729590951a87257c5509e08c3d6c12ecdc78645e478c387d660663fb93087ba
  SHA512: 3106db6137ec2d32e83c6024261878f2bbc2016e95f5213c4e6bdca8d792ca36e0b574fa85d57aaa46de5a91b9759826a72ab3b7f08e54737d0fd7fbb86e569b