Analysis
- max time kernel: 150s
- max time network: 150s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 17-09-2024 10:33
Static task: static1
Behavioral task: behavioral1
- Sample: e6a03e920acc645c14f7a4bb173c89d4_JaffaCakes118.dll
- Resource: win7-20240903-en
Behavioral task: behavioral2
- Sample: e6a03e920acc645c14f7a4bb173c89d4_JaffaCakes118.dll
- Resource: win10v2004-20240802-en
General
- Target: e6a03e920acc645c14f7a4bb173c89d4_JaffaCakes118.dll
- Size: 5.0MB
- MD5: e6a03e920acc645c14f7a4bb173c89d4
- SHA1: bdb6d7ff74bd06d17476ba67714473bdd5fdfe50
- SHA256: a5832d6d06e0db070701957dfed2a564ea5e9f3744099c46001a9539649bf818
- SHA512: e056cbac3dc497fa4ec1be486cd29d8a926a36df87a3bcec422d74a528f4e0706569db91fead0dfd0383d88120a798a978f1768a9c2678482e663de23640fce6
- SSDEEP: 49152:znjQqMSPbcBVQej/1INRx+TSqTdX1HkQo6SAARdhnv:T8qPoBhz1aRxcSUDk36SAEdhv
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.
- Contacts a large (3243) amount of remote hosts (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Executes dropped EXE (3 IoCs)
  pid   Process
  2332  mssecsvc.exe
  3060  mssecsvc.exe
  2516  tasksche.exe
- Creates a large amount of network flows (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Drops file in System32 directory (1 IoCs)
  description                   ioc                                                                                                               Process
  File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat  mssecsvc.exe
- Drops file in Windows directory (2 IoCs)
  description   ioc                       Process
  File created  C:\WINDOWS\mssecsvc.exe   rundll32.exe
  File created  C:\WINDOWS\tasksche.exe   mssecsvc.exe
- System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                          Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  rundll32.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  mssecsvc.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  mssecsvc.exe
- Modifies data under HKEY_USERS (1 IoCs)
  description  ioc                                                                           Process
  Key created  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings  mssecsvc.exe
- Suspicious use of WriteProcessMemory (11 IoCs)
  description                        pid   Process       procid_target
  PID 1668 wrote to memory of 2296   1668  rundll32.exe  31
  PID 1668 wrote to memory of 2296   1668  rundll32.exe  31
  PID 1668 wrote to memory of 2296   1668  rundll32.exe  31
  PID 1668 wrote to memory of 2296   1668  rundll32.exe  31
  PID 1668 wrote to memory of 2296   1668  rundll32.exe  31
  PID 1668 wrote to memory of 2296   1668  rundll32.exe  31
  PID 1668 wrote to memory of 2296   1668  rundll32.exe  31
  PID 2296 wrote to memory of 2332   2296  rundll32.exe  32
  PID 2296 wrote to memory of 2332   2296  rundll32.exe  32
  PID 2296 wrote to memory of 2332   2296  rundll32.exe  32
  PID 2296 wrote to memory of 2332   2296  rundll32.exe  32
Processes
- C:\Windows\system32\rundll32.exe (depth 1)
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\e6a03e920acc645c14f7a4bb173c89d4_JaffaCakes118.dll,#1
  - Suspicious use of WriteProcessMemory
  PID: 1668
  - C:\Windows\SysWOW64\rundll32.exe (depth 2)
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\e6a03e920acc645c14f7a4bb173c89d4_JaffaCakes118.dll,#1
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 2296
    - C:\WINDOWS\mssecsvc.exe (depth 3)
      Command line: C:\WINDOWS\mssecsvc.exe
      - Executes dropped EXE
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      PID: 2332
      - C:\WINDOWS\tasksche.exe (depth 4)
        Command line: C:\WINDOWS\tasksche.exe /i
        - Executes dropped EXE
        PID: 2516
- C:\WINDOWS\mssecsvc.exe (depth 1)
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
  PID: 3060
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 3.6MB
  MD5: ca9e084bc47a42f3c5f15fb4142bc467
  SHA1: a8a43bbd4ef43b4faff94cff5a17ac42e2c2a95c
  SHA256: 90d39c41e81b12de191406fb75263d208f5e7841b47bcf77d7fdd4156f8bc1af
  SHA512: 49bab5ea4328897e57d4d22240049e5174fc9520c08f16ae2071e77acc10119c24a45c10393cef052370250356dd5c7b50a23456b8b33cfe2cdbdbbdf6841a42
- Filesize: 3.4MB
  MD5: ba8922fceaeed80297c3c391c8844b70
  SHA1: 2ef2a451fbcd42a938ae3d7bfad93dbc8ebe144f
  SHA256: e3825cad783a302902576ca4cfae9fdfc8640a012876402c89e7dd22475cda91
  SHA512: faee2d00623ab8a0db455a4b26074faed6da189220630f5260c331ed3d7f633f4cb253efaae25101c64ca836bea92b2de9e8c18614da483d4614b2e176d159bb