Analysis
- max time kernel: 150s
- max time network: 154s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 25-09-2024 23:18
Static task: static1
Behavioral task: behavioral1
  Sample: f70dc6617585a6cdb57999cfc7e35983_JaffaCakes118.dll
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: f70dc6617585a6cdb57999cfc7e35983_JaffaCakes118.dll
  Resource: win10v2004-20240802-en
General
- Target: f70dc6617585a6cdb57999cfc7e35983_JaffaCakes118.dll
- Size: 5.0MB
- MD5: f70dc6617585a6cdb57999cfc7e35983
- SHA1: fc392f28ffbf4adee56869067d25d8a7d33f3d1d
- SHA256: 242743baf453444c89c5c31203de59b2d6af0a4fa9bd7e7de9b7b52c6414376e
- SHA512: 1b904c5fd57e9a8e9de4034f4b9f9200addf9222bb258802f8eb915dca4312d78a490446d27ff0b78dd12f95379b9b15d9138f2fbb124312410e8e9bcbba30df
- SSDEEP: 49152:JnjQqMSPbcBVQej/1INRx+TSqTdX1HkQo6S:d8qPoBhz1aRxcSUDk36S
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.
- Contacts a large (3003) amount of remote hosts (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Executes dropped EXE (3 IoCs)
  pid   Process
  2824  mssecsvc.exe
  2788  mssecsvc.exe
  2304  tasksche.exe
- Creates a large amount of network flows (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Drops file in System32 directory (1 IoCs)
  description                   ioc                                                                                                                     Process
  File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat  mssecsvc.exe
- Drops file in Windows directory (2 IoCs)
  description   ioc                      Process
  File created  C:\WINDOWS\mssecsvc.exe  rundll32.exe
  File created  C:\WINDOWS\tasksche.exe  mssecsvc.exe
- System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                          Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  mssecsvc.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  rundll32.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  mssecsvc.exe
- Modifies data under HKEY_USERS (1 IoCs)
  description  ioc                                                                                 Process
  Key created  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings  mssecsvc.exe
- Suspicious use of WriteProcessMemory (11 IoCs)
  description                       pid   Process       procid_target
  PID 2240 wrote to memory of 1800  2240  rundll32.exe  29
  PID 2240 wrote to memory of 1800  2240  rundll32.exe  29
  PID 2240 wrote to memory of 1800  2240  rundll32.exe  29
  PID 2240 wrote to memory of 1800  2240  rundll32.exe  29
  PID 2240 wrote to memory of 1800  2240  rundll32.exe  29
  PID 2240 wrote to memory of 1800  2240  rundll32.exe  29
  PID 2240 wrote to memory of 1800  2240  rundll32.exe  29
  PID 1800 wrote to memory of 2824  1800  rundll32.exe  30
  PID 1800 wrote to memory of 2824  1800  rundll32.exe  30
  PID 1800 wrote to memory of 2824  1800  rundll32.exe  30
  PID 1800 wrote to memory of 2824  1800  rundll32.exe  30
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\f70dc6617585a6cdb57999cfc7e35983_JaffaCakes118.dll,#1
  - Suspicious use of WriteProcessMemory
  PID: 2240
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\f70dc6617585a6cdb57999cfc7e35983_JaffaCakes118.dll,#1
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 1800
    - C:\WINDOWS\mssecsvc.exe
      Command line: C:\WINDOWS\mssecsvc.exe
      - Executes dropped EXE
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      PID: 2824
      - C:\WINDOWS\tasksche.exe
        Command line: C:\WINDOWS\tasksche.exe /i
        - Executes dropped EXE
        PID: 2304
- C:\WINDOWS\mssecsvc.exe
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
  PID: 2788
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 3.6MB
  MD5: 902499be1f74facf8df615deea83bd63
  SHA1: 5ee5d0c7bdbf779838b3228267228de3c45bec4d
  SHA256: 3c75131419934c7b16f9721abdef7a5cd57cd20cea4757be3724b36c84380cf2
  SHA512: fef964c845505b1695aab6b7e983a962206e1e95d5ae30556cdf67fdffd8f5c01696672429859aff5612299a7f69803b531591427f507bec819e8442d134332f
- Filesize: 3.4MB
  MD5: db73e31441cfcb4e3df4f90abf93be58
  SHA1: cec5b1d186ac29e9de354232e7ced75cfaa7dbcc
  SHA256: ec7921ced5b4b6e1a2466938f5bbbcb37bdbe3e18231bfe474829619427a46a2
  SHA512: 9469b87f95b82afc2b17843cc120585dd4e915bb560fa69e40a54cb752392a339181bfa6923783c63e418ffcef6ed661ff7fc7689828a13732a540c788642861