Analysis
max time kernel: 150s
max time network: 150s
platform: windows7_x64
resource: win7-20231129-en
resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
submitted: 28-04-2024 22:31
Static task: static1
Behavioral task: behavioral1
  Sample: 0636efc4ba52127196acae91afa113e2_JaffaCakes118.dll
  Resource: win7-20231129-en
Behavioral task: behavioral2
  Sample: 0636efc4ba52127196acae91afa113e2_JaffaCakes118.dll
  Resource: win10v2004-20240419-en
General
Target: 0636efc4ba52127196acae91afa113e2_JaffaCakes118.dll
Size: 5.0MB
MD5: 0636efc4ba52127196acae91afa113e2
SHA1: be34539aa752513108b5a4f5fbbacb91835e74f8
SHA256: 8bbab918a16a0d1f71a56893042b37d9bccba90e5b04c074ed8bd4fd755cc02f
SHA512: da78c335edcc29715f8527f503f57cffd46b3417fa69eb55d16ccec369e0c8a8cff342c89afba06f96f4a542b2600070bad03211f728d3840c8eb84b4bd18f9a
SSDEEP: 49152:snjQqMSPbcBV1+TSqTdX1HkQo6SAARdhnvxJM0H9PAMEcaEau3R8SSS:M8qPoBfcSUDk36SAEdhvxWa9P593R8w
Malware Config
Signatures
- WannaCry
  WannaCry is a ransomware cryptoworm.
- Contacts a large (3200) number of remote hosts (1 TTP)
  This may indicate a network scan to discover remotely running services.
- Executes dropped EXE (3 IoCs)
  Processes:
  PID 2092  mssecsvc.exe
  PID 1992  mssecsvc.exe
  PID 1124  tasksche.exe
- Creates a large number of network flows (1 TTP)
  This may indicate a network scan to discover remotely running services.
- Drops file in System32 directory (1 IoC)
  File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat  (process: mssecsvc.exe)
- Drops file in Windows directory (2 IoCs)
  File created: C:\WINDOWS\tasksche.exe  (process: mssecsvc.exe)
  File created: C:\WINDOWS\mssecsvc.exe  (process: rundll32.exe)
- Modifies data under HKEY_USERS (1 IoC)
  Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings  (process: mssecsvc.exe)
- Suspicious use of WriteProcessMemory (11 IoCs)
  PID 1072 (rundll32.exe) wrote to memory of PID 1104 (rundll32.exe), 7 times
  PID 1104 (rundll32.exe) wrote to memory of PID 2092 (mssecsvc.exe), 4 times
  The hop from the 64-bit C:\Windows\system32\rundll32.exe (1072) to its C:\Windows\SysWOW64 copy (1104) is consistent with a 32-bit DLL being loaded on an x64 host (the resource is tagged arch:x86 as well as arch:x64); the 32-bit rundll32.exe is then the process that writes C:\WINDOWS\mssecsvc.exe and starts it.
Processes
- C:\Windows\system32\rundll32.exe (PID 1072)
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\0636efc4ba52127196acae91afa113e2_JaffaCakes118.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (PID 1104)
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\0636efc4ba52127196acae91afa113e2_JaffaCakes118.dll,#1
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    - C:\WINDOWS\mssecsvc.exe (PID 2092)
      C:\WINDOWS\mssecsvc.exe
      - Executes dropped EXE
      - Drops file in Windows directory
      - C:\WINDOWS\tasksche.exe (PID 1124)
        C:\WINDOWS\tasksche.exe /i
        - Executes dropped EXE
- C:\WINDOWS\mssecsvc.exe (PID 1992)
  C:\WINDOWS\mssecsvc.exe -m security
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
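Detection logic for what the Signatures and Processes sections above record, as an added example that is not part of the sandbox report or of the sample: it matches process-creation events against the rundll32.exe -> mssecsvc.exe -> tasksche.exe /i chain and the separate mssecsvc.exe -m security launch, and counts distinct destination hosts per process to catch the 3200-host fan-out. The events and flow records are constructed here in a Sysmon-like shape to mirror the report; the parent PIDs of the root processes, the TCP port (445) and the scan threshold (100 hosts) are assumptions, not values the report gives.

```python
"""Added example: detection logic for the process chain and host fan-out the
report above flags. Not part of the sandbox report. Events and flows below
are constructed to mirror the report; the TCP port (445) and the scan
threshold (100 hosts) are assumptions, not values taken from the report."""
from collections import defaultdict
import ntpath

# Constructed process-creation events in a Sysmon-like shape (pid, parent pid,
# image path, command line). Parent PIDs 600/464 are invented for the roots.
PROC_EVENTS = [
    {"pid": 1072, "ppid": 600, "image": r"C:\Windows\system32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\sample.dll,#1"},
    {"pid": 1104, "ppid": 1072, "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\sample.dll,#1"},
    {"pid": 2092, "ppid": 1104, "image": r"C:\WINDOWS\mssecsvc.exe",
     "cmdline": r"C:\WINDOWS\mssecsvc.exe"},
    {"pid": 1124, "ppid": 2092, "image": r"C:\WINDOWS\tasksche.exe",
     "cmdline": r"C:\WINDOWS\tasksche.exe /i"},
    {"pid": 1992, "ppid": 464, "image": r"C:\WINDOWS\mssecsvc.exe",
     "cmdline": r"C:\WINDOWS\mssecsvc.exe -m security"},
    # Benign noise so the rules have something to ignore.
    {"pid": 3000, "ppid": 600, "image": r"C:\Windows\explorer.exe",
     "cmdline": "explorer.exe"},
]

# Constructed flow records (pid, dst_ip, dst_port): one process touching 3200
# hosts on a single port, plus a normal client with two connections.
FLOWS = [(2092, f"10.0.{i // 256}.{i % 256}", 445) for i in range(3200)]
FLOWS += [(3000, "10.0.0.5", 443), (3000, "10.0.0.6", 443)]


def basename(path):
    """Lower-cased file name of a Windows path (ntpath handles backslashes on any OS)."""
    return ntpath.basename(path).lower()


def find_drop_chains(events):
    """Return (rundll32_pid, mssecsvc_pid, tasksche_pid) triples where tasksche.exe
    was started with /i by mssecsvc.exe, which itself was started by rundll32.exe."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        if basename(e["image"]) != "tasksche.exe" or "/i" not in e["cmdline"].lower().split():
            continue
        parent = by_pid.get(e["ppid"])
        if parent is None or basename(parent["image"]) != "mssecsvc.exe":
            continue
        grand = by_pid.get(parent["ppid"])
        if grand is None or basename(grand["image"]) != "rundll32.exe":
            continue
        hits.append((grand["pid"], parent["pid"], e["pid"]))
    return hits


def find_service_launches(events):
    """Return pids of mssecsvc.exe started with '-m security', the launch the report
    shows as a second process tree with no rundll32.exe parent."""
    out = []
    for e in events:
        args = e["cmdline"].lower().split()
        if basename(e["image"]) == "mssecsvc.exe" and args[1:3] == ["-m", "security"]:
            out.append(e["pid"])
    return out


def hosts_per_process(flows, port=445):
    """Count distinct destination hosts each pid contacted on `port`."""
    seen = defaultdict(set)
    for pid, ip, dport in flows:
        if dport == port:
            seen[pid].add(ip)
    return {pid: len(ips) for pid, ips in seen.items()}


def scanning_pids(flows, threshold=100, port=445):
    """Pids whose distinct-host fan-out on `port` reaches the threshold. The report
    flagged 3200 remote hosts; any client at that count is worth an alert."""
    return sorted(pid for pid, n in hosts_per_process(flows, port).items() if n >= threshold)


if __name__ == "__main__":
    print("drop chains:", find_drop_chains(PROC_EVENTS))
    print("service launches:", find_service_launches(PROC_EVENTS))
    print("scanning pids:", scanning_pids(FLOWS), hosts_per_process(FLOWS))
```

The chain rule keys on parent-child lineage rather than on file hashes, so it still fires when the dropped binaries are repacked; the fan-out rule keys on distinct hosts per process rather than on total flows, so a single busy but legitimate connection cannot trip it.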
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Windows\mssecsvc.exe
  Filesize: 3.6MB
  MD5: 286c1218a09064d7b7870e9922de0992
  SHA1: c0a7f67b68f32f4490af76a709ebe5fb1d9b5da6
  SHA256: 14fd8c53e6ab15332f71b1612e9da102830e4ae38236ff41c12784dad899920b
  SHA512: 38f401791cd69f73aa9c919b711b47710c4ca24571669cbd9ba9cde9f4b488ce9d1d687a42f5985a4ec9292a588361f722a158961b1c60fe41bc8962eade78c2
- C:\Windows\tasksche.exe
  Filesize: 3.4MB
  MD5: d7db35f72ca7c45a1f8489e7e90489e0
  SHA1: 4353161d5043d8939dc4c76e85c0269809e03f98
  SHA256: 55ef2ac2ce8c6c00d91ab3ca78a1931338c13f86ab5c4a07a980002e59da2d5b
  SHA512: cce907df648b9b88621b2945a769e3e36216157d4a015d9126b6bdb69e53faded6f41d774ff8a28e0b6cb3a6678446df83e79cdc1dbeeda360f76f980a23be56