Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows7_x64 -
resource
win7-20231129-en -
resource tags
arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system -
submitted
30-04-2024 14:36
Static task
static1
Behavioral task
behavioral1
Sample
09f82731e3d4e5138450cdbb47878e27_JaffaCakes118.dll
Resource
win7-20231129-en
Behavioral task
behavioral2
Sample
09f82731e3d4e5138450cdbb47878e27_JaffaCakes118.dll
Resource
win10v2004-20240419-en
General
-
Target
09f82731e3d4e5138450cdbb47878e27_JaffaCakes118.dll
-
Size
5.0MB
-
MD5
09f82731e3d4e5138450cdbb47878e27
-
SHA1
a45e7c212aa3ab4223f60a0bfd65dcb4bf0c5fc4
-
SHA256
51f5f8f16812c0d4d057b8a949963ce68cf096d823edfd2586b51d3225383f2f
-
SHA512
20c09e78a81a4144eca86deff9d6a753e582adf76fcbc42f8fcb8477ac90c3a926fdc6eade93ee37cb88daae5ff5e1ca04b0889c1bd4262c355491d81a0982cf
-
SSDEEP
49152:JnjQqMSPbcBVQej/1INRx+TSqTdX1HkQo6SAARdhnvxJM0H9PAMEcaE:d8qPoBhz1aRxcSUDk36SAEdhvxWa9P5
Malware Config
Signatures
-
Wannacry
WannaCry is a ransomware cryptoworm.
-
Contacts a large (3155) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Executes dropped EXE 3 IoCs
Processes:
pid process
2628 mssecsvc.exe
3044 mssecsvc.exe
2152 tasksche.exe
-
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Drops file in System32 directory 1 IoCs
Processes:
description ioc process
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat mssecsvc.exe
-
Drops file in Windows directory 2 IoCs
Processes:
description ioc process
File created C:\WINDOWS\mssecsvc.exe rundll32.exe
File created C:\WINDOWS\tasksche.exe mssecsvc.exe
-
Modifies data under HKEY_USERS 1 IoCs
Processes:
description ioc process
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings mssecsvc.exe
-
Suspicious use of WriteProcessMemory 11 IoCs
Processes:
description pid process target process
PID 2060 wrote to memory of 2052 2060 rundll32.exe rundll32.exe
PID 2060 wrote to memory of 2052 2060 rundll32.exe rundll32.exe
PID 2060 wrote to memory of 2052 2060 rundll32.exe rundll32.exe
PID 2060 wrote to memory of 2052 2060 rundll32.exe rundll32.exe
PID 2060 wrote to memory of 2052 2060 rundll32.exe rundll32.exe
PID 2060 wrote to memory of 2052 2060 rundll32.exe rundll32.exe
PID 2060 wrote to memory of 2052 2060 rundll32.exe rundll32.exe
PID 2052 wrote to memory of 2628 2052 rundll32.exe mssecsvc.exe
PID 2052 wrote to memory of 2628 2052 rundll32.exe mssecsvc.exe
PID 2052 wrote to memory of 2628 2052 rundll32.exe mssecsvc.exe
PID 2052 wrote to memory of 2628 2052 rundll32.exe mssecsvc.exe
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\09f82731e3d4e5138450cdbb47878e27_JaffaCakes118.dll,#1
  - Suspicious use of WriteProcessMemory
  PID:2060
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\09f82731e3d4e5138450cdbb47878e27_JaffaCakes118.dll,#1
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    PID:2052
    - C:\WINDOWS\mssecsvc.exe
      Command line: C:\WINDOWS\mssecsvc.exe
      - Executes dropped EXE
      - Drops file in Windows directory
      PID:2628
      - C:\WINDOWS\tasksche.exe
        Command line: C:\WINDOWS\tasksche.exe /i
        - Executes dropped EXE
        PID:2152
- C:\WINDOWS\mssecsvc.exe
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  PID:3044
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Windows\mssecsvc.exe
  Filesize 3.6MB
  MD5 6a607c06ec2a386e4d3dcabce0c9daaa
  SHA1 5268967b51b881c68d916cb8f739eedd99357a24
  SHA256 d683c2ca4751bc38fd4c56f5e9820e2797739cbd331466c025e49d663163c984
  SHA512 66a6ef6e8880d08238b3d67950850aa16aa62233e37e88f878237a5abb004af244a97b806e6b45f6e3784d53739e9657fcbba0d8e1ab5f068fbbb8e6f6171516
- C:\Windows\tasksche.exe
  Filesize 3.4MB
  MD5 fb4174dd5afc6dcc7db2e3502bb5a9c8
  SHA1 240889c13fca97cd4d3c689fae435649dc793b07
  SHA256 d9f852bcb5fe00b7e8af5b673f5f24b67a5513a83ee4b6c308f26c28658fb8ac
  SHA512 74b5a65d05b1f2e5031d766ba818e40b8610e47ac0001adb20275eeabc836572172c21322b971fa1d34c05b15cd6307e7956cef637f59d80f7c0207f30073148