Analysis
max time kernel: 150s
max time network: 150s
platform: windows7_x64
resource: win7-20231129-en
resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
submitted: 04-05-2024 08:25
Static task: static1
Behavioral task: behavioral1
  Sample: 11e240d70f2e38cecfba1799d8046678_JaffaCakes118.dll
  Resource: win7-20231129-en
Behavioral task: behavioral2
  Sample: 11e240d70f2e38cecfba1799d8046678_JaffaCakes118.dll
  Resource: win10v2004-20240426-en
General
Target: 11e240d70f2e38cecfba1799d8046678_JaffaCakes118.dll
Size: 5.0MB
MD5: 11e240d70f2e38cecfba1799d8046678
SHA1: 33b54e5eebec3eab8fa7159015984306fd53c8cb
SHA256: d3d6fe7d340bfb8fdaa8be94c959099d860ea3c745ce3a15ac5c21078accc41e
SHA512: 7b83a0570ee1ec3b11cd1d0bc4ffe14ccf8657fb3a37871be47307a69214cfdbf4920ba05b2cce1d7819609160e177a3db3662f8b3a7b8a3ac04350bcd3d0a32
SSDEEP: 98304:d8qPoBhz1aRxcSUDkydhvxWa9P593R8yAVp2H:d8qPe1CxcxkyUadzR8yc4H
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.
- Contacts a large (3113) amount of remote hosts (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Executes dropped EXE (3 IoCs)
  Processes: mssecsvc.exe, mssecsvc.exe, tasksche.exe
    pid 2544  process mssecsvc.exe
    pid 1748  process mssecsvc.exe
    pid 3032  process tasksche.exe
- Creates a large amount of network flows (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Drops file in System32 directory (1 IoCs)
  Processes: mssecsvc.exe
    description: File opened for modification
    ioc: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat
    process: mssecsvc.exe
- Drops file in Windows directory (2 IoCs)
  Processes: rundll32.exe, mssecsvc.exe
    description: File created  ioc: C:\WINDOWS\mssecsvc.exe  process: rundll32.exe
    description: File created  ioc: C:\WINDOWS\tasksche.exe  process: mssecsvc.exe
- Modifies data under HKEY_USERS (1 IoCs)
  Processes: mssecsvc.exe
    description: Key created
    ioc: \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
    process: mssecsvc.exe
- Suspicious use of WriteProcessMemory (11 IoCs)
  Processes: rundll32.exe, rundll32.exe
    description: PID 2188 wrote to memory of 2392  pid: 2188  process: rundll32.exe  target process: rundll32.exe  (7 identical entries)
    description: PID 2392 wrote to memory of 2544  pid: 2392  process: rundll32.exe  target process: mssecsvc.exe  (4 identical entries)
Processes
- C:\Windows\system32\rundll32.exe
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\11e240d70f2e38cecfba1799d8046678_JaffaCakes118.dll,#1
  PID: 2188
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\11e240d70f2e38cecfba1799d8046678_JaffaCakes118.dll,#1
    PID: 2392
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    - C:\WINDOWS\mssecsvc.exe
      command line: C:\WINDOWS\mssecsvc.exe
      PID: 2544
      - Executes dropped EXE
      - Drops file in Windows directory
      - C:\WINDOWS\tasksche.exe
        command line: C:\WINDOWS\tasksche.exe /i
        PID: 3032
        - Executes dropped EXE
- C:\WINDOWS\mssecsvc.exe
  command line: C:\WINDOWS\mssecsvc.exe -m security
  PID: 1748
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Windows\mssecsvc.exe
  Filesize: 3.6MB
  MD5: 6edc22d530ba8a8c3de87400d1a3c762
  SHA1: 83975a8e5718eb954ccba19f497a16c75c361cea
  SHA256: ed59f9f12b99554ead96ba5351f9413654526e6d67c54594fa051d61bd53cd12
  SHA512: ce8eb2fb1d557101a9c16a6b52eedc18ffb30d34cef10f5e2c3cd5d740ac4a9e794f4446efedfff9f22a9cd1a715d0f7457f7284554c8d61d350aaa530d9ef4f
- C:\Windows\tasksche.exe
  Filesize: 3.4MB
  MD5: 407207ed2f91fcc504c3c872020debba
  SHA1: 7d493a63fe1ab5ac8102a2c54130115b4f3ffa4b
  SHA256: ab6d965875faa63059f57ae3772f92935bf360ae681a009cac240f05020d0617
  SHA512: 18be7d0ca0dc4f4f78bbc2e330802f624eae9ea3e47f23be9d1b6387631ae31d99155659a5256501e5ce68ad7ed5a6baa41115ddc00f77f7a906402779fd1d32