Analysis
- max time kernel: 150s
- max time network: 150s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 05-05-2024 11:57
Static task: static1
Behavioral task: behavioral1
- Sample: 17905fa52bee8b438e2b7f5cb53cb2f5_JaffaCakes118.dll
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: 17905fa52bee8b438e2b7f5cb53cb2f5_JaffaCakes118.dll
- Resource: win10v2004-20240419-en
General
- Target: 17905fa52bee8b438e2b7f5cb53cb2f5_JaffaCakes118.dll
- Size: 5.0MB
- MD5: 17905fa52bee8b438e2b7f5cb53cb2f5
- SHA1: 2af13381186dd6816a6354b734cca68573e90beb
- SHA256: 4ff2da241d70aca8d525e7c417c4541b6ede67511c6d4f9560263024f5886dd1
- SHA512: d0dd6b946280bd50f2aabe1922e419fe8d62d9cbd8411bb98a61ecbdf0e3d2cdb73ea307a27fad7a6b480d76b9400a3b61a9a3c6fa9a7f710ab0aee7cd372681
- SSDEEP: 98304:d8qPoB1z1aRxcSUDk36SAEdhFeB3R8yAVp2H:d8qPS1Cxcxk3ZAEJepR8yc4H
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.
- Contacts a large (3179) amount of remote hosts (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Executes dropped EXE (3 IoCs)
  Processes (pid, process):
    2188  mssecsvc.exe
    2640  mssecsvc.exe
    2604  tasksche.exe
- Creates a large amount of network flows (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Drops file in System32 directory (1 IoCs)
  Processes (description, ioc, process):
    File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat | mssecsvc.exe
- Drops file in Windows directory (2 IoCs)
  Processes (description, ioc, process):
    File created | C:\WINDOWS\mssecsvc.exe | rundll32.exe
    File created | C:\WINDOWS\tasksche.exe | mssecsvc.exe
- Modifies data under HKEY_USERS (1 IoCs)
  Processes (description, ioc, process):
    Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings | mssecsvc.exe
- Suspicious use of WriteProcessMemory (11 IoCs)
  Processes (description, pid, process, target process):
    PID 1700 wrote to memory of 2356 | 1700 | rundll32.exe | rundll32.exe   (7 entries)
    PID 2356 wrote to memory of 2188 | 2356 | rundll32.exe | mssecsvc.exe   (4 entries)
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\17905fa52bee8b438e2b7f5cb53cb2f5_JaffaCakes118.dll,#1
  - Suspicious use of WriteProcessMemory
  PID: 1700
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\17905fa52bee8b438e2b7f5cb53cb2f5_JaffaCakes118.dll,#1
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    PID: 2356
    - C:\WINDOWS\mssecsvc.exe
      Command line: C:\WINDOWS\mssecsvc.exe
      - Executes dropped EXE
      - Drops file in Windows directory
      PID: 2188
      - C:\WINDOWS\tasksche.exe
        Command line: C:\WINDOWS\tasksche.exe /i
        - Executes dropped EXE
        PID: 2604
- C:\WINDOWS\mssecsvc.exe
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  PID: 2640
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Windows\mssecsvc.exe
  Filesize: 3.6MB
  MD5: 676546e9d7eb379744152f2f308854c0
  SHA1: 496dcb1559821ff4a93e4ae4e7e901ce260799c8
  SHA256: 6e9eeb57fec2ff5dfe679cd60b0d35ef4d588e497e4f8619e89237191f97fb49
  SHA512: b39f29fc6ba70bc2490e77166472b2547e78a66c6749de304c5deb348245ce1402406af4264a5bb15f94fe5af9e11f0ca1007f3b04c9a87ad32207e762cca07a
- C:\Windows\tasksche.exe
  Filesize: 3.4MB
  MD5: 972029747126787ea423dffa1df456b6
  SHA1: 0d6d278f3305f6713db39bf0ff9d32fd15b0dd20
  SHA256: ef16810e7e876aaebc4eb25a00abcd65f83abb41e074c5e1a030debabddf9e3a
  SHA512: 77860b8a63373ee194a043496b7cc0d530f76d13692db09057fd68dd82001363932e974b7985b699a9ba9a3d71de574a8068144758271c41a5c677bbedd82c43