Analysis
- max time kernel: 150s
- max time network: 150s
- platform: windows7_x64
- resource: win7-20231129-en
- resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
- submitted: 05-05-2024 14:27
Static task: static1
Behavioral task: behavioral1
- Sample: 18199888d6cc03fa3b1adee22012c083_JaffaCakes118.dll
- Resource: win7-20231129-en
Behavioral task: behavioral2
- Sample: 18199888d6cc03fa3b1adee22012c083_JaffaCakes118.dll
- Resource: win10v2004-20240419-en
General
- Target: 18199888d6cc03fa3b1adee22012c083_JaffaCakes118.dll
- Size: 5.0MB
- MD5: 18199888d6cc03fa3b1adee22012c083
- SHA1: ea05e12f62e3d5955b2de7587aa4a8c98659c040
- SHA256: a45856a40e829582bb45e4ef75bf43ff31679f8ca1d7106e6217db81b2c76e40
- SHA512: b835b47ed895ec6bac52d1787166b32f65f6bc51f2b6774f3b83500b79c954e1d6cece9ec61446de12cf68d22050e3b5b854e618d5d9936f1ab7e022fde5b273
- SSDEEP: 98304:d8qPoBhz1aRxcSUDk36SAEdhvxWa94593R8yAVp2s:d8qPe1Cxcxk3ZAEUayzR8yc4s
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.
- Contacts a large number (3341) of remote hosts (1 TTP)
  This may indicate a network scan to discover remotely running services.
- Executes dropped EXE (3 IoCs)
  Processes: mssecsvc.exe, mssecsvc.exe, tasksche.exe
    pid   process
    1740  mssecsvc.exe
    2892  mssecsvc.exe
    2916  tasksche.exe
- Creates a large amount of network flows (1 TTP)
  This may indicate a network scan to discover remotely running services.
- Drops file in System32 directory (1 IoC)
  Processes: mssecsvc.exe
    description                   ioc                                                                                                                    process
    File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat  mssecsvc.exe
- Drops file in Windows directory (2 IoCs)
  Processes: rundll32.exe, mssecsvc.exe
    description   ioc                       process
    File created  C:\WINDOWS\mssecsvc.exe   rundll32.exe
    File created  C:\WINDOWS\tasksche.exe   mssecsvc.exe
- Modifies data under HKEY_USERS (1 IoC)
  Processes: mssecsvc.exe
    description  ioc                                                                               process
    Key created  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings  mssecsvc.exe
- Suspicious use of WriteProcessMemory (11 IoCs)
  Processes: rundll32.exe, rundll32.exe
    description                       pid   process       target process
    PID 2328 wrote to memory of 1708  2328  rundll32.exe  rundll32.exe
    PID 2328 wrote to memory of 1708  2328  rundll32.exe  rundll32.exe
    PID 2328 wrote to memory of 1708  2328  rundll32.exe  rundll32.exe
    PID 2328 wrote to memory of 1708  2328  rundll32.exe  rundll32.exe
    PID 2328 wrote to memory of 1708  2328  rundll32.exe  rundll32.exe
    PID 2328 wrote to memory of 1708  2328  rundll32.exe  rundll32.exe
    PID 2328 wrote to memory of 1708  2328  rundll32.exe  rundll32.exe
    PID 1708 wrote to memory of 1740  1708  rundll32.exe  mssecsvc.exe
    PID 1708 wrote to memory of 1740  1708  rundll32.exe  mssecsvc.exe
    PID 1708 wrote to memory of 1740  1708  rundll32.exe  mssecsvc.exe
    PID 1708 wrote to memory of 1740  1708  rundll32.exe  mssecsvc.exe
Processes
- C:\Windows\system32\rundll32.exe (PID 2328)
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\18199888d6cc03fa3b1adee22012c083_JaffaCakes118.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (PID 1708)
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\18199888d6cc03fa3b1adee22012c083_JaffaCakes118.dll,#1
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    - C:\WINDOWS\mssecsvc.exe (PID 1740)
      command line: C:\WINDOWS\mssecsvc.exe
      - Executes dropped EXE
      - Drops file in Windows directory
      - C:\WINDOWS\tasksche.exe (PID 2916)
        command line: C:\WINDOWS\tasksche.exe /i
        - Executes dropped EXE
- C:\WINDOWS\mssecsvc.exe (PID 2892)
  command line: C:\WINDOWS\mssecsvc.exe -m security
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Windows\mssecsvc.exe
  Filesize: 3.6MB
  MD5: 593c3b4a49cfdb31b496163dd21310c2
  SHA1: 46edae6e9d6ad7f129570562f82500acb63362f1
  SHA256: 9cada52102762c4840cf59a4d1134a36a5aefb3b21d1736a5cbc95d9ff47db6e
  SHA512: 4546b0084e47fc8a126ff4b1027134c22d268e09328e761fc0591d7f2e30f5fd0a7118bccb7d0bbc786413a54c354d3c04ff86d0617792178dfd1e5427f5036c
- C:\Windows\tasksche.exe
  Filesize: 3.4MB
  MD5: 7414f3e8a6a4b3b0c37e517b15f17d62
  SHA1: 9916d2a510ebb40d021228dacc8edf62677ce231
  SHA256: c84a232eb09167445e9a9acf70183cc15a9d710c7a2bdf650eac1e392823f194
  SHA512: 96d42fa67d033907ff090feb6b27d9838e6d6612b53c679ffdc76db05a899ecfc35c9405148103385a277cbb164e200b3a39c746ebbc7d489801dcd08829875e