Analysis
- max time kernel: 150s
- max time network: 150s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 07-05-2024 23:41

Static task: static1

Behavioral task: behavioral1
- Sample: 223d7dbf628db2fc3ab829db72f5ea43_JaffaCakes118.dll
- Resource: win7-20240221-en

Behavioral task: behavioral2
- Sample: 223d7dbf628db2fc3ab829db72f5ea43_JaffaCakes118.dll
- Resource: win10v2004-20240419-en
General
- Target: 223d7dbf628db2fc3ab829db72f5ea43_JaffaCakes118.dll
- Size: 5.0MB
- MD5: 223d7dbf628db2fc3ab829db72f5ea43
- SHA1: 086dd22cf8dba48e49384f2d5f62a8a19651cbb2
- SHA256: 0aa2c452f9bcf294c06022dfb58c6a524b77e97deb89b1e2bc7eba1cc7af357a
- SHA512: af8a44d512156296089f95d329e45e1ba50d9d52c970d69dcaa667c433593727910b1c36f46c850f0820a4e9885c63bb9a4adf31af8672f7316ea3df5b4080cc
- SSDEEP: 98304:+8qPoBhz1aRxcSUDk36SAEdhvxWa9D593R8yAVp2H:+8qPe1Cxcxk3ZAEUadzR8yc4H
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.

- Contacts a large number (3153) of remote hosts (1 TTP)
  This may indicate a network scan to discover remotely running services.

- Executes dropped EXE (3 IoCs)
  Processes (pid, process):
  1952 mssecsvc.exe
  2484 mssecsvc.exe
  2516 tasksche.exe

- Creates a large amount of network flows (1 TTP)
  This may indicate a network scan to discover remotely running services.

- Drops file in System32 directory (1 IoC)
  Processes (description, ioc, process):
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat | mssecsvc.exe

- Drops file in Windows directory (2 IoCs)
  Processes (description, ioc, process):
  File created | C:\WINDOWS\mssecsvc.exe | rundll32.exe
  File created | C:\WINDOWS\tasksche.exe | mssecsvc.exe

- Modifies data under HKEY_USERS (1 IoC)
  Processes (description, ioc, process):
  Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings | mssecsvc.exe

- Suspicious use of WriteProcessMemory (11 IoCs)
  Processes (description, pid, process, target process):
  PID 2136 wrote to memory of 2124 | 2136 | rundll32.exe | rundll32.exe
  PID 2136 wrote to memory of 2124 | 2136 | rundll32.exe | rundll32.exe
  PID 2136 wrote to memory of 2124 | 2136 | rundll32.exe | rundll32.exe
  PID 2136 wrote to memory of 2124 | 2136 | rundll32.exe | rundll32.exe
  PID 2136 wrote to memory of 2124 | 2136 | rundll32.exe | rundll32.exe
  PID 2136 wrote to memory of 2124 | 2136 | rundll32.exe | rundll32.exe
  PID 2136 wrote to memory of 2124 | 2136 | rundll32.exe | rundll32.exe
  PID 2124 wrote to memory of 1952 | 2124 | rundll32.exe | mssecsvc.exe
  PID 2124 wrote to memory of 1952 | 2124 | rundll32.exe | mssecsvc.exe
  PID 2124 wrote to memory of 1952 | 2124 | rundll32.exe | mssecsvc.exe
  PID 2124 wrote to memory of 1952 | 2124 | rundll32.exe | mssecsvc.exe
Processes (process tree; indentation shows parent/child relationship)
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\223d7dbf628db2fc3ab829db72f5ea43_JaffaCakes118.dll,#1
  PID: 2136
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\223d7dbf628db2fc3ab829db72f5ea43_JaffaCakes118.dll,#1
    PID: 2124
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    - C:\WINDOWS\mssecsvc.exe
      Command line: C:\WINDOWS\mssecsvc.exe
      PID: 1952
      - Executes dropped EXE
      - Drops file in Windows directory
      - C:\WINDOWS\tasksche.exe
        Command line: C:\WINDOWS\tasksche.exe /i
        PID: 2516
        - Executes dropped EXE
- C:\WINDOWS\mssecsvc.exe
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  PID: 2484
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Windows\mssecsvc.exe
  Filesize: 3.6MB
  MD5: e692b1e8267d94e8ff5d0d1e3e50dcc6
  SHA1: d74391ffefd682a035df83e6cf35fcbcea3251bc
  SHA256: cad5ef851c6cae5e641981e03a42864522f39b1fe5b55ac0963e6e5ee4e00595
  SHA512: 2ea4c1355970cd8ee6b655c10276c15b406702f80d9ce46a96dd3df8d629947e39ca8570ca9d849f65eaee9fe45f5eb04bd21f988cfb517500ff7e0f9e486f4c

- C:\Windows\tasksche.exe
  Filesize: 3.4MB
  MD5: 9c03498aff7cbc27c20821569163c537
  SHA1: 0aef7213966dd19090e61097b47194fe168a8422
  SHA256: 5cd6bcb86ee8bd40af3bfdf44bcb1b90caaa4a9656bc8d0cd6615cbc3c0b24bc
  SHA512: b716e63bb3990cd49ca8891df841ea82dd3c193a58f4f6e1dceed5c5912b4e9e26d910dfb9c1907002f72d11da681f2170e31c100cd0ee3e7ba0e46a11b417a1