Analysis
- max time kernel: 150s
- max time network: 155s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 07-05-2024 16:39
Static task: static1
Behavioral task: behavioral1
- Sample: 2113c535e046ed03f5c5239b2e3212dd_JaffaCakes118.dll
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: 2113c535e046ed03f5c5239b2e3212dd_JaffaCakes118.dll
- Resource: win10v2004-20240426-en
General
- Target: 2113c535e046ed03f5c5239b2e3212dd_JaffaCakes118.dll
- Size: 5.0MB
- MD5: 2113c535e046ed03f5c5239b2e3212dd
- SHA1: 8e01eb6d2de7a37b5c35e4f2d5d31e989ac73176
- SHA256: d1195652fd33c83b3823e14f37c54bebc3a7724ca04f39520ca3dc39a0080f5c
- SHA512: fc4f4338a3edaa2ed308735b15d131aec149b0586d9c0fe48d988f34ba2f7fac21c9df5c50a138dbdebc8ff797b24d4ce529beb9b7595dc4b77c312d66d09caf
- SSDEEP: 98304:T8qPoBhz1aRxcSUDk36SAEdhvxWa9P593R8yAVp2s:T8qPe1Cxcxk3ZAEUadzR8yc4s
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.
- Contacts a large (3198) number of remote hosts (1 TTP)
  This may indicate a network scan to discover remotely running services.
- Executes dropped EXE (3 IoCs)
  pid | process
  1892 | mssecsvc.exe
  2252 | mssecsvc.exe
  2464 | tasksche.exe
- Creates a large number of network flows (1 TTP)
  This may indicate a network scan to discover remotely running services.
- Drops file in System32 directory (1 IoC)
  description | ioc | process
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat | mssecsvc.exe
- Drops file in Windows directory (2 IoCs)
  description | ioc | process
  File created | C:\WINDOWS\mssecsvc.exe | rundll32.exe
  File created | C:\WINDOWS\tasksche.exe | mssecsvc.exe
- Modifies data under HKEY_USERS (1 IoC)
  description | ioc | process
  Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings | mssecsvc.exe
- Suspicious use of WriteProcessMemory (11 IoCs)
  description | pid | process | target process
  PID 2696 wrote to memory of 1312 | 2696 | rundll32.exe | rundll32.exe (7 events)
  PID 1312 wrote to memory of 1892 | 1312 | rundll32.exe | mssecsvc.exe (4 events)
Processes
- C:\Windows\system32\rundll32.exe (PID 2696)
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\2113c535e046ed03f5c5239b2e3212dd_JaffaCakes118.dll,#1
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (PID 1312, child of 2696)
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\2113c535e046ed03f5c5239b2e3212dd_JaffaCakes118.dll,#1
    Signatures: Drops file in Windows directory; Suspicious use of WriteProcessMemory
    - C:\WINDOWS\mssecsvc.exe (PID 1892, child of 1312)
      Command line: C:\WINDOWS\mssecsvc.exe
      Signatures: Executes dropped EXE; Drops file in Windows directory
      - C:\WINDOWS\tasksche.exe (PID 2464, child of 1892)
        Command line: C:\WINDOWS\tasksche.exe /i
        Signatures: Executes dropped EXE
- C:\WINDOWS\mssecsvc.exe (PID 2252, separate root)
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  Signatures: Executes dropped EXE; Drops file in System32 directory; Modifies data under HKEY_USERS
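The signatures and process tree above describe a chain that is easy to turn into host-side detection logic: rundll32 loading the DLL by ordinal export (",#1"), executables written directly into C:\WINDOWS and then launched, and one process fanning out to thousands of distinct hosts. The following is an added example (not code from the sandbox or the report) that runs that logic over a constructed, Sysmon-style event list. PIDs, images, command lines, dropped paths and the 3198 host count are copied from the report; the parent PIDs 4 and 500 for the two root processes, the event ordering, the destination port 445 and the fan-out threshold of 100 are assumptions, not report data.

```python
"""Behavioural detection for the WannaCry chain shown in the report.

Added example, not part of the sandbox report. EVENTS is constructed by hand
to mirror the report's process tree, dropped files and host fan-out.
"""
import hashlib
import re
from collections import defaultdict

# SHA-256 of the dropped executables, from the report's Downloads section.
KNOWN_BAD_SHA256 = {
    "79bb6ae9f7c2f733d475970a12fb268a75a1b700ceb0c791f831732b72a83b88": "mssecsvc.exe",
    "837aa77b122962862d55e37c10f1544db08aaaf095d877e6265d7025334343b5": "tasksche.exe",
}

DLL = r"C:\Users\Admin\AppData\Local\Temp\2113c535e046ed03f5c5239b2e3212dd_JaffaCakes118.dll"

# Constructed events. Parent pids 4 and 500 for the two roots are assumed.
EVENTS = [
    {"kind": "process", "pid": 2696, "ppid": 4, "image": r"C:\Windows\system32\rundll32.exe",
     "cmd": f"rundll32.exe {DLL},#1"},
    {"kind": "process", "pid": 1312, "ppid": 2696, "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "cmd": f"rundll32.exe {DLL},#1"},
    {"kind": "file", "pid": 1312, "path": r"C:\WINDOWS\mssecsvc.exe"},
    {"kind": "process", "pid": 1892, "ppid": 1312, "image": r"C:\WINDOWS\mssecsvc.exe",
     "cmd": r"C:\WINDOWS\mssecsvc.exe"},
    {"kind": "file", "pid": 1892, "path": r"C:\WINDOWS\tasksche.exe"},
    {"kind": "process", "pid": 2464, "ppid": 1892, "image": r"C:\WINDOWS\tasksche.exe",
     "cmd": r"C:\WINDOWS\tasksche.exe /i"},
    {"kind": "process", "pid": 2252, "ppid": 500, "image": r"C:\WINDOWS\mssecsvc.exe",
     "cmd": r"C:\WINDOWS\mssecsvc.exe -m security"},
]
# 3198 distinct destinations (the report's count); port 445 is assumed, not from the report.
EVENTS += [{"kind": "net", "pid": 2252, "dst": f"10.0.{i >> 8}.{i & 255}", "dport": 445}
           for i in range(3198)]

ORDINAL_EXPORT = re.compile(r",#\d+\s*$")  # rundll32 <dll>,#N  (export by ordinal)


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def processes(events):
    return {e["pid"]: e for e in events if e["kind"] == "process"}


def ancestry(events, pid):
    """Pids from the root of the known tree down to `pid`, inclusive."""
    procs = processes(events)
    chain = []
    while pid in procs:
        chain.append(pid)
        pid = procs[pid]["ppid"]
    return chain[::-1]


def executed_dropped_exes(events):
    """'Executes dropped EXE': processes whose image was written by an earlier file event."""
    dropped, hits = set(), []
    for e in events:
        if e["kind"] == "file":
            dropped.add(e["path"].lower())
        elif e["kind"] == "process" and e["image"].lower() in dropped:
            hits.append(e["pid"])
    return hits


def windows_root_drops(events):
    """'Drops file in Windows directory': files created directly under C:\\WINDOWS\\."""
    return [(e["pid"], e["path"]) for e in events
            if e["kind"] == "file" and re.fullmatch(r"c:\\windows\\[^\\]+", e["path"].lower())]


def wannacry_chains(events):
    """tasksche.exe spawned by mssecsvc.exe under a rundll32 that loaded a DLL by ordinal."""
    procs, found = processes(events), []
    for pid, p in procs.items():
        if _basename(p["image"]) != "tasksche.exe":
            continue
        chain = ancestry(events, pid)
        names = [_basename(procs[q]["image"]) for q in chain]
        by_ordinal = any(n == "rundll32.exe" and ORDINAL_EXPORT.search(procs[q]["cmd"])
                         for n, q in zip(names, chain))
        if by_ordinal and names[-2:] == ["mssecsvc.exe", "tasksche.exe"]:
            found.append(chain)
    return found


def host_fanout(events, threshold=100):
    """'Contacts a large amount of remote hosts': distinct destinations per pid >= threshold."""
    dsts = defaultdict(set)
    for e in events:
        if e["kind"] == "net":
            dsts[e["pid"]].add(e["dst"])
    return {pid: len(s) for pid, s in dsts.items() if len(s) >= threshold}


def classify_by_hash(data: bytes):
    """Name a recovered file via the report's SHA-256 list, or None if unknown."""
    return KNOWN_BAD_SHA256.get(hashlib.sha256(data).hexdigest())


if __name__ == "__main__":
    print("dropped-and-executed pids:", executed_dropped_exes(EVENTS))
    print("files dropped in C:\\WINDOWS:", windows_root_drops(EVENTS))
    print("rundll32 -> mssecsvc -> tasksche chains:", wannacry_chains(EVENTS))
    print("host fan-out above threshold:", host_fanout(EVENTS))
```

The chain check deliberately keys on structure (ordinal-export rundll32 ancestor, dropped binary in the Windows root, mssecsvc.exe spawning tasksche.exe) rather than on the file names alone, so a renamed dropper still trips the windows_root_drops and host_fanout rules; the hash lookup is only for confirming a recovered file against the report.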
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\WINDOWS\mssecsvc.exe
  Filesize: 3.6MB
  MD5: fa43565cb2d9f067d82f38e4e0f3b261
  SHA1: 6b6353a45a88725f61ad679b8530eb93177ff7b9
  SHA256: 79bb6ae9f7c2f733d475970a12fb268a75a1b700ceb0c791f831732b72a83b88
  SHA512: 32696cc93af620753eaed0c082fb5fa09fb641d34715b01b6ec2e1ef9576941e14be7886fc2f095075ca233b58f8777c68b9d045bbab5cf85c7b2fe72abe1233
- C:\Windows\tasksche.exe
  Filesize: 3.4MB
  MD5: b28af569881d85a183a91438bc35abb1
  SHA1: 857e19e8f2f9dd6c3a43f2defcf214fe116affca
  SHA256: 837aa77b122962862d55e37c10f1544db08aaaf095d877e6265d7025334343b5
  SHA512: 59614eba8868c06c159537bf594af154b56bb0f2f0c4ec09a104b5073526507e58836f3f16b454fa95327983359baf7e2f02ede4c597ab412be18dc574d26ec5