Analysis
- max time kernel: 150s
- max time network: 150s
- platform: windows7_x64
- resource: win7-20240215-en
- resource tags: arch:x64, arch:x86, image:win7-20240215-en, locale:en-us, os:windows7-x64, system
- submitted: 13-05-2024 06:55
Static task
- static1
Behavioral task
- behavioral1
  Sample: 3e3f26dedf4198bae015c585b1c02d2e_JaffaCakes118.dll
  Resource: win7-20240215-en
Behavioral task
- behavioral2
  Sample: 3e3f26dedf4198bae015c585b1c02d2e_JaffaCakes118.dll
  Resource: win10v2004-20240508-en
General
- Target: 3e3f26dedf4198bae015c585b1c02d2e_JaffaCakes118.dll
- Size: 5.0MB
- MD5: 3e3f26dedf4198bae015c585b1c02d2e
- SHA1: 9f18ffe559436ad5436a576ceb29a6f7bc078312
- SHA256: 610196bdddf7c8e3c2a05e2c9894b84c1c20cbb2126bc9b7c930e05a6ac839f8
- SHA512: 01b5310e264e0c54f857929879c043c238e875c909858ee937c233f0ec239cbb43f790573126b8caf51788faf5d99521c84428c4809f849b0f18d5dc7fc94761
- SSDEEP: 98304:d8qPoBhMcSUDk36SAEdhvxWa9P593R8yAVp2H:d8qPFcxk3ZAEUadzR8yc4H
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.
- Contacts a large (3181) amount of remote hosts (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Executes dropped EXE (3 IoCs)
  Processes: mssecsvc.exe, mssecsvc.exe, tasksche.exe
  pid  | process
  2860 | mssecsvc.exe
  2680 | mssecsvc.exe
  2544 | tasksche.exe
- Creates a large amount of network flows (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Drops file in System32 directory (1 IoCs)
  Processes: mssecsvc.exe
  description | ioc | process
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat | mssecsvc.exe
- Drops file in Windows directory (2 IoCs)
  Processes: rundll32.exe, mssecsvc.exe
  description | ioc | process
  File created | C:\WINDOWS\mssecsvc.exe | rundll32.exe
  File created | C:\WINDOWS\tasksche.exe | mssecsvc.exe
- Modifies data under HKEY_USERS (1 IoCs)
  Processes: mssecsvc.exe
  description | ioc | process
  Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings | mssecsvc.exe
- Suspicious use of WriteProcessMemory (11 IoCs)
  Processes: rundll32.exe, rundll32.exe
  description | pid | process | target process
  PID 2268 wrote to memory of 2848 | 2268 | rundll32.exe | rundll32.exe
  PID 2268 wrote to memory of 2848 | 2268 | rundll32.exe | rundll32.exe
  PID 2268 wrote to memory of 2848 | 2268 | rundll32.exe | rundll32.exe
  PID 2268 wrote to memory of 2848 | 2268 | rundll32.exe | rundll32.exe
  PID 2268 wrote to memory of 2848 | 2268 | rundll32.exe | rundll32.exe
  PID 2268 wrote to memory of 2848 | 2268 | rundll32.exe | rundll32.exe
  PID 2268 wrote to memory of 2848 | 2268 | rundll32.exe | rundll32.exe
  PID 2848 wrote to memory of 2860 | 2848 | rundll32.exe | mssecsvc.exe
  PID 2848 wrote to memory of 2860 | 2848 | rundll32.exe | mssecsvc.exe
  PID 2848 wrote to memory of 2860 | 2848 | rundll32.exe | mssecsvc.exe
  PID 2848 wrote to memory of 2860 | 2848 | rundll32.exe | mssecsvc.exe
Processes
- C:\Windows\system32\rundll32.exe (PID 2268)
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\3e3f26dedf4198bae015c585b1c02d2e_JaffaCakes118.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (PID 2848)
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\3e3f26dedf4198bae015c585b1c02d2e_JaffaCakes118.dll,#1
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    - C:\WINDOWS\mssecsvc.exe (PID 2860)
      Command line: C:\WINDOWS\mssecsvc.exe
      - Executes dropped EXE
      - Drops file in Windows directory
      - C:\WINDOWS\tasksche.exe (PID 2544)
        Command line: C:\WINDOWS\tasksche.exe /i
        - Executes dropped EXE
- C:\WINDOWS\mssecsvc.exe (PID 2680)
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Windows\mssecsvc.exe
  Filesize: 3.6MB
  MD5: 14781bc48b690258f2913807d986e703
  SHA1: f0316cb8d00da6c3e87ab1d433289548328a7e48
  SHA256: acd476151d917bbe01bed15605156420c89cc951ca8e74620c552f627b97e349
  SHA512: 31ddc468dee81fdaf661321aa14a8c90f66407fc6835b3b90fe5948fb42ea0031c186a958a2fb4c978a14d6fb274161fc0ecaccdf170a7f9f1d88a4cde6ad738
- C:\Windows\tasksche.exe
  Filesize: 3.4MB
  MD5: 6b7a6acce1ea51fabbc8d73dbfc942ec
  SHA1: 3d162e9a395718ba30925b2873638da88d74a2fb
  SHA256: d3a9c84fbd4ce82d31979a75d36d4da004a6a8738c85f91b82cd7ffce403f838
  SHA512: 50c3895371238a9b610fac4f946464caa984edc4bd4a714669cfb80dea2a0c6bd0a74bb293bb85d28fae9724f2b50ff79b87e230d0d2585ff790ea12317a1657