Analysis
- max time kernel: 150s
- max time network: 150s
- platform: windows7_x64
- resource: win7-20240508-en
- resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
- submitted: 13-05-2024 21:01
Static task: static1
Behavioral task: behavioral1
- Sample: 3c8dec19fbfc6fae8b1761ff05ef9bb7_JaffaCakes118.dll
- Resource: win7-20240508-en
Behavioral task: behavioral2
- Sample: 3c8dec19fbfc6fae8b1761ff05ef9bb7_JaffaCakes118.dll
- Resource: win10v2004-20240226-en
General
- Target: 3c8dec19fbfc6fae8b1761ff05ef9bb7_JaffaCakes118.dll
- Size: 5.0MB
- MD5: 3c8dec19fbfc6fae8b1761ff05ef9bb7
- SHA1: 5666db57416922573fc322175449a1845a7b4b23
- SHA256: eedc35220eca2721d582c7dc3ec15e71d8e9f8edeedbd402b93bc27834d6d796
- SHA512: ea6a61f59bedafaca9d1f12978a145ee0dba53c700870f706b1a71e6b72eac902a36d4c9fe2d4532f2d397171e3a67d9b2f8feae5a0941b6fab8f19fcaa2a5be
- SSDEEP: 98304:T8qPoBhz1aRxcSUDk36SAJ593R8yAVp2H:T8qPe1Cxcxk3ZAJzR8yc4H
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.
- Contacts a large (3233) amount of remote hosts (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Executes dropped EXE (3 IoCs)
  Processes: mssecsvc.exe, mssecsvc.exe, tasksche.exe
  pid   process
  2068  mssecsvc.exe
  2692  mssecsvc.exe
  2648  tasksche.exe
- Creates a large amount of network flows (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Drops file in System32 directory (1 IoCs)
  Processes: mssecsvc.exe
  description                  ioc                                                                                                                       process
  File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat            mssecsvc.exe
- Drops file in Windows directory (2 IoCs)
  Processes: rundll32.exe, mssecsvc.exe
  description   ioc                       process
  File created  C:\WINDOWS\mssecsvc.exe   rundll32.exe
  File created  C:\WINDOWS\tasksche.exe   mssecsvc.exe
- Modifies data under HKEY_USERS (1 IoCs)
  Processes: mssecsvc.exe
  description  ioc                                                                                 process
  Key created  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings  mssecsvc.exe
- Suspicious use of WriteProcessMemory (11 IoCs)
  Processes: rundll32.exe, rundll32.exe
  description                        pid   process       target process
  PID 2432 wrote to memory of 2132   2432  rundll32.exe  rundll32.exe
  PID 2432 wrote to memory of 2132   2432  rundll32.exe  rundll32.exe
  PID 2432 wrote to memory of 2132   2432  rundll32.exe  rundll32.exe
  PID 2432 wrote to memory of 2132   2432  rundll32.exe  rundll32.exe
  PID 2432 wrote to memory of 2132   2432  rundll32.exe  rundll32.exe
  PID 2432 wrote to memory of 2132   2432  rundll32.exe  rundll32.exe
  PID 2432 wrote to memory of 2132   2432  rundll32.exe  rundll32.exe
  PID 2132 wrote to memory of 2068   2132  rundll32.exe  mssecsvc.exe
  PID 2132 wrote to memory of 2068   2132  rundll32.exe  mssecsvc.exe
  PID 2132 wrote to memory of 2068   2132  rundll32.exe  mssecsvc.exe
  PID 2132 wrote to memory of 2068   2132  rundll32.exe  mssecsvc.exe
Processes
- C:\Windows\system32\rundll32.exe (depth 1)
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\3c8dec19fbfc6fae8b1761ff05ef9bb7_JaffaCakes118.dll,#1
  - Suspicious use of WriteProcessMemory
  PID: 2432
  - C:\Windows\SysWOW64\rundll32.exe (depth 2)
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\3c8dec19fbfc6fae8b1761ff05ef9bb7_JaffaCakes118.dll,#1
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    PID: 2132
    - C:\WINDOWS\mssecsvc.exe (depth 3)
      Command line: C:\WINDOWS\mssecsvc.exe
      - Executes dropped EXE
      - Drops file in Windows directory
      PID: 2068
      - C:\WINDOWS\tasksche.exe (depth 4)
        Command line: C:\WINDOWS\tasksche.exe /i
        - Executes dropped EXE
        PID: 2648
- C:\WINDOWS\mssecsvc.exe (depth 1)
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  PID: 2692
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Windows\mssecsvc.exe
  Filesize: 3.6MB
  MD5: 24d01f3bfa891781d1623c620b1163af
  SHA1: 024792ae67ec3a0aba77a6f17011f9812a8c26d7
  SHA256: 7423e629da7e389dd48c3b5b8c835c0a2a9b0c9844c72c28185859a29ccd4f23
  SHA512: e9d4dd88c5d1479e3b1ec20e82d51669a8daa64221ca5576186196439fa751b61e3165aba7f5893ec2777e830d104efad531230a0969a6589fc76c694765bad7
- C:\Windows\tasksche.exe
  Filesize: 3.4MB
  MD5: 965fb58a6ecdfbc341d734b961ec6169
  SHA1: d92dfcac42429de61564eb5827c6b5f40aba4421
  SHA256: 5a1290f0da419e81ecb1dad3729747d20753e49ca106cf160f602f4e47f137bf
  SHA512: 51f5fb4bfadd3de70d83f4c9809ca3b7acc343dd7a7f12873c3bacb18800795cb8992e2186eab288d1f5d0178e7e7368a14ea59d7494b98ea36ad35714033c2c