Analysis
max time kernel: 150s
max time network: 155s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 18-05-2024 12:16
Static task: static1
Behavioral task: behavioral1
  Sample: 54abfdd9a04adff0c2fdffabaaa4b956_JaffaCakes118.dll
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 54abfdd9a04adff0c2fdffabaaa4b956_JaffaCakes118.dll
  Resource: win10v2004-20240508-en
General
Target: 54abfdd9a04adff0c2fdffabaaa4b956_JaffaCakes118.dll
Size: 5.0MB
MD5: 54abfdd9a04adff0c2fdffabaaa4b956
SHA1: 3c143da1fbb2e8420c593c7f66b9663f6f4df175
SHA256: 2e32e311c5bbed5be20077b6ae1fa61bc5059018f31eca3bcd8553676ead6978
SHA512: 08f73706b083685d8512e1dcf19676a02ca77954b6210672e08da5cd9e18220872fb90eb3fa3a7c944ea163e2d823d33f051704df86f7689f70ff278b26fe695
SSDEEP: 49152:JnjQqMSPbcBVQej/1INRx+TSqTdX1HkQo6SAARdhnvxJM0H9P:d8qPoBhz1aRxcSUDk36SAEdhvxWa9P
Malware Config
Signatures
-
Wannacry
WannaCry is a ransomware cryptoworm.
-
Contacts a large (3172) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Executes dropped EXE 3 IoCs
Processes:
  PID   Process
  3004  mssecsvc.exe
  2540  mssecsvc.exe
  2552  tasksche.exe
-
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Drops file in System32 directory 1 IoCs
Processes:
  File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat (mssecsvc.exe)
-
Drops file in Windows directory 2 IoCs
Processes:
  File created: C:\WINDOWS\mssecsvc.exe (rundll32.exe)
  File created: C:\WINDOWS\tasksche.exe (mssecsvc.exe)
-
Modifies data under HKEY_USERS 1 IoCs
Processes:
  Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings (mssecsvc.exe)
-
Suspicious use of WriteProcessMemory 11 IoCs
Processes:
  PID 1500 (rundll32.exe) wrote to memory of PID 2888 (rundll32.exe): recorded 7 times
  PID 2888 (rundll32.exe) wrote to memory of PID 3004 (mssecsvc.exe): recorded 4 times
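The two network signatures above ("Contacts a large (3172) amount of remote hosts" and "Creates a large amount of network flows") are a count of distinct destinations per process, not of bytes or connections. The following is an added example, not output of the sandbox and not code from the report: a sliding-window detector over flow records. The record layout `(timestamp, pid, image, dst_ip)`, the threshold of 100 hosts per 60 s, and the flow data (a /22 sweep from a process named like the report's `mssecsvc.exe`, plus a chatty benign client) are all constructed assumptions.

```python
"""Added example (not part of the sandbox report): a sliding-window detector for
a process that contacts many distinct remote hosts, the behaviour behind the
report's "Contacts a large amount of remote hosts" and "Creates a large amount
of network flows" signatures. Record layout, threshold and flow data are
assumptions constructed for illustration."""
from collections import Counter
from datetime import datetime, timedelta
from ipaddress import IPv4Network


def constructed_flows():
    """Constructed flow records: (timestamp, pid, image, dst_ip). Not real sandbox data."""
    base = datetime(2024, 5, 18, 12, 16, 0)
    flows = []
    # One process touching every host of a /22 once, about 30 s end to end (1022 hosts)
    for i, host in enumerate(IPv4Network("10.0.0.0/22").hosts()):
        flows.append((base + timedelta(milliseconds=30 * i), 2540,
                      r"C:\WINDOWS\mssecsvc.exe", str(host)))
    # A benign process talking repeatedly to a handful of hosts (40 flows, 5 hosts)
    for i in range(40):
        flows.append((base + timedelta(seconds=i), 1234,
                      r"C:\Program Files\browser\browser.exe", f"203.0.113.{i % 5 + 1}"))
    return flows


def detect_host_scans(flows, host_threshold=100, window=timedelta(seconds=60)):
    """Return {pid: summary} for processes that reach more than host_threshold
    distinct destination hosts inside any span of length `window`.

    Counting distinct hosts per window rather than total flows separates a sweep
    from a chatty-but-legitimate client: a browser may open hundreds of flows to
    a few hosts, while a scanner opens one flow each to hundreds of hosts."""
    per_proc = {}
    for ts, pid, image, dst in flows:
        per_proc.setdefault((pid, image), []).append((ts, dst))

    hits = {}
    for (pid, image), events in per_proc.items():
        events.sort()
        in_window = Counter()  # dst -> number of flows to it inside the current window
        left = 0
        peak = 0
        for ts, dst in events:
            in_window[dst] += 1
            # Advance the left edge until the window is at most `window` wide
            while events[left][0] < ts - window:
                old = events[left][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                left += 1
            peak = max(peak, len(in_window))
        if peak > host_threshold:
            hits[pid] = {
                "image": image,
                "peak_hosts_in_window": peak,
                "distinct_hosts": len({d for _, d in events}),
                "flows": len(events),
            }
    return hits


if __name__ == "__main__":
    for pid, info in detect_host_scans(constructed_flows()).items():
        print(f"PID {pid} {info['image']}: {info['distinct_hosts']} hosts, "
              f"{info['flows']} flows, peak {info['peak_hosts_in_window']} hosts per window")
```

On real telemetry the same function runs over NetFlow, Zeek `conn.log` or Sysmon event 3 records once they are mapped to the four-field tuple; the threshold should be tuned per environment, since vulnerability scanners and monitoring agents legitimately exceed it and need an allow-list by image path.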
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\54abfdd9a04adff0c2fdffabaaa4b956_JaffaCakes118.dll,#1
  PID: 1500
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\54abfdd9a04adff0c2fdffabaaa4b956_JaffaCakes118.dll,#1
    PID: 2888
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    - C:\WINDOWS\mssecsvc.exe
      Command line: C:\WINDOWS\mssecsvc.exe
      PID: 3004
      - Executes dropped EXE
      - Drops file in Windows directory
      - C:\WINDOWS\tasksche.exe
        Command line: C:\WINDOWS\tasksche.exe /i
        PID: 2552
        - Executes dropped EXE
- C:\WINDOWS\mssecsvc.exe
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  PID: 2540
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
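The process tree above is the host-side story of the sample: rundll32.exe loads the DLL by ordinal export `#1` from the user's Temp directory, the 32-bit rundll32.exe writes `C:\WINDOWS\mssecsvc.exe` and runs it, that process writes and runs `C:\WINDOWS\tasksche.exe /i`, and a second `mssecsvc.exe -m security` instance appears without a tracked parent. The following is an added example, not code from the report or the sandbox: it replays constructed Sysmon-style events modelled on the tree and the file IoCs, rebuilds the parent chain, and re-derives the "Executes dropped EXE" and "Drops file in Windows directory" counts. The event layout, the parent PIDs outside the tree (900 for the first rundll32.exe, 0 for the service-style instance) and the rule names are assumptions.

```python
"""Added example (not part of the sandbox report): reconstruct the execution
chain and re-derive three host-based signatures from constructed Sysmon-style
events. Event layout, rule names and the parent PIDs outside the report's tree
(900 and 0) are assumptions."""
import re

# Constructed events modelled on the process tree and file IoCs; not sandbox output.
DLL = r"C:\Users\Admin\AppData\Local\Temp\54abfdd9a04adff0c2fdffabaaa4b956_JaffaCakes118.dll"
EVENTS = [
    {"type": "process", "pid": 1500, "ppid": 900, "image": r"C:\Windows\system32\rundll32.exe",
     "cmdline": f"rundll32.exe {DLL},#1"},
    {"type": "process", "pid": 2888, "ppid": 1500, "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "cmdline": f"rundll32.exe {DLL},#1"},
    {"type": "file", "pid": 2888, "action": "created", "target": r"C:\WINDOWS\mssecsvc.exe"},
    {"type": "process", "pid": 3004, "ppid": 2888, "image": r"C:\WINDOWS\mssecsvc.exe",
     "cmdline": r"C:\WINDOWS\mssecsvc.exe"},
    {"type": "file", "pid": 3004, "action": "created", "target": r"C:\WINDOWS\tasksche.exe"},
    {"type": "process", "pid": 2552, "ppid": 3004, "image": r"C:\WINDOWS\tasksche.exe",
     "cmdline": r"C:\WINDOWS\tasksche.exe /i"},
    {"type": "process", "pid": 2540, "ppid": 0, "image": r"C:\WINDOWS\mssecsvc.exe",
     "cmdline": r"C:\WINDOWS\mssecsvc.exe -m security"},
    {"type": "file", "pid": 2540, "action": "modified",
     "target": r"C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat"},
]

# rundll32 invoked with an ordinal export ("<dll>,#N") rather than a named one
RUNDLL_ORDINAL = re.compile(r"rundll32(?:\.exe)?\s+(?P<dll>\S+\.dll),\s*#\d+", re.IGNORECASE)
USER_TEMP = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
# An .exe written directly into the Windows directory (one path component deep)
WINDOWS_DIR_EXE = re.compile(r"^[a-z]:\\windows\\[^\\]+\.exe$", re.IGNORECASE)


def process_table(events):
    """pid -> process-create event."""
    return {e["pid"]: e for e in events if e["type"] == "process"}


def lineage(procs, pid):
    """Parent chain, root first, stopping at a PID the table does not know."""
    chain, seen = [], set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        chain.append(pid)
        pid = procs[pid]["ppid"]
    return chain[::-1]


def triage(events):
    """Walk the events in order and return (rule, pid, detail) findings."""
    dropped = {}   # lower-cased path of a created file -> pid that created it
    findings = []
    for e in events:
        if e["type"] == "file":
            if e["action"] == "created":
                if WINDOWS_DIR_EXE.match(e["target"]):
                    findings.append(("drops_exe_in_windows_dir", e["pid"], e["target"]))
                dropped[e["target"].lower()] = e["pid"]
        else:
            m = RUNDLL_ORDINAL.search(e["cmdline"])
            if m and USER_TEMP.search(m.group("dll")):
                findings.append(("rundll32_ordinal_export_from_user_temp", e["pid"], m.group("dll")))
            # "Executes dropped EXE": the image was written earlier in the same trace
            dropper = dropped.get(e["image"].lower())
            if dropper is not None:
                findings.append(("executes_dropped_exe", e["pid"], f"dropped by PID {dropper}"))
    return findings


if __name__ == "__main__":
    procs = process_table(EVENTS)
    print("chain to tasksche.exe:", " -> ".join(str(p) for p in lineage(procs, 2552)))
    for rule, pid, detail in triage(EVENTS):
        print(f"{rule:40} PID {pid:<5} {detail}")
```

The dropped-file map is keyed by path, so the second `mssecsvc.exe` instance (PID 2540) is flagged as a dropped executable even though its parent is not in the trace, which is exactly how the report arrives at three "Executes dropped EXE" IoCs for two distinct files.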
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Windows\mssecsvc.exe
  Filesize: 3.6MB
  MD5: 798d5ad296ae696555dfc0abb0cd1707
  SHA1: c503fb426e4cd48803d5ad4f1a04fa1f6cd9e636
  SHA256: 1fd7013c515832aefb1110e237eb1048aca541f7008086ba915a4d1e95011497
  SHA512: 58fd36971df50a8b6f8297b456c9618774926aa31a06a701de0575d3756ee51e65ae8f4401b02133e309c2caa686e9c8cd354e2fbd15278151ef470e43fe422d
- C:\Windows\tasksche.exe
  Filesize: 3.4MB
  MD5: 3f95e01a2a689b9a4bd17a115540a5d7
  SHA1: c057ac5632916d49b3deeedf08d4e983e3871b9a
  SHA256: f335941ff4e55294337104ce908cc8b1e1fac6381eddcf5a6accb7fd0d3966b1
  SHA512: f666db04637f82b5490e9dc71d17d9cfb5c4f32352b02500a9481dae0d93efd782f22267e56bf3514f41f0fab9a23be6b244e3cc0aab7d02f52c753bb1c4276f