Analysis
- max time kernel: 150s
- max time network: 150s
- platform: windows7_x64
- resource: win7-20240220-en
- resource tags: arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
- submitted: 18-05-2024 12:46
Static task: static1
Behavioral task: behavioral1
- Sample: 54c56d0ef889f68d72504783d10294e7_JaffaCakes118.dll
- Resource: win7-20240220-en
Behavioral task: behavioral2
- Sample: 54c56d0ef889f68d72504783d10294e7_JaffaCakes118.dll
- Resource: win10v2004-20240426-en
General
- Target: 54c56d0ef889f68d72504783d10294e7_JaffaCakes118.dll
- Size: 5.0MB
- MD5: 54c56d0ef889f68d72504783d10294e7
- SHA1: b425969a10d4c87cc5ee4fc13f7f1195955d5aa6
- SHA256: ed4239728df8dc6d90612bcfcf41dc40e4b633f8be4d668657ae39340f920b0a
- SHA512: f803493cf5c672acc2f05bd7bf72a578dee74a3c34415c2c770a63f7b6cfeb0a89b49b1d3a6e9fef52e56ca08c6b325e4493be38e63aff396a0bbba73b991118
- SSDEEP: 98304:d8qPoBhz1aRxcSUDk36SAEdhvxWa9wlZMgWZBcrGIH:d8qPe1Cxcxk3ZAEUaWWDcr3H
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.
- Contacts a large (3330) amount of remote hosts (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Executes dropped EXE (3 IoCs)
  Processes:
    pid   process
    1740  mssecsvc.exe
    2968  mssecsvc.exe
    2620  tasksche.exe
- Creates a large amount of network flows (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Drops file in System32 directory (1 IoCs)
  Processes:
    description                   ioc                                                                                                              process
    File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat  mssecsvc.exe
- Drops file in Windows directory (2 IoCs)
  Processes:
    description   ioc                      process
    File created  C:\WINDOWS\mssecsvc.exe  rundll32.exe
    File created  C:\WINDOWS\tasksche.exe  mssecsvc.exe
- Modifies data under HKEY_USERS (1 IoCs)
  Processes:
    description  ioc                                                                                 process
    Key created  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings  mssecsvc.exe
- Suspicious use of WriteProcessMemory (11 IoCs)
  Processes:
    description                       pid   process       target process
    PID 1656 wrote to memory of 1956  1656  rundll32.exe  rundll32.exe   (7 identical entries)
    PID 1956 wrote to memory of 1740  1956  rundll32.exe  mssecsvc.exe   (4 identical entries)
Processes
- C:\Windows\system32\rundll32.exe
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\54c56d0ef889f68d72504783d10294e7_JaffaCakes118.dll,#1
  signatures: Suspicious use of WriteProcessMemory
  PID: 1656
  - C:\Windows\SysWOW64\rundll32.exe
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\54c56d0ef889f68d72504783d10294e7_JaffaCakes118.dll,#1
    signatures: Drops file in Windows directory; Suspicious use of WriteProcessMemory
    PID: 1956
    - C:\WINDOWS\mssecsvc.exe
      command line: C:\WINDOWS\mssecsvc.exe
      signatures: Executes dropped EXE; Drops file in Windows directory
      PID: 1740
      - C:\WINDOWS\tasksche.exe
        command line: C:\WINDOWS\tasksche.exe /i
        signatures: Executes dropped EXE
        PID: 2620
- C:\WINDOWS\mssecsvc.exe
  command line: C:\WINDOWS\mssecsvc.exe -m security
  signatures: Executes dropped EXE; Drops file in System32 directory; Modifies data under HKEY_USERS
  PID: 2968
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Windows\mssecsvc.exe
  Filesize: 3.6MB
  MD5: 02aebba06116263626b1f626bf33dff4
  SHA1: ab8cbc5216005a30c6a64dc58f51464f9583284e
  SHA256: 999e9890225311df9d19413fde15a42c379b47f2300f75b8dea06e2c0ab77902
  SHA512: 17c9cb46f89216b7856688dcd4efcdeb13b50f66d47ce05ca88521a9301b14d4648703529388fd8894e15cedc4a7fb84c19bf5b45686db589cdc179b1ebb174d
- C:\Windows\tasksche.exe
  Filesize: 3.4MB
  MD5: 0a8efd54f829757467cadc2b5a83fa73
  SHA1: fc4490d4e554ed5edce7c7f9a7e7f9419e9a9be6
  SHA256: 6fb1859461314056a999048d5a5f95b1c0f1c511625e6b2dd3996d8836208b40
  SHA512: bcc8ce611c9172976dd9b38f4f16659713e87f1308aca6f53a597d06ada64ccf23c4ab107a816a145b07dc438af2b9e8f7733b9b88c2ae38800f12a7cbae06b4