Analysis
-
max time kernel
148s -
max time network
154s -
platform
windows7_x64 -
resource
win7-20240215-en -
resource tags
arch:x64, arch:x86, image:win7-20240215-en, locale:en-us, os:windows7-x64, system -
submitted
20-05-2024 06:20
Static task
static1
Behavioral task
behavioral1
Sample
5d998a5df9477d27ee86f973d6830bb7_JaffaCakes118.dll
Resource
win7-20240215-en
Behavioral task
behavioral2
Sample
5d998a5df9477d27ee86f973d6830bb7_JaffaCakes118.dll
Resource
win10v2004-20240508-en
General
-
Target
5d998a5df9477d27ee86f973d6830bb7_JaffaCakes118.dll
-
Size
5.0MB
-
MD5
5d998a5df9477d27ee86f973d6830bb7
-
SHA1
15e3b5983a8a9c2cfa20fd36a78729fdaf187423
-
SHA256
00a532ea6e5196b20f5cebefbc4ac60f599e7ff2bfb18bc35ff16747f832d286
-
SHA512
c0352ada233320221de30360e6420dca0c160c1cc18188f07cbac8769c9176e5ceb32a3321df23787aef9630ccf31319df35bd339980c3cc558114a671e57637
-
SSDEEP
49152:JnjQqMSPbcBVQej/1INRx+TSqTdX1HkQo6SAARdhnvxJM0H9:d8qPoBhz1aRxcSUDk36SAEdhvxWa9
Malware Config
Signatures
-
Wannacry
WannaCry is a ransomware cryptoworm.
-
Contacts a large (3316) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Executes dropped EXE 3 IoCs
Processes:
pid  process
2860 mssecsvc.exe
2724 mssecsvc.exe
2560 tasksche.exe
-
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Drops file in System32 directory 1 IoCs
Processes:
description                  ioc                                                                                                                     process
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat mssecsvc.exe
-
Drops file in Windows directory 2 IoCs
Processes:
description  ioc                      process
File created C:\WINDOWS\mssecsvc.exe rundll32.exe
File created C:\WINDOWS\tasksche.exe mssecsvc.exe
-
Modifies data under HKEY_USERS 1 IoCs
Processes:
description ioc                                                                                  process
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings mssecsvc.exe
-
Suspicious use of WriteProcessMemory 11 IoCs
Processes:
description                  pid  process      target process
PID 2268 wrote to memory of 2848 rundll32.exe rundll32.exe
PID 2268 wrote to memory of 2848 rundll32.exe rundll32.exe
PID 2268 wrote to memory of 2848 rundll32.exe rundll32.exe
PID 2268 wrote to memory of 2848 rundll32.exe rundll32.exe
PID 2268 wrote to memory of 2848 rundll32.exe rundll32.exe
PID 2268 wrote to memory of 2848 rundll32.exe rundll32.exe
PID 2268 wrote to memory of 2848 rundll32.exe rundll32.exe
PID 2848 wrote to memory of 2860 rundll32.exe mssecsvc.exe
PID 2848 wrote to memory of 2860 rundll32.exe mssecsvc.exe
PID 2848 wrote to memory of 2860 rundll32.exe mssecsvc.exe
PID 2848 wrote to memory of 2860 rundll32.exe mssecsvc.exe
Processes
-
C:\Windows\system32\rundll32.exe (depth 1)
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\5d998a5df9477d27ee86f973d6830bb7_JaffaCakes118.dll,#1
  - Suspicious use of WriteProcessMemory
  PID:2268
  C:\Windows\SysWOW64\rundll32.exe (depth 2)
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\5d998a5df9477d27ee86f973d6830bb7_JaffaCakes118.dll,#1
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    PID:2848
    C:\WINDOWS\mssecsvc.exe (depth 3)
      C:\WINDOWS\mssecsvc.exe
      - Executes dropped EXE
      - Drops file in Windows directory
      PID:2860
      C:\WINDOWS\tasksche.exe (depth 4)
        C:\WINDOWS\tasksche.exe /i
        - Executes dropped EXE
        PID:2560
-
C:\WINDOWS\mssecsvc.exe (depth 1)
  C:\WINDOWS\mssecsvc.exe -m security
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  PID:2724
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
3.6MB
MD5 b470738dc26c68476823320a7ed1ad26
SHA1 c925d9146c06a4c326551f9f72dee41311e6e1b0
SHA256 93f46b8fc2962f4f1bfa7a27d05e99d1f366c08e7edbbc4a7fe8e06083164a5a
SHA512 c2c5849ab9dbb288c03c2b0f0f1d72e60b50c93a301e7b938862671ee8f63e365515ec05ed91b6576bd77a17bb58f395cfe5e636e9141e20887e921adb752c18
-
Filesize
3.4MB
MD5 e57ce751035627406f02ca25d01844ed
SHA1 150aa6ed9a5016aaad7cedb58912350f96f8b4bd
SHA256 0a4affd3a56be457cf12aad2f8f321cf2d7776f77c4deb4788940b32c0bafb55
SHA512 2b335bad9ca80ae3c193bd10ece3e83d1821341fc9b595c27286ba3f5148678fb1078a96348a7b7f3d0469b17896fac043331632754773d8b0166f4747c59fe4