Analysis
max time kernel: 150s
max time network: 151s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 20-05-2024 10:29
Static task: static1
Behavioral task: behavioral1
  Sample: 5e997736a950b255b74def5a7090a310_JaffaCakes118.dll
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 5e997736a950b255b74def5a7090a310_JaffaCakes118.dll
  Resource: win10v2004-20240508-en
General
Target: 5e997736a950b255b74def5a7090a310_JaffaCakes118.dll
Size: 5.0MB
MD5: 5e997736a950b255b74def5a7090a310
SHA1: 01d77af04ac36e556b8638314687ba24a09063d1
SHA256: 1cb50e49a995d7b5fbc68ce0ad7c9c3f2a01d31e554ecd64d8a51f7511218fb5
SHA512: ed22894452f2277fb9f2a38049bfbfbbb9093a21dd4303a52e087a8b8ef65832ee211c080e93d82c3319578547ec35e59159a34128e5f981a3ca26eb968fe539
SSDEEP: 98304:d8qpz1aRxcSUDk36SAEdhvxWa9P593R8yAVp2H:d8qB1Cxcxk3ZAEUadzR8yc4H
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.
- Contacts a large (3267) amount of remote hosts (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Executes dropped EXE (3 IoCs)
  Processes: mssecsvc.exe, mssecsvc.exe, tasksche.exe
    pid   process
    3040  mssecsvc.exe
    2636  mssecsvc.exe
    2488  tasksche.exe
- Creates a large amount of network flows (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Drops file in System32 directory (1 IoCs)
  Processes: mssecsvc.exe
    description                   ioc                                                                                                              process
    File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat  mssecsvc.exe
- Drops file in Windows directory (2 IoCs)
  Processes: rundll32.exe, mssecsvc.exe
    description   ioc                       process
    File created  C:\WINDOWS\mssecsvc.exe   rundll32.exe
    File created  C:\WINDOWS\tasksche.exe   mssecsvc.exe
- Modifies data under HKEY_USERS (1 IoCs)
  Processes: mssecsvc.exe
    description  ioc                                                                                  process
    Key created  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings  mssecsvc.exe
- Suspicious use of WriteProcessMemory (11 IoCs)
  Processes: rundll32.exe, rundll32.exe
    description                        pid   process       target process
    PID 2860 wrote to memory of 2076   2860  rundll32.exe  rundll32.exe   (7 entries)
    PID 2076 wrote to memory of 3040   2076  rundll32.exe  mssecsvc.exe   (4 entries)
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\5e997736a950b255b74def5a7090a310_JaffaCakes118.dll,#1
  - Suspicious use of WriteProcessMemory
  PID: 2860
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\5e997736a950b255b74def5a7090a310_JaffaCakes118.dll,#1
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    PID: 2076
    - C:\WINDOWS\mssecsvc.exe
      Command line: C:\WINDOWS\mssecsvc.exe
      - Executes dropped EXE
      - Drops file in Windows directory
      PID: 3040
      - C:\WINDOWS\tasksche.exe
        Command line: C:\WINDOWS\tasksche.exe /i
        - Executes dropped EXE
        PID: 2488
- C:\WINDOWS\mssecsvc.exe
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  PID: 2636
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 3.6MB
  MD5: a8ec421a7a0102eba7f116fb05a693b7
  SHA1: 9c8dd4295920870267037552b630be8a58c33d78
  SHA256: 277b166ce953a8126678354e7588e9437b3ac8863737334822c99b5719019f84
  SHA512: bd5f30c1eb2d7184ea71428448218848460e66f44d7a0a19b3c2f1c258b3772b6ff9a2886afcc4dbf29cd7382ec2da1913576a72c73f92b47dd39d5f08709e74
- Filesize: 3.4MB
  MD5: e5792ea0c32a7f959dff01c4a4a81d4e
  SHA1: 4e87d246e6b9c0c273af2dcbbc8187e6fbe17969
  SHA256: 4b5b2fd5c9c0720571b6d4a771b49f6ecadc2af1936b2addfd4bafd266dc989f
  SHA512: b8689cbc8c8006f26e23a37c9fda950829a3794f7b5e7c9fdcb09cead87d4c460d8b5144da31ab92ed207db008968edaa6e2b8aee2621399ba7db4c9d3023cf5