Analysis
max time kernel: 150s
max time network: 150s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 29-05-2024 04:51
Static task: static1
Behavioral task: behavioral1
Sample: 7f8b1fb9dfd7affb5397d60de882f40f_JaffaCakes118.dll
Resource: win7-20240221-en
Behavioral task: behavioral2
Sample: 7f8b1fb9dfd7affb5397d60de882f40f_JaffaCakes118.dll
Resource: win10v2004-20240508-en
General
Target: 7f8b1fb9dfd7affb5397d60de882f40f_JaffaCakes118.dll
Size: 5.0MB
MD5: 7f8b1fb9dfd7affb5397d60de882f40f
SHA1: a244f82a423578890ad2d2457772dbfeed370f02
SHA256: fc655593cfd12dc5d0a6d1c7b683da3c4981d584182385e36ec18df7dc4bf382
SHA512: fc21cb592bc67fb9fa85eeb265158b495ee8c491092055e17a88e80d8c4021c1a8781068b1e993802b6813927d38bcfe568bba3e862c66075dd79e82c248b1dc
SSDEEP: 98304:d8qPoBhz1aRxcSUDk36SAEdhvxWaS5P3z+lcCcu0RCvlsPsWvM7/Yp:d8qPe1Cxcxk3ZAEUaGtjk3
Malware Config
Signatures

Wannacry
WannaCry is a ransomware cryptoworm.

Contacts a large (3180) amount of remote hosts (1 TTPs)
This may indicate a network scan to discover remotely running services.

Executes dropped EXE (3 IoCs)
Processes: mssecsvc.exe, mssecsvc.exe, tasksche.exe
pid  | process
2852 | mssecsvc.exe
2772 | mssecsvc.exe
2516 | tasksche.exe

Creates a large amount of network flows (1 TTPs)
This may indicate a network scan to discover remotely running services.

Drops file in System32 directory (1 IoCs)
Processes: mssecsvc.exe
description                  | ioc                                                                                                                              | process
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat | mssecsvc.exe

Drops file in Windows directory (2 IoCs)
Processes: mssecsvc.exe, rundll32.exe
description  | ioc                     | process
File created | C:\WINDOWS\tasksche.exe | mssecsvc.exe
File created | C:\WINDOWS\mssecsvc.exe | rundll32.exe

Modifies data under HKEY_USERS (1 IoCs)
Processes: mssecsvc.exe
description | ioc                                                                            | process
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings | mssecsvc.exe

Suspicious use of WriteProcessMemory (11 IoCs)
Processes: rundll32.exe, rundll32.exe
description                      | pid  | process      | target process
PID 2196 wrote to memory of 2792 | 2196 | rundll32.exe | rundll32.exe
PID 2196 wrote to memory of 2792 | 2196 | rundll32.exe | rundll32.exe
PID 2196 wrote to memory of 2792 | 2196 | rundll32.exe | rundll32.exe
PID 2196 wrote to memory of 2792 | 2196 | rundll32.exe | rundll32.exe
PID 2196 wrote to memory of 2792 | 2196 | rundll32.exe | rundll32.exe
PID 2196 wrote to memory of 2792 | 2196 | rundll32.exe | rundll32.exe
PID 2196 wrote to memory of 2792 | 2196 | rundll32.exe | rundll32.exe
PID 2792 wrote to memory of 2852 | 2792 | rundll32.exe | mssecsvc.exe
PID 2792 wrote to memory of 2852 | 2792 | rundll32.exe | mssecsvc.exe
PID 2792 wrote to memory of 2852 | 2792 | rundll32.exe | mssecsvc.exe
PID 2792 wrote to memory of 2852 | 2792 | rundll32.exe | mssecsvc.exe
Processes

Level 1: C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\7f8b1fb9dfd7affb5397d60de882f40f_JaffaCakes118.dll,#1
  PID: 2196
  - Suspicious use of WriteProcessMemory
  Level 2: C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\7f8b1fb9dfd7affb5397d60de882f40f_JaffaCakes118.dll,#1
    PID: 2792
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    Level 3: C:\WINDOWS\mssecsvc.exe
      Command line: C:\WINDOWS\mssecsvc.exe
      PID: 2852
      - Executes dropped EXE
      - Drops file in Windows directory
      Level 4: C:\WINDOWS\tasksche.exe
        Command line: C:\WINDOWS\tasksche.exe /i
        PID: 2516
        - Executes dropped EXE

Level 1: C:\WINDOWS\mssecsvc.exe
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  PID: 2772
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
Network
MITRE ATT&CK Enterprise v15
Downloads

C:\Windows\mssecsvc.exe
Filesize: 3.6MB
MD5: cea30218f594702c70e4a6e15d9e9a78
SHA1: 6b786193150fcf1352f5d8c1cb6195d953656968
SHA256: 2995189834a208f7cd479a449c70781cd7e8c44dd847f191cde69a4d4cca8f9d
SHA512: 1df7a3a59193329649659f668c87cb5c08f350139e6b222c719ee2f51c8d0e05d635c0c5acc60feb438ab932cd8e5b0cd7a4cb116f1a11de097c33e732d89446

C:\Windows\tasksche.exe
Filesize: 3.4MB
MD5: 7fa453ce95ec282b01d71493d7616ccc
SHA1: df52398d959e3a503c42c77b5e1c5701fafe6942
SHA256: 7ee6d5e894e0e69308dd02f6993c14efc4005c5c31708eaffe4bb1e09634efe2
SHA512: 21de6f6a4239da9e5fc654d6d87c2a722a69854d7bf233c0882f5c898aa6ce4e771327c600e2013dcc09c2a327c749a9ed1a759834a80c71b54ebc094818e3fb