Analysis
- max time kernel: 150s
- max time network: 150s
- platform: windows7_x64
- resource: win7-20240215-en
- resource tags: arch:x64, arch:x86, image:win7-20240215-en, locale:en-us, os:windows7-x64, system
- submitted: 30-05-2024 05:23
Static task: static1
Behavioral task: behavioral1
- Sample: 832698afef735df491267821aef061d7_JaffaCakes118.dll
- Resource: win7-20240215-en
Behavioral task: behavioral2
- Sample: 832698afef735df491267821aef061d7_JaffaCakes118.dll
- Resource: win10v2004-20240426-en
General
- Target: 832698afef735df491267821aef061d7_JaffaCakes118.dll
- Size: 5.0MB
- MD5: 832698afef735df491267821aef061d7
- SHA1: 1f5a1f597e81341a6851758992485933e9e66c83
- SHA256: 06b170c03a56757ebce660e26415507029b58282cfd9291b73961ecfcedea3e8
- SHA512: c49b132d23d47e9d5212d2fc31394b2dc518e73b75c97da5ef38dd4aab4d0b5d93250c9f7a8faef5890b01f614dbf0e9ee6e1ebd2de99a5f45160fd05c861408
- SSDEEP: 98304:d8qPoBhz1aRxcSUDk36SAEdhvxWa9AT3R8yAVp2H:d8qPe1Cxcxk3ZAEUa6R8yc4H
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.
- Contacts a large (3267) number of remote hosts (1 TTP)
  This may indicate a network scan to discover remotely running services.
- Executes dropped EXE (3 IoCs)
  Processes:
    PID   Process
    2212  mssecsvc.exe
    1964  mssecsvc.exe
    2608  tasksche.exe
- Creates a large number of network flows (1 TTP)
  This may indicate a network scan to discover remotely running services.
- Drops file in System32 directory (1 IoC)
  Processes:
    Description                   IoC                                                                                                            Process
    File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat  mssecsvc.exe
  Note: counters.dat under the systemprofile's Temporary Internet Files is a WinINet cache file, written when a 32-bit process running as LocalSystem initialises WinINet (hence the SysWOW64 path). Together with the HKEY_USERS\.DEFAULT Internet Settings key below it indicates an HTTP request from the service-mode instance, not a dropped payload.
- Drops file in Windows directory (2 IoCs)
  Processes:
    Description   IoC                      Process
    File created  C:\WINDOWS\mssecsvc.exe  rundll32.exe
    File created  C:\WINDOWS\tasksche.exe  mssecsvc.exe
- Modifies data under HKEY_USERS (1 IoC)
  Processes:
    Description  IoC                                                                                  Process
    Key created  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings  mssecsvc.exe
- Suspicious use of WriteProcessMemory (11 IoCs)
  Processes:
    PID 2328 (rundll32.exe) wrote to memory of PID 2420 (rundll32.exe): 7 events
    PID 2420 (rundll32.exe) wrote to memory of PID 2212 (mssecsvc.exe): 4 events
  Note: in both cases the writer is the direct parent of the target, so these are writes into a freshly created child rather than injection into an unrelated process; check the parent-child relationships in the process tree before treating this signature as injection.
Processes
- C:\Windows\system32\rundll32.exe (PID 2328)
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\832698afef735df491267821aef061d7_JaffaCakes118.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (PID 2420)
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\832698afef735df491267821aef061d7_JaffaCakes118.dll,#1
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    - C:\WINDOWS\mssecsvc.exe (PID 2212)
      Command line: C:\WINDOWS\mssecsvc.exe
      - Executes dropped EXE
      - Drops file in Windows directory
      - C:\WINDOWS\tasksche.exe (PID 2608)
        Command line: C:\WINDOWS\tasksche.exe /i
        - Executes dropped EXE
- C:\WINDOWS\mssecsvc.exe (PID 1964)
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS

Notes on the tree: ",#1" tells rundll32 to call the DLL's export with ordinal 1. The 64-bit rundll32.exe in system32 cannot load a 32-bit DLL, so it re-launches the SysWOW64 rundll32.exe with the same arguments (the WriteProcessMemory events from 2328 into 2420 belong to that hand-off); the WoW64 instance is the one that writes mssecsvc.exe to C:\WINDOWS and runs it. The second mssecsvc.exe (PID 1964, "-m security") has no recorded parent in the tree, consistent with being started as a service rather than by the dropper chain.
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Windows\mssecsvc.exe
  Filesize: 3.6MB
  MD5: be5318c1fcfc50c199ae54239a51dc05
  SHA1: 6db81d8749517cdfe28c29919c4c0f188e08d0eb
  SHA256: 943222ee219668db517c449fed6959c1fcbaae84861a5606387599cb9647d5ec
  SHA512: 2cb16c53366dee7c40085f7b3633b58c97dbf890d75af56d4ff6e4f1b1f70ef762a52b7edec9f9cd14f2d97efc80a3b72ebbee8ab844c79be992cccbb6b713fe
- C:\Windows\tasksche.exe
  Filesize: 3.4MB
  MD5: 5612a496dd2a38bcb41bdf2948354fe3
  SHA1: 6cd72e7cb9424e2b2492b4d39069288ee17fa9f8
  SHA256: 858e56839a7ef43fbd0a878a4959f6c41781d84866f853a49e4cda89b4073097
  SHA512: ccc72f01518423f3fec76131a7fb97cd4dd310e7de8f654d8dec89534b66cba19f5ef4ac100223eca063fc524f437f2324518ce002955ca6e50dfc2a717325b2
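Triage checks built from the Signatures, Processes and Downloads sections above, as an added example: this is not the sandbox's own tooling and not code from the sample. It transcribes the process tree into records, matches the rundll32-to-service chain with plain predicates over each process and its recorded ancestors, and compares SHA256 values of files recovered from a host against the dropped-file hashes listed under Downloads. The rule names, the user-Temp-directory check and the match/mismatch/unexpected/missing labels are this example's own choices.

```python
"""Triage checks derived from the sandbox report above (added example).
Process records and SHA256 values are transcribed from the report; the
rule names and status labels are this example's own."""
import hashlib
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class Proc:
    pid: int
    image: str
    cmdline: str
    parent: Optional[int]  # None: no parent recorded in the tree


DLL = r"C:\Users\Admin\AppData\Local\Temp\832698afef735df491267821aef061d7_JaffaCakes118.dll"

# Transcribed from the Processes section of the report.
PROCESSES: List[Proc] = [
    Proc(2328, r"C:\Windows\system32\rundll32.exe", f"rundll32.exe {DLL},#1", None),
    Proc(2420, r"C:\Windows\SysWOW64\rundll32.exe", f"rundll32.exe {DLL},#1", 2328),
    Proc(2212, r"C:\WINDOWS\mssecsvc.exe", r"C:\WINDOWS\mssecsvc.exe", 2420),
    Proc(2608, r"C:\WINDOWS\tasksche.exe", r"C:\WINDOWS\tasksche.exe /i", 2212),
    Proc(1964, r"C:\WINDOWS\mssecsvc.exe", r"C:\WINDOWS\mssecsvc.exe -m security", None),
]

# SHA256 of the dropped files as listed under Downloads, keyed by basename.
REPORTED_DROPS: Dict[str, str] = {
    "mssecsvc.exe": "943222ee219668db517c449fed6959c1fcbaae84861a5606387599cb9647d5ec",
    "tasksche.exe": "858e56839a7ef43fbd0a878a4959f6c41781d84866f853a49e4cda89b4073097",
}


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def ancestors(procs: Dict[int, Proc], pid: int) -> List[Proc]:
    """Parent chain of pid, nearest first; stops where no parent is recorded."""
    chain: List[Proc] = []
    cur = procs[pid].parent
    while cur is not None and cur in procs:
        chain.append(procs[cur])
        cur = procs[cur].parent
    return chain


def find_wannacry_chain(processes: List[Proc]) -> List[Tuple[str, int]]:
    """(rule, pid) pairs for the dropper -> worm -> installer -> service sequence.
    Each rule looks at one process and its ancestors, so extra processes in a
    larger tree do not break the match."""
    procs = {p.pid: p for p in processes}
    hits: List[Tuple[str, int]] = []
    for p in processes:
        name = basename(p.image)
        parents = ancestors(procs, p.pid)
        parent = parents[0] if parents else None
        cmd = p.cmdline.lower()
        # rundll32 calling a DLL export by ordinal (",#1") from a user Temp directory.
        if name == "rundll32.exe" and re.search(r"\.dll,#\d+\s*$", cmd) \
                and "\\appdata\\local\\temp\\" in cmd:
            hits.append(("rundll32_ordinal_export_from_temp", p.pid))
        # 64-bit rundll32 re-launching its SysWOW64 counterpart for a 32-bit DLL.
        if name == "rundll32.exe" and "syswow64" in p.image.lower() \
                and parent is not None and basename(parent.image) == "rundll32.exe":
            hits.append(("wow64_rundll32_relaunch", p.pid))
        # mssecsvc.exe with rundll32 anywhere above it: the worm dropped by the DLL.
        if name == "mssecsvc.exe" and any(basename(a.image) == "rundll32.exe" for a in parents):
            hits.append(("mssecsvc_spawned_by_rundll32", p.pid))
        # tasksche.exe /i started by mssecsvc.exe: the installer step.
        if name == "tasksche.exe" and "/i" in cmd.split() \
                and parent is not None and basename(parent.image) == "mssecsvc.exe":
            hits.append(("tasksche_install", p.pid))
        # mssecsvc.exe -m security with no recorded parent: the service-mode instance.
        if name == "mssecsvc.exe" and "-m security" in cmd and parent is None:
            hits.append(("mssecsvc_service_mode", p.pid))
    return hits


def sha256_files(paths: Iterable[str]) -> Dict[str, str]:
    """SHA256 of files recovered from a host, keyed by basename (chunked read)."""
    out: Dict[str, str] = {}
    for path in paths:
        h = hashlib.sha256()
        with open(path, "rb") as f:
            for chunk in iter(lambda: f.read(1 << 20), b""):
                h.update(chunk)
        out[basename(path)] = h.hexdigest()
    return out


def check_drops(observed: Dict[str, str],
                reported: Dict[str, str] = REPORTED_DROPS) -> Dict[str, str]:
    """Compare observed SHA256 values (basename -> hex digest) with the report.
    match / mismatch / unexpected (not in the report) / missing (not observed).
    A same-named file with a different hash is a different build, not this drop."""
    status: Dict[str, str] = {}
    for name, digest in observed.items():
        key = name.lower()
        if key not in reported:
            status[key] = "unexpected"
        elif digest.lower() == reported[key].lower():
            status[key] = "match"
        else:
            status[key] = "mismatch"
    for key in reported:
        status.setdefault(key.lower(), "missing")
    return status


if __name__ == "__main__":
    for rule, pid in find_wannacry_chain(PROCESSES):
        print(f"{rule:36s} pid={pid}")
    # Constructed input: one recovered file matches the report, one does not.
    print(check_drops({"mssecsvc.exe": REPORTED_DROPS["mssecsvc.exe"], "tasksche.exe": "00" * 32}))
```

On a live host, feed sha256_files() the paths of any mssecsvc.exe and tasksche.exe found under %WINDIR% into check_drops(); a "mismatch" means the file is not the build this report describes and should be analysed separately rather than assumed identical.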