Analysis
- max time kernel: 150s
- max time network: 150s
- platform: windows7_x64
- resource: win7-20240215-en
- resource tags: arch:x64, arch:x86, image:win7-20240215-en, locale:en-us, os:windows7-x64, system
- submitted: 02-06-2024 08:16
Static task
- static1
Behavioral task
- behavioral1
  Sample: 8d6e6ea71ac6dd82566ea60042ee86ab_JaffaCakes118.dll
  Resource: win7-20240215-en
Behavioral task
- behavioral2
  Sample: 8d6e6ea71ac6dd82566ea60042ee86ab_JaffaCakes118.dll
  Resource: win10v2004-20240508-en
General
- Target: 8d6e6ea71ac6dd82566ea60042ee86ab_JaffaCakes118.dll
- Size: 5.0MB
- MD5: 8d6e6ea71ac6dd82566ea60042ee86ab
- SHA1: 836557cb89300f02bf9395022b16418ba9d7fe96
- SHA256: 337df37a59537558856e34d1ab68511664eb7d65d8bd077f713ce84e39142686
- SHA512: d095460fe5083d17239715a69823e852f087dfbb221ca42ec9d7a664a6f3bf0d8a1ea3945b3982c236fce04075950ea22e81b5dac2f01982403f24d4b795ef8a
- SSDEEP: 49152:JnjQqMSPbcBVQej/1INRx+TSqTdX1HhrH5AMEcaEau3R8:d8qPoBhz1aRxcSUDT593R8
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.
- Contacts a large (3232) amount of remote hosts (1 TTP)
  This may indicate a network scan to discover remotely running services.
- Executes dropped EXE (3 IoCs)
  Processes: mssecsvc.exe, mssecsvc.exe, tasksche.exe
  PID 1852: mssecsvc.exe
  PID 3056: mssecsvc.exe
  PID 2552: tasksche.exe
- Creates a large amount of network flows (1 TTP)
  This may indicate a network scan to discover remotely running services.
- Drops file in System32 directory (1 IoC)
  Processes: mssecsvc.exe
  File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat (mssecsvc.exe)
- Drops file in Windows directory (2 IoCs)
  Processes: rundll32.exe, mssecsvc.exe
  File created: C:\WINDOWS\mssecsvc.exe (rundll32.exe)
  File created: C:\WINDOWS\tasksche.exe (mssecsvc.exe)
- Modifies data under HKEY_USERS (1 IoC)
  Processes: mssecsvc.exe
  Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings (mssecsvc.exe)
- Suspicious use of WriteProcessMemory (11 IoCs)
  Processes: rundll32.exe, rundll32.exe
  PID 1844 (rundll32.exe) wrote to memory of PID 2156 (rundll32.exe): 7 events
  PID 2156 (rundll32.exe) wrote to memory of PID 1852 (mssecsvc.exe): 4 events
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\8d6e6ea71ac6dd82566ea60042ee86ab_JaffaCakes118.dll,#1
  PID: 1844
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\8d6e6ea71ac6dd82566ea60042ee86ab_JaffaCakes118.dll,#1
    PID: 2156
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    - C:\WINDOWS\mssecsvc.exe
      Command line: C:\WINDOWS\mssecsvc.exe
      PID: 1852
      - Executes dropped EXE
      - Drops file in Windows directory
      - C:\WINDOWS\tasksche.exe
        Command line: C:\WINDOWS\tasksche.exe /i
        PID: 2552
        - Executes dropped EXE
- C:\WINDOWS\mssecsvc.exe
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  PID: 3056
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Windows\mssecsvc.exe
  Filesize: 3.6MB
  MD5: 5faa48ed0a9307142ef6483fdc19bb5b
  SHA1: cfa17fe1c6e8a36b1768e8495eb4191ee20c4a3c
  SHA256: a5ca9ce03acdb745f1339bb6ddd2d90af70eda7073b5d3e1281c2f17f3d10a69
  SHA512: 179c5a357dd1ff20d3fa204499c5bf5d6e608aed84d0497836a5e4fb2f21519e22bf4c8fceb9a738938671b0b8c4b5123ea0c6cd5a3157e06c9248313142a387
- C:\Windows\tasksche.exe
  Filesize: 3.4MB
  MD5: 1ae22c8a18204e7ef1a2c6b873d1eb2c
  SHA1: bf5114fd81d315210b0e6bd36ad0710e2e2c8564
  SHA256: bc692b3f6c04d7e67a67793bcf07400ab797af7b77c1c2cc53c5eb46be703a9e
  SHA512: 7fd5011be3f7c2ac1d7e347600d6eecc262f44f0e121bcabbee5c0b279b1cdbab7b509cb3592a8448d6de01187bf96f8df7c881bb31439e7ca4afd4758ab99f9
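The signatures, process tree and dropped-file hashes above describe a pattern a detection engineer can encode directly: rundll32 loading a DLL from a user Temp directory, a child writing an executable into the Windows directory and then running it, a process opening flows to thousands of distinct hosts, and dropped files whose SHA-256 matches the Downloads section. The following is an added example, not part of the sandbox report or its tooling. Its events are constructed to mirror this report (PIDs, images, command lines and dropped paths are taken from it); the flat event schema, the parent PID 600 for the two tree roots, and the attribution of the 3232 flows to the "-m security" instance are assumptions, since the report does not name the scanning process.

```python
"""Detection logic for the behaviour this report records: a rundll32-loaded
DLL from a user Temp directory that drops and executes mssecsvc.exe and
tasksche.exe in the Windows directory, a process contacting thousands of
distinct hosts, and dropped files matching known hashes.
Added example, not part of the sandbox report; events and schema are constructed."""
from collections import defaultdict

SAMPLE_DLL = (r"C:\Users\Admin\AppData\Local\Temp"
              r"\8d6e6ea71ac6dd82566ea60042ee86ab_JaffaCakes118.dll")

# SHA-256 of the two dropped binaries, copied from the report's Downloads section.
KNOWN_DROPPED_SHA256 = {
    "a5ca9ce03acdb745f1339bb6ddd2d90af70eda7073b5d3e1281c2f17f3d10a69": "mssecsvc.exe",
    "bc692b3f6c04d7e67a67793bcf07400ab797af7b77c1c2cc53c5eb46be703a9e": "tasksche.exe",
}

# Constructed events mirroring the report's process tree. Parent PID 600 for the
# two roots and attributing the 3232 flows to PID 3056 are assumptions.
EVENTS = [
    {"type": "process", "pid": 1844, "ppid": 600, "image": r"C:\Windows\system32\rundll32.exe",
     "cmdline": f"rundll32.exe {SAMPLE_DLL},#1"},
    {"type": "process", "pid": 2156, "ppid": 1844, "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "cmdline": f"rundll32.exe {SAMPLE_DLL},#1"},
    {"type": "file", "pid": 2156, "path": r"C:\WINDOWS\mssecsvc.exe",
     "sha256": "a5ca9ce03acdb745f1339bb6ddd2d90af70eda7073b5d3e1281c2f17f3d10a69"},
    {"type": "process", "pid": 1852, "ppid": 2156, "image": r"C:\WINDOWS\mssecsvc.exe",
     "cmdline": r"C:\WINDOWS\mssecsvc.exe"},
    {"type": "file", "pid": 1852, "path": r"C:\WINDOWS\tasksche.exe",
     "sha256": "bc692b3f6c04d7e67a67793bcf07400ab797af7b77c1c2cc53c5eb46be703a9e"},
    {"type": "process", "pid": 2552, "ppid": 1852, "image": r"C:\WINDOWS\tasksche.exe",
     "cmdline": r"C:\WINDOWS\tasksche.exe /i"},
    {"type": "process", "pid": 3056, "ppid": 600, "image": r"C:\WINDOWS\mssecsvc.exe",
     "cmdline": r"C:\WINDOWS\mssecsvc.exe -m security"},
]
# 3232 distinct destinations on TCP 445, the host count the report gives.
EVENTS += [{"type": "net", "pid": 3056, "dst": f"10.{i >> 8}.{i & 255}.1", "dport": 445}
           for i in range(3232)]


def _is_temp_dll_loader(proc):
    """rundll32.exe invoked on a DLL under a user's AppData\\Local\\Temp."""
    return (proc["image"].lower().endswith("rundll32.exe")
            and "\\appdata\\local\\temp\\" in proc["cmdline"].lower())


def detect_dropped_exe_chain(events, drop_dir="c:\\windows\\"):
    """Flag processes whose image is a file that an ancestor in the same rundll32
    chain wrote under drop_dir: 'Drops file in Windows directory' followed by
    'Executes dropped EXE', as in the Signatures section."""
    procs = {e["pid"]: e for e in events if e["type"] == "process"}
    children = defaultdict(list)
    for p in procs.values():
        children[p["ppid"]].append(p["pid"])
    written = defaultdict(set)  # pid -> lowercased paths it created under drop_dir
    for e in events:
        if e["type"] == "file" and e["path"].lower().startswith(drop_dir):
            written[e["pid"]].add(e["path"].lower())

    findings = []
    for root in procs.values():
        if not _is_temp_dll_loader(root):
            continue
        parent = procs.get(root["ppid"])
        if parent and _is_temp_dll_loader(parent):
            continue  # the 32-bit re-launch is part of its parent's chain
        stack = [(root["pid"], frozenset())]  # (pid, files dropped by ancestors)
        while stack:
            pid, dropped = stack.pop()
            if procs[pid]["image"].lower() in dropped:
                findings.append({"root_pid": root["pid"], "pid": pid,
                                 "image": procs[pid]["image"]})
            for child in children[pid]:
                stack.append((child, dropped | written[pid]))
    return findings


def detect_host_scan(events, threshold=100):
    """Distinct destination hosts per PID; a count like the report's 3232 is a
    scan for remotely running services, not ordinary client traffic."""
    hosts = defaultdict(set)
    for e in events:
        if e["type"] == "net":
            hosts[e["pid"]].add(e["dst"])
    return {pid: len(h) for pid, h in hosts.items() if len(h) >= threshold}


def match_known_hashes(events, known=KNOWN_DROPPED_SHA256):
    """Map file-create events to the report's dropped-binary SHA-256 values."""
    return {e["path"]: known[e["sha256"]] for e in events
            if e["type"] == "file" and e.get("sha256") in known}


if __name__ == "__main__":
    for f in detect_dropped_exe_chain(EVENTS):
        print("dropped EXE executed:", f)
    print("scanning PIDs:", detect_host_scan(EVENTS))
    print("known dropped files:", match_known_hashes(EVENTS))
```

The chain detector deliberately keys on behaviour (a child executing a file its own ancestor wrote into the Windows directory) rather than on the names mssecsvc.exe and tasksche.exe, so it still fires if a variant renames its payloads; the hash match is the narrow, high-confidence companion check for this exact sample's droppings.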