Analysis

max time kernel: 150s
max time network: 150s
platform: windows7_x64
resource: win7-20240508-en
resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
submitted: 02-06-2024 16:11
Static task: static1

Behavioral task: behavioral1
  Sample: 8ea9c56fc1c2348f6ff9831f37380406_JaffaCakes118.dll
  Resource: win7-20240508-en

Behavioral task: behavioral2
  Sample: 8ea9c56fc1c2348f6ff9831f37380406_JaffaCakes118.dll
  Resource: win10v2004-20240508-en
General

Target: 8ea9c56fc1c2348f6ff9831f37380406_JaffaCakes118.dll
Size: 5.0MB
MD5: 8ea9c56fc1c2348f6ff9831f37380406
SHA1: 9a31c5ecf6a4f64abc680fad4956214f7dd381e2
SHA256: a9285fddf84f903605af63605d7369a10a52b5a16acde39899425dea363d06ca
SHA512: dc064ce61374b8787998ce7711b57238c4674a5b32ba41f8844cd5718ae985e65483e999ce72c3ec551f27d6954cbd0628ccad350041664458ca47e7009ea850
SSDEEP: 98304:d8qPoBhz1aRxcSUDk36SApxWa9P593R8yAVp2H:d8qPe1Cxcxk3ZAiadzR8yc4H
Malware Config
Signatures
Wannacry
  WannaCry is a ransomware cryptoworm.

Contacts a large (3333) amount of remote hosts (1 TTPs)
  This may indicate a network scan to discover remotely running services.

Executes dropped EXE (3 IoCs)
  Processes (pid, process):
    1148  mssecsvc.exe
    2320  mssecsvc.exe
    1320  tasksche.exe

Creates a large amount of network flows (1 TTPs)
  This may indicate a network scan to discover remotely running services.

Drops file in System32 directory (1 IoCs)
  Processes (description: ioc, process):
    File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat (mssecsvc.exe)

Drops file in Windows directory (2 IoCs)
  Processes (description: ioc, process):
    File created: C:\WINDOWS\mssecsvc.exe (rundll32.exe)
    File created: C:\WINDOWS\tasksche.exe (mssecsvc.exe)

Modifies data under HKEY_USERS (1 IoCs)
  Processes (description: ioc, process):
    Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings (mssecsvc.exe)

Suspicious use of WriteProcessMemory (11 IoCs)
  Processes (description, process -> target process):
    PID 3056 wrote to memory of 1388: rundll32.exe -> rundll32.exe (7 entries)
    PID 1388 wrote to memory of 1148: rundll32.exe -> mssecsvc.exe (4 entries)
Processes
C:\Windows\system32\rundll32.exe
  command: rundll32.exe C:\Users\Admin\AppData\Local\Temp\8ea9c56fc1c2348f6ff9831f37380406_JaffaCakes118.dll,#1
  PID: 3056
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\rundll32.exe
    command: rundll32.exe C:\Users\Admin\AppData\Local\Temp\8ea9c56fc1c2348f6ff9831f37380406_JaffaCakes118.dll,#1
    PID: 1388
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory

    C:\WINDOWS\mssecsvc.exe
      command: C:\WINDOWS\mssecsvc.exe
      PID: 1148
      - Executes dropped EXE
      - Drops file in Windows directory

      C:\WINDOWS\tasksche.exe
        command: C:\WINDOWS\tasksche.exe /i
        PID: 1320
        - Executes dropped EXE

C:\WINDOWS\mssecsvc.exe
  command: C:\WINDOWS\mssecsvc.exe -m security
  PID: 2320
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
Network
MITRE ATT&CK Enterprise v15
Downloads
C:\Windows\mssecsvc.exe
  Filesize: 3.6MB
  MD5: 7c71e533c99b2e86cd64d9b83eff0920
  SHA1: 4cf0e22139c1915e727bcac7a996bf3c42fd0efa
  SHA256: 346dcd106db702e2cb861c2329bf9c2b8ee51b5149d24fae9c9b42346f036535
  SHA512: ff3ef163c7cba43d6d676c28b0c4187aba43466b722310f129525f83136bb3d7982f5a06c851db278d5cd587a8723e1e0a2ba6294126b368268af7ee1e4c2cc5

C:\Windows\tasksche.exe
  Filesize: 3.4MB
  MD5: b748aa373ead11c501dbf06b7a7aa60e
  SHA1: d322bb4c10d52d9b37b69f1fa1b49e0aca5183c1
  SHA256: b3d715b1f5dc5aa862c14a6f41a24dd8c4d900370c6ac1a480f9219c490c7e90
  SHA512: 6fc0b518237d26cf8252ee2056c44875593a0ffa6a5fe2d5a81c5676176d9d3075c8039edfda9093fcdb9eaf51e6882015ca8285f6a0921913a0a730cab3d937