Analysis
max time kernel: 150s
max time network: 150s
platform: windows7_x64
resource: win7-20240215-en
resource tags: arch:x64, arch:x86, image:win7-20240215-en, locale:en-us, os:windows7-x64, system
submitted: 04-06-2024 02:03
Static task: static1
Behavioral task: behavioral1
  Sample: 935a103be36400df296e44f438467f3c_JaffaCakes118.dll
  Resource: win7-20240215-en
Behavioral task: behavioral2
  Sample: 935a103be36400df296e44f438467f3c_JaffaCakes118.dll
  Resource: win10v2004-20240508-en
General
Target: 935a103be36400df296e44f438467f3c_JaffaCakes118.dll
Size: 5.0MB
MD5: 935a103be36400df296e44f438467f3c
SHA1: c24562cf24a51cb81ecae2b64993602ff93da5af
SHA256: 6a81d946fdb06e601caa1018b39bc1a513a53e7716a7c1b8824f10fbad72e26c
SHA512: f1b11cb0c25f745bf31e5cc225ac7afeb103deed6dab97197bec093a5792a8205f2d052d60485a3654fa5849b713406db72417e90d91f2da4cfdb035e7985478
SSDEEP: 6144:yE9l9yNqIYVTH5DgSg8ajldktM0XXrs2QhMV9qbBLIwYQuy8DLq1eNVDwUM:ywbLgPluxQhMbaIMu7L5NVM
Malware Config
Signatures
Wannacry
WannaCry is a ransomware cryptoworm.

Contacts a large number (3303) of remote hosts (1 TTP)
This may indicate a network scan to discover remotely running services.

Executes dropped EXE (3 IoCs)
  PID   Process
  2260  mssecsvc.exe
  3048  mssecsvc.exe
  2624  tasksche.exe

Creates a large number of network flows (1 TTP)
This may indicate a network scan to discover remotely running services.

Drops file in System32 directory (1 IoC)
  Description                   IoC                                                                                                            Process
  File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat  mssecsvc.exe

Drops file in Windows directory (2 IoCs)
  Description   IoC                      Process
  File created  C:\WINDOWS\mssecsvc.exe  rundll32.exe
  File created  C:\WINDOWS\tasksche.exe  mssecsvc.exe

Modifies data under HKEY_USERS (1 IoC)
  Description  IoC                                                                           Process
  Key created  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings  mssecsvc.exe

Suspicious use of WriteProcessMemory (11 IoCs)
  Source PID  Target PID  Source process  Target process  Events
  1756        1660        rundll32.exe    rundll32.exe    7
  1660        2260        rundll32.exe    mssecsvc.exe    4
Processes
C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\935a103be36400df296e44f438467f3c_JaffaCakes118.dll,#1
  - Suspicious use of WriteProcessMemory
  PID: 1756
  C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\935a103be36400df296e44f438467f3c_JaffaCakes118.dll,#1
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    PID: 1660
    C:\WINDOWS\mssecsvc.exe
      Command line: C:\WINDOWS\mssecsvc.exe
      - Executes dropped EXE
      - Drops file in Windows directory
      PID: 2260
      C:\WINDOWS\tasksche.exe
        Command line: C:\WINDOWS\tasksche.exe /i
        - Executes dropped EXE
        PID: 2624

C:\WINDOWS\mssecsvc.exe
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  PID: 3048
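The signature hits and the process tree above can be reproduced from ordinary endpoint telemetry. The following Python is an added example, not part of the sandbox report or any vendor's detection content: it builds the parent/child chain from constructed Sysmon-style process-creation events whose PIDs and command lines mirror the tree above, flags the rundll32.exe -> mssecsvc.exe -> tasksche.exe chain, the "-m security" service-mode instance, executables living directly in C:\WINDOWS, and a process contacting an unusual number of distinct hosts. The parent PIDs of the two tree roots (1000 and 500), the network-flow records (which attribute the 3303 hosts to PID 3048 for illustration; the report does not tie that signature to a PID) and the 100-host threshold are assumptions.

```python
"""Reconstruct the sandbox report's signature logic over constructed events.

Added example: the event records below are constructed to mirror the process
tree and signature hits in the report; they are not sandbox output.
Assumptions: parent PIDs of the two tree roots (1000 and 500), the
network-flow records, and the 100-host scan threshold.
"""
from collections import defaultdict

# Constructed process-creation events (Sysmon Event ID 1 style).
PROC_EVENTS = [
    {"pid": 1756, "ppid": 1000, "image": r"C:\Windows\system32\rundll32.exe",
     "cmd": r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\935a103be36400df296e44f438467f3c_JaffaCakes118.dll,#1"},
    {"pid": 1660, "ppid": 1756, "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "cmd": r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\935a103be36400df296e44f438467f3c_JaffaCakes118.dll,#1"},
    {"pid": 2260, "ppid": 1660, "image": r"C:\WINDOWS\mssecsvc.exe",
     "cmd": r"C:\WINDOWS\mssecsvc.exe"},
    {"pid": 2624, "ppid": 2260, "image": r"C:\WINDOWS\tasksche.exe",
     "cmd": r"C:\WINDOWS\tasksche.exe /i"},
    # Second root in the tree: the service-mode instance. Parent 500 stands
    # in for the service control manager (assumption, not from the report).
    {"pid": 3048, "ppid": 500, "image": r"C:\WINDOWS\mssecsvc.exe",
     "cmd": r"C:\WINDOWS\mssecsvc.exe -m security"},
]

# Constructed network flows as (pid, destination IP): 3303 distinct hosts,
# the count in the report's signature, attributed here to PID 3048 for
# illustration only, plus a repeated single-host flow that should not fire.
NET_FLOWS = [(3048, f"10.{i // 256}.{i % 256}.1") for i in range(3303)]
NET_FLOWS += [(1756, "10.0.0.1"), (1756, "10.0.0.1")]


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def ancestry(events, pid):
    """Image names from pid up to the root, child first; stops at a
    missing parent or a cycle."""
    by_pid = {e["pid"]: e for e in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(basename(by_pid[pid]["image"]))
        pid = by_pid[pid]["ppid"]
    return chain


def dropper_chain_pids(events):
    """PIDs of tasksche.exe whose parent is mssecsvc.exe and grandparent is
    rundll32.exe: the rundll32 -> mssecsvc.exe -> tasksche.exe chain."""
    want = ["tasksche.exe", "mssecsvc.exe", "rundll32.exe"]
    return [e["pid"] for e in events if ancestry(events, e["pid"])[:3] == want]


def service_mode_pids(events):
    """PIDs of mssecsvc.exe started with '-m security' (the tree's second root)."""
    return [e["pid"] for e in events
            if basename(e["image"]) == "mssecsvc.exe"
            and e["cmd"].lower().endswith(" -m security")]


def windows_root_image_pids(events):
    """PIDs whose image sits directly in C:\\Windows rather than a
    subdirectory, the location of the dropped files in the report."""
    hits = []
    for e in events:
        parts = e["image"].split("\\")
        if len(parts) == 3 and parts[0].lower() == "c:" and parts[1].lower() == "windows":
            hits.append(e["pid"])
    return hits


def scan_like_pids(flows, threshold=100):
    """pid -> distinct destination count, for pids reaching >= threshold hosts."""
    hosts = defaultdict(set)
    for pid, dst in flows:
        hosts[pid].add(dst)
    return {pid: len(h) for pid, h in hosts.items() if len(h) >= threshold}


def triage(events=PROC_EVENTS, flows=NET_FLOWS):
    """Collect the findings that correspond to the report's signature hits."""
    return {
        "dropper_chain": dropper_chain_pids(events),
        "service_mode": service_mode_pids(events),
        "windows_root_images": windows_root_image_pids(events),
        "scan_like": scan_like_pids(flows),
    }


if __name__ == "__main__":
    for name, value in triage().items():
        print(f"{name}: {value}")
```

Run against real Sysmon or EDR data, the ancestry check is the robust part: the file names mssecsvc.exe and tasksche.exe are trivial for a variant to change, but an executable written to the Windows directory root by rundll32.exe and then launched from there, followed by a burst of distinct-host connections from one process, is the behaviour the report's signatures key on.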
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 3.6MB
MD5: 03da1a94d9940babbb24c2f09177e145
SHA1: 40fdb506c7df3e5c95a9e5d6acca2b9cac0aa5e1
SHA256: c9a0c495bcee207bab8ff291107141bc2e23a4f5a5102cc24354eaf4009dbbf3
SHA512: ea260f5ddcde156ea942698995a9cd00e8def5515f48a76b0a691bc25c760339119197230585c164647ec0d0f94079d5a40aea15398838041f50fc3ec4c39b31

Filesize: 3.4MB
MD5: 2cfd9967eaf64845781ce70f0dd69ccb
SHA1: c9bf80b6af17c54c460e0f77d7520894de91a632
SHA256: dd35fc41dd35b399a8e52cb4e12965a4c0d910999a1133ffe95a8cf50bc950ee
SHA512: 31a82b9837c57029a5008ab5c8b71a379ebb29a7fa646224a6c87fc017163bf23787e23a53b5262ebc76deefb4ac099d83995f0fc17b7ba02afff6251ce14d99