Analysis
- max time kernel: 150s
- max time network: 150s
- platform: windows7_x64
- resource: win7-20240220-en
- resource tags: arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
- submitted: 14-06-2024 17:14
Static task: static1
Behavioral task: behavioral1
  Sample: aadbf0d70f1b01b3af63020e0c22ecfb_JaffaCakes118.dll
  Resource: win7-20240220-en
Behavioral task: behavioral2
  Sample: aadbf0d70f1b01b3af63020e0c22ecfb_JaffaCakes118.dll
  Resource: win10v2004-20240508-en
General
- Target: aadbf0d70f1b01b3af63020e0c22ecfb_JaffaCakes118.dll
- Size: 5.0MB
- MD5: aadbf0d70f1b01b3af63020e0c22ecfb
- SHA1: 1fe092595535e28ade660c16c8a11b5bdebe23eb
- SHA256: 9b28253bb682bba95e21029b662950e431d89ff35c5ab4c824d8d94f05bf3345
- SHA512: d9ca53548a6b04bd4473971b197603888587ef021e7effe391a06310d66a64c93920eea295e6084ecadcb8e83a25c95238f2f6b961d742d174febf36bfdaab1d
- SSDEEP: 49152:JnjQqMSPbcBVQej/1INRx+TSqTdX1HkQo6SAARdhnvxJM0H+SMbBPWky:d8qPoBhz1aRxcSUDk36SAEdhvxWahF
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.
- Contacts a large (3233) amount of remote hosts (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Executes dropped EXE (3 IoCs)
  Processes (pid, process):
  2688 mssecsvc.exe
  2492 mssecsvc.exe
  2552 tasksche.exe
- Creates a large amount of network flows (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Drops file in System32 directory (1 IoCs)
  File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat (mssecsvc.exe)
- Drops file in Windows directory (2 IoCs)
  File created: C:\WINDOWS\mssecsvc.exe (rundll32.exe)
  File created: C:\WINDOWS\tasksche.exe (mssecsvc.exe)
- Modifies data under HKEY_USERS (1 IoCs)
  Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings (mssecsvc.exe)
- Suspicious use of WriteProcessMemory (11 IoCs)
  PID 2916 (rundll32.exe) wrote to memory of PID 2432 (rundll32.exe): 7 events
  PID 2432 (rundll32.exe) wrote to memory of PID 2688 (mssecsvc.exe): 4 events
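The "Executes dropped EXE" signature and the two network-scan signatures above are simple rules over the event stream. The following is an added example, not the sandbox's own signature code, that re-implements both over a constructed event log shaped like this report's process tree (the pids, image paths, the 3233 distinct hosts on port 445, the parent of the second mssecsvc.exe instance, and the contrasting "updater.exe" process are all constructed or hypothetical, not captured data). It also records per-port flow counts, which is the check that separates a scan (many hosts, one port) from a merely chatty process (many flows, few hosts).

```python
"""Added example: two of the report's behavioural signatures re-implemented over
constructed events. Not the sandbox's code; all events below are constructed."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Event:
    kind: str            # "file_create" | "proc_create" | "net_flow"
    pid: int             # acting process
    image: str           # image path of the acting process
    target: str          # file created, image started, or "ip:port" for net_flow
    target_pid: int = 0  # pid of the new process for proc_create events


def _norm(path: str) -> str:
    # Windows paths are case-insensitive; the report itself mixes C:\WINDOWS and C:\Windows.
    return path.replace("/", "\\").lower()


def executes_dropped_exe(events: List[Event]) -> List[Tuple[int, str]]:
    """Return (pid, image) for every process whose image was written to disk
    earlier in the same run, i.e. the report's 'Executes dropped EXE' rule."""
    dropped = set()
    hits = []
    for ev in events:
        if ev.kind == "file_create":
            dropped.add(_norm(ev.target))
        elif ev.kind == "proc_create" and _norm(ev.target) in dropped:
            hits.append((ev.target_pid, ev.target))
    return hits


def network_scan_indicators(events: List[Event], host_threshold: int = 100,
                            flow_threshold: int = 100) -> Dict[Tuple[int, str], dict]:
    """Per (pid, image): distinct remote hosts, total flows and flows per port.
    Only processes over either threshold are returned (thresholds are assumed;
    the report does not publish its own). A scan shows many hosts on very few
    ports; a busy but legitimate client shows many flows to few hosts."""
    hosts = defaultdict(set)
    flows = defaultdict(int)
    ports = defaultdict(lambda: defaultdict(int))
    for ev in events:
        if ev.kind != "net_flow":
            continue
        host, port = ev.target.rsplit(":", 1)
        key = (ev.pid, ev.image)
        hosts[key].add(host)
        flows[key] += 1
        ports[key][int(port)] += 1
    return {
        key: {"hosts": len(hosts[key]), "flows": flows[key], "ports": dict(ports[key])}
        for key in flows
        if len(hosts[key]) >= host_threshold or flows[key] >= flow_threshold
    }


# Constructed sample events modelled on the report's process tree (not captured data).
RUNDLL32_64 = r"C:\Windows\system32\rundll32.exe"
RUNDLL32_32 = r"C:\Windows\SysWOW64\rundll32.exe"
MSSECSVC = r"C:\WINDOWS\mssecsvc.exe"
TASKSCHE = r"C:\WINDOWS\tasksche.exe"
UPDATER = r"C:\Program Files\Updater\updater.exe"   # hypothetical benign process for contrast

SAMPLE_EVENTS = [
    Event("proc_create", 2916, RUNDLL32_64, RUNDLL32_32, target_pid=2432),
    Event("file_create", 2432, RUNDLL32_32, MSSECSVC),
    Event("proc_create", 2432, RUNDLL32_32, MSSECSVC, target_pid=2688),
    Event("file_create", 2688, MSSECSVC, TASKSCHE),
    Event("proc_create", 2688, MSSECSVC, TASKSCHE, target_pid=2552),
    # Second mssecsvc.exe instance (pid 2492); its parent is not in the report, so a placeholder is used.
    Event("proc_create", 0, "<unknown>", MSSECSVC, target_pid=2492),
]
# 3233 distinct constructed hosts on port 445, plus three repeat flows to the first host.
SAMPLE_EVENTS += [Event("net_flow", 2492, MSSECSVC, f"10.0.{i // 256}.{i % 256}:445")
                  for i in range(1, 3234)]
SAMPLE_EVENTS += [Event("net_flow", 2492, MSSECSVC, "10.0.0.1:445")] * 3
# Chatty but non-scanning process: 150 flows to only two hosts.
SAMPLE_EVENTS += [Event("net_flow", 1234, UPDATER, f"192.0.2.{1 + i % 2}:443") for i in range(150)]


if __name__ == "__main__":
    for pid, image in executes_dropped_exe(SAMPLE_EVENTS):
        print(f"Executes dropped EXE: pid {pid} {image}")
    for (pid, image), ind in network_scan_indicators(SAMPLE_EVENTS).items():
        verdict = "scan-like" if ind["hosts"] >= 100 and len(ind["ports"]) <= 2 else "chatty"
        print(f"pid {pid} {image}: {ind['hosts']} hosts, {ind['flows']} flows, ports {ind['ports']} -> {verdict}")
```

On the constructed input the dropped-EXE rule yields exactly the three pids the report lists, and only mssecsvc.exe (pid 2492) looks scan-like: 3233 hosts on a single port, whereas the contrast process trips the flow threshold but touches two hosts.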
Processes
- C:\Windows\system32\rundll32.exe (PID 2916)
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\aadbf0d70f1b01b3af63020e0c22ecfb_JaffaCakes118.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (PID 2432)
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\aadbf0d70f1b01b3af63020e0c22ecfb_JaffaCakes118.dll,#1
    (the 64-bit rundll32.exe hands the 32-bit DLL off to its SysWOW64 counterpart, which is why the same command line appears twice)
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    - C:\WINDOWS\mssecsvc.exe (PID 2688)
      Command line: C:\WINDOWS\mssecsvc.exe
      - Executes dropped EXE
      - Drops file in Windows directory
      - C:\WINDOWS\tasksche.exe (PID 2552)
        Command line: C:\WINDOWS\tasksche.exe /i
        - Executes dropped EXE
- C:\WINDOWS\mssecsvc.exe (PID 2492)
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  (separate process-tree root; no parent is recorded in the captured tree)
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 3.6MB
  MD5: 30bc40dfeffebc119ec1e6c01698319b
  SHA1: 1cdd02930d94f37e1948c5178e1bb3c0ecb73aa8
  SHA256: 35a76e6fe6a50ee15469b9337efdabb6ae9355341ec22ca7b495073edcea7720
  SHA512: 93b9c10896e29f805f481f96dc56370bb27d24c77e310d5ad557f5ea5258545a9dd1c5399ad71a3dac2dd4aa5c940e3611400d1e3d2922cb49fa4901a6250062
- Filesize: 3.4MB
  MD5: a0b8edde5cc9687d21ce3cbff7ba5288
  SHA1: 70ab45e14efa6616bdfc45970268ae00f7640cad
  SHA256: 5c9e87da1c86135ec54c8ede1e05b6ed60ad6ade2bf91301be564c909a20018c
  SHA512: 4da5353cc19a65fe9da0f2ae2d95d94d19cb51bcfae21d2218ff856b9aec1239198fe73e0e1683e0f8cd25cfb9f0021c9e7e6167456ac6301747eae0f0bf12e2