Analysis
- max time kernel: 150s
- max time network: 150s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 15-06-2024 07:29
Static task: static1
Behavioral task: behavioral1
- Sample: ad5517a1eb752f6d23d69b2f7921cd48_JaffaCakes118.dll
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: ad5517a1eb752f6d23d69b2f7921cd48_JaffaCakes118.dll
- Resource: win10v2004-20240611-en
General
- Target: ad5517a1eb752f6d23d69b2f7921cd48_JaffaCakes118.dll
- Size: 5.0MB
- MD5: ad5517a1eb752f6d23d69b2f7921cd48
- SHA1: c7937342d7bd4d93c502482a68ad5025b15e519b
- SHA256: 9ec61ae7609b5b7cbff2fbb60574406c5fc57e365f6f4c16d8e11141c9e987be
- SHA512: 739c9fa2df5b4c052a3ed3510d129e36fb1f6927cf922c07f2f62ab53e77455b80f36957877629f6178bcd53bc81f65291664ba4047fab0c2b307c2f9d6b272d
- SSDEEP: 98304:+8qPoBX1aRxcSUik36SAMxWa9P593R347U3Ra1rFz9TADyJxTazi9ozCY+Zu:+8qPg1CxcAk3ZAPadzRomoPLkVm
Malware Config
Signatures
- Wannacry: WannaCry is a ransomware cryptoworm.
- Contacts a large (3123) number of remote hosts (1 TTP): this may indicate a network scan to discover remotely running services.
- Executes dropped EXE (3 IoCs):
  PID 2120  mssecsvc.exe
  PID 2596  mssecsvc.exe
  PID 2564  tasksche.exe
- Creates a large number of network flows (1 TTP): this may indicate a network scan to discover remotely running services.
- Drops file in System32 directory (1 IoC):
  File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat (process: mssecsvc.exe)
- Drops file in Windows directory (2 IoCs):
  File created: C:\WINDOWS\mssecsvc.exe (process: rundll32.exe)
  File created: C:\WINDOWS\tasksche.exe (process: mssecsvc.exe)
- Modifies data under HKEY_USERS (1 IoC):
  Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings (process: mssecsvc.exe)
- Suspicious use of WriteProcessMemory (11 IoCs):
  PID 2588 (rundll32.exe) wrote to memory of PID 2272 (rundll32.exe): 7 events
  PID 2272 (rundll32.exe) wrote to memory of PID 2120 (mssecsvc.exe): 4 events
Processes
- C:\Windows\system32\rundll32.exe  (PID 2588)
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\ad5517a1eb752f6d23d69b2f7921cd48_JaffaCakes118.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe  (PID 2272)
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\ad5517a1eb752f6d23d69b2f7921cd48_JaffaCakes118.dll,#1
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    - C:\WINDOWS\mssecsvc.exe  (PID 2120)
      Command line: C:\WINDOWS\mssecsvc.exe
      - Executes dropped EXE
      - Drops file in Windows directory
      - C:\WINDOWS\tasksche.exe  (PID 2564)
        Command line: C:\WINDOWS\tasksche.exe /i
        - Executes dropped EXE
- C:\WINDOWS\mssecsvc.exe  (PID 2596, separate root process)
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
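The process tree and the signatures above describe a chain that is easy to turn into host and network detection logic: a 32-bit rundll32.exe loading the sample DLL by export ordinal from a user Temp directory, executables named mssecsvc.exe and tasksche.exe running straight out of C:\WINDOWS with rundll32.exe as the parent, a second parentless mssecsvc.exe started with "-m security", and one process reaching thousands of distinct remote hosts. The following is an added example (not code from the report or the sandbox vendor) that runs those checks over event records constructed to mirror the tree and the 3123-host signature. The record field names (pid, ppid, image, cmdline), the parent PIDs of the two root processes, the attribution of the network flows to PID 2596 and the host-count threshold are all assumptions; the report gives none of them.

```python
"""Detection logic for the behaviour chain in this sandbox report.

Added example, not code from the report or the sandbox vendor. The event
records below are constructed to mirror the report's process tree and its
"contacts a large number of remote hosts" signature; the field names
(pid, ppid, image, cmdline), the parent PIDs of the two root processes and
the flow attribution are assumptions, not sandbox output.
"""
import ntpath
from collections import defaultdict

SAMPLE_DLL = r"C:\Users\Admin\AppData\Local\Temp\ad5517a1eb752f6d23d69b2f7921cd48_JaffaCakes118.dll"

# Constructed process-creation events. PIDs, images and command lines are
# taken from the report's tree; ppid 1000 and 4 are placeholders (assumed).
PROCESS_EVENTS = [
    {"pid": 2588, "ppid": 1000, "image": r"C:\Windows\system32\rundll32.exe",
     "cmdline": "rundll32.exe " + SAMPLE_DLL + ",#1"},
    {"pid": 2272, "ppid": 2588, "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "cmdline": "rundll32.exe " + SAMPLE_DLL + ",#1"},
    {"pid": 2120, "ppid": 2272, "image": r"C:\WINDOWS\mssecsvc.exe",
     "cmdline": r"C:\WINDOWS\mssecsvc.exe"},
    {"pid": 2564, "ppid": 2120, "image": r"C:\WINDOWS\tasksche.exe",
     "cmdline": r"C:\WINDOWS\tasksche.exe /i"},
    {"pid": 2596, "ppid": 4, "image": r"C:\WINDOWS\mssecsvc.exe",
     "cmdline": r"C:\WINDOWS\mssecsvc.exe -m security"},
    # Benign control case (constructed): rundll32 loading a System32 DLL by name.
    {"pid": 3000, "ppid": 1000, "image": r"C:\Windows\system32\rundll32.exe",
     "cmdline": "rundll32.exe shell32.dll,Control_RunDLL"},
]

# File names from the report's "Drops file in Windows directory" IoCs.
DROPPED_NAMES = {"mssecsvc.exe", "tasksche.exe"}


def _name(path):
    return ntpath.basename(path).lower()


def _directory(path):
    return ntpath.dirname(path).lower()


def detect_process_chain(events):
    """Return a sorted list of (pid, rule) hits for the behaviours in the report."""
    by_pid = {e["pid"]: e for e in events}
    hits = set()
    for e in events:
        name, cmd = _name(e["image"]), e["cmdline"].lower()
        parent = by_pid.get(e["ppid"])
        parent_name = _name(parent["image"]) if parent else None

        # rundll32 invoking an export by ordinal (",#1") from a DLL under a user Temp directory
        if name == "rundll32.exe" and ",#" in cmd and "\\appdata\\local\\temp\\" in cmd:
            hits.add((e["pid"], "rundll32_temp_dll_ordinal"))

        # an executable with one of the dropped names running straight out of C:\WINDOWS
        if name in DROPPED_NAMES and _directory(e["image"]) == "c:\\windows":
            hits.add((e["pid"], "dropped_exe_in_windows_dir"))

        # rundll32 as the direct parent of a dropped executable (report: 2272 -> 2120)
        if name in DROPPED_NAMES and parent_name == "rundll32.exe":
            hits.add((e["pid"], "rundll32_spawns_dropped_exe"))

        # the second mssecsvc.exe instance, started with "-m security" as the tree shows
        if name == "mssecsvc.exe" and "-m security" in cmd:
            hits.add((e["pid"], "mssecsvc_service_mode"))
    return sorted(hits)


# Constructed flow records (pid, dst_ip): one process reaching 3123 distinct hosts,
# the count in the report's signature; attribution to PID 2596 is assumed.
FLOWS = [(2596, "10.%d.%d.%d" % (i // 65536, (i // 256) % 256, i % 256)) for i in range(3123)]
FLOWS += [(3000, "10.0.0.1"), (3000, "10.0.0.2")]


def distinct_remote_hosts(flows, threshold=1000):
    """Map pid -> number of distinct destinations, keeping pids at or above threshold.

    The sandbox's own threshold is not given in the report; 1000 is an assumption.
    """
    dsts = defaultdict(set)
    for pid, dst in flows:
        dsts[pid].add(dst)
    return {pid: len(s) for pid, s in dsts.items() if len(s) >= threshold}


if __name__ == "__main__":
    for pid, rule in detect_process_chain(PROCESS_EVENTS):
        print(pid, rule)
    print(distinct_remote_hosts(FLOWS))
```

The process rules fire on the five PIDs in the tree and stay silent on the benign rundll32 control record; the flow count isolates the single process that contacted 3123 hosts. On a real telemetry source the same checks apply to process-creation and network-connection events once the record fields are mapped to that source's schema.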
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 3.6MB
  MD5: 0a4adf5b8d5f7f2af6863aa0f6854805
  SHA1: aa11d0acd8721050c49aa48653c94acc1e047441
  SHA256: 3c552e558a6a764b52eb7bd8f1be11a5dc8c6f116073089bae7601f686f6b0e8
  SHA512: f31a0d60eb5e60ecaefd00e8f69e111106b8d2c08a461800e51a6a85e9653533829ab3b82f5b774f9f8f21d41028a45e6174f46903bd4877f2d14fa74bb4d883
- Filesize: 3.4MB
  MD5: c8c7248c812a1a10bbd0b5658256d3e1
  SHA1: 482c17052dd131e41e2e254dbb29347840f41688
  SHA256: c531db9707938d32901b120c947ae646986d461e09619fb961dd4bfe8ca734dd
  SHA512: ba4eb3f7b50fd0a9e58e0ad202b10dc419081dda9342ab0c51e06a307bd25cce69fedd3dbdf19228ecdf3d6892c18cf374aebd1b2cf4758d103d1da53f6db857