Analysis
- max time kernel: 150s
- max time network: 154s
- platform: windows7_x64
- resource: win7-20240508-en
- resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
- submitted: 15-06-2024 14:35
Static task: static1
Behavioral task: behavioral1
- Sample: aee29b9f1cb36e0f7122330b4f762a4b_JaffaCakes118.dll
- Resource: win7-20240508-en
Behavioral task: behavioral2
- Sample: aee29b9f1cb36e0f7122330b4f762a4b_JaffaCakes118.dll
- Resource: win10v2004-20240611-en
General
- Target: aee29b9f1cb36e0f7122330b4f762a4b_JaffaCakes118.dll
- Size: 5.0MB
- MD5: aee29b9f1cb36e0f7122330b4f762a4b
- SHA1: bf0897a259777e34fbd328ac42d9d75bebcd59c9
- SHA256: f31c16c9f5ae0e9564a430f12397013bc4777f791f63028a44aa39b6086df60e
- SHA512: 73a4bf011ce07f3fb8cbc82ae09980af27357394cb5e5fd6c4e251a7e5edc2d586a33658c7a8ccdb55652d6f4e947b1f0a4f574b706ddaf4d6e41f0f6fb3530e
- SSDEEP: 98304:d8qPoBh0yw1xcSUZk36SAEdhvxWa9P593R8yAVp2H:d8qPuw1xc7k3ZAEUadzR8yc4H
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.
- Contacts a large (3329) number of remote hosts (1 TTP)
  This may indicate a network scan to discover remotely running services.
- Executes dropped EXE (3 IoCs)
  Processes:
    PID 1064  mssecsvc.exe
    PID 2908  mssecsvc.exe
    PID 2240  tasksche.exe
- Creates a large amount of network flows (1 TTP)
  This may indicate a network scan to discover remotely running services.
- Drops file in System32 directory (1 IoC)
  Processes:
    File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat (process: mssecsvc.exe)
- Drops file in Windows directory (2 IoCs)
  Processes:
    File created: C:\WINDOWS\mssecsvc.exe (process: rundll32.exe)
    File created: C:\WINDOWS\tasksche.exe (process: mssecsvc.exe)
- Modifies data under HKEY_USERS (1 IoC)
  Processes:
    Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings (process: mssecsvc.exe)
- Suspicious use of WriteProcessMemory (11 IoCs)
  Processes:
    PID 572 (rundll32.exe) wrote to memory of PID 2112 (rundll32.exe): 7 entries
    PID 2112 (rundll32.exe) wrote to memory of PID 1064 (mssecsvc.exe): 4 entries
Processes
- C:\Windows\system32\rundll32.exe (PID 572)
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\aee29b9f1cb36e0f7122330b4f762a4b_JaffaCakes118.dll,#1
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (PID 2112)
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\aee29b9f1cb36e0f7122330b4f762a4b_JaffaCakes118.dll,#1
    Signatures: Drops file in Windows directory; Suspicious use of WriteProcessMemory
    - C:\WINDOWS\mssecsvc.exe (PID 1064)
      Command line: C:\WINDOWS\mssecsvc.exe
      Signatures: Executes dropped EXE; Drops file in Windows directory
      - C:\WINDOWS\tasksche.exe (PID 2240)
        Command line: C:\WINDOWS\tasksche.exe /i
        Signatures: Executes dropped EXE
- C:\WINDOWS\mssecsvc.exe (PID 2908)
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  Signatures: Executes dropped EXE; Drops file in System32 directory; Modifies data under HKEY_USERS
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 3.6MB
  MD5: 22dca33e86792bf66cd7020697b3748b
  SHA1: 6bf7ea26f0db190acac8b46e7fc4745b8e43dde9
  SHA256: 6f4cc9028d5ac3c289b85dcd1224ad106f359e25bcabafa5ece05c3986a1ceb8
  SHA512: 3bb9e019d1d40b7503a29b262eb43d636419ffcae1b4c7e4ca78585396cada09d7a00f1721fe38a06297cb24972369174d50c92a6277a025f7d59480a84f9182
- Filesize: 3.4MB
  MD5: ab6797e870f96ce8191e99cf89b5422a
  SHA1: a158653cd1f12df06a154f36c617ca9f96089371
  SHA256: 166905b9a18d99575dc18292a915532d5b654335ab3ddb186a2213102ef8a20f
  SHA512: c737f4518a8013d0c5205efb83c72c7630a3209467abd2944b3d2dfcd95927cc187ced3c7567cc2df53319a16855573d9fd6c21f29bbf4fb000f7059713d8936