Analysis
max time kernel: 150s
max time network: 150s
platform: windows7_x64
resource: win7-20240220-en
resource tags: arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
submitted: 16-06-2024 19:25
Static task: static1
Behavioral task: behavioral1
  Sample: b4cde1e1ed2abbee0b5abc2da6b41bb6_JaffaCakes118.dll
  Resource: win7-20240220-en
Behavioral task: behavioral2
  Sample: b4cde1e1ed2abbee0b5abc2da6b41bb6_JaffaCakes118.dll
  Resource: win10v2004-20240611-en
General
Target: b4cde1e1ed2abbee0b5abc2da6b41bb6_JaffaCakes118.dll
Size: 5.0MB
MD5: b4cde1e1ed2abbee0b5abc2da6b41bb6
SHA1: 7fbe0c404a6c960baf647ed7d8f628012b29c4c7
SHA256: e5f895eabdad888f1e69812e24686d352803ff994dac56067197b58b1ff16221
SHA512: 58335e42da8244d1215cf79e1b299dd832c6bcb436e23b9d3ce9ca261cfe4b589174e880c629c5d50803f3784eba527c5b19b65aa17caf2a68a3dff6d078fe54
SSDEEP: 98304:d8qPoBhz1aRxcSUDk36SAEdhvxWa9P593R8yAV:d8qPe1Cxcxk3ZAEUadzR8yc
Malware Config
Signatures
-
Wannacry
WannaCry is a ransomware cryptoworm.
-
Contacts a large number (3258) of remote hosts (1 TTP)
This may indicate a network scan to discover remotely running services.
-
Executes dropped EXE (3 IoCs)
Processes:
  pid   process
  2224  mssecsvc.exe
  2500  mssecsvc.exe
  2660  tasksche.exe
-
Creates a large number of network flows (1 TTP)
This may indicate a network scan to discover remotely running services.
-
Drops file in System32 directory (1 IoC)
Processes:
  description                   ioc                                                                                                             process
  File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat  mssecsvc.exe
-
Drops file in Windows directory (2 IoCs)
Processes:
  description   ioc                      process
  File created  C:\WINDOWS\mssecsvc.exe  rundll32.exe
  File created  C:\WINDOWS\tasksche.exe  mssecsvc.exe
-
Modifies data under HKEY_USERS (1 IoC)
Processes:
  description  ioc                                                                                  process
  Key created  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings  mssecsvc.exe
-
Suspicious use of WriteProcessMemory (11 IoCs)
Processes:
  description                       pid   process       target process
  PID 2908 wrote to memory of 1668  2908  rundll32.exe  rundll32.exe
  PID 2908 wrote to memory of 1668  2908  rundll32.exe  rundll32.exe
  PID 2908 wrote to memory of 1668  2908  rundll32.exe  rundll32.exe
  PID 2908 wrote to memory of 1668  2908  rundll32.exe  rundll32.exe
  PID 2908 wrote to memory of 1668  2908  rundll32.exe  rundll32.exe
  PID 2908 wrote to memory of 1668  2908  rundll32.exe  rundll32.exe
  PID 2908 wrote to memory of 1668  2908  rundll32.exe  rundll32.exe
  PID 1668 wrote to memory of 2224  1668  rundll32.exe  mssecsvc.exe
  PID 1668 wrote to memory of 2224  1668  rundll32.exe  mssecsvc.exe
  PID 1668 wrote to memory of 2224  1668  rundll32.exe  mssecsvc.exe
  PID 1668 wrote to memory of 2224  1668  rundll32.exe  mssecsvc.exe
Processes
-
C:\Windows\system32\rundll32.exe
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\b4cde1e1ed2abbee0b5abc2da6b41bb6_JaffaCakes118.dll,#1
  - Suspicious use of WriteProcessMemory
  PID: 2908
  -
  C:\Windows\SysWOW64\rundll32.exe
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\b4cde1e1ed2abbee0b5abc2da6b41bb6_JaffaCakes118.dll,#1
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    PID: 1668
    -
    C:\WINDOWS\mssecsvc.exe
      command line: C:\WINDOWS\mssecsvc.exe
      - Executes dropped EXE
      - Drops file in Windows directory
      PID: 2224
      -
      C:\WINDOWS\tasksche.exe
        command line: C:\WINDOWS\tasksche.exe /i
        - Executes dropped EXE
        PID: 2660
-
C:\WINDOWS\mssecsvc.exe
  command line: C:\WINDOWS\mssecsvc.exe -m security
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  PID: 2500
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize: 3.6MB
MD5: c950a73c8373cf8b7be87250213f8d4f
SHA1: 52f1e73c50fe92f229ea5b8cff7fc6215a76f430
SHA256: c3d14080e3719c412b9539a048000720e4376e46d1118a5b515bb4dd5fb20af6
SHA512: 0b803c10925ce43fa292c07fd7445d50b677df49ff138dfe7d596172589d55fc20ef3fc59c0590ad5943963fbfe9dc43def15fe22c23f91243303d00adeda796
-
Filesize: 3.4MB
MD5: dababf3f702d586685ebfcd0b5a7975a
SHA1: 9d725fd5c6cb226ba2571b95c575764902a8ad15
SHA256: 05aacce477db5a570e36d10da93eba85bec8af8e4aa2224b0a8ac98a542c18bd
SHA512: 4fa33b72a5af61e0bc2046cb85ce40b7cf043da17c24c7576a0d673bfc98dbfb0c024eae4bd2b4e1f123c45e3838c17af96f8e21b68a1382c101bc105a9174e1