Analysis
- max time kernel: 150s
- max time network: 150s
- platform: windows7_x64
- resource: win7-20240708-en
- resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
- submitted: 13-09-2024 12:35
Static task: static1
Behavioral task: behavioral1
- Sample: de4e13b6b78a818f7a2f8085094565b8_JaffaCakes118.dll
- Resource: win7-20240708-en
Behavioral task: behavioral2
- Sample: de4e13b6b78a818f7a2f8085094565b8_JaffaCakes118.dll
- Resource: win10v2004-20240802-en
General
- Target: de4e13b6b78a818f7a2f8085094565b8_JaffaCakes118.dll
- Size: 5.0MB
- MD5: de4e13b6b78a818f7a2f8085094565b8
- SHA1: 79fbb145ad91ef777f4bdb7d3d31b22d469e05bb
- SHA256: ae65ff5a612f13d7755bca2ff5dfd5e0161a85eb893c4285b7b4b3f02c97d005
- SHA512: 84a08e07f36d6dd38ce87c8568f52a22219b602e8ad809443783cc181a3cc2bc6c9a33f68f95b4450caf71de4b9d69224d5d3e6b4147fff480972d62d76802c2
- SSDEEP: 98304:d8qPoBhz1aRxcSUDk36SAEdhvxWa9wp2H:d8qPe1Cxcxk3ZAEUaq4H
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.
- Contacts a large (3291) amount of remote hosts (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Executes dropped EXE (3 IoCs)
  - PID 2064: mssecsvc.exe
  - PID 836: mssecsvc.exe
  - PID 2268: tasksche.exe
- Creates a large amount of network flows (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Drops file in System32 directory (1 IoCs)
  - File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat (process: mssecsvc.exe)
- Drops file in Windows directory (2 IoCs)
  - File created: C:\WINDOWS\mssecsvc.exe (process: rundll32.exe)
  - File created: C:\WINDOWS\tasksche.exe (process: mssecsvc.exe)
- System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: rundll32.exe)
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: mssecsvc.exe)
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: mssecsvc.exe)
- Modifies data under HKEY_USERS (1 IoCs)
  - Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings (process: mssecsvc.exe)
- Suspicious use of WriteProcessMemory (11 IoCs)
  - PID 2412 wrote to memory of 2104 (process: 2412 rundll32.exe, procid_target: 29)
  - PID 2412 wrote to memory of 2104 (process: 2412 rundll32.exe, procid_target: 29)
  - PID 2412 wrote to memory of 2104 (process: 2412 rundll32.exe, procid_target: 29)
  - PID 2412 wrote to memory of 2104 (process: 2412 rundll32.exe, procid_target: 29)
  - PID 2412 wrote to memory of 2104 (process: 2412 rundll32.exe, procid_target: 29)
  - PID 2412 wrote to memory of 2104 (process: 2412 rundll32.exe, procid_target: 29)
  - PID 2412 wrote to memory of 2104 (process: 2412 rundll32.exe, procid_target: 29)
  - PID 2104 wrote to memory of 2064 (process: 2104 rundll32.exe, procid_target: 30)
  - PID 2104 wrote to memory of 2064 (process: 2104 rundll32.exe, procid_target: 30)
  - PID 2104 wrote to memory of 2064 (process: 2104 rundll32.exe, procid_target: 30)
  - PID 2104 wrote to memory of 2064 (process: 2104 rundll32.exe, procid_target: 30)
Processes
- C:\Windows\system32\rundll32.exe (PID 2412)
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\de4e13b6b78a818f7a2f8085094565b8_JaffaCakes118.dll,#1
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (PID 2104)
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\de4e13b6b78a818f7a2f8085094565b8_JaffaCakes118.dll,#1
    Signatures: Drops file in Windows directory; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
    - C:\WINDOWS\mssecsvc.exe (PID 2064)
      Command line: C:\WINDOWS\mssecsvc.exe
      Signatures: Executes dropped EXE; Drops file in Windows directory; System Location Discovery: System Language Discovery
      - C:\WINDOWS\tasksche.exe (PID 2268)
        Command line: C:\WINDOWS\tasksche.exe /i
        Signatures: Executes dropped EXE
- C:\WINDOWS\mssecsvc.exe (PID 836)
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  Signatures: Executes dropped EXE; Drops file in System32 directory; System Location Discovery: System Language Discovery; Modifies data under HKEY_USERS
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 3.6MB
  MD5: b31578070de02e95c744960a5a2b6a98
  SHA1: a925c186074bc575f7fc5c52cdacc532055a035b
  SHA256: 1997f83c7dc0688a7727cab29bd3bea92b5b9d3549b9dfda55fd1e66289cef0e
  SHA512: 3cda83fb023870d269d92fc124d6d9f0363f1a4f01273b53baee346ced31871dce06aac8a280ca3feb0ef47ee841837dcdeb47c45c0831bc6c5245c3b2eb9c13
- Filesize: 3.4MB
  MD5: 115c1735c25b8af994675a1ad8d8150f
  SHA1: 89932dab91715928bba3c62f14a614a425a9ab36
  SHA256: 95b05236f98781f650dfc7819649a4629f1a6e4a81a00ed0e63d6e1edd779c88
  SHA512: 6b9c0c859c4c579cc21baf01ebdb5ec48371becce809b172e405023f47a7cca33fe3257220c5c95ac7f934f92fc789efc0ea3668e5d7f45c514775cb6fca3bc9