Analysis
- max time kernel: 150s
- max time network: 154s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 14-09-2024 07:04

Static task: static1
Behavioral task: behavioral1
  Sample: dfb508f82ab7809d3f0266d852009a99_JaffaCakes118.dll
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: dfb508f82ab7809d3f0266d852009a99_JaffaCakes118.dll
  Resource: win10v2004-20240802-en
General
- Target: dfb508f82ab7809d3f0266d852009a99_JaffaCakes118.dll
- Size: 5.0MB
- MD5: dfb508f82ab7809d3f0266d852009a99
- SHA1: b3987ad6c7e7cc751a63c89a307b335b86e1d78b
- SHA256: 1ef876ab0e4b0885f1585753423999b8fce935c87b77f9274aa1debff01efe7c
- SHA512: a67cc2fa77864a3b35345cd63760865bb0dc2a579e3dbd543a9904a0563f46815115116848e7ade48d6df094ed77787d2de182414937f396e3953e1b44b55dbe
- SSDEEP: 98304:d8qPoBhz1aRxcSUDk36SAEdhvxWa9P593R8yAVp2owc:d8qPe1Cxcxk3ZAEUadzR8yc4
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.
- Contacts a large (3240) number of remote hosts (1 TTP)
  This may indicate a network scan to discover remotely running services.
- Executes dropped EXE (3 IoCs)
  PID 1468  mssecsvc.exe
  PID 764   mssecsvc.exe
  PID 2752  tasksche.exe
- Creates a large number of network flows (1 TTP)
  This may indicate a network scan to discover remotely running services.
- Drops file in System32 directory (1 IoC)
  File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat (process: mssecsvc.exe)
- Drops file in Windows directory (2 IoCs)
  File created: C:\WINDOWS\mssecsvc.exe (process: rundll32.exe)
  File created: C:\WINDOWS\tasksche.exe (process: mssecsvc.exe)
- System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: rundll32.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: mssecsvc.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: mssecsvc.exe)
- Modifies data under HKEY_USERS (1 IoC)
  Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings (process: mssecsvc.exe)
- Suspicious use of WriteProcessMemory (11 IoCs)
  description                         pid   Process       procid_target
  PID 2264 wrote to memory of 1292    2264  rundll32.exe  30
  PID 2264 wrote to memory of 1292    2264  rundll32.exe  30
  PID 2264 wrote to memory of 1292    2264  rundll32.exe  30
  PID 2264 wrote to memory of 1292    2264  rundll32.exe  30
  PID 2264 wrote to memory of 1292    2264  rundll32.exe  30
  PID 2264 wrote to memory of 1292    2264  rundll32.exe  30
  PID 2264 wrote to memory of 1292    2264  rundll32.exe  30
  PID 1292 wrote to memory of 1468    1292  rundll32.exe  31
  PID 1292 wrote to memory of 1468    1292  rundll32.exe  31
  PID 1292 wrote to memory of 1468    1292  rundll32.exe  31
  PID 1292 wrote to memory of 1468    1292  rundll32.exe  31
Processes
- C:\Windows\system32\rundll32.exe (PID 2264)
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\dfb508f82ab7809d3f0266d852009a99_JaffaCakes118.dll,#1
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (PID 1292)
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\dfb508f82ab7809d3f0266d852009a99_JaffaCakes118.dll,#1
    Signatures: Drops file in Windows directory; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
    - C:\WINDOWS\mssecsvc.exe (PID 1468)
      Command line: C:\WINDOWS\mssecsvc.exe
      Signatures: Executes dropped EXE; Drops file in Windows directory; System Location Discovery: System Language Discovery
      - C:\WINDOWS\tasksche.exe (PID 2752)
        Command line: C:\WINDOWS\tasksche.exe /i
        Signatures: Executes dropped EXE
- C:\WINDOWS\mssecsvc.exe (PID 764)
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  Signatures: Executes dropped EXE; Drops file in System32 directory; System Location Discovery: System Language Discovery; Modifies data under HKEY_USERS
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 3.6MB
  MD5: 679d91ad1673915f28d1ca5eb78b8486
  SHA1: 0cd89062a1ce2a61d65ab11e6b72de5115eacf48
  SHA256: d9fc0a4089f5ca33d4d9b01a3bf26eae796b8647f6c95b0ed65db344096ccc9f
  SHA512: 4531d0c0a5d039c7092216f144f352ea0ca4ae0e4761f0c233bfcf537723296a41a4766ad2aa78096f717c2d7f70c6d9712477b999219d2cee219c3f29176c2a
- Filesize: 3.4MB
  MD5: 34e1278bb4509b217a58a294a596f1bb
  SHA1: 7aaf59e4b55c4f7f2095f98a16f1f196f7ce489f
  SHA256: 548d1c00a50abc1fed1747c4008defea1e85486def98ba1d22849c09309c77da
  SHA512: 47d24811a166abbc627ebef64e5cb8a88aa58f9a192f6f8020163702d566fd78947753cb47229f2a1bb591bcd3d012269277318e04db33575c76c1f1d5d2682d