Analysis
- max time kernel: 150s
- max time network: 154s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 17-09-2024 09:05
Static task: static1
Behavioral task: behavioral1
- Sample: e67af97c23d7df391973c3ed453a65dc_JaffaCakes118.dll
- Resource: win7-20240903-en
Behavioral task: behavioral2
- Sample: e67af97c23d7df391973c3ed453a65dc_JaffaCakes118.dll
- Resource: win10v2004-20240802-en
General
- Target: e67af97c23d7df391973c3ed453a65dc_JaffaCakes118.dll
- Size: 5.0MB
- MD5: e67af97c23d7df391973c3ed453a65dc
- SHA1: ef3c913ce273786e0ec981d06a9cee26dd9f387b
- SHA256: 79ca12b2c18a8f9ac7508178384e4b6459592d7ea8f4125018f0b9db5b04bac7
- SHA512: 868191ca9d8667408a17ba5818f925e722624f86dbcc842b9d08df659a6c7e3f54049518e539e17efd5cc718c805f1cc14cbabd88b9c71330d0ac450b0ddf2b7
- SSDEEP: 98304:T8qPoBhzyaRxcSUDk36SAEdhvxWa9P593R8yAVp2H:T8qPeyCxcxk3ZAEUadzR8yc4H
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.
- Contacts a large (3059) amount of remote hosts (1 TTP)
  This may indicate a network scan to discover remotely running services.
- Executes dropped EXE (3 IoCs)
  pid | Process
  2992 | mssecsvc.exe
  1208 | mssecsvc.exe
  3064 | tasksche.exe
- Creates a large amount of network flows (1 TTP)
  This may indicate a network scan to discover remotely running services.
- Drops file in System32 directory (1 IoC)
  description | ioc | Process
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat | mssecsvc.exe
- Drops file in Windows directory (2 IoCs)
  description | ioc | Process
  File created | C:\WINDOWS\mssecsvc.exe | rundll32.exe
  File created | C:\WINDOWS\tasksche.exe | mssecsvc.exe
- System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rundll32.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | mssecsvc.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | mssecsvc.exe
- Modifies data under HKEY_USERS (1 IoC)
  description | ioc | Process
  Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings | mssecsvc.exe
- Suspicious use of WriteProcessMemory (11 IoCs)
  description | pid | Process | procid_target
  PID 1756 wrote to memory of 696 | 1756 | rundll32.exe | 29
  PID 1756 wrote to memory of 696 | 1756 | rundll32.exe | 29
  PID 1756 wrote to memory of 696 | 1756 | rundll32.exe | 29
  PID 1756 wrote to memory of 696 | 1756 | rundll32.exe | 29
  PID 1756 wrote to memory of 696 | 1756 | rundll32.exe | 29
  PID 1756 wrote to memory of 696 | 1756 | rundll32.exe | 29
  PID 1756 wrote to memory of 696 | 1756 | rundll32.exe | 29
  PID 696 wrote to memory of 2992 | 696 | rundll32.exe | 30
  PID 696 wrote to memory of 2992 | 696 | rundll32.exe | 30
  PID 696 wrote to memory of 2992 | 696 | rundll32.exe | 30
  PID 696 wrote to memory of 2992 | 696 | rundll32.exe | 30
Processes
C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\e67af97c23d7df391973c3ed453a65dc_JaffaCakes118.dll,#1
  PID: 1756
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\e67af97c23d7df391973c3ed453a65dc_JaffaCakes118.dll,#1
    PID: 696
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    C:\WINDOWS\mssecsvc.exe
      Command line: C:\WINDOWS\mssecsvc.exe
      PID: 2992
      - Executes dropped EXE
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      C:\WINDOWS\tasksche.exe
        Command line: C:\WINDOWS\tasksche.exe /i
        PID: 3064
        - Executes dropped EXE
C:\WINDOWS\mssecsvc.exe
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  PID: 1208
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 3.6MB
  MD5: 29c9128035380b20a6691573b09f4111
  SHA1: a8feb5633d3a5133a1e98209d33864f17102a6a9
  SHA256: b450fe2c830e6463d0d28fe3148a4c31cf0fbde2cf45444ee0548766a1a26bf9
  SHA512: 22f303adcd196ccbae3cf897a79c3bb64b27287d1df3c33a3bc43507313ec33181c8dd97449410bf0b6df06bb91df9bab5a537c5fbe14a46e1ce359bf546b675
- Filesize: 3.4MB
  MD5: bcd926f16788cec23d44a8ec1a2a1c58
  SHA1: 5952fa6e21717718ec8dfaee0be1d873dd130446
  SHA256: 1c4262a369bb4c7f5cb3ac30d3a3e3835b69732827aacccd86d097d697a38d63
  SHA512: 8ea88668230adec33be1b4b713b1ecf7cff0a850557efbdc8920a2974d22001a266fd9fefd562025b81754f49060a1673fac7b778193c767d4c206f3806ce70f