Analysis
- max time kernel: 150s
- max time network: 157s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 18-09-2024 08:25
Static task: static1
Behavioral task: behavioral1
- Sample: e8b3ad3133f8f083db28728532d93dd9_JaffaCakes118.dll
- Resource: win7-20240903-en
Behavioral task: behavioral2
- Sample: e8b3ad3133f8f083db28728532d93dd9_JaffaCakes118.dll
- Resource: win10v2004-20240802-en
General
- Target: e8b3ad3133f8f083db28728532d93dd9_JaffaCakes118.dll
- Size: 5.0MB
- MD5: e8b3ad3133f8f083db28728532d93dd9
- SHA1: 71419f783196470966dfcb94d371650ae160194e
- SHA256: 978ec74d468d7d806d2118776d9df32953ff6a933c5ed5603f083013e5c40a3d
- SHA512: 9b2195cdcfec2657ba16099adc85b3c1d1765d1f581dab31b58769d418f3c7e27e97364b9a271a065a23b4035f904e1fc042a806081dacdaf1ee809b2ba82a78
- SSDEEP: 49152:SnjQcMSPbcBVQej/1INRx+TSqTdX1HkQo6:+8cPoBhz1aRxcSUDk36
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.
- Contacts a large (3239) amount of remote hosts (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Executes dropped EXE (3 IoCs)
  pid   Process
  2416  mssecsvc.exe
  2816  mssecsvc.exe
  2420  tasksche.exe
- Creates a large amount of network flows (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Drops file in System32 directory (1 IoCs)
  description                   ioc                                                                                                             Process
  File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat  mssecsvc.exe
- Drops file in Windows directory (2 IoCs)
  description   ioc                      Process
  File created  C:\WINDOWS\mssecsvc.exe  rundll32.exe
  File created  C:\WINDOWS\tasksche.exe  mssecsvc.exe
- System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                           Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  mssecsvc.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  rundll32.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  mssecsvc.exe
- Modifies data under HKEY_USERS (1 IoCs)
  description  ioc                                                                             Process
  Key created  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings  mssecsvc.exe
- Suspicious use of WriteProcessMemory (11 IoCs)
  description                        pid   Process       procid_target
  PID 2112 wrote to memory of 2656   2112  rundll32.exe  30
  PID 2112 wrote to memory of 2656   2112  rundll32.exe  30
  PID 2112 wrote to memory of 2656   2112  rundll32.exe  30
  PID 2112 wrote to memory of 2656   2112  rundll32.exe  30
  PID 2112 wrote to memory of 2656   2112  rundll32.exe  30
  PID 2112 wrote to memory of 2656   2112  rundll32.exe  30
  PID 2112 wrote to memory of 2656   2112  rundll32.exe  30
  PID 2656 wrote to memory of 2416   2656  rundll32.exe  31
  PID 2656 wrote to memory of 2416   2656  rundll32.exe  31
  PID 2656 wrote to memory of 2416   2656  rundll32.exe  31
  PID 2656 wrote to memory of 2416   2656  rundll32.exe  31
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\e8b3ad3133f8f083db28728532d93dd9_JaffaCakes118.dll,#1
  PID: 2112
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\e8b3ad3133f8f083db28728532d93dd9_JaffaCakes118.dll,#1
    PID: 2656
    Signatures: Drops file in Windows directory; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
    - C:\WINDOWS\mssecsvc.exe
      Command line: C:\WINDOWS\mssecsvc.exe
      PID: 2416
      Signatures: Executes dropped EXE; Drops file in Windows directory; System Location Discovery: System Language Discovery
      - C:\WINDOWS\tasksche.exe
        Command line: C:\WINDOWS\tasksche.exe /i
        PID: 2420
        Signatures: Executes dropped EXE
- C:\WINDOWS\mssecsvc.exe
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  PID: 2816
  Signatures: Executes dropped EXE; Drops file in System32 directory; System Location Discovery: System Language Discovery; Modifies data under HKEY_USERS
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 3.6MB
  MD5: d78007d1a7b065c7f3a78b0a0355f533
  SHA1: 141cc2201ba092854000c1f74373891e981d7be7
  SHA256: 3a87b66494925605c6d1f88eea0b6a06e8eb97ba5235d881a9ba56df517fd368
  SHA512: 53044a5de4d09a35d9e8c79cb0cd9be2cb0a508505d51881e263fd8ddac9f7aa9e9af76bd51cf84eb2aa9dbadac274aa9c4f844f6f6d50988cce4c1a0c5f3f57
- Filesize: 3.4MB
  MD5: 6dec970a6a6ae01181732d6910892837
  SHA1: 027fd2e6150c13755014b4f37b26940b57cb91f8
  SHA256: a73a81334f15ad3c08a5913f67fc5d990539e363bf041e112f35b413717a4a54
  SHA512: 6088fbabe4855588134cbfcdb611a324d437c1120bb2a05c3ba60cc83cf1aae90846c132d0a84d7ff4987a2e902f5c1f900de5ea8286c27ed8417f7fe542c3d1