Analysis
-
max time kernel
150s -
max time network
151s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
22-09-2024 16:48
Static task
static1
Behavioral task
behavioral1
Sample
f26b46cc433aed4de0582355b4a7c58d_JaffaCakes118.dll
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
f26b46cc433aed4de0582355b4a7c58d_JaffaCakes118.dll
Resource
win10v2004-20240802-en
General
-
Target
f26b46cc433aed4de0582355b4a7c58d_JaffaCakes118.dll
-
Size
5.0MB
-
MD5
f26b46cc433aed4de0582355b4a7c58d
-
SHA1
5e4a6a44cb6d7267d258a740795a8b4f379cf53c
-
SHA256
7763b6250f600f368046030fcf8f2b1f859230703aaaf8430af8328a9ef7d15e
-
SHA512
feeedc5a303dee11f7f53c30da88db4a5088b80d7d24b83de70f9d063ffff6098531088df7825799d8b6bdd06dbdeff99d84be58ceccd1a2725a3175cffb0840
-
SSDEEP
24576:JbLgdeQhfdfO6LLuYAMEcpcL7nEaut/8uME7A4kqAH1pNZtA0p+9XEk:JnjQTAMEcaEau3R8yAH1plAH
Malware Config
Signatures
-
Wannacry
WannaCry is a ransomware cryptoworm.
-
Contacts a large (3287) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Executes dropped EXE 3 IoCs
pid Process 2052 mssecsvc.exe 2672 mssecsvc.exe 2552 tasksche.exe -
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Drops file in System32 directory 1 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat mssecsvc.exe -
Drops file in Windows directory 2 IoCs
description ioc Process File created C:\WINDOWS\mssecsvc.exe rundll32.exe File created C:\WINDOWS\tasksche.exe mssecsvc.exe -
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mssecsvc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mssecsvc.exe -
Modifies data under HKEY_USERS 1 IoCs
description ioc Process Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings mssecsvc.exe -
Suspicious use of WriteProcessMemory 11 IoCs
description pid Process procid_target PID 1780 wrote to memory of 3008 1780 rundll32.exe 29 PID 1780 wrote to memory of 3008 1780 rundll32.exe 29 PID 1780 wrote to memory of 3008 1780 rundll32.exe 29 PID 1780 wrote to memory of 3008 1780 rundll32.exe 29 PID 1780 wrote to memory of 3008 1780 rundll32.exe 29 PID 1780 wrote to memory of 3008 1780 rundll32.exe 29 PID 1780 wrote to memory of 3008 1780 rundll32.exe 29 PID 3008 wrote to memory of 2052 3008 rundll32.exe 30 PID 3008 wrote to memory of 2052 3008 rundll32.exe 30 PID 3008 wrote to memory of 2052 3008 rundll32.exe 30 PID 3008 wrote to memory of 2052 3008 rundll32.exe 30
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\f26b46cc433aed4de0582355b4a7c58d_JaffaCakes118.dll,#11⤵
- Suspicious use of WriteProcessMemory
PID:1780 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\f26b46cc433aed4de0582355b4a7c58d_JaffaCakes118.dll,#12⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3008 -
C:\WINDOWS\mssecsvc.exeC:\WINDOWS\mssecsvc.exe3⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:2052 -
C:\WINDOWS\tasksche.exeC:\WINDOWS\tasksche.exe /i4⤵
- Executes dropped EXE
PID:2552
-
-
-
-
C:\WINDOWS\mssecsvc.exeC:\WINDOWS\mssecsvc.exe -m security1⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
PID:2672
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3.6MB
MD51135fbfbe829a6856c6d1efe7a295896
SHA16ebaf4c8780d298c4100027f5a7fdcdb6bce3104
SHA2568a06645d0f1a7f9fdf466a6b748ffc2c392d3f757f6eb66932b72ffb3bf61106
SHA512cea7548ff3c4e51a82012338aca2b3d2a8d85b5a600c5cd0a4f57bf307a32a533448d0c19826239e455762ff9afcb4f510fe5869101c000296c7834d3448b66f
-
Filesize
3.4MB
MD5ee358d031d5245343d07adf01a9de91c
SHA1e2898fb0fabfa3c24678cd80464e27a91d690db6
SHA256948bf1408def8719a2afd27a3073321bd58d7ce0454b97f4c6e17f5ffdb5c870
SHA51267933597b87655bd9e94acd0d5c06876eb3cf02e8c25b1a6f83f5b35ba93a1cb4fbe9a97d5e164e549d773497e19b11c413933da02d552af1c600b60d3035fde