Analysis
- max time kernel: 150s
- max time network: 150s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system
- submitted: 23-09-2024 17:01
Static task
- static1
Behavioral task
- behavioral1
  Sample: f2b958453fa551353642768a3aab1345_JaffaCakes118.dll
  Resource: win7-20240903-en
Behavioral task
- behavioral2
  Sample: f2b958453fa551353642768a3aab1345_JaffaCakes118.dll
  Resource: win10v2004-20240802-en
General
- Target: f2b958453fa551353642768a3aab1345_JaffaCakes118.dll
- Size: 5.0MB
- MD5: f2b958453fa551353642768a3aab1345
- SHA1: f1d6fe7fd51a44984134054c57a0279a9ea9d4b4
- SHA256: 5b0385084a77525ca7c0a80e476f6f7d51080690fbc6265a8d4f1e2bfda2a4db
- SHA512: 313ee95f1d7d05a36c9b2cf162e3fff608183dcd04d98f50ad6a8b10189f081e3d870198bd488d80a51d2533732f3ba3249e3c7083e368807db64a7a62e549bb
- SSDEEP: 49152:JnjQqMSPbcBVQej/1INRx+TSqTdX1HkQo6SAA:d8qPoBhz1aRxcSUDk36SA
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.
- Contacts a large (3194) amount of remote hosts (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Executes dropped EXE (3 IoCs)
  PID   Process
  1196  mssecsvc.exe
  2648  mssecsvc.exe
  2544  tasksche.exe
- Creates a large amount of network flows (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Drops file in System32 directory (1 IoCs)
  Description                   IoC                                                                                                                     Process
  File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat  mssecsvc.exe
- Drops file in Windows directory (2 IoCs)
  Description   IoC                       Process
  File created  C:\WINDOWS\mssecsvc.exe   rundll32.exe
  File created  C:\WINDOWS\tasksche.exe   mssecsvc.exe
- System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  Description  IoC                                                         Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  rundll32.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  mssecsvc.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  mssecsvc.exe
- Modifies data under HKEY_USERS (1 IoCs)
  Description  IoC                                                                            Process
  Key created  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings  mssecsvc.exe
- Suspicious use of WriteProcessMemory (11 IoCs)
  Description                           PID   Process       procid_target
  PID 1564 wrote to memory of 3036      1564  rundll32.exe  29   (7 identical entries)
  PID 3036 wrote to memory of 1196      3036  rundll32.exe  30   (4 identical entries)
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\f2b958453fa551353642768a3aab1345_JaffaCakes118.dll,#1
  PID: 1564
  Signatures:
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\f2b958453fa551353642768a3aab1345_JaffaCakes118.dll,#1
    PID: 3036
    Signatures:
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    - C:\WINDOWS\mssecsvc.exe
      Command line: C:\WINDOWS\mssecsvc.exe
      PID: 1196
      Signatures:
      - Executes dropped EXE
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - C:\WINDOWS\tasksche.exe
        Command line: C:\WINDOWS\tasksche.exe /i
        PID: 2544
        Signatures:
        - Executes dropped EXE
- C:\WINDOWS\mssecsvc.exe
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  PID: 2648
  Signatures:
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 3.6MB
  MD5: 07c6159b5f6a45c05d2e278fd52e1b9a
  SHA1: c7094c745a566412429ac5a2f4d3ec5e4519e4d9
  SHA256: 765719492b2af8d52598956f218b4fb4ebbb74652e9448ed3926e4ab53c8f7de
  SHA512: 715248a79565487936b9c71fe463ceb2dc4a3e1016fcf17fc0485cf151848164b5d8cba8dac4539c5df5dd4b4593343d9cb225531e4856589d8ae563ee093b1f
- Filesize: 3.4MB
  MD5: 44d27e70605a2ded2803ca6319c93fb9
  SHA1: 8fcd27048fde2d49c6e351107233a912d5ce6cce
  SHA256: 076d473f2b82d6e98b33653f4aeda9ca15494c2fd6f00088f6d90e8b5c15994f
  SHA512: 92cd25d19a95bedbb0f804c11ad3e9539dafab0f9f6cc3aad5b60690a16fb182594d12be75eead3746d385885a354462740321d0e17ca3d7d19cb5d16bfbcd18