Analysis
- max time kernel: 150s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20240426-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 04-05-2024 08:25
Static task: static1
Behavioral task: behavioral1
  Sample: 11e240d70f2e38cecfba1799d8046678_JaffaCakes118.dll
  Resource: win7-20231129-en
Behavioral task: behavioral2
  Sample: 11e240d70f2e38cecfba1799d8046678_JaffaCakes118.dll
  Resource: win10v2004-20240426-en
General
- Target: 11e240d70f2e38cecfba1799d8046678_JaffaCakes118.dll
- Size: 5.0MB
- MD5: 11e240d70f2e38cecfba1799d8046678
- SHA1: 33b54e5eebec3eab8fa7159015984306fd53c8cb
- SHA256: d3d6fe7d340bfb8fdaa8be94c959099d860ea3c745ce3a15ac5c21078accc41e
- SHA512: 7b83a0570ee1ec3b11cd1d0bc4ffe14ccf8657fb3a37871be47307a69214cfdbf4920ba05b2cce1d7819609160e177a3db3662f8b3a7b8a3ac04350bcd3d0a32
- SSDEEP: 98304:d8qPoBhz1aRxcSUDkydhvxWa9P593R8yAVp2H:d8qPe1CxcxkyUadzR8yc4H
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.
- Contacts a large (3395) amount of remote hosts (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Executes dropped EXE (3 IoCs)
  Processes:
    pid   process
    3664  mssecsvc.exe
    1828  mssecsvc.exe
    1960  tasksche.exe
- Creates a large amount of network flows (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Drops file in Windows directory (2 IoCs)
  Processes:
    description   ioc                       process
    File created  C:\WINDOWS\mssecsvc.exe   rundll32.exe
    File created  C:\WINDOWS\tasksche.exe   mssecsvc.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes:
    description                        pid   process       target process
    PID 3248 wrote to memory of 2280   3248  rundll32.exe  rundll32.exe
    PID 3248 wrote to memory of 2280   3248  rundll32.exe  rundll32.exe
    PID 3248 wrote to memory of 2280   3248  rundll32.exe  rundll32.exe
    PID 2280 wrote to memory of 3664   2280  rundll32.exe  mssecsvc.exe
    PID 2280 wrote to memory of 3664   2280  rundll32.exe  mssecsvc.exe
    PID 2280 wrote to memory of 3664   2280  rundll32.exe  mssecsvc.exe
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\11e240d70f2e38cecfba1799d8046678_JaffaCakes118.dll,#1
  PID: 3248
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\11e240d70f2e38cecfba1799d8046678_JaffaCakes118.dll,#1
    PID: 2280
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    - C:\WINDOWS\mssecsvc.exe
      Command line: C:\WINDOWS\mssecsvc.exe
      PID: 3664
      - Executes dropped EXE
      - Drops file in Windows directory
      - C:\WINDOWS\tasksche.exe
        Command line: C:\WINDOWS\tasksche.exe /i
        PID: 1960
        - Executes dropped EXE
- C:\WINDOWS\mssecsvc.exe
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  PID: 1828
  - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Windows\mssecsvc.exe
  Filesize: 3.6MB
  MD5: 6edc22d530ba8a8c3de87400d1a3c762
  SHA1: 83975a8e5718eb954ccba19f497a16c75c361cea
  SHA256: ed59f9f12b99554ead96ba5351f9413654526e6d67c54594fa051d61bd53cd12
  SHA512: ce8eb2fb1d557101a9c16a6b52eedc18ffb30d34cef10f5e2c3cd5d740ac4a9e794f4446efedfff9f22a9cd1a715d0f7457f7284554c8d61d350aaa530d9ef4f
- C:\Windows\tasksche.exe
  Filesize: 3.4MB
  MD5: 407207ed2f91fcc504c3c872020debba
  SHA1: 7d493a63fe1ab5ac8102a2c54130115b4f3ffa4b
  SHA256: ab6d965875faa63059f57ae3772f92935bf360ae681a009cac240f05020d0617
  SHA512: 18be7d0ca0dc4f4f78bbc2e330802f624eae9ea3e47f23be9d1b6387631ae31d99155659a5256501e5ce68ad7ed5a6baa41115ddc00f77f7a906402779fd1d32