Analysis
- max time kernel: 150s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20240419-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240419-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 04-05-2024 16:32
Static task: static1
Behavioral task: behavioral1
- Sample: 1391981dda18f636a0ec142d2f85079d_JaffaCakes118.dll
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: 1391981dda18f636a0ec142d2f85079d_JaffaCakes118.dll
- Resource: win10v2004-20240419-en
General
- Target: 1391981dda18f636a0ec142d2f85079d_JaffaCakes118.dll
- Size: 5.0MB
- MD5: 1391981dda18f636a0ec142d2f85079d
- SHA1: 8330f801ca548a037879e0b75447ac3496932810
- SHA256: 25569625a36ca72014b551e8aff1cc163239b4766a434c3bcbfc5bb97cf8dbb1
- SHA512: 909a025c2cac752c369e20706483786273786a2dc78a9d1928457c51ff9dfd32cb7e4374b993af8dc049556b3d1f217cfcec3751af5b1af4c4d361e3bfea210e
- SSDEEP: 49152:JnjQqMSPbcBVQej/1INRx+TSqTdX1HkQo6SAAfAH:d8qPoBhz1aRxcSUDk36SADH
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.
- Contacts a large (3231) amount of remote hosts (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Executes dropped EXE (3 IoCs)
  Processes:
  PID   Process
  1484  mssecsvc.exe
  5072  mssecsvc.exe
  5212  tasksche.exe
- Creates a large amount of network flows (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Drops file in Windows directory (2 IoCs)
  Processes:
  Description   IoC                       Process
  File created  C:\WINDOWS\mssecsvc.exe   rundll32.exe
  File created  C:\WINDOWS\tasksche.exe   mssecsvc.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes:
  Description                        PID   Process       Target process
  PID 5188 wrote to memory of 5272   5188  rundll32.exe  rundll32.exe
  PID 5188 wrote to memory of 5272   5188  rundll32.exe  rundll32.exe
  PID 5188 wrote to memory of 5272   5188  rundll32.exe  rundll32.exe
  PID 5272 wrote to memory of 1484   5272  rundll32.exe  mssecsvc.exe
  PID 5272 wrote to memory of 1484   5272  rundll32.exe  mssecsvc.exe
  PID 5272 wrote to memory of 1484   5272  rundll32.exe  mssecsvc.exe
Processes (process tree; indentation shows parent/child relationship)
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\1391981dda18f636a0ec142d2f85079d_JaffaCakes118.dll,#1
  PID: 5188
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\1391981dda18f636a0ec142d2f85079d_JaffaCakes118.dll,#1
    PID: 5272
    Signatures: Drops file in Windows directory; Suspicious use of WriteProcessMemory
    - C:\WINDOWS\mssecsvc.exe
      Command line: C:\WINDOWS\mssecsvc.exe
      PID: 1484
      Signatures: Executes dropped EXE; Drops file in Windows directory
      - C:\WINDOWS\tasksche.exe
        Command line: C:\WINDOWS\tasksche.exe /i
        PID: 5212
        Signatures: Executes dropped EXE
- C:\WINDOWS\mssecsvc.exe
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  PID: 5072
  Signatures: Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Windows\mssecsvc.exe
  Filesize: 3.6MB
  MD5: eb0f59bbbee4e1195509874301b9200c
  SHA1: 468e55701ecf64d01c05c9fa7470f0f5a4ef294c
  SHA256: f32919594061cd2664173e51e23ebe4134675d7350359a50a3fac1fa38716c8e
  SHA512: 2882e530c42bd7497763c0e5c7b89387c7f2bbdcfe7551b9811308e604cbd9f085a6bb330c452a7b385bf7e206afbbf8baf9a03c40e53213fdecc1113919054b
- C:\Windows\tasksche.exe
  Filesize: 3.4MB
  MD5: 46a0ffe690dbef1ad9290eae3442e2cc
  SHA1: 402f07250ef7df1ef336bb06b3f9c65318405b7c
  SHA256: 66460333375e11582774e0e06189e6c237f7635c2decf33f95b28c0066309ed4
  SHA512: e378b904d807c5d8eb459335d160bef231fa57aeb43211bf80a5d9aa67db7d6446f5d400defdb92230e7a61239a464fdff200c83188e9f79cd389c00a915f2c0