Analysis
- max time kernel: 150s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20240419-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240419-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 05-05-2024 10:03
Static task
- static1
Behavioral task
- behavioral1
  Sample: 172742bfe2982aa15c60569e5b217e75_JaffaCakes118.dll
  Resource: win7-20240221-en
Behavioral task
- behavioral2
  Sample: 172742bfe2982aa15c60569e5b217e75_JaffaCakes118.dll
  Resource: win10v2004-20240419-en
General
- Target: 172742bfe2982aa15c60569e5b217e75_JaffaCakes118.dll
- Size: 5.0MB
- MD5: 172742bfe2982aa15c60569e5b217e75
- SHA1: d2a6feb2d79cedb9bf26ed1b72317fd716a3fa43
- SHA256: 3d0383c4f3c46f9ff9b0db3a526426d8fabbbd7ec2c473e6d4a6d859c3e612f2
- SHA512: d4bf8c37e3db498459359e67fb84e72883e06d8a925e6a0fef7a7b44f3cc12b172fda9253f38061b1cb5c9b108929811b0426d0a6297a6cec48cdfdd1ea6d7c5
- SSDEEP: 98304:d8qPoBhz1aRxcSUDk36SAEdhvxWa9P593R8yAw2:d8qPe1Cxcxk3ZAEUadzR8y
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.
- Contacts a large (3179) amount of remote hosts (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Executes dropped EXE (3 IoCs)
  Processes:
    pid   process
    5068  mssecsvc.exe
    4148  mssecsvc.exe
    4172  tasksche.exe
- Creates a large amount of network flows (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Drops file in Windows directory (2 IoCs)
  Processes:
    description   ioc                       process
    File created  C:\WINDOWS\mssecsvc.exe   rundll32.exe
    File created  C:\WINDOWS\tasksche.exe   mssecsvc.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes:
    description                        pid   process       target process
    PID 4872 wrote to memory of 2308   4872  rundll32.exe  rundll32.exe
    PID 4872 wrote to memory of 2308   4872  rundll32.exe  rundll32.exe
    PID 4872 wrote to memory of 2308   4872  rundll32.exe  rundll32.exe
    PID 2308 wrote to memory of 5068   2308  rundll32.exe  mssecsvc.exe
    PID 2308 wrote to memory of 5068   2308  rundll32.exe  mssecsvc.exe
    PID 2308 wrote to memory of 5068   2308  rundll32.exe  mssecsvc.exe
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\172742bfe2982aa15c60569e5b217e75_JaffaCakes118.dll,#1
  - Suspicious use of WriteProcessMemory
  PID: 4872
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\172742bfe2982aa15c60569e5b217e75_JaffaCakes118.dll,#1
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    PID: 2308
    - C:\WINDOWS\mssecsvc.exe
      Command line: C:\WINDOWS\mssecsvc.exe
      - Executes dropped EXE
      - Drops file in Windows directory
      PID: 5068
      - C:\WINDOWS\tasksche.exe
        Command line: C:\WINDOWS\tasksche.exe /i
        - Executes dropped EXE
        PID: 4172
- C:\WINDOWS\mssecsvc.exe
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  - Executes dropped EXE
  PID: 4148
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Windows\mssecsvc.exe
  Filesize: 3.6MB
  MD5: 5da581b5248ef51f23e378474f430028
  SHA1: 15b2470540efa1d8e18e6a324b46c6c969703b79
  SHA256: 993e95a63073362991f1532c7cada7a0f35d647dd795dc44a0dd54bcc6c5cb06
  SHA512: 5f58a5451d75829b2ea890ce0ba2fd3869ced4c42fdfa592e0b9a7e627c622a45e200dcee4d2e24e27de3f9c3e0a19ddbf7d8d9d6cd0f7254d3a670c84a44f46
- C:\Windows\tasksche.exe
  Filesize: 3.4MB
  MD5: 90938407c8be94d5c44223a758a76a76
  SHA1: 35a1d87f9b7806bb48076e9d06ebda7d8f3af3c2
  SHA256: c14b363c8649574b0d23cea2c64c29cfabfb3bfe60f16728eb18ea622bde8706
  SHA512: 18604214eecabb998d4f40915dca5d38f86abe63a73c40b20fef4d6f6420dae1c056da00330773ad99baafc88a306da88770bb263f4958e3e13e06e6bacc18d4