Analysis
max time kernel: 150s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
submitted: 08-05-2024 03:25
Static task: static1
Behavioral task: behavioral1
  Sample: 22fd61e52893c9aec35545c81067f2a6_JaffaCakes118.dll
  Resource: win7-20240419-en
Behavioral task: behavioral2
  Sample: 22fd61e52893c9aec35545c81067f2a6_JaffaCakes118.dll
  Resource: win10v2004-20240426-en
General
Target: 22fd61e52893c9aec35545c81067f2a6_JaffaCakes118.dll
Size: 5.0MB
MD5: 22fd61e52893c9aec35545c81067f2a6
SHA1: d465606dc17e7daa070f79d5ceb27b288a5698d7
SHA256: 66ddd0edb16bfb041ccfa78e41af074bdf2f9b23eda55e45b54d29eabb1200d4
SHA512: aafc64c98775a9f47dfccb0fe06ee7e4f5d12ec2fac4aef6a0f0b6c1250f9906e33c06badc8f8f5bca92e4fc0a8933c80bd673d2dfc2f96e0bb938720ac1c8aa
SSDEEP: 49152:JnjQqMSPbcBVQej/1INRx+TSqTdX1HkQo6SAARdhnvntuwP:d8qPoBhz1aRxcSUDk36SAEdhvnz
Malware Config
Signatures
Wannacry
  WannaCry is a ransomware cryptoworm.
Contacts a large (3368) amount of remote hosts (1 TTP)
  This may indicate a network scan to discover remotely running services.
Executes dropped EXE (3 IoCs)
  Processes:
    PID 4504  mssecsvc.exe
    PID 3412  mssecsvc.exe
    PID 4972  tasksche.exe
Creates a large amount of network flows (1 TTP)
  This may indicate a network scan to discover remotely running services.
Drops file in Windows directory (2 IoCs)
  Processes (description / IoC / process):
    File created  C:\WINDOWS\mssecsvc.exe  rundll32.exe
    File created  C:\WINDOWS\tasksche.exe  mssecsvc.exe
Suspicious use of WriteProcessMemory (6 IoCs)
  Processes (description / PID / process / target process):
    PID 2412 wrote to memory of 2856  rundll32.exe -> rundll32.exe
    PID 2412 wrote to memory of 2856  rundll32.exe -> rundll32.exe
    PID 2412 wrote to memory of 2856  rundll32.exe -> rundll32.exe
    PID 2856 wrote to memory of 4504  rundll32.exe -> mssecsvc.exe
    PID 2856 wrote to memory of 4504  rundll32.exe -> mssecsvc.exe
    PID 2856 wrote to memory of 4504  rundll32.exe -> mssecsvc.exe
Processes (process tree; the trailing number is the tree depth)
1. C:\Windows\system32\rundll32.exe
   Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\22fd61e52893c9aec35545c81067f2a6_JaffaCakes118.dll,#1
   PID: 2412
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\rundll32.exe
      Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\22fd61e52893c9aec35545c81067f2a6_JaffaCakes118.dll,#1
      PID: 2856
      - Drops file in Windows directory
      - Suspicious use of WriteProcessMemory
      3. C:\WINDOWS\mssecsvc.exe
         Command line: C:\WINDOWS\mssecsvc.exe
         PID: 4504
         - Executes dropped EXE
         - Drops file in Windows directory
         4. C:\WINDOWS\tasksche.exe
            Command line: C:\WINDOWS\tasksche.exe /i
            PID: 4972
            - Executes dropped EXE
1. C:\WINDOWS\mssecsvc.exe
   Command line: C:\WINDOWS\mssecsvc.exe -m security
   PID: 3412
   - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads
C:\Windows\mssecsvc.exe
  Filesize: 3.6MB
  MD5: fb15c8ad14be000ec5693f13cd9ebc0b
  SHA1: 8df067c1fed20c8b355c41e722a3ef2907dcb296
  SHA256: f4b232df1dd733bbef43ef2b3ddd881d12b0c4a888d343116c0bbc8e41f4ef9a
  SHA512: e3d9825bcafb35850b6b4d6db5a874e5f0c4fa1e39bfb39f5b9fc11f9696723d65f80e8914f0739f5bca6e33ef16b8e03e91ad096680b400dbce135459cad8cd
C:\Windows\tasksche.exe
  Filesize: 3.4MB
  MD5: 72bb30f1522073dc153d42422d827dd3
  SHA1: 2746fde6c01ab9c36fc19619bca05aa024f55d5c
  SHA256: 33575a9d9dbb3d5024ec7f30ffaa0a50e8c5f318acba559bbc4a7324e4dbfd2b
  SHA512: 1b96f1092dae8c15673b3a322aa41048b646e2a96c27712d228df3728711d411621e46ba12a459e8a343c0401cedb59a2ce457118650786eaf11b6f7c0f07591