Analysis
- max time kernel: 150s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20240419-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240419-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 08-05-2024 04:14
Static task: static1
Behavioral task behavioral1: sample 232569d59a9b2e49c99c142f961e0799_JaffaCakes118.dll, resource win7-20240221-en
Behavioral task behavioral2: sample 232569d59a9b2e49c99c142f961e0799_JaffaCakes118.dll, resource win10v2004-20240419-en
General
- Target: 232569d59a9b2e49c99c142f961e0799_JaffaCakes118.dll
- Size: 5.0MB
- MD5: 232569d59a9b2e49c99c142f961e0799
- SHA1: 1e6e1300f462451ec0a1dc2f79a9cc5252f95b83
- SHA256: cc76131a6fbdd233d2cb6dae93b1fd5883b7a78dda5d7ad859ddb33feeeaac7e
- SHA512: 2448514c6ef5f39c3426ec7bb3e1a38b552051c87f9b788b7154ac25b06d1f13407e48ea5cc637fe6b0201422e681f89d4802287112761794fe74a65d140dc4b
- SSDEEP: 49152:JnjQqMSPbcBVQej/1INRx+TSqTdX1HkQo6SAARdhnvxJM0H9PAME:d8qPoBhz1aRxcSUDk36SAEdhvxWa9P5
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.
- Contacts a large (3244) amount of remote hosts (1 TTP)
  This may indicate a network scan to discover remotely running services.
- Executes dropped EXE (3 IoCs)
  pid   process
  4808  mssecsvc.exe
  3644  mssecsvc.exe
  4992  tasksche.exe
- Creates a large amount of network flows (1 TTP)
  This may indicate a network scan to discover remotely running services.
- Drops file in Windows directory (2 IoCs)
  description   ioc                      process
  File created  C:\WINDOWS\mssecsvc.exe  rundll32.exe
  File created  C:\WINDOWS\tasksche.exe  mssecsvc.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  description                       pid   process       target process
  PID 4888 wrote to memory of 2732  4888  rundll32.exe  rundll32.exe
  PID 4888 wrote to memory of 2732  4888  rundll32.exe  rundll32.exe
  PID 4888 wrote to memory of 2732  4888  rundll32.exe  rundll32.exe
  PID 2732 wrote to memory of 4808  2732  rundll32.exe  mssecsvc.exe
  PID 2732 wrote to memory of 4808  2732  rundll32.exe  mssecsvc.exe
  PID 2732 wrote to memory of 4808  2732  rundll32.exe  mssecsvc.exe
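The two network signatures above describe fan-out rather than any particular destination: 3244 distinct remote hosts reached inside a 151-second run is what a service sweep looks like in flow data. The script below is an added example, not the sandbox's detection logic and not code from the report: it counts distinct destination hosts, ports and /24 networks per process over constructed flow records and flags processes that cross a threshold. The threshold (100 hosts), the flow schema, the attribution of the sweep to mssecsvc.exe and the benign browser traffic are all assumptions; the report states only that 3244 hosts were contacted, not which process did it.

```python
"""Per-process destination fan-out over flow records, the behaviour behind the
report's "Contacts a large (3244) amount of remote hosts" signature.
Added example: flow records are constructed below, not taken from the report's
network capture; the threshold and the process attribution are assumptions."""
from collections import defaultdict
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Flow:
    pid: int
    image: str
    dst_ip: str
    dst_port: int


# Assumption: distinct hosts one process must reach before we call it a sweep.
FANOUT_THRESHOLD = 100


def synthetic_flows():
    """Constructed sample: one process reaching 3244 distinct hosts on TCP/445
    (the host count the report observed; attributing it to mssecsvc.exe is an
    assumption), plus a few ordinary HTTPS connections from another process."""
    flows = []
    base = int(ipaddress.IPv4Address("10.0.0.0"))
    for i in range(3244):
        # step by 7 so the sweep spans many /24s rather than a single subnet
        flows.append(Flow(4808, "mssecsvc.exe", str(ipaddress.IPv4Address(base + i * 7)), 445))
    for i in range(3):
        flows.append(Flow(1234, "browser.exe", f"93.184.216.{i}", 443))
    return flows


def fanout(flows):
    """Per pid: image name, distinct destination hosts, distinct destination
    ports and distinct /24 networks touched."""
    hosts, ports, nets, image = defaultdict(set), defaultdict(set), defaultdict(set), {}
    for f in flows:
        hosts[f.pid].add(f.dst_ip)
        ports[f.pid].add(f.dst_port)
        nets[f.pid].add(str(ipaddress.ip_network(f"{f.dst_ip}/24", strict=False)))
        image[f.pid] = f.image
    return {
        pid: {"image": image[pid], "hosts": len(hosts[pid]),
              "ports": sorted(ports[pid]), "subnets": len(nets[pid])}
        for pid in hosts
    }


def flag_scanners(flows, threshold=FANOUT_THRESHOLD):
    """Processes whose distinct-host count reaches the threshold. One destination
    port across every host is the service-discovery shape the report's
    signature text describes."""
    flagged = []
    for pid, s in fanout(flows).items():
        if s["hosts"] >= threshold:
            shape = ("single-port sweep on %d" % s["ports"][0]
                     if len(s["ports"]) == 1 else "multi-port")
            flagged.append((pid, s["image"], s["hosts"], s["subnets"], shape))
    return flagged


if __name__ == "__main__":
    for pid, image, hosts, subnets, shape in flag_scanners(synthetic_flows()):
        print(f"pid {pid} ({image}): {hosts} hosts across {subnets} /24s, {shape}")
```

Against real telemetry the same counting runs per process over a time window; the subnet count separates a sweep across adjacent ranges from a process that simply talks to many hosts inside one CDN range.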
Processes
- C:\Windows\system32\rundll32.exe (PID 4888)
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\232569d59a9b2e49c99c142f961e0799_JaffaCakes118.dll,#1
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (PID 2732)
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\232569d59a9b2e49c99c142f961e0799_JaffaCakes118.dll,#1
    Signatures: Drops file in Windows directory; Suspicious use of WriteProcessMemory
    - C:\WINDOWS\mssecsvc.exe (PID 4808)
      C:\WINDOWS\mssecsvc.exe
      Signatures: Executes dropped EXE; Drops file in Windows directory
      - C:\WINDOWS\tasksche.exe (PID 4992)
        C:\WINDOWS\tasksche.exe /i
        Signatures: Executes dropped EXE
- C:\WINDOWS\mssecsvc.exe (PID 3644)
  C:\WINDOWS\mssecsvc.exe -m security
  Signatures: Executes dropped EXE
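The tree above shows the 64-bit rundll32.exe (PID 4888) invoking export #1 of the DLL from the user's Temp directory and handing off to the SysWOW64 rundll32.exe (PID 2732), which is the normal pattern when a 32-bit DLL is loaded on 64-bit Windows; that instance drops C:\WINDOWS\mssecsvc.exe, which drops and runs tasksche.exe /i, while a second mssecsvc.exe (PID 3644) runs with -m security and no recorded parent. The Python script below is an added example, not part of the report and not the sandbox's signature engine: it replays those events as constructed records and evaluates rules equivalent to the report's signatures (ordinal DLL load from Temp, file drop in the Windows directory, execution of a dropped file, standalone mssecsvc.exe -m security). PIDs, image paths and command lines are taken from the tree; the event schema, the rule names and the convention that an unrecorded parent is ppid None are this script's own.

```python
"""Replays the process tree and file drops from the report above as constructed
event records and evaluates rules equivalent to its behavioural signatures.
Added example: not the sandbox's own signature engine. PIDs, images and
command lines come from the tree; the schema and rule names are this script's."""
import ntpath
import re
from dataclasses import dataclass
from typing import Optional


@dataclass
class ProcEvent:
    pid: int
    ppid: Optional[int]      # None = no parent recorded in the trace
    image: str
    cmdline: str


@dataclass
class FileEvent:
    pid: int                 # creating process
    path: str


DLL = r"C:\Users\Admin\AppData\Local\Temp\232569d59a9b2e49c99c142f961e0799_JaffaCakes118.dll"

# Constructed from the report's process tree.
PROCS = [
    ProcEvent(4888, None, r"C:\Windows\system32\rundll32.exe", "rundll32.exe " + DLL + ",#1"),
    ProcEvent(2732, 4888, r"C:\Windows\SysWOW64\rundll32.exe", "rundll32.exe " + DLL + ",#1"),
    ProcEvent(4808, 2732, r"C:\WINDOWS\mssecsvc.exe", r"C:\WINDOWS\mssecsvc.exe"),
    ProcEvent(4992, 4808, r"C:\WINDOWS\tasksche.exe", r"C:\WINDOWS\tasksche.exe /i"),
    ProcEvent(3644, None, r"C:\WINDOWS\mssecsvc.exe", r"C:\WINDOWS\mssecsvc.exe -m security"),
]
# Constructed from the "Drops file in Windows directory" IoCs.
FILES = [
    FileEvent(2732, r"C:\WINDOWS\mssecsvc.exe"),
    FileEvent(4808, r"C:\WINDOWS\tasksche.exe"),
]

ORDINAL_LOAD = re.compile(r"rundll32\.exe\s+(?P<dll>.+?\.dll),#(?P<ordinal>\d+)", re.I)
USER_TEMP = re.compile(r"\\AppData\\Local\\Temp\\", re.I)
WINDOWS_DIR = re.compile(r"^[a-z]:\\windows\\[^\\]+$", re.I)   # file placed directly in %WINDIR%


def ancestry(pid, procs):
    """Image basenames from the trace root down to pid."""
    by_pid = {p.pid: p for p in procs}
    chain, cur = [], by_pid.get(pid)
    while cur is not None:
        chain.append(ntpath.basename(cur.image))
        cur = by_pid.get(cur.ppid)
    return list(reversed(chain))


def evaluate(procs, files):
    """Map each pid to the set of rule names it triggers."""
    hits = {p.pid: set() for p in procs}
    dropped = {f.path.lower() for f in files}
    for f in files:
        if WINDOWS_DIR.match(f.path) and f.pid in hits:
            hits[f.pid].add("Drops file in Windows directory")
    for p in procs:
        m = ORDINAL_LOAD.search(p.cmdline)
        if m and USER_TEMP.search(m.group("dll")):
            hits[p.pid].add("rundll32 loads Temp DLL by ordinal #%s" % m.group("ordinal"))
        if p.image.lower() in dropped:
            # event ordering (drop before execute) is not checked: a simplification
            hits[p.pid].add("Executes dropped EXE")
        if (ntpath.basename(p.image).lower() == "mssecsvc.exe"
                and "-m security" in p.cmdline.lower() and p.ppid is None):
            hits[p.pid].add("mssecsvc.exe -m security without recorded parent")
    return hits


if __name__ == "__main__":
    for pid, rules in evaluate(PROCS, FILES).items():
        print(pid, " -> ".join(ancestry(pid, PROCS)), sorted(rules))
```

The "Executes dropped EXE" rule is what ties the two mssecsvc.exe instances together: PID 3644 has no parent in the trace, but its image path equals a file another traced process created, which is why the report still flags it.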
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Windows\mssecsvc.exe
  Filesize: 3.6MB
  MD5: 8df8fc447b12bafdbc97d38ccce10736
  SHA1: 33d75a40fa2a17a178cba25bc8ec74765b31f993
  SHA256: cae32f5adf3886d799ea260de2aceca2a83d2e359a5b5dbd40c7fb3fd2c47065
  SHA512: 1b349eea9e5dfec795f07309fdd58e090f825b7305fa18120628167ccfa72ca655c810fd54f6afd852de38b3c2a796dbeea71d5b3ab857ebc326eba6c56f0f32
- C:\Windows\tasksche.exe
  Filesize: 3.4MB
  MD5: 6dd6a4d43690e42346e2566448eb7e8b
  SHA1: 2a65cb18fd99ccf9f8d18a8128b405309940d98b
  SHA256: 493ec650870429b427b5366d6198e38d2f80f605a8dfb50dd57cc2d05cc31f82
  SHA512: 6f73cf85b5a755a42ddc9674d9e67767125b4ef589be194c443df8e0153f64937b995f0b177f596fb4d4fc1d363a6b5615b951b82b9a46a76b7ba6d09cbbc870