Analysis
-
max time kernel
150s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system -
submitted
08-05-2024 06:56
Static task
static1
Behavioral task
behavioral1
Sample
23b42e30bcbbc5649f189525a02758cf_JaffaCakes118.dll
Resource
win7-20240419-en
Behavioral task
behavioral2
Sample
23b42e30bcbbc5649f189525a02758cf_JaffaCakes118.dll
Resource
win10v2004-20240426-en
General
-
Target
23b42e30bcbbc5649f189525a02758cf_JaffaCakes118.dll
-
Size
5.0MB
-
MD5
23b42e30bcbbc5649f189525a02758cf
-
SHA1
07a54b3c3a3df399ace3f557423b5ca539a4a91b
-
SHA256
571e7603ef71138aa1423e6d7e0111c7efaf54a9844471638d899e124db888de
-
SHA512
19ba831999a89a0aeb0ea3872842d51cf52e15032376c5135c5f51a8334f2c4c82a3811c9a2305e3d476eb7976ec317d89c53f7491dd4ecf230394aead38f112
-
SSDEEP
98304:d8qPoBhz1aRxcSUDk36SAEdhvxWa9P5UBr:d8qPe1Cxcxk3ZAEUaduBr
Malware Config
Signatures
-
Wannacry
WannaCry is a ransomware cryptoworm.
-
Contacts a large (3378) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Executes dropped EXE 3 IoCs
Processes:
PID 2632 mssecsvc.exe
PID 2332 mssecsvc.exe
PID 1248 tasksche.exe -
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Drops file in Windows directory 2 IoCs
Processes:
File created: C:\WINDOWS\mssecsvc.exe (by rundll32.exe)
File created: C:\WINDOWS\tasksche.exe (by mssecsvc.exe) -
Suspicious use of WriteProcessMemory 6 IoCs
Processes:
PID 3612 (rundll32.exe) wrote to memory of PID 2804 (rundll32.exe)
PID 3612 (rundll32.exe) wrote to memory of PID 2804 (rundll32.exe)
PID 3612 (rundll32.exe) wrote to memory of PID 2804 (rundll32.exe)
PID 2804 (rundll32.exe) wrote to memory of PID 2632 (mssecsvc.exe)
PID 2804 (rundll32.exe) wrote to memory of PID 2632 (mssecsvc.exe)
PID 2804 (rundll32.exe) wrote to memory of PID 2632 (mssecsvc.exe)
Processes
- C:\Windows\system32\rundll32.exe (depth 1)
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\23b42e30bcbbc5649f189525a02758cf_JaffaCakes118.dll,#1
  - Suspicious use of WriteProcessMemory
  PID: 3612
  - C:\Windows\SysWOW64\rundll32.exe (depth 2)
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\23b42e30bcbbc5649f189525a02758cf_JaffaCakes118.dll,#1
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    PID: 2804
    - C:\WINDOWS\mssecsvc.exe (depth 3)
      Command line: C:\WINDOWS\mssecsvc.exe
      - Executes dropped EXE
      - Drops file in Windows directory
      PID: 2632
      - C:\WINDOWS\tasksche.exe (depth 4)
        Command line: C:\WINDOWS\tasksche.exe /i
        - Executes dropped EXE
        PID: 1248
- C:\WINDOWS\mssecsvc.exe (depth 1)
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  - Executes dropped EXE
  PID: 2332
Network
MITRE ATT&CK Enterprise v15
Downloads
-
C:\Windows\mssecsvc.exe
Filesize
3.6MB
MD5
8181f137453e486e8841935ceac4cc97
SHA1
6b4558b59f241a8b6445c018c3a71930bf2d2061
SHA256
e54f60f3f6abbf3b06b8bb927755ac423cf9056f15bfa9360d930dd8fe595c2a
SHA512
88181c13e350db3eb9d24b148c7b50d446fde5f130b6e58b011540b3f37d1613827def20cc8559fe0fe562b8b7bc6288006a1052bafb1bc88523951d3c5468cf
-
C:\Windows\tasksche.exe
Filesize
3.4MB
MD5
a1be493d471589a611dab412b7bf6bc8
SHA1
21ff7b7cfbf13c840cea55036b07b101e6f2b52b
SHA256
269d8bb792deccb011db69d1a774fc2f3e87db2772aaa16405239db03b2cd726
SHA512
648ea37ce1e7225a9164696d8bbd9f245196186885a214c3cc5a7b147bed55701ec2244b8a97dfefc3321d8ae25c379e84fcc6b67a0f868078d3c2a9aed00fd6