Analysis
max time kernel: 150s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 11-05-2024 01:31

Static task: static1
Behavioral task: behavioral1
  Sample: 320be0fb7b2e0a09dbbdb0f1baaa464c_JaffaCakes118.dll
  Resource: win7-20240220-en
Behavioral task: behavioral2
  Sample: 320be0fb7b2e0a09dbbdb0f1baaa464c_JaffaCakes118.dll
  Resource: win10v2004-20240508-en
General
Target: 320be0fb7b2e0a09dbbdb0f1baaa464c_JaffaCakes118.dll
Size: 5.0MB
MD5: 320be0fb7b2e0a09dbbdb0f1baaa464c
SHA1: 65e4a93f5e21c7ee0838b658f4d4ea91101301f8
SHA256: b77665487dd354f83ab68f978f8cc82afa45c8e5083224aa9fbb4d81c4b69f97
SHA512: 7c28d605258d2660159232bd5882f61e36b469a4456a57b87bf4d7215d8a885fcb102fe79b0829a78fc1937759282cf47271ea30f37d234491a677dc173f437d
SSDEEP: 98304:d8qPoBhz1aRxcSUDk36SAEdV593R8yAVp2H:d8qPe1Cxcxk3ZAEbzR8yc4H
Malware Config

Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.
- Contacts a large (3286) amount of remote hosts (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Executes dropped EXE (3 IoCs)
  Processes: mssecsvc.exe, mssecsvc.exe, tasksche.exe
    PID   Process
    4804  mssecsvc.exe
    3184  mssecsvc.exe
    1944  tasksche.exe
- Creates a large amount of network flows (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Drops file in Windows directory (2 IoCs)
  Processes: rundll32.exe, mssecsvc.exe
    Description   IoC                      Process
    File created  C:\WINDOWS\mssecsvc.exe  rundll32.exe
    File created  C:\WINDOWS\tasksche.exe  mssecsvc.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes: rundll32.exe, rundll32.exe
    Description                        PID   Process       Target process
    PID 1464 wrote to memory of 1192   1464  rundll32.exe  rundll32.exe
    PID 1464 wrote to memory of 1192   1464  rundll32.exe  rundll32.exe
    PID 1464 wrote to memory of 1192   1464  rundll32.exe  rundll32.exe
    PID 1192 wrote to memory of 4804   1192  rundll32.exe  mssecsvc.exe
    PID 1192 wrote to memory of 4804   1192  rundll32.exe  mssecsvc.exe
    PID 1192 wrote to memory of 4804   1192  rundll32.exe  mssecsvc.exe
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\320be0fb7b2e0a09dbbdb0f1baaa464c_JaffaCakes118.dll,#1
  - Suspicious use of WriteProcessMemory
  PID:1464
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\320be0fb7b2e0a09dbbdb0f1baaa464c_JaffaCakes118.dll,#1
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    PID:1192
    - C:\WINDOWS\mssecsvc.exe
      Command line: C:\WINDOWS\mssecsvc.exe
      - Executes dropped EXE
      - Drops file in Windows directory
      PID:4804
      - C:\WINDOWS\tasksche.exe
        Command line: C:\WINDOWS\tasksche.exe /i
        - Executes dropped EXE
        PID:1944
- C:\WINDOWS\mssecsvc.exe
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  - Executes dropped EXE
  PID:3184
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\WINDOWS\mssecsvc.exe
  Filesize: 3.6MB
  MD5: 185bec96a82edd3681173c67e69c1ecf
  SHA1: 33b7bff0bc4aeb8a75b1d47e3246401a1f394430
  SHA256: 1df8314f8b0dee306f0cb7d2ee56013dab11231bdfd67066576cdbe2e208e36d
  SHA512: 8f457c25d40ab606a8e7e5d11c1dbbac4d0b929a077a5469e5abca764d75d752599927af19ffeff909bfe87f9454d0f954213119e5192cc63ae0dfcc3029dbee
- C:\Windows\tasksche.exe
  Filesize: 3.4MB
  MD5: e40839dba564d0fa244ae41fe4e2a1ba
  SHA1: e34589af147ce299986172445c9eb438a39a82f9
  SHA256: 55078b6ed1ec27c63a63b8f13d8b5403a23c6b94feb438b4238dc9f0c82d4341
  SHA512: 7a5ce8c4115aa1d96b132c8e3710d7c40cd081665437f89e4c6d38f8c7d91c6bffb0a92860d90e8f84387ffb9b18a8851fa604ac55efa55f97e7241e78756c09