Analysis
- max time kernel: 150s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 19-05-2024 22:40
Static task: static1
Behavioral task: behavioral1
  Sample: 5bda624e072d09feb07b433b013f3410_JaffaCakes118.dll
  Resource: win7-20240508-en
Behavioral task: behavioral2
  Sample: 5bda624e072d09feb07b433b013f3410_JaffaCakes118.dll
  Resource: win10v2004-20240508-en
General
- Target: 5bda624e072d09feb07b433b013f3410_JaffaCakes118.dll
- Size: 5.0MB
- MD5: 5bda624e072d09feb07b433b013f3410
- SHA1: b23db4c3a35942595b86a685a1ab4cfae5f51c41
- SHA256: 2bad1462af5db857fe3409fef6624775996b98809a173b8eebe6d48975e8e163
- SHA512: dd8331004820f823d990f311d30013a5b8db3ffbadded146ef79b2ed695efbdbdf429544a64ae7dfbe4afe0fe67a00921f348466585591d399788efcec18244f
- SSDEEP: 49152:JnjQqMSPbcBVQej/1INRx+TSqTdX1HkQo6SAARdhHEubWAMEcSAH:d8qPoBhz1aRxcSUDk36SAEdhkubW5ZH
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.
- Contacts a large (3234) amount of remote hosts (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Executes dropped EXE (3 IoCs)
  Processes:
    pid   process
    2660  mssecsvc.exe
    2600  mssecsvc.exe
    3136  tasksche.exe
- Creates a large amount of network flows (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Drops file in Windows directory (2 IoCs)
  Processes:
    description   ioc                      process
    File created  C:\WINDOWS\mssecsvc.exe  rundll32.exe
    File created  C:\WINDOWS\tasksche.exe  mssecsvc.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes:
    description                       pid   process       target process
    PID 1492 wrote to memory of 3368  1492  rundll32.exe  rundll32.exe
    PID 1492 wrote to memory of 3368  1492  rundll32.exe  rundll32.exe
    PID 1492 wrote to memory of 3368  1492  rundll32.exe  rundll32.exe
    PID 3368 wrote to memory of 2660  3368  rundll32.exe  mssecsvc.exe
    PID 3368 wrote to memory of 2660  3368  rundll32.exe  mssecsvc.exe
    PID 3368 wrote to memory of 2660  3368  rundll32.exe  mssecsvc.exe
Processes
- C:\Windows\system32\rundll32.exe (depth 1)
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\5bda624e072d09feb07b433b013f3410_JaffaCakes118.dll,#1
  - Suspicious use of WriteProcessMemory
  PID: 1492
  - C:\Windows\SysWOW64\rundll32.exe (depth 2)
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\5bda624e072d09feb07b433b013f3410_JaffaCakes118.dll,#1
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    PID: 3368
    - C:\WINDOWS\mssecsvc.exe (depth 3)
      Command line: C:\WINDOWS\mssecsvc.exe
      - Executes dropped EXE
      - Drops file in Windows directory
      PID: 2660
      - C:\WINDOWS\tasksche.exe (depth 4)
        Command line: C:\WINDOWS\tasksche.exe /i
        - Executes dropped EXE
        PID: 3136
- C:\WINDOWS\mssecsvc.exe (depth 1)
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  - Executes dropped EXE
  PID: 2600
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Windows\mssecsvc.exe
  Filesize: 3.6MB
  MD5: cf0c5b9bdc306dfe29b27e3ba1abc4e6
  SHA1: a25405a5b88ddc278a07a172c7a1bd051ca357e6
  SHA256: 42680d0b5bda082277ca410053cdc3dabeb2c2e48df8079b64a0360394be65e2
  SHA512: bb0f050bdf5f8accb128938a5247b27e2cb0f91c8fa4ceb8adc812a1e97e7ce0a1bfa2626464b50ffa2ef81b2d164d7a516ef8e571aaadf2f81dbf529b4957e1
- C:\Windows\tasksche.exe
  Filesize: 3.4MB
  MD5: 41855d9f1538912eb5ffb379b1a12dc3
  SHA1: 46716ab4f8aabe12221fb6d8a54ad9621988ba10
  SHA256: 1279fba98caa2e4381e7566c9c64cf8ccea788943802edebe2cdd3976d23c1c0
  SHA512: 83863d3bc2bef9a5eab8405ddfdf663714dbfaea83840a1723a30e0539ae1bffac904c69468cb1fd79da4d8a1eb0e00ff86d071797aefad39c4fe13e871f8198