Analysis

  • max time kernel
    150s
  • max time network
    156s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    20-05-2024 06:20

General

  • Target

    5d998a5df9477d27ee86f973d6830bb7_JaffaCakes118.dll

  • Size

    5.0MB

  • MD5

    5d998a5df9477d27ee86f973d6830bb7

  • SHA1

    15e3b5983a8a9c2cfa20fd36a78729fdaf187423

  • SHA256

    00a532ea6e5196b20f5cebefbc4ac60f599e7ff2bfb18bc35ff16747f832d286

  • SHA512

    c0352ada233320221de30360e6420dca0c160c1cc18188f07cbac8769c9176e5ceb32a3321df23787aef9630ccf31319df35bd339980c3cc558114a671e57637

  • SSDEEP

    49152:JnjQqMSPbcBVQej/1INRx+TSqTdX1HkQo6SAARdhnvxJM0H9:d8qPoBhz1aRxcSUDk36SAEdhvxWa9

Malware Config

Signatures

  • Wannacry

    WannaCry is a ransomware cryptoworm.

  • Contacts a large (3191) amount of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Executes dropped EXE 3 IoCs
  • Creates a large amount of network flows 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Drops file in Windows directory 2 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\5d998a5df9477d27ee86f973d6830bb7_JaffaCakes118.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1436
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\5d998a5df9477d27ee86f973d6830bb7_JaffaCakes118.dll,#1
      2⤵
      • Drops file in Windows directory
      • Suspicious use of WriteProcessMemory
      PID:4344
      • C:\WINDOWS\mssecsvc.exe
        C:\WINDOWS\mssecsvc.exe
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        PID:2092
        • C:\WINDOWS\tasksche.exe
          C:\WINDOWS\tasksche.exe /i
          4⤵
          • Executes dropped EXE
          PID:932
  • C:\WINDOWS\mssecsvc.exe
    C:\WINDOWS\mssecsvc.exe -m security
    1⤵
    • Executes dropped EXE
    PID:1968

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\mssecsvc.exe

    Filesize

    3.6MB

    MD5

    b470738dc26c68476823320a7ed1ad26

    SHA1

    c925d9146c06a4c326551f9f72dee41311e6e1b0

    SHA256

    93f46b8fc2962f4f1bfa7a27d05e99d1f366c08e7edbbc4a7fe8e06083164a5a

    SHA512

    c2c5849ab9dbb288c03c2b0f0f1d72e60b50c93a301e7b938862671ee8f63e365515ec05ed91b6576bd77a17bb58f395cfe5e636e9141e20887e921adb752c18

  • C:\Windows\tasksche.exe

    Filesize

    3.4MB

    MD5

    e57ce751035627406f02ca25d01844ed

    SHA1

    150aa6ed9a5016aaad7cedb58912350f96f8b4bd

    SHA256

    0a4affd3a56be457cf12aad2f8f321cf2d7776f77c4deb4788940b32c0bafb55

    SHA512

    2b335bad9ca80ae3c193bd10ece3e83d1821341fc9b595c27286ba3f5148678fb1078a96348a7b7f3d0469b17896fac043331632754773d8b0166f4747c59fe4