Analysis
max time kernel: 150s
max time network: 156s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 20-05-2024 06:20
Static task: static1
Behavioral task: behavioral1
Sample: 5d998a5df9477d27ee86f973d6830bb7_JaffaCakes118.dll
Resource: win7-20240215-en
Behavioral task: behavioral2
Sample: 5d998a5df9477d27ee86f973d6830bb7_JaffaCakes118.dll
Resource: win10v2004-20240508-en
General
Target: 5d998a5df9477d27ee86f973d6830bb7_JaffaCakes118.dll
Size: 5.0MB
MD5: 5d998a5df9477d27ee86f973d6830bb7
SHA1: 15e3b5983a8a9c2cfa20fd36a78729fdaf187423
SHA256: 00a532ea6e5196b20f5cebefbc4ac60f599e7ff2bfb18bc35ff16747f832d286
SHA512: c0352ada233320221de30360e6420dca0c160c1cc18188f07cbac8769c9176e5ceb32a3321df23787aef9630ccf31319df35bd339980c3cc558114a671e57637
SSDEEP: 49152:JnjQqMSPbcBVQej/1INRx+TSqTdX1HkQo6SAARdhnvxJM0H9:d8qPoBhz1aRxcSUDk36SAEdhvxWa9
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.
- Contacts a large (3191) amount of remote hosts (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Executes dropped EXE (3 IoCs)
  Processes: mssecsvc.exe, mssecsvc.exe, tasksche.exe
  pid   process
  2092  mssecsvc.exe
  1968  mssecsvc.exe
  932   tasksche.exe
- Creates a large amount of network flows (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Drops file in Windows directory (2 IoCs)
  Processes: rundll32.exe, mssecsvc.exe
  description   ioc                       process
  File created  C:\WINDOWS\mssecsvc.exe   rundll32.exe
  File created  C:\WINDOWS\tasksche.exe   mssecsvc.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes: rundll32.exe, rundll32.exe
  description                         pid   process       target process
  PID 1436 wrote to memory of 4344    1436  rundll32.exe  rundll32.exe
  PID 1436 wrote to memory of 4344    1436  rundll32.exe  rundll32.exe
  PID 1436 wrote to memory of 4344    1436  rundll32.exe  rundll32.exe
  PID 4344 wrote to memory of 2092    4344  rundll32.exe  mssecsvc.exe
  PID 4344 wrote to memory of 2092    4344  rundll32.exe  mssecsvc.exe
  PID 4344 wrote to memory of 2092    4344  rundll32.exe  mssecsvc.exe
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\5d998a5df9477d27ee86f973d6830bb7_JaffaCakes118.dll,#1
  - Suspicious use of WriteProcessMemory
  PID: 1436
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\5d998a5df9477d27ee86f973d6830bb7_JaffaCakes118.dll,#1
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    PID: 4344
    - C:\WINDOWS\mssecsvc.exe
      Command line: C:\WINDOWS\mssecsvc.exe
      - Executes dropped EXE
      - Drops file in Windows directory
      PID: 2092
      - C:\WINDOWS\tasksche.exe
        Command line: C:\WINDOWS\tasksche.exe /i
        - Executes dropped EXE
        PID: 932
- C:\WINDOWS\mssecsvc.exe
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  - Executes dropped EXE
  PID: 1968
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 3.6MB
  MD5: b470738dc26c68476823320a7ed1ad26
  SHA1: c925d9146c06a4c326551f9f72dee41311e6e1b0
  SHA256: 93f46b8fc2962f4f1bfa7a27d05e99d1f366c08e7edbbc4a7fe8e06083164a5a
  SHA512: c2c5849ab9dbb288c03c2b0f0f1d72e60b50c93a301e7b938862671ee8f63e365515ec05ed91b6576bd77a17bb58f395cfe5e636e9141e20887e921adb752c18
- Filesize: 3.4MB
  MD5: e57ce751035627406f02ca25d01844ed
  SHA1: 150aa6ed9a5016aaad7cedb58912350f96f8b4bd
  SHA256: 0a4affd3a56be457cf12aad2f8f321cf2d7776f77c4deb4788940b32c0bafb55
  SHA512: 2b335bad9ca80ae3c193bd10ece3e83d1821341fc9b595c27286ba3f5148678fb1078a96348a7b7f3d0469b17896fac043331632754773d8b0166f4747c59fe4