Analysis
- max time kernel: 150s
- max time network: 158s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 20-05-2024 10:29
Static task: static1
Behavioral task: behavioral1
- Sample: 5e997736a950b255b74def5a7090a310_JaffaCakes118.dll
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: 5e997736a950b255b74def5a7090a310_JaffaCakes118.dll
- Resource: win10v2004-20240508-en
General
- Target: 5e997736a950b255b74def5a7090a310_JaffaCakes118.dll
- Size: 5.0MB
- MD5: 5e997736a950b255b74def5a7090a310
- SHA1: 01d77af04ac36e556b8638314687ba24a09063d1
- SHA256: 1cb50e49a995d7b5fbc68ce0ad7c9c3f2a01d31e554ecd64d8a51f7511218fb5
- SHA512: ed22894452f2277fb9f2a38049bfbfbbb9093a21dd4303a52e087a8b8ef65832ee211c080e93d82c3319578547ec35e59159a34128e5f981a3ca26eb968fe539
- SSDEEP: 98304:d8qpz1aRxcSUDk36SAEdhvxWa9P593R8yAVp2H:d8qB1Cxcxk3ZAEUadzR8yc4H
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.
- Contacts a large number (3062) of remote hosts (1 TTP)
  This may indicate a network scan to discover remotely running services.
- Executes dropped EXE (3 IoCs)
  Processes (pid, process):
    4328  mssecsvc.exe
    3932  mssecsvc.exe
    3804  tasksche.exe
- Creates a large number of network flows (1 TTP)
  This may indicate a network scan to discover remotely running services.
- Drops file in Windows directory (2 IoCs)
  Processes (description, ioc, process):
    File created  C:\WINDOWS\mssecsvc.exe  rundll32.exe
    File created  C:\WINDOWS\tasksche.exe  mssecsvc.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes (description, pid, process, target process):
    PID 736 wrote to memory of 3252   736   rundll32.exe  rundll32.exe
    PID 736 wrote to memory of 3252   736   rundll32.exe  rundll32.exe
    PID 736 wrote to memory of 3252   736   rundll32.exe  rundll32.exe
    PID 3252 wrote to memory of 4328  3252  rundll32.exe  mssecsvc.exe
    PID 3252 wrote to memory of 4328  3252  rundll32.exe  mssecsvc.exe
    PID 3252 wrote to memory of 4328  3252  rundll32.exe  mssecsvc.exe
Processes (process tree, children indented under their parent)
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\5e997736a950b255b74def5a7090a310_JaffaCakes118.dll,#1
  - Suspicious use of WriteProcessMemory
  PID: 736
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\5e997736a950b255b74def5a7090a310_JaffaCakes118.dll,#1
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    PID: 3252
    - C:\WINDOWS\mssecsvc.exe
      Command line: C:\WINDOWS\mssecsvc.exe
      - Executes dropped EXE
      - Drops file in Windows directory
      PID: 4328
      - C:\WINDOWS\tasksche.exe
        Command line: C:\WINDOWS\tasksche.exe /i
        - Executes dropped EXE
        PID: 3804
- C:\WINDOWS\mssecsvc.exe
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  - Executes dropped EXE
  PID: 3932
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 3.6MB
  MD5: a8ec421a7a0102eba7f116fb05a693b7
  SHA1: 9c8dd4295920870267037552b630be8a58c33d78
  SHA256: 277b166ce953a8126678354e7588e9437b3ac8863737334822c99b5719019f84
  SHA512: bd5f30c1eb2d7184ea71428448218848460e66f44d7a0a19b3c2f1c258b3772b6ff9a2886afcc4dbf29cd7382ec2da1913576a72c73f92b47dd39d5f08709e74
- Filesize: 3.4MB
  MD5: e5792ea0c32a7f959dff01c4a4a81d4e
  SHA1: 4e87d246e6b9c0c273af2dcbbc8187e6fbe17969
  SHA256: 4b5b2fd5c9c0720571b6d4a771b49f6ecadc2af1936b2addfd4bafd266dc989f
  SHA512: b8689cbc8c8006f26e23a37c9fda950829a3794f7b5e7c9fdcb09cead87d4c460d8b5144da31ab92ed207db008968edaa6e2b8aee2621399ba7db4c9d3023cf5