Analysis
- max time kernel: 150s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 22-05-2024 04:50
Static task: static1
Behavioral task: behavioral1
- Sample: 660e3d0835ba930aac57a0590eb0d5c5_JaffaCakes118.dll
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: 660e3d0835ba930aac57a0590eb0d5c5_JaffaCakes118.dll
- Resource: win10v2004-20240508-en
General
- Target: 660e3d0835ba930aac57a0590eb0d5c5_JaffaCakes118.dll
- Size: 5.0MB
- MD5: 660e3d0835ba930aac57a0590eb0d5c5
- SHA1: d0a496937233b8fe6bb5b43c1878ec2f3c1049b8
- SHA256: 43501ea65f62d22f6c1b1fd10ea04feefb513f18d05217e5090f001f4180fa9d
- SHA512: 752a4dee87dc749047c53c8a035444e7a88462a0951cf49b6c018b5a3790d955e870074898ddfeb45c205192238d1d54d01bdeee34144f11f409b5eef987368f
- SSDEEP: 12288:ywbLgPluxQhMbaIMu7L5NVErCA4z2g6rTcbckPU82900Ve7zw+4F8SNTJYsVr7D:JbLgdeQhfdmMSirYbcMNgefuF8S9r7D
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.
- Contacts a large (3364) amount of remote hosts (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Executes dropped EXE (3 IoCs)
  Processes (pid, process):
  636, mssecsvc.exe
  3556, mssecsvc.exe
  2604, tasksche.exe
- Creates a large amount of network flows (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Drops file in Windows directory (2 IoCs)
  Processes (description, ioc, process):
  File created, C:\WINDOWS\mssecsvc.exe, rundll32.exe
  File created, C:\WINDOWS\tasksche.exe, mssecsvc.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes (description, pid, process, target process):
  PID 5036 wrote to memory of 1400, 5036, rundll32.exe, rundll32.exe
  PID 5036 wrote to memory of 1400, 5036, rundll32.exe, rundll32.exe
  PID 5036 wrote to memory of 1400, 5036, rundll32.exe, rundll32.exe
  PID 1400 wrote to memory of 636, 1400, rundll32.exe, mssecsvc.exe
  PID 1400 wrote to memory of 636, 1400, rundll32.exe, mssecsvc.exe
  PID 1400 wrote to memory of 636, 1400, rundll32.exe, mssecsvc.exe
Processes
- C:\Windows\system32\rundll32.exe (depth 1)
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\660e3d0835ba930aac57a0590eb0d5c5_JaffaCakes118.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (depth 2)
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\660e3d0835ba930aac57a0590eb0d5c5_JaffaCakes118.dll,#1
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    - C:\WINDOWS\mssecsvc.exe (depth 3)
      Command line: C:\WINDOWS\mssecsvc.exe
      - Executes dropped EXE
      - Drops file in Windows directory
      - C:\WINDOWS\tasksche.exe (depth 4)
        Command line: C:\WINDOWS\tasksche.exe /i
        - Executes dropped EXE
- C:\WINDOWS\mssecsvc.exe (depth 1)
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  - Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- C:\Windows\mssecsvc.exe
  Filesize: 3.6MB
  MD5: 0a1ffc82898ef68b541b9d0ce5dff767
  SHA1: 0d0ec380dfeadaeb64cfdcc424021506b4f0fee0
  SHA256: 5578bfd8148ce79ade1dc8844fe9e80439610d155b9373ab4dae6dab56a7da1a
  SHA512: 15c9da4eb702416a6d73f8e51191cf28acde36fec03afb5814231a5cf440b841f8fe14884881d8c311a30a3c0a37985304d51be57f02acfe116f49aa454a5d8b
- C:\Windows\tasksche.exe
  Filesize: 3.4MB
  MD5: 7e44eed7d5567d9be8d343434d2d748a
  SHA1: 087d40455e951500bb184c25dff8d2d1f8426a6c
  SHA256: e78c458b296087d851e08c862be60c345124259fed8885aad55462472cdad1ae
  SHA512: 7fdfc423dae73b4cd0698e9692001e2ba15196d4efc815f13ddefbfebe86661e8d5721165feff61e3cbfd06d2d5254db5b5586109444c46eaac61691fb10211b