Analysis
max time kernel: 150s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
submitted: 22-05-2024 20:46
Static task: static1
Behavioral task: behavioral1
  Sample: 6893182bc20611a90422a8943e255340_JaffaCakes118.dll
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 6893182bc20611a90422a8943e255340_JaffaCakes118.dll
  Resource: win10v2004-20240426-en
General
Target: 6893182bc20611a90422a8943e255340_JaffaCakes118.dll
Size: 5.0MB
MD5: 6893182bc20611a90422a8943e255340
SHA1: 8fb2cac71bd8ae9f8e669e5f76531f8300974d01
SHA256: 3f6dd13bf4024fa1d7cd3afd3e92eb34a4a079603f7763bae8671c664f3be81d
SHA512: 1795535f251dcf16a2f6ed6d7d2248b4aa0a5d4c4bf0b4ae7a6a533d074884f4f98beb6b05685f24c24c556378a315a78adf6586636e8b878b31799b13e1e95c
SSDEEP: 98304:d8qPoBhz1aRxcSUI1LE6QhDAdZM2cXv9IfrrwLZqlTu5hgb+9qJfuMI74l8BuKG6:d8qPe1CxcS1LB+ELM2c/23MWQCWq1upV
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.
- Contacts a large number (3361) of remote hosts (1 TTP)
  This may indicate a network scan to discover remotely running services.
- Executes dropped EXE (3 IoCs)
  Processes: mssecsvc.exe, mssecsvc.exe, tasksche.exe
  pid   process
  3024  mssecsvc.exe
  1260  mssecsvc.exe
  3744  tasksche.exe
- Creates a large amount of network flows (1 TTP)
  This may indicate a network scan to discover remotely running services.
- Drops file in Windows directory (2 IoCs)
  Processes: rundll32.exe, mssecsvc.exe
  description   ioc                       process
  File created  C:\WINDOWS\mssecsvc.exe   rundll32.exe
  File created  C:\WINDOWS\tasksche.exe   mssecsvc.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes: rundll32.exe, rundll32.exe
  description                       pid   process       target process
  PID 2992 wrote to memory of 4908  2992  rundll32.exe  rundll32.exe
  PID 2992 wrote to memory of 4908  2992  rundll32.exe  rundll32.exe
  PID 2992 wrote to memory of 4908  2992  rundll32.exe  rundll32.exe
  PID 4908 wrote to memory of 3024  4908  rundll32.exe  mssecsvc.exe
  PID 4908 wrote to memory of 3024  4908  rundll32.exe  mssecsvc.exe
  PID 4908 wrote to memory of 3024  4908  rundll32.exe  mssecsvc.exe
Processes
C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\6893182bc20611a90422a8943e255340_JaffaCakes118.dll,#1
  - Suspicious use of WriteProcessMemory
  PID: 2992
  C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\6893182bc20611a90422a8943e255340_JaffaCakes118.dll,#1
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    PID: 4908
    C:\WINDOWS\mssecsvc.exe
      Command line: C:\WINDOWS\mssecsvc.exe
      - Executes dropped EXE
      - Drops file in Windows directory
      PID: 3024
      C:\WINDOWS\tasksche.exe
        Command line: C:\WINDOWS\tasksche.exe /i
        - Executes dropped EXE
        PID: 3744
C:\WINDOWS\mssecsvc.exe
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  - Executes dropped EXE
  PID: 1260
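The signatures and process tree above can be replayed as detection logic over endpoint telemetry. The script below is an added example, not the sandbox's own detection code: it reconstructs the chain (rundll32.exe loading the DLL by export ordinal via the ",#1" argument, then mssecsvc.exe and tasksche.exe dropped into C:\WINDOWS and executed, and one mssecsvc.exe instance fanning out to 3361 remote hosts) from a constructed event list. PIDs, image paths and the host count come from the report; the event schema, the parent PIDs of the two root processes, the remote addresses and the fan-out threshold are assumptions.

```python
"""Replay the report's behavioural signatures over constructed endpoint events.

Added example, not part of the sandbox report. Events mirror the report's
process tree; anything not in the report (schema, root parent PIDs, remote
addresses, threshold) is an assumption.
"""
import re
from collections import defaultdict

DLL = r"C:\Users\Admin\AppData\Local\Temp\6893182bc20611a90422a8943e255340_JaffaCakes118.dll"

# Constructed events in chronological order. "process" = process creation,
# "filecreate" = file written by a process, "netconn" = outbound connection.
EVENTS = [
    {"type": "process", "pid": 2992, "ppid": 1000, "image": r"C:\Windows\system32\rundll32.exe",
     "cmd": f"rundll32.exe {DLL},#1"},
    {"type": "process", "pid": 4908, "ppid": 2992, "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "cmd": f"rundll32.exe {DLL},#1"},
    {"type": "filecreate", "pid": 4908, "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "target": r"C:\WINDOWS\mssecsvc.exe"},
    {"type": "process", "pid": 3024, "ppid": 4908, "image": r"C:\WINDOWS\mssecsvc.exe",
     "cmd": r"C:\WINDOWS\mssecsvc.exe"},
    {"type": "filecreate", "pid": 3024, "image": r"C:\WINDOWS\mssecsvc.exe",
     "target": r"C:\WINDOWS\tasksche.exe"},
    {"type": "process", "pid": 3744, "ppid": 3024, "image": r"C:\WINDOWS\tasksche.exe",
     "cmd": r"C:\WINDOWS\tasksche.exe /i"},
    {"type": "process", "pid": 1260, "ppid": 700, "image": r"C:\WINDOWS\mssecsvc.exe",
     "cmd": r"C:\WINDOWS\mssecsvc.exe -m security"},
]
# The report counts 3361 remote hosts for the scan; these addresses are invented.
EVENTS += [{"type": "netconn", "pid": 1260, "image": r"C:\WINDOWS\mssecsvc.exe",
            "dst": f"10.0.{i // 256}.{i % 256}"} for i in range(3361)]
# One benign-looking connection from another process, to show the threshold working.
EVENTS.append({"type": "netconn", "pid": 4908, "image": r"C:\Windows\SysWOW64\rundll32.exe",
               "dst": "10.0.0.1"})

# rundll32 <dll>,<export>: "#N" means "call the export with ordinal N".
RUNDLL32_RE = re.compile(r'^rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+)"?,\s*(?P<export>#\d+|\w+)', re.I)


def rundll32_ordinal_loads(events):
    """rundll32 invoking an ordinal export of a DLL that lives under a user temp directory."""
    hits = []
    for e in events:
        if e["type"] != "process":
            continue
        m = RUNDLL32_RE.match(e["cmd"])
        if not m:
            continue
        dll, export = m.group("dll"), m.group("export")
        if export.startswith("#") and "\\appdata\\local\\temp\\" in dll.lower():
            hits.append((e["pid"], dll, export))
    return hits


def is_windows_root(path):
    """True for a file placed directly in C:\\Windows (not a subdirectory)."""
    head, _, tail = path.lower().replace("/", "\\").rpartition("\\")
    return head == r"c:\windows" and tail != ""


def windows_dir_drops(events):
    """The report's 'Drops file in Windows directory': (creator pid, path) pairs."""
    return [(e["pid"], e["target"]) for e in events
            if e["type"] == "filecreate" and is_windows_root(e["target"])]


def executed_dropped_exes(events):
    """The report's 'Executes dropped EXE': a process whose image was created earlier in the log."""
    dropped = {}  # lowercase path -> pid that wrote it
    hits = []
    for e in events:
        if e["type"] == "filecreate":
            dropped[e["target"].lower()] = e["pid"]
        elif e["type"] == "process" and e["image"].lower() in dropped:
            hits.append((e["pid"], e["image"], dropped[e["image"].lower()]))
    return hits


def fan_out(events, threshold=100):
    """Processes contacting more distinct remote hosts than threshold (threshold is an assumption)."""
    hosts = defaultdict(set)
    for e in events:
        if e["type"] == "netconn":
            hosts[(e["pid"], e["image"])].add(e["dst"])
    return {k: len(v) for k, v in hosts.items() if len(v) > threshold}


def process_chain(events, pid):
    """Walk parent links from pid to the root, returning image basenames (child first)."""
    by_pid = {e["pid"]: e for e in events if e["type"] == "process"}
    chain = []
    while pid in by_pid:
        chain.append(by_pid[pid]["image"].rsplit("\\", 1)[-1])
        pid = by_pid[pid]["ppid"]
    return chain


if __name__ == "__main__":
    print("rundll32 ordinal loads:", rundll32_ordinal_loads(EVENTS))
    print("Windows dir drops:", windows_dir_drops(EVENTS))
    print("executed dropped EXEs:", executed_dropped_exes(EVENTS))
    print("fan-out:", fan_out(EVENTS))
    print("lineage of 3744:", " <- ".join(process_chain(EVENTS, 3744)))
```

Run stand-alone it prints the three dropped-EXE executions the report lists (3024, 3744, 1260), the two drops into C:\WINDOWS, the single process exceeding the fan-out threshold, and the tasksche.exe lineage back through both rundll32.exe instances. On real telemetry the same functions apply to Sysmon event IDs 1, 11 and 3 once the fields are mapped to this schema.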
Network
MITRE ATT&CK Enterprise v15
Downloads
C:\Windows\mssecsvc.exe
  Filesize: 3.6MB
  MD5: 6dd293636356bc95eeca45be78adc6e9
  SHA1: 37a008ed6dcc5baff0f11473a28f6a2f6cd5f00b
  SHA256: 5911e4cc21a86555e8f9217a2a85120ea245b2eb8a7703897b31428539df4088
  SHA512: 5cfb4c9638d1b2f4fe3b5d9bcd9fe63a7f66282dc6306af8ff6d4f5051f00465a28f11ecbd5cafb64f5470417ed9b089b96e543398fb020f2c945e4b55b3330c
C:\Windows\tasksche.exe
  Filesize: 3.4MB
  MD5: a8776fcc7003c58c688793c82c411761
  SHA1: 4b2491eb6d0a0aab9dd5eeb34308c31b9a3ef0ef
  SHA256: 93b150a46f9a230c6087de8379c84719b44aac1aeaa640f30a3525ae1049630c
  SHA512: 42d0f9aff76fe6ef7ff65952ef907fae8aa0868d1a2413f491d700491c6872fef64b44ebeeef506edfe4da1d6099a74f13e19a7ea4dd1a946a2e508c0147a77b