Analysis
-
max time kernel
151s -
max time network
156s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system -
submitted
23-05-2024 07:53
Static task
static1
Behavioral task
behavioral1
Sample
6a41440d8497605a379b20f36a9ae796_JaffaCakes118.dll
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
6a41440d8497605a379b20f36a9ae796_JaffaCakes118.dll
Resource
win10v2004-20240226-en
General
-
Target
6a41440d8497605a379b20f36a9ae796_JaffaCakes118.dll
-
Size
5.0MB
-
MD5
6a41440d8497605a379b20f36a9ae796
-
SHA1
fc0ff118a6e5c27c077aeb70eb6469ac4e7a8f2b
-
SHA256
05b516f148b27d305ea56071e3f468769cde81fff1ba70961b464cd5823a5d3e
-
SHA512
10b4b81379e79139a7bfde342109c4139327352c56128b110b8eb90c67891c62a01261925a42925b4d2e0fcb568897a7154c31132eca9f976fa1773ada155346
-
SSDEEP
98304:d8qPoBhz1aRxcSUDk36SAEdhvxWa9P5+:d8qPe1Cxcxk3ZAEUadI
Malware Config
Signatures
-
Wannacry
WannaCry is a ransomware cryptoworm.
-
Contacts a large (2747) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Executes dropped EXE 3 IoCs
Processes:
mssecsvc.exemssecsvc.exetasksche.exepid process 5084 mssecsvc.exe 892 mssecsvc.exe 3064 tasksche.exe -
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Drops file in Windows directory 2 IoCs
Processes:
rundll32.exemssecsvc.exedescription ioc process File created C:\WINDOWS\mssecsvc.exe rundll32.exe File created C:\WINDOWS\tasksche.exe mssecsvc.exe -
Suspicious use of WriteProcessMemory 6 IoCs
Processes:
rundll32.exerundll32.exedescription pid process target process PID 4784 wrote to memory of 3364 4784 rundll32.exe rundll32.exe PID 4784 wrote to memory of 3364 4784 rundll32.exe rundll32.exe PID 4784 wrote to memory of 3364 4784 rundll32.exe rundll32.exe PID 3364 wrote to memory of 5084 3364 rundll32.exe mssecsvc.exe PID 3364 wrote to memory of 5084 3364 rundll32.exe mssecsvc.exe PID 3364 wrote to memory of 5084 3364 rundll32.exe mssecsvc.exe
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\6a41440d8497605a379b20f36a9ae796_JaffaCakes118.dll,#11⤵
- Suspicious use of WriteProcessMemory
PID:4784 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\6a41440d8497605a379b20f36a9ae796_JaffaCakes118.dll,#12⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:3364 -
C:\WINDOWS\mssecsvc.exeC:\WINDOWS\mssecsvc.exe3⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:5084 -
C:\WINDOWS\tasksche.exeC:\WINDOWS\tasksche.exe /i4⤵
- Executes dropped EXE
PID:3064
-
C:\WINDOWS\mssecsvc.exeC:\WINDOWS\mssecsvc.exe -m security1⤵
- Executes dropped EXE
PID:892
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4140 --field-trial-handle=2692,i,8678872182442199182,12502579059484928042,262144 --variations-seed-version /prefetch:81⤵PID:3492
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3.6MB
MD56c2e24aa16359e51b83f4d6722b0c2e2
SHA147db1cbb8e72a356196b2af529ba0db855a06dd8
SHA2562d9eca00fa581dcd844200a53fc78110e53c9aa57e638ace20cc8d7f41388f83
SHA5124dbf020236a18462da7b70c44a6db7fdba40e032611accfba8d875c32244791dc57a978b3e7ebac8c32d3dd5a7f897f2e4fe0efb0bf2447722cbcb3ce37b9338
-
Filesize
3.4MB
MD52786d31804c1dddae21102a23c6ca315
SHA168a86429e5a7c2e1efca80965ad6bc60e730c52b
SHA256c94f2d6d9396b5b76c54078d5c7a6d22cf86ee6f3371e3cd4645788477e5d1b3
SHA512baf0a7aa9b6895b79757d369d77506e3abaeec13a800b3ca6abf9ad527a463be9f7cefcd3ae3fc32b93fb2cad205ba6fc8f82cce9d7454d3a4a38fb6cb351586