Analysis
max time kernel: 150s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 25-05-2024 19:14
Static task: static1
Behavioral task: behavioral1
  Sample: 72f92b256a78bcd62b59529aa3004398_JaffaCakes118.dll
  Resource: win7-20231129-en
Behavioral task: behavioral2
  Sample: 72f92b256a78bcd62b59529aa3004398_JaffaCakes118.dll
  Resource: win10v2004-20240508-en
General
Target: 72f92b256a78bcd62b59529aa3004398_JaffaCakes118.dll
Size: 5.0MB
MD5: 72f92b256a78bcd62b59529aa3004398
SHA1: c376e6ae79998b7afe09c3898c91e0e818d255d4
SHA256: bd236394e3a00363d54a3d1913bfac26fffab2b94086e171b500c9b210e6db95
SHA512: 92c5f03b07c33b20c9e2d45ba73d36e61d26d6a46c0798de575bb84b6abf09439c50b528b06695b2b5c6d562d0ff23e4688361c640f06e1331fc49c90251adc3
SSDEEP: 98304:dWqPoBhz1aRxcSUDk36SAEdhvxWa9P593R8yAVp2H:dWqPe1Cxcxk3ZAEUadzR8yc4H
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.
- Contacts a large (3252) amount of remote hosts (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Executes dropped EXE (3 IoCs)
  Processes: mssecsvc.exe, mssecsvc.exe, tasksche.exe
  pid   process
  1332  mssecsvc.exe
  4488  mssecsvc.exe
  3552  tasksche.exe
- Creates a large amount of network flows (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Drops file in Windows directory (2 IoCs)
  Processes: rundll32.exe, mssecsvc.exe
  description   ioc                       process
  File created  C:\WINDOWS\mssecsvc.exe   rundll32.exe
  File created  C:\WINDOWS\tasksche.exe   mssecsvc.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes: rundll32.exe, rundll32.exe
  description                       pid   process       target process
  PID 1416 wrote to memory of 832   1416  rundll32.exe  rundll32.exe
  PID 1416 wrote to memory of 832   1416  rundll32.exe  rundll32.exe
  PID 1416 wrote to memory of 832   1416  rundll32.exe  rundll32.exe
  PID 832 wrote to memory of 1332   832   rundll32.exe  mssecsvc.exe
  PID 832 wrote to memory of 1332   832   rundll32.exe  mssecsvc.exe
  PID 832 wrote to memory of 1332   832   rundll32.exe  mssecsvc.exe
Processes (indentation shows the parent/child tree; the bracketed number is the depth reported by the sandbox)
- [1] C:\Windows\system32\rundll32.exe (PID 1416)
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\72f92b256a78bcd62b59529aa3004398_JaffaCakes118.dll,#1
  signatures: Suspicious use of WriteProcessMemory
  - [2] C:\Windows\SysWOW64\rundll32.exe (PID 832)
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\72f92b256a78bcd62b59529aa3004398_JaffaCakes118.dll,#1
    signatures: Drops file in Windows directory; Suspicious use of WriteProcessMemory
    - [3] C:\WINDOWS\mssecsvc.exe (PID 1332)
      command line: C:\WINDOWS\mssecsvc.exe
      signatures: Executes dropped EXE; Drops file in Windows directory
      - [4] C:\WINDOWS\tasksche.exe (PID 3552)
        command line: C:\WINDOWS\tasksche.exe /i
        signatures: Executes dropped EXE
- [1] C:\WINDOWS\mssecsvc.exe (PID 4488)
  command line: C:\WINDOWS\mssecsvc.exe -m security
  signatures: Executes dropped EXE
- [1] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4724)
  command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3804,i,1999448010053300448,1112699187621658374,262144 --variations-seed-version --mojo-platform-channel-handle=4000 /prefetch:8
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Windows\mssecsvc.exe
  Filesize: 3.6MB
  MD5: eb6af116d16be6353892c07b45a24d70
  SHA1: 8ffc55c0726f852c308049d7e2fa2aaa439381fc
  SHA256: 265559b912eab6b0048d1fdd9d5b236cbdd1bc3840987394e460fed09421920f
  SHA512: 422a77bb3df89606a0300afa04c2d58d97c45006eeea4e2e178a170c5ca6419773e7a9ddf51120c0ef9bb4ba9d8c30548efaabd563b68117c4dbf5ffc7bd4660
- C:\Windows\tasksche.exe
  Filesize: 3.4MB
  MD5: 7f7ccaa16fb15eb1c7399d422f8363e8
  SHA1: bd44d0ab543bf814d93b719c24e90d8dd7111234
  SHA256: 2584e1521065e45ec3c17767c065429038fc6291c091097ea8b22c8a502c41dd
  SHA512: 83e334b80de08903cfa9891a3fa349c1ece7e19f8e62b74a017512fa9a7989a0fd31929bf1fc13847bee04f2da3dacf6bc3f5ee58f0e4b9d495f4b9af12ed2b7