Analysis
- max time kernel: 150s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 29-05-2024 01:40
Static task: static1
Behavioral task: behavioral1
- Sample: 7eee0ef140a6b2e9818345521b49d238_JaffaCakes118.dll
- Resource: win7-20240419-en
Behavioral task: behavioral2
- Sample: 7eee0ef140a6b2e9818345521b49d238_JaffaCakes118.dll
- Resource: win10v2004-20240508-en
General
- Target: 7eee0ef140a6b2e9818345521b49d238_JaffaCakes118.dll
- Size: 5.0MB
- MD5: 7eee0ef140a6b2e9818345521b49d238
- SHA1: ca4616b808adf5df1c60bf5a885b45c2dd15ba74
- SHA256: 26633440a6fb9b458ec75c1c8a1d21b4f6d557060986427286d4a3919969ed06
- SHA512: 77cb3985bb250dc70c005ba4218108e66172773795fb046092fb1efa3f7d8302ea57f49ff6182ca9baffb923d65aec602ecee10009de7ef6d1764bae713381d0
- SSDEEP: 98304:d8qPoBhz1aRxcSU1ZWa9P593R8yAVp2H:d8qPe1CxcwadzR8yc4H
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.
- Contacts a large (3358) amount of remote hosts (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Executes dropped EXE (3 IoCs)
  Processes: mssecsvc.exe, mssecsvc.exe, tasksche.exe
  pid   process
  1088  mssecsvc.exe
  396   mssecsvc.exe
  1328  tasksche.exe
- Creates a large amount of network flows (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Drops file in Windows directory (2 IoCs)
  Processes: rundll32.exe, mssecsvc.exe
  description   ioc                        process
  File created  C:\WINDOWS\mssecsvc.exe    rundll32.exe
  File created  C:\WINDOWS\tasksche.exe    mssecsvc.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes: rundll32.exe, rundll32.exe
  description                        pid   process       target process
  PID 3048 wrote to memory of 2940   3048  rundll32.exe  rundll32.exe
  PID 3048 wrote to memory of 2940   3048  rundll32.exe  rundll32.exe
  PID 3048 wrote to memory of 2940   3048  rundll32.exe  rundll32.exe
  PID 2940 wrote to memory of 1088   2940  rundll32.exe  mssecsvc.exe
  PID 2940 wrote to memory of 1088   2940  rundll32.exe  mssecsvc.exe
  PID 2940 wrote to memory of 1088   2940  rundll32.exe  mssecsvc.exe
Processes
- C:\Windows\system32\rundll32.exe (PID: 3048)
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\7eee0ef140a6b2e9818345521b49d238_JaffaCakes118.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (PID: 2940)
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\7eee0ef140a6b2e9818345521b49d238_JaffaCakes118.dll,#1
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    - C:\WINDOWS\mssecsvc.exe (PID: 1088)
      Command line: C:\WINDOWS\mssecsvc.exe
      - Executes dropped EXE
      - Drops file in Windows directory
      - C:\WINDOWS\tasksche.exe (PID: 1328)
        Command line: C:\WINDOWS\tasksche.exe /i
        - Executes dropped EXE
- C:\WINDOWS\mssecsvc.exe (PID: 396)
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Windows\mssecsvc.exe
  Filesize: 3.6MB
  MD5: 6f5dacb129d36626f2011188a7eacda1
  SHA1: 2437c6979146ef34dd590dd83d228c8aeee35360
  SHA256: 0836cb4ff7126e41caf2228bb9a58ede203f07991bea367c4cbf9c8e887ab1ba
  SHA512: c297e21803707c96348c1cc258a198b38b47b9b2771727d51bb43875b8c2d9c2d28a3e24711992e04717529017b1e5799e55ac451bcda75c762148c8650056bb
- C:\Windows\tasksche.exe
  Filesize: 3.4MB
  MD5: bbd5962cbd3ef7a7b489981b56f3bd40
  SHA1: 31e14394d4c98558c1bec3540bde939e68f813bf
  SHA256: da7ea50b4767c610db8a81d5d514a8191c770bf1433b074b75813de85234fa52
  SHA512: 634cf43ecbd74aabe8e992611065d686ec5db369f9eac80527c67adf3360ae207f8baf78c5d4dd31c36e6725be10501220316ca37085a8927cac56784d444cae