Analysis
max time kernel: 150s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
submitted: 29-05-2024 03:59
Static task: static1
Behavioral task: behavioral1
  Sample: 7f6d93e9834b0aaf7cee7730a74911da_JaffaCakes118.dll
  Resource: win7-20240508-en
Behavioral task: behavioral2
  Sample: 7f6d93e9834b0aaf7cee7730a74911da_JaffaCakes118.dll
  Resource: win10v2004-20240426-en
General
Target: 7f6d93e9834b0aaf7cee7730a74911da_JaffaCakes118.dll
Size: 5.0MB
MD5: 7f6d93e9834b0aaf7cee7730a74911da
SHA1: f0c9ea2fb89acc331b1a54ef1034bed8b3200fd0
SHA256: 7160df3b9435eab5e5cc458250447dd2e02277b44df34f2fefeae59eba93d657
SHA512: 2f62cfc9b67a756214578899a3290bcb59c491a1f3e3f52e73444a2c94781d4fdc515cd625309fb58d303b6734041d1bc642aa40969ddb324920c1d4524f9d2a
SSDEEP: 49152:JnjQqMSPbcBVQej/dINRx+TSqTdX1HkQo6SAARdhnvxJM0H9PAMEcaEa:d8qPoBhzdaRxcSUDk36SAEdhvxWa9P5
Malware Config
Signatures

Wannacry
WannaCry is a ransomware cryptoworm.

Contacts a large (3357) amount of remote hosts (1 TTPs)
This may indicate a network scan to discover remotely running services.

Executes dropped EXE (3 IoCs)
Processes:
pid   process
388   mssecsvc.exe
4616  mssecsvc.exe
544   tasksche.exe

Creates a large amount of network flows (1 TTPs)
This may indicate a network scan to discover remotely running services.

Drops file in Windows directory (2 IoCs)
Processes:
description   ioc                       process
File created  C:\WINDOWS\mssecsvc.exe   rundll32.exe
File created  C:\WINDOWS\tasksche.exe   mssecsvc.exe

Suspicious use of WriteProcessMemory (6 IoCs)
Processes:
description                       pid   process       target process
PID 2528 wrote to memory of 1152  2528  rundll32.exe  rundll32.exe
PID 2528 wrote to memory of 1152  2528  rundll32.exe  rundll32.exe
PID 2528 wrote to memory of 1152  2528  rundll32.exe  rundll32.exe
PID 1152 wrote to memory of 388   1152  rundll32.exe  mssecsvc.exe
PID 1152 wrote to memory of 388   1152  rundll32.exe  mssecsvc.exe
PID 1152 wrote to memory of 388   1152  rundll32.exe  mssecsvc.exe
Processes

1. C:\Windows\system32\rundll32.exe (PID 2528)
   Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\7f6d93e9834b0aaf7cee7730a74911da_JaffaCakes118.dll,#1
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\rundll32.exe (PID 1152)
      Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\7f6d93e9834b0aaf7cee7730a74911da_JaffaCakes118.dll,#1
      - Drops file in Windows directory
      - Suspicious use of WriteProcessMemory
      3. C:\WINDOWS\mssecsvc.exe (PID 388)
         Command line: C:\WINDOWS\mssecsvc.exe
         - Executes dropped EXE
         - Drops file in Windows directory
         4. C:\WINDOWS\tasksche.exe (PID 544)
            Command line: C:\WINDOWS\tasksche.exe /i
            - Executes dropped EXE

1. C:\WINDOWS\mssecsvc.exe (PID 4616)
   Command line: C:\WINDOWS\mssecsvc.exe -m security
   - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads
C:\Windows\mssecsvc.exe
Filesize: 3.6MB
MD5: 4a318dde3f6fd8e29a4fc081d6e5d036
SHA1: 2c92f88ff06ab59fdf555d51bce8932619154d40
SHA256: 4271161dec448725d7cf12ff4fe2dad5d2523e2b744ba883ae0f7bd2c28bdc0f
SHA512: 2c05852cfac4ea166f3ce0c3e63945b24593fa88d8a301748644420869998682bbd85adec0ff71d8959b820f5af495268e1c5914e4a2a24e768af08855745003

C:\Windows\tasksche.exe
Filesize: 3.4MB
MD5: 124c8169db86fd0a69627ef027413b21
SHA1: 442a9bc215b4d5aa8736587b7472ed161322943d
SHA256: 59037cfa76bfc4e0cc8965596f0f3e4ca86a5940ec0537b86c6ceeffd7e687b7
SHA512: d0cbbff0fd4f67564b86f1ae1c75ccafed4c5573ab5ed1b5655453dad5913af95d149ed41441cbcb61e9da4ed5799813b4a8f7592c993ab370b737efc21de095