Analysis
max time kernel: 150s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 29-05-2024 04:51
Static task: static1
Behavioral task: behavioral1
  Sample: 7f8b1fb9dfd7affb5397d60de882f40f_JaffaCakes118.dll
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 7f8b1fb9dfd7affb5397d60de882f40f_JaffaCakes118.dll
  Resource: win10v2004-20240508-en
General
Target: 7f8b1fb9dfd7affb5397d60de882f40f_JaffaCakes118.dll
Size: 5.0MB
MD5: 7f8b1fb9dfd7affb5397d60de882f40f
SHA1: a244f82a423578890ad2d2457772dbfeed370f02
SHA256: fc655593cfd12dc5d0a6d1c7b683da3c4981d584182385e36ec18df7dc4bf382
SHA512: fc21cb592bc67fb9fa85eeb265158b495ee8c491092055e17a88e80d8c4021c1a8781068b1e993802b6813927d38bcfe568bba3e862c66075dd79e82c248b1dc
SSDEEP: 98304:d8qPoBhz1aRxcSUDk36SAEdhvxWaS5P3z+lcCcu0RCvlsPsWvM7/Yp:d8qPe1Cxcxk3ZAEUaGtjk3
Malware Config
Signatures
Wannacry
  WannaCry is a ransomware cryptoworm.
Contacts a large (3370) amount of remote hosts (1 TTPs)
  This may indicate a network scan to discover remotely running services.
Executes dropped EXE (3 IoCs)
  Processes:
  PID   Process
  4148  mssecsvc.exe
  3024  mssecsvc.exe
  4992  tasksche.exe
Creates a large amount of network flows (1 TTPs)
  This may indicate a network scan to discover remotely running services.
Drops file in Windows directory (2 IoCs)
  Processes:
  Description   IoC                      Process
  File created  C:\WINDOWS\mssecsvc.exe  rundll32.exe
  File created  C:\WINDOWS\tasksche.exe  mssecsvc.exe
Suspicious use of WriteProcessMemory (6 IoCs)
  Processes:
  Description                       PID   Process       Target process
  PID 4820 wrote to memory of 4468  4820  rundll32.exe  rundll32.exe
  PID 4820 wrote to memory of 4468  4820  rundll32.exe  rundll32.exe
  PID 4820 wrote to memory of 4468  4820  rundll32.exe  rundll32.exe
  PID 4468 wrote to memory of 4148  4468  rundll32.exe  mssecsvc.exe
  PID 4468 wrote to memory of 4148  4468  rundll32.exe  mssecsvc.exe
  PID 4468 wrote to memory of 4148  4468  rundll32.exe  mssecsvc.exe
Processes
C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\7f8b1fb9dfd7affb5397d60de882f40f_JaffaCakes118.dll,#1
  - Suspicious use of WriteProcessMemory
  PID: 4820
  C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\7f8b1fb9dfd7affb5397d60de882f40f_JaffaCakes118.dll,#1
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    PID: 4468
    C:\WINDOWS\mssecsvc.exe
      Command line: C:\WINDOWS\mssecsvc.exe
      - Executes dropped EXE
      - Drops file in Windows directory
      PID: 4148
      C:\WINDOWS\tasksche.exe
        Command line: C:\WINDOWS\tasksche.exe /i
        - Executes dropped EXE
        PID: 4992
C:\WINDOWS\mssecsvc.exe
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  - Executes dropped EXE
  PID: 3024
Network
MITRE ATT&CK Enterprise v15
Downloads
C:\Windows\mssecsvc.exe
  Filesize: 3.6MB
  MD5: cea30218f594702c70e4a6e15d9e9a78
  SHA1: 6b786193150fcf1352f5d8c1cb6195d953656968
  SHA256: 2995189834a208f7cd479a449c70781cd7e8c44dd847f191cde69a4d4cca8f9d
  SHA512: 1df7a3a59193329649659f668c87cb5c08f350139e6b222c719ee2f51c8d0e05d635c0c5acc60feb438ab932cd8e5b0cd7a4cb116f1a11de097c33e732d89446
C:\Windows\tasksche.exe
  Filesize: 3.4MB
  MD5: 7fa453ce95ec282b01d71493d7616ccc
  SHA1: df52398d959e3a503c42c77b5e1c5701fafe6942
  SHA256: 7ee6d5e894e0e69308dd02f6993c14efc4005c5c31708eaffe4bb1e09634efe2
  SHA512: 21de6f6a4239da9e5fc654d6d87c2a722a69854d7bf233c0882f5c898aa6ce4e771327c600e2013dcc09c2a327c749a9ed1a759834a80c71b54ebc094818e3fb