Analysis
- max time kernel: 150s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20240426-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 29-05-2024 05:19
Static task: static1
Behavioral task: behavioral1
  Sample: 7f9b9aad8bb1108f11027ad0d7989255_JaffaCakes118.dll
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 7f9b9aad8bb1108f11027ad0d7989255_JaffaCakes118.dll
  Resource: win10v2004-20240426-en
General
- Target: 7f9b9aad8bb1108f11027ad0d7989255_JaffaCakes118.dll
- Size: 5.0MB
- MD5: 7f9b9aad8bb1108f11027ad0d7989255
- SHA1: a10f8db721d73de38223e632f8d08ab624dfaafc
- SHA256: 5c94ef973899d21ac81c5563770ca61e5ff920a342dfb70ba14afb71f41b300b
- SHA512: eea0cdbdaad27ac5230d8042708fa8ff8c8d7bec5c049703a741358024136a75dc1f96fc398b5d6f3bd9c09b4d9c47e1049e072badbe82258933c845ddb760d4
- SSDEEP: 24576:sbLgdeQhfdmMSirYbcMNgef0QeQ4kRiwKt/8uME7A4kqAH1pNZtA0p+9XEk:snjQqMSPbcBVQeRkRiwK3R8yAH1plAH
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.
- Contacts a large (3327) amount of remote hosts (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Executes dropped EXE (3 IoCs)
  Processes: mssecsvc.exe, mssecsvc.exe, tasksche.exe
  pid   process
  2792  mssecsvc.exe
  3408  mssecsvc.exe
  740   tasksche.exe
- Creates a large amount of network flows (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Drops file in Windows directory (2 IoCs)
  Processes: mssecsvc.exe, rundll32.exe
  description   ioc                      process
  File created  C:\WINDOWS\tasksche.exe  mssecsvc.exe
  File created  C:\WINDOWS\mssecsvc.exe  rundll32.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes: rundll32.exe, rundll32.exe
  description                       pid   process       target process
  PID 848 wrote to memory of 2912   848   rundll32.exe  rundll32.exe
  PID 848 wrote to memory of 2912   848   rundll32.exe  rundll32.exe
  PID 848 wrote to memory of 2912   848   rundll32.exe  rundll32.exe
  PID 2912 wrote to memory of 2792  2912  rundll32.exe  mssecsvc.exe
  PID 2912 wrote to memory of 2792  2912  rundll32.exe  mssecsvc.exe
  PID 2912 wrote to memory of 2792  2912  rundll32.exe  mssecsvc.exe
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\7f9b9aad8bb1108f11027ad0d7989255_JaffaCakes118.dll,#1
  - Suspicious use of WriteProcessMemory
  PID: 848
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\7f9b9aad8bb1108f11027ad0d7989255_JaffaCakes118.dll,#1
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    PID: 2912
    - C:\WINDOWS\mssecsvc.exe
      Command line: C:\WINDOWS\mssecsvc.exe
      - Executes dropped EXE
      - Drops file in Windows directory
      PID: 2792
      - C:\WINDOWS\tasksche.exe
        Command line: C:\WINDOWS\tasksche.exe /i
        - Executes dropped EXE
        PID: 740
- C:\WINDOWS\mssecsvc.exe
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  - Executes dropped EXE
  PID: 3408
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\WINDOWS\mssecsvc.exe
  Filesize: 3.6MB
  MD5: 4ca4353c3cfbe384e69363b4b7a5dbe2
  SHA1: 1df0dd886f513c93b5167cc0754fcef576aca251
  SHA256: c91593bed9abb9e0865f56f091d01cadeeeccc5f0288cfa516708f08aa2797e6
  SHA512: 63130908660d8815b8a0d3e306429ed6bb34fa30236009751f8289f5f2fc0d6fb1bdacaae6e7158395553ce3e60b6d37460c01e0174d34401533e65c73e849fe
- C:\Windows\tasksche.exe
  Filesize: 3.4MB
  MD5: 3d6024b2c052a24a93c276098db1cb66
  SHA1: cace901d8d4e42c8df146d2a79b5abab452fb9bb
  SHA256: dd875e666f84d58652b2dd9280002d93b76e307a9ad760dc0eba1be0597449c3
  SHA512: 82a3330f8c3cb2e2a26c67ae85ff3b9ae548149cd31eeb85aefcc818f05483f6b1cebbd7d94d26a52f139e3d792bdb6e73baaab7695ce2d5430d79cce645afce