Analysis
- max time kernel: 150s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 30-05-2024 05:07
Static task: static1
Behavioral task: behavioral1
- Sample: 831e8a827985b4e3eb991495cbedb297_JaffaCakes118.dll
- Resource: win7-20240508-en
Behavioral task: behavioral2
- Sample: 831e8a827985b4e3eb991495cbedb297_JaffaCakes118.dll
- Resource: win10v2004-20240508-en
General
- Target: 831e8a827985b4e3eb991495cbedb297_JaffaCakes118.dll
- Size: 5.0MB
- MD5: 831e8a827985b4e3eb991495cbedb297
- SHA1: 634ff381e971e3a6793f08eea39cfdeedee9b3de
- SHA256: 7e1df58e6f7f3f3fd062815a0a4e77e96f9d537846a81d7a29e6e5481fc3b13e
- SHA512: cb28fd78474622c6f971bdb3e823e2f63881056ee5c6b5a990dd611953fdf3ed8d151ca359096b2dce2269190458574c97257e8476b0a6fccb010487a4177e91
- SSDEEP: 98304:d8qPoBhz1aRxcSUDk36SAEdhvxWa9P5wk2H:d8qPe1Cxcxk3ZAEUadKH
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.
- Contacts a large (3262) amount of remote hosts (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Executes dropped EXE (3 IoCs)
  Processes (pid, process):
    3672  mssecsvc.exe
    3232  mssecsvc.exe
    3892  tasksche.exe
- Creates a large amount of network flows (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Drops file in Windows directory (2 IoCs)
  Processes (description, ioc, process):
    File created  C:\WINDOWS\mssecsvc.exe  rundll32.exe
    File created  C:\WINDOWS\tasksche.exe  mssecsvc.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes (description, pid, process, target process):
    PID 1360 wrote to memory of 232   1360  rundll32.exe  rundll32.exe
    PID 1360 wrote to memory of 232   1360  rundll32.exe  rundll32.exe
    PID 1360 wrote to memory of 232   1360  rundll32.exe  rundll32.exe
    PID 232 wrote to memory of 3672   232   rundll32.exe  mssecsvc.exe
    PID 232 wrote to memory of 3672   232   rundll32.exe  mssecsvc.exe
    PID 232 wrote to memory of 3672   232   rundll32.exe  mssecsvc.exe
Processes
- C:\Windows\system32\rundll32.exe (PID 1360)
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\831e8a827985b4e3eb991495cbedb297_JaffaCakes118.dll,#1
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (PID 232)
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\831e8a827985b4e3eb991495cbedb297_JaffaCakes118.dll,#1
    Signatures: Drops file in Windows directory; Suspicious use of WriteProcessMemory
    - C:\WINDOWS\mssecsvc.exe (PID 3672)
      Command line: C:\WINDOWS\mssecsvc.exe
      Signatures: Executes dropped EXE; Drops file in Windows directory
      - C:\WINDOWS\tasksche.exe (PID 3892)
        Command line: C:\WINDOWS\tasksche.exe /i
        Signatures: Executes dropped EXE
- C:\WINDOWS\mssecsvc.exe (PID 3232)
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  Signatures: Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Windows\mssecsvc.exe
  Filesize: 3.6MB
  MD5: ba663508bd1193d3b3fb2ce1ee47cc08
  SHA1: 9010efe55f18acee34e542e425980c609168efec
  SHA256: b6fe5482ec4e435cf17d4d75df349aa5c940758578db947bbfaa87e9d181bbf8
  SHA512: 795ece04d98012cd345cf3cf576ca1126bb62db40973b4288a0c2818f73465f6f47043a1cab389105b1d9d049a609a13dda48e286cd445c0a29a0511dd003f52
- C:\Windows\tasksche.exe
  Filesize: 3.4MB
  MD5: 1e0a94ada52111f6e7be8e2500ccfc38
  SHA1: 7553af1252cc2b76c77a573052be13afae77a169
  SHA256: 6fd793a20636b1c8fbbb2da3d4482028ac4dd6d7dbc91aa4f8e2717d4b83a85f
  SHA512: 0e752410b0af3c7ef8e6a11f1b96176c3c672618a3c07bcce7d4e466b7fa6a729d40d112ac7801267dc3230a82ec5dd5f36a0ad6547defed7f249ed65b0585d6