Analysis
- max time kernel: 150s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64 arch:x86 image:win10v2004-20240508-en locale:en-us os:windows10-2004-x64 system
- submitted: 03-06-2024 00:29
Static task: static1
Behavioral task: behavioral1
  Sample: 8ff4c53b72021149d0442cb3d907c695_JaffaCakes118.dll
  Resource: win7-20240220-en
Behavioral task: behavioral2
  Sample: 8ff4c53b72021149d0442cb3d907c695_JaffaCakes118.dll
  Resource: win10v2004-20240508-en
General
- Target: 8ff4c53b72021149d0442cb3d907c695_JaffaCakes118.dll
- Size: 5.0MB
- MD5: 8ff4c53b72021149d0442cb3d907c695
- SHA1: a70fb448efbb68d52aae383e328a9782f76908c9
- SHA256: 31e89065c103ffa60d36c9893758698db7128ca994b2ea1caa1062167c781d50
- SHA512: 1b31c81ebfd862bf942043fbe06374069b73eb48874839365b3f467a7ff442ace565fddbb34d4dc1494e63fcb15751be959bd5b1c95f86b0fb21337e4bde2b5e
- SSDEEP: 98304:+8qPoBhz1aRxcSUDk36SAEdhi593R8yAVp2:+8qPe1Cxcxk3ZAEezR8yc4
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm. The process tree in this report shows its usual staging: rundll32.exe is told to call export #1 of the submitted DLL, the system32 (64-bit) rundll32.exe re-launches the SysWOW64 copy with the same command line (which is what rundll32.exe does when handed a 32-bit DLL), and that copy writes mssecsvc.exe into C:\WINDOWS. mssecsvc.exe then drops and runs tasksche.exe /i, and a second mssecsvc.exe instance appears with "-m security" and no parent in the tree, consistent with it having been started as a service rather than by the dropper.
- Contacts a large number (3236) of remote hosts (1 TTP)
  This may indicate a network scan to discover remotely running services. The figure counts hosts the sample tried to reach, not hosts that answered, so it measures scanning behaviour rather than successful propagation.
- Executes dropped EXE (3 IoCs)
  pid   process
  1528  mssecsvc.exe
  4188  mssecsvc.exe
  2256  tasksche.exe
- Creates a large number of network flows (1 TTP)
  This may indicate a network scan to discover remotely running services.
- Drops file in Windows directory (2 IoCs)
  description   ioc                      process
  File created  C:\WINDOWS\mssecsvc.exe  rundll32.exe
  File created  C:\WINDOWS\tasksche.exe  mssecsvc.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  description                        pid   process       target process
  PID 4196 wrote to memory of 1036   4196  rundll32.exe  rundll32.exe
  PID 4196 wrote to memory of 1036   4196  rundll32.exe  rundll32.exe
  PID 4196 wrote to memory of 1036   4196  rundll32.exe  rundll32.exe
  PID 1036 wrote to memory of 1528   1036  rundll32.exe  mssecsvc.exe
  PID 1036 wrote to memory of 1528   1036  rundll32.exe  mssecsvc.exe
  PID 1036 wrote to memory of 1528   1036  rundll32.exe  mssecsvc.exe
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\8ff4c53b72021149d0442cb3d907c695_JaffaCakes118.dll,#1
  - Suspicious use of WriteProcessMemory
  PID: 4196
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\8ff4c53b72021149d0442cb3d907c695_JaffaCakes118.dll,#1
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    PID: 1036
    - C:\WINDOWS\mssecsvc.exe
      Command line: C:\WINDOWS\mssecsvc.exe
      - Executes dropped EXE
      - Drops file in Windows directory
      PID: 1528
      - C:\WINDOWS\tasksche.exe
        Command line: C:\WINDOWS\tasksche.exe /i
        - Executes dropped EXE
        PID: 2256
- C:\WINDOWS\mssecsvc.exe
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  - Executes dropped EXE
  PID: 4188
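A detection sketch for the behaviour recorded above, written as an added example; it is not part of the sandbox output. It replays the process tree as constructed parent/child events, flags each WannaCry stage by image path, parent and command line, and scores the network flows for a host-scanning burst. The flow list is constructed to match the 3236-host count the report gives; the port (445) and the process chosen as the origin of those flows are assumptions, since the report states neither.

```python
"""Detection logic for the WannaCry process chain and host-scanning burst.
Added example, not sandbox output. The events and flows below are
constructed from the report's process tree and host count."""
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int      # 0 = parent not in the capture (service manager / launcher)
    image: str
    cmdline: str


DLL = r"C:\Users\Admin\AppData\Local\Temp\8ff4c53b72021149d0442cb3d907c695_JaffaCakes118.dll"

# Constructed from the process tree in this report.
EVENTS = [
    Proc(4196, 0,    r"C:\Windows\system32\rundll32.exe", f"rundll32.exe {DLL},#1"),
    Proc(1036, 4196, r"C:\Windows\SysWOW64\rundll32.exe", f"rundll32.exe {DLL},#1"),
    Proc(1528, 1036, r"C:\WINDOWS\mssecsvc.exe",          r"C:\WINDOWS\mssecsvc.exe"),
    Proc(2256, 1528, r"C:\WINDOWS\tasksche.exe",          r"C:\WINDOWS\tasksche.exe /i"),
    Proc(4188, 0,    r"C:\WINDOWS\mssecsvc.exe",          r"C:\WINDOWS\mssecsvc.exe -m security"),
]

# "foo.dll,#1": rundll32 invoking an export by ordinal instead of by name.
ORDINAL_EXPORT = re.compile(r"\.dll\s*,\s*#\d+(\s|$)", re.I)
# An executable sitting directly under %WINDIR%, not in System32/SysWOW64.
WINDIR_ROOT = re.compile(r"^[a-z]:\\windows\\[^\\]+\.exe$", re.I)
DROPPED_NAMES = {"mssecsvc.exe", "tasksche.exe"}


def base(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def detect_chain(events):
    """Return [(pid, rule)] for every process matching a WannaCry stage."""
    by_pid = {p.pid: p for p in events}
    hits = []
    for p in events:
        name = base(p.image)
        parent = by_pid.get(p.ppid)
        pname = base(parent.image) if parent else ""
        if name == "rundll32.exe" and ORDINAL_EXPORT.search(p.cmdline):
            hits.append((p.pid, "rundll32 calling a DLL export by ordinal"))
        if name in DROPPED_NAMES and WINDIR_ROOT.match(p.image):
            hits.append((p.pid, f"{name} executed from %WINDIR% root"))
        if name == "mssecsvc.exe" and pname == "rundll32.exe":
            hits.append((p.pid, "dropper stage: rundll32 -> mssecsvc.exe"))
        if name == "tasksche.exe" and pname == "mssecsvc.exe" and "/i" in p.cmdline.lower().split():
            hits.append((p.pid, "install stage: mssecsvc.exe -> tasksche.exe /i"))
        if name == "mssecsvc.exe" and "-m security" in p.cmdline.lower():
            hits.append((p.pid, "service stage: mssecsvc.exe -m security"))
    return hits


def flagged_pids(events):
    return sorted({pid for pid, _ in detect_chain(events)})


def scan_suspects(flows, min_hosts=100):
    """flows: iterable of (src_pid, dst_ip, dst_port).
    Returns {(pid, port): distinct_hosts} for (pid, port) pairs that reached
    at least min_hosts distinct hosts, i.e. a scanning burst."""
    hosts = defaultdict(set)
    for pid, ip, port in flows:
        hosts[(pid, port)].add(ip)
    return {k: len(v) for k, v in hosts.items() if len(v) >= min_hosts}


# Constructed flow list: 3236 distinct hosts, the count the report gives.
# Port 445 and the originating pid are assumptions; the report states neither.
FLOWS = [(4188, f"10.{(i >> 16) & 255}.{(i >> 8) & 255}.{i & 255}", 445) for i in range(3236)]
FLOWS.append((1036, "8.8.8.8", 53))  # one unrelated flow that must not trigger

if __name__ == "__main__":
    for pid, rule in detect_chain(EVENTS):
        print(pid, rule)
    print(scan_suspects(FLOWS))
```

The ordinal-export rule is generic and will also fire on legitimate installers that call exports by number, so in production it belongs in a scoring model beside the parent/child rules rather than as a standalone alert; the %WINDIR%-root rule is the cheapest high-signal check here, since very little legitimate software writes executables directly under C:\WINDOWS.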
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Windows\mssecsvc.exe
  Filesize: 3.6MB
  MD5: 1e18eb4a7a7de5dbd7b7460983d1cfa5
  SHA1: 344b5cb7fd698ef361a19c1ae59d085b0428b224
  SHA256: d6a2adaa0d5959f73ab917e647b151706ad6475dd0add6002ca0aefb847ce3a4
  SHA512: 9b50bfd30e5d33cfb61a87ab62649a1c32477c273d1f6cc872e09bd7e3857533bef21406c17765711a6fdb37391d9982f6b2583b1c74fa032fa6769d71e60aca
- C:\Windows\tasksche.exe
  Filesize: 3.4MB
  MD5: 54dbf7d30ffedef6b7cec3645d3011f7
  SHA1: dd36a1f6e883a40663672458f3fc4f7fb1a83b08
  SHA256: 64541d799bc7fa4f03d5fc8dd9c67ed77bfc4c39e88afea88c077635d13c6a0e
  SHA512: 860a47ed2dba0297c3aa3701145109a06d39cc412bcab0570f85db0e644c588a0cb0d5325f7f69005dad7af3e41a4682521eed59d1298c93b95190b3e4133ac3