Analysis
max time kernel: 150s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
submitted: 03-06-2024 16:24
Static task: static1
Behavioral task: behavioral1
Sample: 926f3cd8824b8c54a03535c2a84b2ab7_JaffaCakes118.dll
Resource: win7-20240221-en
Behavioral task: behavioral2
Sample: 926f3cd8824b8c54a03535c2a84b2ab7_JaffaCakes118.dll
Resource: win10v2004-20240426-en
General
Target: 926f3cd8824b8c54a03535c2a84b2ab7_JaffaCakes118.dll
Size: 5.0MB
MD5: 926f3cd8824b8c54a03535c2a84b2ab7
SHA1: ad851086b2f99d366fa81c2933450ac88970a8c1
SHA256: f48583b02557fd2b1cea800f78feefedb5c8a55407e3d47ccdcb0795972d656e
SHA512: 8682f734a216fdc607ee2a8fdd70abe310db6c6b90e4b90d7c175c182631d7815095e0f4e5af4c49adee9c9ef39102e621d4e0ad93612a9063556ea2aa7447b4
SSDEEP: 98304:+8qPoBhz1aRxcSUDk36SAvxWa9s3R8yAVp2H:+8qPe1Cxcxk3ZAYakR8yc4H
Malware Config
Signatures

Wannacry
WannaCry is a ransomware cryptoworm.

Contacts a large (3252) amount of remote hosts (1 TTP)
This may indicate a network scan to discover remotely running services.

Executes dropped EXE (3 IoCs)
PID   Process
3528  mssecsvc.exe
1756  mssecsvc.exe
1852  tasksche.exe

Creates a large amount of network flows (1 TTP)
This may indicate a network scan to discover remotely running services.

Drops file in Windows directory (2 IoCs)
Description   IoC                      Process
File created  C:\WINDOWS\mssecsvc.exe  rundll32.exe
File created  C:\WINDOWS\tasksche.exe  mssecsvc.exe

Suspicious use of WriteProcessMemory (6 IoCs)
Description                       PID   Process       Target process
PID 4820 wrote to memory of 1516  4820  rundll32.exe  rundll32.exe
PID 4820 wrote to memory of 1516  4820  rundll32.exe  rundll32.exe
PID 4820 wrote to memory of 1516  4820  rundll32.exe  rundll32.exe
PID 1516 wrote to memory of 3528  1516  rundll32.exe  mssecsvc.exe
PID 1516 wrote to memory of 3528  1516  rundll32.exe  mssecsvc.exe
PID 1516 wrote to memory of 3528  1516  rundll32.exe  mssecsvc.exe
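The three behavioural signatures above (dropped file in the Windows directory, execution of a dropped EXE, large remote-host fan-out) can be re-derived from the raw process, file and network events a sandbox records. The script below is an added illustration, not the sandbox's own signature engine: the process and file events are constructed from the PIDs and paths listed in this report, the network events are synthetic stand-ins (the report gives only the count, 3252 hosts), the event record shapes and the fan-out threshold are assumptions, and the `ancestry` helper rebuilds the parent chain shown in the Processes section.

```python
"""Re-derive the report's behavioural signatures from a sandbox-style event trace.

Added illustration; not the sandbox's own code. Events are constructed from
the PIDs/paths in the report, network events are synthetic, and the record
shapes and fan-out threshold are assumptions.
"""
from collections import defaultdict
import ntpath

# Constructed trace. Record shapes (assumed):
#   ("proc", pid, parent_pid, image_path)
#   ("file", pid, created_path)
#   ("net",  pid, remote_ip, remote_port)
EVENTS = [
    ("proc", 4820, 0, r"C:\Windows\system32\rundll32.exe"),
    ("proc", 1516, 4820, r"C:\Windows\SysWOW64\rundll32.exe"),
    ("file", 1516, r"C:\WINDOWS\mssecsvc.exe"),
    ("proc", 3528, 1516, r"C:\WINDOWS\mssecsvc.exe"),
    ("file", 3528, r"C:\WINDOWS\tasksche.exe"),
    ("proc", 1852, 3528, r"C:\WINDOWS\tasksche.exe"),
    ("proc", 1756, 0, r"C:\WINDOWS\mssecsvc.exe"),  # service start; parent not in trace
]
# 3252 distinct synthetic peers on 445/tcp, standing in for the real flow list.
EVENTS += [("net", 1756, f"10.0.{i >> 8}.{i & 255}", 445) for i in range(1, 3253)]


def _norm(path):
    """Case-fold and normalise separators so C:\\WINDOWS and c:/windows compare equal."""
    return path.replace("/", "\\").lower()


def drops_in_windows_dir(events, windows_dir=r"C:\Windows"):
    """'Drops file in Windows directory': file creations under %WINDIR%."""
    prefix = _norm(windows_dir) + "\\"
    return [(e[1], e[2]) for e in events
            if e[0] == "file" and _norm(e[2]).startswith(prefix)]


def executes_dropped_exe(events):
    """'Executes dropped EXE': a process whose image was written earlier in the trace."""
    dropped, hits = set(), []
    for e in events:
        if e[0] == "file":
            dropped.add(_norm(e[2]))
        elif e[0] == "proc" and _norm(e[3]) in dropped:
            hits.append((e[1], e[3]))
    return hits


def contacts_many_hosts(events, threshold=1000):
    """'Contacts a large amount of remote hosts': distinct peers per pid above a threshold.

    Returns {pid: (distinct_hosts, sorted_ports)}. Heavy fan-out concentrated on a
    single port (445 here) is the shape of a worm sweeping for a service.
    """
    hosts, ports = defaultdict(set), defaultdict(set)
    for e in events:
        if e[0] == "net":
            hosts[e[1]].add(e[2])
            ports[e[1]].add(e[3])
    return {pid: (len(h), sorted(ports[pid]))
            for pid, h in hosts.items() if len(h) >= threshold}


def ancestry(events, pid):
    """Image basenames from the root of the tree down to pid, as in the Processes view."""
    parent = {e[1]: e[2] for e in events if e[0] == "proc"}
    image = {e[1]: e[3] for e in events if e[0] == "proc"}
    chain = []
    while pid in image:
        chain.append(ntpath.basename(image[pid]))
        pid = parent[pid]
    return chain[::-1]


if __name__ == "__main__":
    print("Drops file in Windows directory:", drops_in_windows_dir(EVENTS))
    print("Executes dropped EXE:", executes_dropped_exe(EVENTS))
    print("Contacts many hosts:", contacts_many_hosts(EVENTS))
    print("Tree for tasksche.exe:", " > ".join(ancestry(EVENTS, 1852)))
```

On this trace the functions return the same counts the report shows (2 dropped files, 3 dropped-EXE executions, one process with 3252 distinct peers) and `ancestry(EVENTS, 1852)` yields rundll32.exe > rundll32.exe > mssecsvc.exe > tasksche.exe. The second mssecsvc.exe (PID 1756) has no recorded parent, which is how a service launched by the SCM appears.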
Processes

C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\926f3cd8824b8c54a03535c2a84b2ab7_JaffaCakes118.dll,#1
  PID: 4820
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\rundll32.exe  (the 64-bit rundll32 re-launches its 32-bit counterpart to load the x86 DLL)
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\926f3cd8824b8c54a03535c2a84b2ab7_JaffaCakes118.dll,#1
    PID: 1516
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    C:\WINDOWS\mssecsvc.exe
      C:\WINDOWS\mssecsvc.exe
      PID: 3528
      - Executes dropped EXE
      - Drops file in Windows directory
      C:\WINDOWS\tasksche.exe
        C:\WINDOWS\tasksche.exe /i
        PID: 1852
        - Executes dropped EXE

C:\WINDOWS\mssecsvc.exe
  C:\WINDOWS\mssecsvc.exe -m security
  PID: 1756
  - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads

C:\Windows\mssecsvc.exe
Filesize: 3.6MB
MD5: d7f304f00423af6e72265bd4dda5bc9b
SHA1: ed7bb35e7a726dd2dbc48dc63e77a9650973ea9e
SHA256: 1ffa214b95f9e985a59bfe161dfd157b3be206080d7d0109356a56a665aef865
SHA512: aa5f3b99bf989228116172289c67ecb970bdcacdc0d563044832fd3bef39410143b72e1801210bf52a25cdbd26985d5a7719bef0d48ce8fdf8487481ed36e86a

C:\Windows\tasksche.exe
Filesize: 3.4MB
MD5: 635212243c6088aa3a61841a30c45a51
SHA1: 295965d036c7432770b52581ac170934245aa1a9
SHA256: 56275a34e70f74bb2db6708acd3765a421a0b6dcbdd44a02319bcb585556d20f
SHA512: bcdc3f9577aa7df151154f9e2bcded69cf852cc7ef5b2a78ecb50828c26b73df83b757d561bfd88e7bc62603c68f27bc3b44df9baf06acabedc25f3886609a9a