Analysis
- max time kernel: 150s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 04-06-2024 02:03
Static task: static1
Behavioral task: behavioral1
- Sample: 935a103be36400df296e44f438467f3c_JaffaCakes118.dll
- Resource: win7-20240215-en
Behavioral task: behavioral2
- Sample: 935a103be36400df296e44f438467f3c_JaffaCakes118.dll
- Resource: win10v2004-20240508-en
General
- Target: 935a103be36400df296e44f438467f3c_JaffaCakes118.dll
- Size: 5.0MB
- MD5: 935a103be36400df296e44f438467f3c
- SHA1: c24562cf24a51cb81ecae2b64993602ff93da5af
- SHA256: 6a81d946fdb06e601caa1018b39bc1a513a53e7716a7c1b8824f10fbad72e26c
- SHA512: f1b11cb0c25f745bf31e5cc225ac7afeb103deed6dab97197bec093a5792a8205f2d052d60485a3654fa5849b713406db72417e90d91f2da4cfdb035e7985478
- SSDEEP: 6144:yE9l9yNqIYVTH5DgSg8ajldktM0XXrs2QhMV9qbBLIwYQuy8DLq1eNVDwUM:ywbLgPluxQhMbaIMu7L5NVM
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm. The sample is its dropper DLL: rundll32 invokes it by export ordinal #1, and that export writes C:\WINDOWS\mssecsvc.exe into the Windows directory and launches it (see the IoCs below).
- Contacts a large (3336) number of remote hosts (1 TTP)
  This may indicate a network scan to discover remotely running services. For this family the scanning process is the mssecsvc.exe spreader, which probes other hosts over SMB (TCP/445); 3336 distinct hosts inside a 151 s network window is worm behaviour, not normal client traffic.
- Executes dropped EXE (3 IoCs)
  Processes:
  PID   Process
  3700  mssecsvc.exe
  2064  mssecsvc.exe
  2164  tasksche.exe
- Creates a large amount of network flows (1 TTP)
  This may indicate a network scan to discover remotely running services.
- Drops file in Windows directory (2 IoCs)
  Processes:
  Description   IoC                       Process
  File created  C:\WINDOWS\mssecsvc.exe   rundll32.exe
  File created  C:\WINDOWS\tasksche.exe   mssecsvc.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes:
  PID   Wrote to PID   Process        Target process
  2256  4976           rundll32.exe   rundll32.exe
  2256  4976           rundll32.exe   rundll32.exe
  2256  4976           rundll32.exe   rundll32.exe
  4976  3700           rundll32.exe   mssecsvc.exe
  4976  3700           rundll32.exe   mssecsvc.exe
  4976  3700           rundll32.exe   mssecsvc.exe
  (Each parent writes into its child three times, which is the normal child-process setup pattern; the IoC is who the child is, not the write itself.)
Processes
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\935a103be36400df296e44f438467f3c_JaffaCakes118.dll,#1
  - Suspicious use of WriteProcessMemory
  PID: 2256
  - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\935a103be36400df296e44f438467f3c_JaffaCakes118.dll,#1
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    PID: 4976
    (The 64-bit rundll32 hands the 32-bit DLL off to the SysWOW64 copy; the drop of C:\WINDOWS\mssecsvc.exe comes from this PID.)
    - C:\WINDOWS\mssecsvc.exe
      C:\WINDOWS\mssecsvc.exe
      - Executes dropped EXE
      - Drops file in Windows directory
      PID: 3700
      - C:\WINDOWS\tasksche.exe
        C:\WINDOWS\tasksche.exe /i
        - Executes dropped EXE
        PID: 2164
- C:\WINDOWS\mssecsvc.exe
  C:\WINDOWS\mssecsvc.exe -m security
  - Executes dropped EXE
  PID: 2064
  (Separate root of the tree: the service-mode relaunch of the dropper, with no parent recorded in the trace.)
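The process tree and file IoCs above are enough to write a host-based detection for this chain. The following is an added example for this page, not part of the sandbox report or of the sandbox's own signature engine: the event records are constructed inline from the PIDs, image paths, command lines and file-creation IoCs listed above, and the rule names, the ProcEvent/FileEvent types and the benign control record are this example's own.

```python
"""Detection rules for the WannaCry dropper chain shown in the report above.

Added example; not the sandbox's code. Event records are constructed from the
report's process tree and "Drops file in Windows directory" IoCs.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class ProcEvent:
    pid: int
    ppid: Optional[int]   # None when the parent is outside the recorded tree
    image: str
    cmdline: str


@dataclass
class FileEvent:
    pid: int              # process that wrote the file
    path: str


# Constructed from the report's process tree (PIDs and command lines as listed).
PROCS = [
    ProcEvent(2256, None, r"C:\Windows\system32\rundll32.exe",
              r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\935a103be36400df296e44f438467f3c_JaffaCakes118.dll,#1"),
    ProcEvent(4976, 2256, r"C:\Windows\SysWOW64\rundll32.exe",
              r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\935a103be36400df296e44f438467f3c_JaffaCakes118.dll,#1"),
    ProcEvent(3700, 4976, r"C:\WINDOWS\mssecsvc.exe", r"C:\WINDOWS\mssecsvc.exe"),
    ProcEvent(2164, 3700, r"C:\WINDOWS\tasksche.exe", r"C:\WINDOWS\tasksche.exe /i"),
    ProcEvent(2064, None, r"C:\WINDOWS\mssecsvc.exe", r"C:\WINDOWS\mssecsvc.exe -m security"),
]

# Constructed from the "Drops file in Windows directory" IoCs.
FILES = [
    FileEvent(4976, r"C:\WINDOWS\mssecsvc.exe"),
    FileEvent(3700, r"C:\WINDOWS\tasksche.exe"),
]

# rundll32 loading a DLL out of a user temp directory by export ordinal (",#N")
TEMP_DLL_ORDINAL = re.compile(r"\\appdata\\local\\temp\\[^ ]+\.dll,#\d+")
# an executable sitting directly in the Windows directory root
WINDOWS_ROOT_EXE = re.compile(r"c:\\windows\\[^\\]+\.exe")


def basename(path: str) -> str:
    return path.lower().rsplit("\\", 1)[-1]


def ancestry(pid: int, by_pid: dict) -> List[str]:
    """Image basenames from pid up to the root of the recorded tree."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(basename(by_pid[pid].image))
        pid = by_pid[pid].ppid
    return chain


def detect_wannacry_chain(procs, files) -> List[Tuple[str, int]]:
    """Return (rule, pid) hits; each rule mirrors one signature from the report."""
    hits = []
    by_pid = {p.pid: p for p in procs}
    dropped = {f.path.lower() for f in files}
    for p in procs:
        img, cmd, name = p.image.lower(), p.cmdline.lower(), basename(p.image)
        argv = cmd.split()
        if name == "rundll32.exe" and TEMP_DLL_ORDINAL.search(cmd):
            hits.append(("rundll32_temp_dll_ordinal", p.pid))
        # "Executes dropped EXE": image was written earlier in the trace and lives in C:\WINDOWS
        if img in dropped and WINDOWS_ROOT_EXE.fullmatch(img):
            hits.append(("executes_dropped_exe", p.pid))
        if name == "tasksche.exe" and "/i" in argv:
            hits.append(("tasksche_install_switch", p.pid))
        # service-mode relaunch: no parent in the tree, "-m security" on the command line
        if name == "mssecsvc.exe" and argv[1:] == ["-m", "security"] and p.ppid is None:
            hits.append(("mssecsvc_service_mode", p.pid))
        chain = ancestry(p.pid, by_pid)
        if chain[:2] == ["tasksche.exe", "mssecsvc.exe"] and "rundll32.exe" in chain:
            hits.append(("wannacry_dropper_chain", p.pid))
    return hits


def is_wannacry(hits) -> bool:
    rules = {r for r, _ in hits}
    return "wannacry_dropper_chain" in rules and "executes_dropped_exe" in rules


# A benign rundll32 invocation, constructed as a negative control.
BENIGN = [ProcEvent(100, None, r"C:\Windows\system32\rundll32.exe",
                    r"rundll32.exe shell32.dll,Control_RunDLL")]

if __name__ == "__main__":
    for rule, pid in detect_wannacry_chain(PROCS, FILES):
        print(f"{rule:28} pid={pid}")
    print("verdict:", is_wannacry(detect_wannacry_chain(PROCS, FILES)))
```

On the report's data this fires the three `executes_dropped_exe` hits (PIDs 3700, 2164 and 2064) that the "Executes dropped EXE" signature counts, plus the rundll32, tasksche `/i`, service-mode and ancestry rules, while the control record produces nothing. Two caveats when porting this to real telemetry: the `ppid is None` test stands in for the sandbox's missing parent, whereas Sysmon process-creation events would show the service-mode mssecsvc.exe under services.exe; and the image and path comparisons are case-folded because the report itself mixes `C:\Windows` and `C:\WINDOWS`.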
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 3.6MB
  MD5: 03da1a94d9940babbb24c2f09177e145
  SHA1: 40fdb506c7df3e5c95a9e5d6acca2b9cac0aa5e1
  SHA256: c9a0c495bcee207bab8ff291107141bc2e23a4f5a5102cc24354eaf4009dbbf3
  SHA512: ea260f5ddcde156ea942698995a9cd00e8def5515f48a76b0a691bc25c760339119197230585c164647ec0d0f94079d5a40aea15398838041f50fc3ec4c39b31
- Filesize: 3.4MB
  MD5: 2cfd9967eaf64845781ce70f0dd69ccb
  SHA1: c9bf80b6af17c54c460e0f77d7520894de91a632
  SHA256: dd35fc41dd35b399a8e52cb4e12965a4c0d910999a1133ffe95a8cf50bc950ee
  SHA512: 31a82b9837c57029a5008ab5c8b71a379ebb29a7fa646224a6c87fc017163bf23787e23a53b5262ebc76deefb4ac099d83995f0fc17b7ba02afff6251ce14d99