Analysis
max time kernel: 150s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 11-06-2024 19:48
Static task: static1
Behavioral task: behavioral1
Sample: 9f562cee6b7ce2a42243c7550636e2a0_JaffaCakes118.dll
Resource: win7-20240419-en
Behavioral task: behavioral2
Sample: 9f562cee6b7ce2a42243c7550636e2a0_JaffaCakes118.dll
Resource: win10v2004-20240508-en
General
Target: 9f562cee6b7ce2a42243c7550636e2a0_JaffaCakes118.dll
Size: 5.0MB
MD5: 9f562cee6b7ce2a42243c7550636e2a0
SHA1: 3f0fcf9735a0c83a62653518b88d06f64923f8c3
SHA256: c7fb3930cb8e54333ea87e9191b21497f8975567bd18b0a6a24e5fb759c6e186
SHA512: 4808d1434e0ef26165710f0ec4d99d25bd4c71cb5404e96fee7a8145723a93a0268bcd63e5cd012cb02645b030a68366952d63c25ad1815a6796e0361c9f2ad1
SSDEEP: 98304:d8qPoBhz1aRxcSUDk36SAEdh9YoT3R8yAVp2H:d8qPe1Cxcxk3ZAEtR8yc4H
Malware Config
Signatures

Wannacry
WannaCry is a ransomware cryptoworm.

Contacts a large (3383) amount of remote hosts (1 TTPs)
This may indicate a network scan to discover remotely running services.

Executes dropped EXE (3 IoCs)
Processes:
PID   Process
1412  mssecsvc.exe
3436  mssecsvc.exe
1048  tasksche.exe

Creates a large amount of network flows (1 TTPs)
This may indicate a network scan to discover remotely running services.

Drops file in Windows directory (2 IoCs)
Processes:
Description   IoC                      Process
File created  C:\WINDOWS\mssecsvc.exe  rundll32.exe
File created  C:\WINDOWS\tasksche.exe  mssecsvc.exe

Suspicious use of WriteProcessMemory (6 IoCs)
Processes:
Description                        PID   Process       Target process
PID 5084 wrote to memory of 2396   5084  rundll32.exe  rundll32.exe
PID 5084 wrote to memory of 2396   5084  rundll32.exe  rundll32.exe
PID 5084 wrote to memory of 2396   5084  rundll32.exe  rundll32.exe
PID 2396 wrote to memory of 1412   2396  rundll32.exe  mssecsvc.exe
PID 2396 wrote to memory of 1412   2396  rundll32.exe  mssecsvc.exe
PID 2396 wrote to memory of 1412   2396  rundll32.exe  mssecsvc.exe
Processes
C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\9f562cee6b7ce2a42243c7550636e2a0_JaffaCakes118.dll,#1
  PID: 5084
  Signatures: Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\9f562cee6b7ce2a42243c7550636e2a0_JaffaCakes118.dll,#1
    PID: 2396
    Signatures: Drops file in Windows directory; Suspicious use of WriteProcessMemory
    C:\WINDOWS\mssecsvc.exe
      Command line: C:\WINDOWS\mssecsvc.exe
      PID: 1412
      Signatures: Executes dropped EXE; Drops file in Windows directory
      C:\WINDOWS\tasksche.exe
        Command line: C:\WINDOWS\tasksche.exe /i
        PID: 1048
        Signatures: Executes dropped EXE

C:\WINDOWS\mssecsvc.exe
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  PID: 3436
  Signatures: Executes dropped EXE
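The behavioural signatures above (a file dropped under the Windows directory, execution of a dropped EXE, and a high fan-out of distinct remote hosts) can be reproduced from the process tree with a small event-correlation detector. The following is an added example, not code from the sandbox vendor or from the sample. The event stream is constructed from the tree above; the parent of PID 3436 is not shown in the report and is left unset, and attributing the 3383-host fan-out to PID 1412, the synthetic 10.0.0.0/16 targets, and the 1000-host threshold are assumptions.

```python
# Added example: replays the report's behavioural signatures over a constructed
# event stream. Not sandbox-vendor code. Parent of PID 3436, the scanning PID
# and HOST_FANOUT_THRESHOLD are assumptions (see lead-in).
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional


@dataclass
class Event:
    kind: str                      # "process" | "file" | "net"
    pid: int                       # new process (process) or acting process (file/net)
    image: str = ""                # process: image path of the new process
    parent: Optional[int] = None   # process: parent pid, None if unknown
    cmdline: str = ""              # process: command line
    path: str = ""                 # file: path created
    dst: str = ""                  # net: remote host contacted


WINDOWS_DIR = "c:\\windows\\"
HOST_FANOUT_THRESHOLD = 1000       # assumption; the report's 3383 is far above it


def analyse(events):
    """Return (signature, pid, detail) triples in the order they fire."""
    created_by = {}                # lower-cased path -> pid that created it
    hosts = defaultdict(set)       # pid -> distinct remote hosts contacted
    findings = []
    for ev in events:
        if ev.kind == "process":
            dropper = created_by.get(ev.image.lower())
            if dropper is not None:
                findings.append(("Executes dropped EXE", ev.pid,
                                 f"{ev.image} (dropped by pid {dropper})"))
        elif ev.kind == "file":
            key = ev.path.lower()
            created_by[key] = ev.pid
            if key.startswith(WINDOWS_DIR):
                findings.append(("Drops file in Windows directory", ev.pid, ev.path))
        elif ev.kind == "net":
            hosts[ev.pid].add(ev.dst)
    for pid, hs in hosts.items():
        if len(hs) >= HOST_FANOUT_THRESHOLD:
            findings.append(("Contacts a large amount of remote hosts", pid,
                             f"{len(hs)} distinct hosts"))
    return findings


def summarise(findings):
    """Count findings per signature name."""
    counts = defaultdict(int)
    for sig, _, _ in findings:
        counts[sig] += 1
    return dict(counts)


def report_events():
    """Constructed events mirroring the process tree in the report."""
    dll = r"C:\Users\Admin\AppData\Local\Temp\9f562cee6b7ce2a42243c7550636e2a0_JaffaCakes118.dll"
    ev = [
        Event("process", 5084, r"C:\Windows\system32\rundll32.exe", None, f"rundll32.exe {dll},#1"),
        Event("process", 2396, r"C:\Windows\SysWOW64\rundll32.exe", 5084, f"rundll32.exe {dll},#1"),
        Event("file", 2396, path=r"C:\WINDOWS\mssecsvc.exe"),
        Event("process", 1412, r"C:\WINDOWS\mssecsvc.exe", 2396, r"C:\WINDOWS\mssecsvc.exe"),
        Event("file", 1412, path=r"C:\WINDOWS\tasksche.exe"),
        Event("process", 1048, r"C:\WINDOWS\tasksche.exe", 1412, r"C:\WINDOWS\tasksche.exe /i"),
        # The report does not show the parent of the service-mode instance.
        Event("process", 3436, r"C:\WINDOWS\mssecsvc.exe", None, r"C:\WINDOWS\mssecsvc.exe -m security"),
    ]
    # Assumption: the 3383-host fan-out is attributed to PID 1412 with synthetic targets.
    ev += [Event("net", 1412, dst=f"10.0.{i // 256}.{i % 256}") for i in range(3383)]
    return ev


if __name__ == "__main__":
    for sig, pid, detail in analyse(report_events()):
        print(f"{sig:45} pid={pid:<5} {detail}")
```

The dropped-EXE check matches on the lower-cased image path only; a production rule would also resolve 8.3 short names and compare on file identity rather than path, because a path match is trivial to evade by renaming.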
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 3.6MB
MD5: 4c758dd1b8c4ffb04a4d9b6d20ca6328
SHA1: 985a7cd2b3a4b32e2cf5e1c23df915200ad47009
SHA256: 8b956dd7cdf4f2039844dea4f0a3b92df3dd3c6e00ad073a89c045bb01a6b2fd
SHA512: 2478c94b1b336c17958b98d29fdf0b12a25b9e62c0ef6ba9afdaf24a77be76886f6ea76e97c3570b8e2c89f85b7932ade285597717363952643da24650cd56f5

Filesize: 3.4MB
MD5: 5962a1fe4ec3fb34d4c6bc7329e4c952
SHA1: af7a0dddd89dcc4606d0b3ebc63f3a8d38e2364e
SHA256: d5980f65091e778a3fb5c3100c1291988b3a9798304608ca4fef62f701034e45
SHA512: fce794473bef6939038ae9c4f03d06416d56bf794343805fc7a30d345105d86df54c045652472ade0701444e784dd3f485239d822d22ff43ce4e6e3055598712