Analysis
- max time kernel: 150s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 12-06-2024 10:22
Static task: static1
Behavioral task: behavioral1
- Sample: a04d986a0899f529974a08c1cc9cbe0f_JaffaCakes118.dll
- Resource: win7-20240419-en
Behavioral task: behavioral2
- Sample: a04d986a0899f529974a08c1cc9cbe0f_JaffaCakes118.dll
- Resource: win10v2004-20240508-en
General
- Target: a04d986a0899f529974a08c1cc9cbe0f_JaffaCakes118.dll
- Size: 5.0MB
- MD5: a04d986a0899f529974a08c1cc9cbe0f
- SHA1: eb3dbdc562a258b91447cc3bb335bc8bf2d98328
- SHA256: 6eac3a90343df429a921c57f01fd709f73318c354e34354d2f0da528d14a0d17
- SHA512: 5321ba00cdaf782a89738655271f523da02b92edb74aa553c16b989f8f62634fd7d42d95742b21c481f611c39fb619ceec017cacc6266974c39039433d4a0b1c
- SSDEEP: 98304:d8qPoBhz1aRxcSUDk8xWa9P593R8yAVp2H:d8qPe1Cxcxk/adzR8yc4H
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.
- Contacts a large (3364) amount of remote hosts (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Executes dropped EXE (3 IoCs)
  Processes:
    pid   process
    692   mssecsvc.exe
    3788  mssecsvc.exe
    456   tasksche.exe
- Creates a large amount of network flows (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Drops file in Windows directory (2 IoCs)
  Processes:
    description   ioc                        process
    File created  C:\WINDOWS\mssecsvc.exe    rundll32.exe
    File created  C:\WINDOWS\tasksche.exe    mssecsvc.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes:
    description                        pid   process       target process
    PID 4200 wrote to memory of 1856   4200  rundll32.exe  rundll32.exe
    PID 4200 wrote to memory of 1856   4200  rundll32.exe  rundll32.exe
    PID 4200 wrote to memory of 1856   4200  rundll32.exe  rundll32.exe
    PID 1856 wrote to memory of 692    1856  rundll32.exe  mssecsvc.exe
    PID 1856 wrote to memory of 692    1856  rundll32.exe  mssecsvc.exe
    PID 1856 wrote to memory of 692    1856  rundll32.exe  mssecsvc.exe
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\a04d986a0899f529974a08c1cc9cbe0f_JaffaCakes118.dll,#1
  - Suspicious use of WriteProcessMemory
  PID: 4200
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\a04d986a0899f529974a08c1cc9cbe0f_JaffaCakes118.dll,#1
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    PID: 1856
    - C:\WINDOWS\mssecsvc.exe
      Command line: C:\WINDOWS\mssecsvc.exe
      - Executes dropped EXE
      - Drops file in Windows directory
      PID: 692
      - C:\WINDOWS\tasksche.exe
        Command line: C:\WINDOWS\tasksche.exe /i
        - Executes dropped EXE
        PID: 456
- C:\WINDOWS\mssecsvc.exe
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  - Executes dropped EXE
  PID: 3788
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 3.6MB
  MD5: 77f4e2778a294a34161dc078a8c2fa81
  SHA1: 1f05c7ba089b9e68e9b8e74baf8827f855d1fb80
  SHA256: f65142341c15fd7329bc4019d4b31653adcfdaaf979a00cf5726bd79a728832b
  SHA512: a1e22c94a1b949ba5943846a2e8cef6343f2a0cebc93c5ca0b98b359a4ee5889451712a52f9262c3a2ea6acdeeaa7b3e472bb43074e713a357cef9d476c9e98d
- Filesize: 3.4MB
  MD5: 2e762ef70aad2f4a815a6a2fd62719cd
  SHA1: f7daacadba17699472008b2d174ef4541d915de0
  SHA256: 90fe60c3efb4bcf6297350d3bda6c86dfa0bfc98df8df0bbf04f02ecd83accd6
  SHA512: 99732c371d1963a4eb3f731e8d269434f55ff9096520ac28fbd24db65af1ee6eef0135ee8c5b80b8678f16d8b86d6ad37ce69db678fb25c405e5e938ea45ae9d