Analysis
  Max time kernel: 150s
  Max time network: 151s
  Platform: windows10-2004_x64
  Resource: win10v2004-20240508-en
  Resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  Submitted: 13-06-2024 00:34
Static task: static1
Behavioral task: behavioral1
  Sample: a32ad2b83ee36582fc7fde744a807dbc_JaffaCakes118.dll
  Resource: win7-20240220-en
Behavioral task: behavioral2
  Sample: a32ad2b83ee36582fc7fde744a807dbc_JaffaCakes118.dll
  Resource: win10v2004-20240508-en
General
  Target: a32ad2b83ee36582fc7fde744a807dbc_JaffaCakes118.dll
  Size: 5.0MB
  MD5: a32ad2b83ee36582fc7fde744a807dbc
  SHA1: ec9a64a97ec7baf868ffd4fbaa5dd125ab840468
  SHA256: d2893feead9c7ce80858fbdd26b0b82cb5a0eda30368003522d2491367e19e3b
  SHA512: 719cb59b16fb5969cfa1fdcd290f96ff943243fa7a23389ecf34f2715a3bc9265626ebd720bc4994c4d935e2ac0bfa385ff16bdd3e1b4ae18200f666e0c57248
  SSDEEP: 98304:d8qPoBhz1aRxcSUDk36SAEdhvxW/593R8yAVp2H:d8qPe1Cxcxk3ZAEU/zR8yc4H
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.
- Contacts a large (3353) amount of remote hosts (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Executes dropped EXE (3 IoCs)
  Processes: mssecsvc.exe, mssecsvc.exe, tasksche.exe
    PID   Process
    1512  mssecsvc.exe
    2472  mssecsvc.exe
    232   tasksche.exe
- Creates a large amount of network flows (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Drops file in Windows directory (2 IoCs)
  Processes: rundll32.exe, mssecsvc.exe
    Description   IoC                       Process
    File created  C:\WINDOWS\mssecsvc.exe   rundll32.exe
    File created  C:\WINDOWS\tasksche.exe   mssecsvc.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes: rundll32.exe, rundll32.exe
    Description                       PID   Process       Target process
    PID 684 wrote to memory of 2808   684   rundll32.exe  rundll32.exe
    PID 684 wrote to memory of 2808   684   rundll32.exe  rundll32.exe
    PID 684 wrote to memory of 2808   684   rundll32.exe  rundll32.exe
    PID 2808 wrote to memory of 1512  2808  rundll32.exe  mssecsvc.exe
    PID 2808 wrote to memory of 1512  2808  rundll32.exe  mssecsvc.exe
    PID 2808 wrote to memory of 1512  2808  rundll32.exe  mssecsvc.exe
Processes
  [1] C:\Windows\system32\rundll32.exe
      Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\a32ad2b83ee36582fc7fde744a807dbc_JaffaCakes118.dll,#1
      PID: 684
      - Suspicious use of WriteProcessMemory
    [2] C:\Windows\SysWOW64\rundll32.exe
        Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\a32ad2b83ee36582fc7fde744a807dbc_JaffaCakes118.dll,#1
        PID: 2808
        - Drops file in Windows directory
        - Suspicious use of WriteProcessMemory
      [3] C:\WINDOWS\mssecsvc.exe
          Command line: C:\WINDOWS\mssecsvc.exe
          PID: 1512
          - Executes dropped EXE
          - Drops file in Windows directory
        [4] C:\WINDOWS\tasksche.exe
            Command line: C:\WINDOWS\tasksche.exe /i
            PID: 232
            - Executes dropped EXE
  [1] C:\WINDOWS\mssecsvc.exe
      Command line: C:\WINDOWS\mssecsvc.exe -m security
      PID: 2472
      - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 3.6MB
  MD5: 18f1a4479da2737c493df827d50e8e77
  SHA1: d1b91f100c9291ce996a7156766e54d30914284a
  SHA256: 7da681ac7ff7bef8ff19b57f735c701af9525fc76a89342c6a27f3bda6d4360b
  SHA512: c85b061fadd293351724abd751c58d6b3ffb9eb9f2d408890231077d40026d8deb8090fc6ff36702860f405d0b124874a8ab6f611b38c8408dd56d865db53b37
- Filesize: 3.4MB
  MD5: 8f5ddac43bafb9dd98eb16e41e99b7c6
  SHA1: 7ab9d8c5dc1fa43bf73ce80d143126cafc3647fc
  SHA256: 9eac071084c0759883ef3d8d07410231b85f4e2a00e034f2bb904b6b172f0d64
  SHA512: 8d2a5de027582a566984ecc0f77e2312767947341b27cf5a463cf4dda897936a59fb32126966406a4cbd0128239deb53e040f615e2440efa92e51219409d3840