Analysis
- max time kernel: 150s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 13-06-2024 06:39
Static task: static1
Behavioral task: behavioral1
  Sample: a43eb0cdd301c00329d39615995a108d_JaffaCakes118.dll
  Resource: win7-20231129-en
Behavioral task: behavioral2
  Sample: a43eb0cdd301c00329d39615995a108d_JaffaCakes118.dll
  Resource: win10v2004-20240508-en
General
- Target: a43eb0cdd301c00329d39615995a108d_JaffaCakes118.dll
- Size: 5.0MB
- MD5: a43eb0cdd301c00329d39615995a108d
- SHA1: 04ee7ee47bb9b6b54a9b95d594c6cd80e4df87fb
- SHA256: 60abe02f78603cd907bd7e31034b1b075f23484e357171b578b8d2a8c2c7158e
- SHA512: ec70cb89110800d8dc72c9cb6741110cbb27ef5c4238fedf5671514d3291af74caebe971f2afa5ed716b69c7208b86b4ce52a4fecc0cf2dd79b4596b6f65a48e
- SSDEEP: 98304:+8qPoBhz1aRxcSUDk36SAEdhvxWa9P593R8y6p2HY:+8qPe1Cxcxk3ZAEUadzR8y64H
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.
- Contacts a large (3386) amount of remote hosts (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Executes dropped EXE (3 IoCs)
  Processes:
    PID   Process
    1384  mssecsvc.exe
    1128  mssecsvc.exe
    3524  tasksche.exe
- Creates a large amount of network flows (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Drops file in Windows directory (2 IoCs)
  Processes:
    Description   IoC                       Process
    File created  C:\WINDOWS\mssecsvc.exe   rundll32.exe
    File created  C:\WINDOWS\tasksche.exe   mssecsvc.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes:
    Description                        PID   Process       Target process
    PID 4348 wrote to memory of 3596   4348  rundll32.exe  rundll32.exe
    PID 4348 wrote to memory of 3596   4348  rundll32.exe  rundll32.exe
    PID 4348 wrote to memory of 3596   4348  rundll32.exe  rundll32.exe
    PID 3596 wrote to memory of 1384   3596  rundll32.exe  mssecsvc.exe
    PID 3596 wrote to memory of 1384   3596  rundll32.exe  mssecsvc.exe
    PID 3596 wrote to memory of 1384   3596  rundll32.exe  mssecsvc.exe
Processes
- C:\Windows\system32\rundll32.exe (PID 4348)
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\a43eb0cdd301c00329d39615995a108d_JaffaCakes118.dll,#1
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (PID 3596)
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\a43eb0cdd301c00329d39615995a108d_JaffaCakes118.dll,#1
    Signatures: Drops file in Windows directory; Suspicious use of WriteProcessMemory
    - C:\WINDOWS\mssecsvc.exe (PID 1384)
      Command line: C:\WINDOWS\mssecsvc.exe
      Signatures: Executes dropped EXE; Drops file in Windows directory
      - C:\WINDOWS\tasksche.exe (PID 3524)
        Command line: C:\WINDOWS\tasksche.exe /i
        Signatures: Executes dropped EXE
- C:\WINDOWS\mssecsvc.exe (PID 1128)
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  Signatures: Executes dropped EXE

The 64-bit rundll32.exe (system32) hands the DLL's export #1 to the 32-bit rundll32.exe (SysWOW64), which writes mssecsvc.exe into C:\WINDOWS\ and launches it; that instance in turn drops and runs tasksche.exe /i. The second mssecsvc.exe instance (PID 1128, started with -m security) appears as its own top-level process rather than as a child of the rundll32.exe chain.
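The signatures and the process tree above translate directly into host-side detection logic. The following is an added example, not code from the sandbox report or from any vendor tooling: it replays constructed process-creation and network-flow records modelled on the report (the rundll32.exe -> mssecsvc.exe -> tasksche.exe /i chain, the separate mssecsvc.exe -m security instance, and a burst of distinct remote hosts) and raises a finding for each behaviour the report flags. The record field names (pid, ppid, image, cmdline, dropped_by, dst), the parent PIDs of the two top-level processes, the assignment of the scan traffic to PID 1128 and the SCAN_THRESHOLD value are assumptions made for the example.

```python
"""Detection logic for the behaviours the sandbox report flags (added example)."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str                      # full path of the executed image
    cmdline: str
    dropped_by: Optional[int] = None  # pid that wrote the image to disk, if known (assumed field)


@dataclass
class FlowEvent:
    pid: int
    dst: str                        # remote host contacted by pid


SCAN_THRESHOLD = 100  # assumed cut-off for "large amount of remote hosts"; tune per environment


def _image_name(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def find_dropped_and_executed(procs: List[ProcEvent]) -> List[str]:
    """Images written by another process directly under C:\\WINDOWS\\ and then executed."""
    prefix = "c:\\windows\\"
    return sorted({p.image for p in procs
                   if p.dropped_by is not None
                   and p.image.lower().startswith(prefix)
                   and "\\" not in p.image[len(prefix):]})


def find_wannacry_chain(procs: List[ProcEvent]) -> List[Tuple[int, int, int]]:
    """rundll32.exe -> mssecsvc.exe -> 'tasksche.exe /i', as seen in the report's tree."""
    by_pid = {p.pid: p for p in procs}
    hits = []
    for p in procs:
        if _image_name(p.image) != "tasksche.exe" or "/i" not in p.cmdline.split():
            continue
        parent = by_pid.get(p.ppid)
        if parent is None or _image_name(parent.image) != "mssecsvc.exe":
            continue
        grandparent = by_pid.get(parent.ppid)
        if grandparent is not None and _image_name(grandparent.image) == "rundll32.exe":
            hits.append((grandparent.pid, parent.pid, p.pid))
    return hits


def find_service_mode(procs: List[ProcEvent]) -> List[int]:
    """mssecsvc.exe launched with the '-m security' arguments from the report."""
    return [p.pid for p in procs
            if _image_name(p.image) == "mssecsvc.exe"
            and p.cmdline.split()[-2:] == ["-m", "security"]]


def find_scanners(flows: List[FlowEvent], threshold: int = SCAN_THRESHOLD) -> Dict[int, int]:
    """Processes that contact at least `threshold` distinct remote hosts."""
    hosts = defaultdict(set)
    for f in flows:
        hosts[f.pid].add(f.dst)
    return {pid: len(h) for pid, h in hosts.items() if len(h) >= threshold}


# Constructed sample data modelled on the report's process tree. The ppids of the
# two top-level processes (1000, 700) are placeholders, not values from the report.
DLL = r"C:\Users\Admin\AppData\Local\Temp\a43eb0cdd301c00329d39615995a108d_JaffaCakes118.dll"
SAMPLE_PROCS = [
    ProcEvent(4348, 1000, r"C:\Windows\system32\rundll32.exe", f"rundll32.exe {DLL},#1"),
    ProcEvent(3596, 4348, r"C:\Windows\SysWOW64\rundll32.exe", f"rundll32.exe {DLL},#1"),
    ProcEvent(1384, 3596, r"C:\WINDOWS\mssecsvc.exe", r"C:\WINDOWS\mssecsvc.exe", dropped_by=3596),
    ProcEvent(3524, 1384, r"C:\WINDOWS\tasksche.exe", r"C:\WINDOWS\tasksche.exe /i", dropped_by=1384),
    ProcEvent(1128, 700, r"C:\WINDOWS\mssecsvc.exe", r"C:\WINDOWS\mssecsvc.exe -m security"),
]
# Constructed flows: 150 distinct hosts from PID 1128 (assumed to be the scanner), 2 from PID 4348.
SAMPLE_FLOWS = [FlowEvent(1128, f"10.0.{i // 256}.{i % 256}") for i in range(150)] + [
    FlowEvent(4348, "192.0.2.10"), FlowEvent(4348, "192.0.2.11")]


def analyse(procs=SAMPLE_PROCS, flows=SAMPLE_FLOWS) -> dict:
    return {
        "dropped_and_executed": find_dropped_and_executed(procs),
        "wannacry_chain": find_wannacry_chain(procs),
        "service_mode_pids": find_service_mode(procs),
        "scanners": find_scanners(flows),
    }


if __name__ == "__main__":
    for name, result in analyse().items():
        print(f"{name}: {result}")
```

On the sample data the chain detector returns the (rundll32, mssecsvc, tasksche) PID triple (3596, 1384, 3524), the service-mode check returns PID 1128, and the scan detector flags PID 1128 with 150 hosts; a real deployment would feed it process-creation and network telemetry from an EDR or Sysmon rather than the constructed records.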
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 3.6MB
  MD5: 83521f8fa20fba83da26de14c38c4951
  SHA1: fe70f7fc040e903f07e8679a6d6ad926c96e6fde
  SHA256: bc9a1427e94f65030cb197be5ff83f8f10bfce03e7616913df010939b537549d
  SHA512: f743544d40403fc16486d348bb73204bb426db0b597d03c60df60a08da6ccb625c26dfa280d321e5617104d01628c3c6f7fe2b287fbeb651c9beec3aa5fd07af
- Filesize: 3.4MB
  MD5: 499a105155b33317db4bee825d56bc19
  SHA1: 32f780e081ba667741cec15eb009dbe4c23fd5d7
  SHA256: 60c16580732d0bcec85d11e4afcdde0943c354588eb67dc45f05de161e384020
  SHA512: a6461ec10a0b76064d1b5f5a243d24c60deabe4c24650b203efaf1ecebac91c9a76a37980211c48f4ce74d41b8112f4b5628ab6f502a1e2412788c84d690ad36