Analysis
max time kernel: 34s
max time network: 34s
platform: windows11-21h2_x64
resource: win11-20240611-en
resource tags: arch:x64, arch:x86, image:win11-20240611-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 13-06-2024 13:07
Static task: static1
Behavioral task: behavioral1
Sample: a5a47a2c7cf5a02d7d12d9881e32c089_JaffaCakes118.dll
Resource: win11-20240611-en
General
Target: a5a47a2c7cf5a02d7d12d9881e32c089_JaffaCakes118.dll
Size: 5.0MB
Signatures
Wannacry
WannaCry is a ransomware cryptoworm.

Executes dropped EXE (3 IoCs)
Processes: mssecsvc.exe, mssecsvc.exe, tasksche.exe
pid     process
4652    mssecsvc.exe
4156    mssecsvc.exe
2976    tasksche.exe

Drops file in Windows directory (2 IoCs)
Processes: rundll32.exe, mssecsvc.exe
description     ioc                         process
File created    C:\WINDOWS\mssecsvc.exe     rundll32.exe
File created    C:\WINDOWS\tasksche.exe     mssecsvc.exe

Suspicious use of WriteProcessMemory (6 IoCs)
Processes: rundll32.exe, rundll32.exe
description                             pid     process         target process
PID 1832 wrote to memory of 5076        1832    rundll32.exe    rundll32.exe
PID 1832 wrote to memory of 5076        1832    rundll32.exe    rundll32.exe
PID 1832 wrote to memory of 5076        1832    rundll32.exe    rundll32.exe
PID 5076 wrote to memory of 4652        5076    rundll32.exe    mssecsvc.exe
PID 5076 wrote to memory of 4652        5076    rundll32.exe    mssecsvc.exe
PID 5076 wrote to memory of 4652        5076    rundll32.exe    mssecsvc.exe
Processes
C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\a5a47a2c7cf5a02d7d12d9881e32c089_JaffaCakes118.dll,#1
  - Suspicious use of WriteProcessMemory
  PID: 1832
    C:\Windows\SysWOW64\rundll32.exe
      Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\a5a47a2c7cf5a02d7d12d9881e32c089_JaffaCakes118.dll,#1
      - Drops file in Windows directory
      - Suspicious use of WriteProcessMemory
      PID: 5076
        C:\WINDOWS\mssecsvc.exe
          Command line: C:\WINDOWS\mssecsvc.exe
          - Executes dropped EXE
          - Drops file in Windows directory
          PID: 4652
            C:\WINDOWS\tasksche.exe
              Command line: C:\WINDOWS\tasksche.exe /i
              - Executes dropped EXE
              PID: 2976
C:\WINDOWS\mssecsvc.exe
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  - Executes dropped EXE
  PID: 4156
Downloads
Filesize: 3.6MB
Filesize: 3.4MB