Analysis
max time kernel: 150s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 14-06-2024 08:32
Static task: static1
Behavioral task: behavioral1
  Sample: a8bff7f3bafcdc471d9d3e17bc359cf1_JaffaCakes118.dll
  Resource: win7-20240508-en
Behavioral task: behavioral2
  Sample: a8bff7f3bafcdc471d9d3e17bc359cf1_JaffaCakes118.dll
  Resource: win10v2004-20240508-en
General
Target: a8bff7f3bafcdc471d9d3e17bc359cf1_JaffaCakes118.dll
Size: 5.0MB
MD5: a8bff7f3bafcdc471d9d3e17bc359cf1
SHA1: f5202f682f8448f611ca4f93f12a7213677f9e9c
SHA256: 74456df3eab31876c8b4394635aa541567bcef501516ff92676ec5b475790437
SHA512: e940846a5a16dfe5d7d3a8b38b4599b2bb17b79cac5267e54f25c860d2f74cd6f4152276942126f3c88e1d1680f032342441a605f3053f64c6ef300b8b345d2a
SSDEEP: 98304:T8qPoBhKcSUDk36SAEdhvxWa9P593R8yAVp2H:T8qPLcxk3ZAEUadzR8yc4H
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.
- Contacts a large number (3359) of remote hosts (1 TTP)
  This may indicate a network scan to discover remotely running services.
- Executes dropped EXE (3 IoCs)
  Processes:
    PID    Process
    1460   mssecsvc.exe
    996    mssecsvc.exe
    3796   tasksche.exe
- Creates a large amount of network flows (1 TTP)
  This may indicate a network scan to discover remotely running services.
- Drops file in Windows directory (2 IoCs)
  Processes:
    Description    IoC                        Process
    File created   C:\WINDOWS\mssecsvc.exe    rundll32.exe
    File created   C:\WINDOWS\tasksche.exe    mssecsvc.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes:
    Description                         PID    Process         Target process
    PID 728 wrote to memory of 3248     728    rundll32.exe    rundll32.exe
    PID 728 wrote to memory of 3248     728    rundll32.exe    rundll32.exe
    PID 728 wrote to memory of 3248     728    rundll32.exe    rundll32.exe
    PID 3248 wrote to memory of 1460    3248   rundll32.exe    mssecsvc.exe
    PID 3248 wrote to memory of 1460    3248   rundll32.exe    mssecsvc.exe
    PID 3248 wrote to memory of 1460    3248   rundll32.exe    mssecsvc.exe
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\a8bff7f3bafcdc471d9d3e17bc359cf1_JaffaCakes118.dll,#1
  PID: 728
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\a8bff7f3bafcdc471d9d3e17bc359cf1_JaffaCakes118.dll,#1
    PID: 3248
    Signatures: Drops file in Windows directory; Suspicious use of WriteProcessMemory
    - C:\WINDOWS\mssecsvc.exe
      Command line: C:\WINDOWS\mssecsvc.exe
      PID: 1460
      Signatures: Executes dropped EXE; Drops file in Windows directory
      - C:\WINDOWS\tasksche.exe
        Command line: C:\WINDOWS\tasksche.exe /i
        PID: 3796
        Signatures: Executes dropped EXE
- C:\WINDOWS\mssecsvc.exe
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  PID: 996
  Signatures: Executes dropped EXE
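The signatures and the process tree describe one chain: rundll32.exe loads the DLL's ",#1" export (ordinal 1), the SysWOW64 rundll32.exe writes C:\WINDOWS\mssecsvc.exe and starts it, mssecsvc.exe writes and starts C:\WINDOWS\tasksche.exe /i, a second mssecsvc.exe instance runs with -m security, and somewhere in the trace 3359 distinct remote hosts are contacted. The script below is an added example, not part of the sandbox report or its tooling: it turns those signatures into detection rules (Windows-directory drops, execution of a dropped EXE, a rundll32 -> dropped EXE -> child lineage, and per-process host fan-out) and runs them over constructed events modelled on the report's process tree and IoCs. The event schema, the parent PIDs of the two tree roots, the attribution of the network connections to PID 1460 and the fan-out threshold are assumptions made for the example.

```python
"""Detection rules for the behaviours flagged in this report, run over
constructed events. Added example; the event schema is an assumption and not a
sandbox or EDR export format."""
from collections import defaultdict

DLL = r"C:\Users\Admin\AppData\Local\Temp\a8bff7f3bafcdc471d9d3e17bc359cf1_JaffaCakes118.dll"
WINDIR = "c:\\windows\\"

# Constructed events modelled on the process tree and IoCs in the report.
# PIDs, image paths and command lines are taken from the report; the parent
# PIDs of the two tree roots are not shown there and are left as None.
EVENTS = [
    {"type": "process", "pid": 728, "ppid": None,
     "image": r"C:\Windows\system32\rundll32.exe", "cmdline": f"rundll32.exe {DLL},#1"},
    {"type": "process", "pid": 3248, "ppid": 728,
     "image": r"C:\Windows\SysWOW64\rundll32.exe", "cmdline": f"rundll32.exe {DLL},#1"},
    {"type": "file_create", "pid": 3248, "path": r"C:\WINDOWS\mssecsvc.exe"},
    {"type": "process", "pid": 1460, "ppid": 3248,
     "image": r"C:\WINDOWS\mssecsvc.exe", "cmdline": r"C:\WINDOWS\mssecsvc.exe"},
    {"type": "file_create", "pid": 1460, "path": r"C:\WINDOWS\tasksche.exe"},
    {"type": "process", "pid": 3796, "ppid": 1460,
     "image": r"C:\WINDOWS\tasksche.exe", "cmdline": r"C:\WINDOWS\tasksche.exe /i"},
    {"type": "process", "pid": 996, "ppid": None,
     "image": r"C:\WINDOWS\mssecsvc.exe", "cmdline": r"C:\WINDOWS\mssecsvc.exe -m security"},
]
# The report counts 3359 distinct remote hosts but does not say which PID made
# the connections; attributing them to 1460 is an assumption for this example.
EVENTS += [{"type": "net_connect", "pid": 1460,
            "dst": f"10.{(i >> 16) & 255}.{(i >> 8) & 255}.{i & 255}"}
           for i in range(1, 3360)]


def windows_dir_drops(events):
    """'Drops file in Windows directory': file creations under the Windows dir."""
    return [(e["pid"], e["path"]) for e in events
            if e["type"] == "file_create" and e["path"].lower().startswith(WINDIR)]


def executes_dropped_exe(events):
    """'Executes dropped EXE': a process whose image was written earlier in the
    same trace. Returns (pid, image, creator_pid). Order matters: the
    file_create must precede the process start."""
    created, hits = {}, []
    for e in events:
        if e["type"] == "file_create":
            created[e["path"].lower()] = e["pid"]
        elif e["type"] == "process" and e["image"].lower() in created:
            hits.append((e["pid"], e["image"], created[e["image"].lower()]))
    return hits


def rundll32_drop_chain(events):
    """Lineage rule: rundll32.exe -> EXE it dropped in the Windows dir -> child
    of that EXE. Returns each matching PID chain, root first."""
    procs = {e["pid"]: e for e in events if e["type"] == "process"}
    dropped = {pid for pid, image, _ in executes_dropped_exe(events)
               if image.lower().startswith(WINDIR)}
    chains = []
    for pid, p in procs.items():
        parent = procs.get(p["ppid"])
        grand = procs.get(parent["ppid"]) if parent else None
        if not (parent and grand and parent["pid"] in dropped
                and grand["image"].lower().endswith("rundll32.exe")):
            continue
        chain, cur = [pid], p
        while cur["ppid"] in procs:          # walk up to the root of the tree
            cur = procs[cur["ppid"]]
            chain.append(cur["pid"])
        chains.append(chain[::-1])
    return chains


def host_fanout(events, threshold=100):
    """'Contacts a large amount of remote hosts': distinct destinations per PID
    at or above a threshold (the threshold is a tuning choice, not from the report)."""
    hosts = defaultdict(set)
    for e in events:
        if e["type"] == "net_connect":
            hosts[e["pid"]].add(e["dst"])
    return {pid: len(h) for pid, h in hosts.items() if len(h) >= threshold}


if __name__ == "__main__":
    print("Windows dir drops:", windows_dir_drops(EVENTS))
    print("Dropped EXEs run:", executes_dropped_exe(EVENTS))
    print("rundll32 drop chains:", rundll32_drop_chain(EVENTS))
    print("Host fan-out:", host_fanout(EVENTS))
```

On the constructed trace the rules reproduce the report's counts: two Windows-directory drops, three executions of a dropped EXE (PIDs 1460, 3796 and 996, the last one because mssecsvc.exe was already written by PID 3248 when the -m security instance started), one lineage 728 -> 3248 -> 1460 -> 3796, and a fan-out of 3359 hosts. The lineage rule is the one worth keeping in a real detection set: it fires on the shape of the chain rather than on the file names, which a variant can change freely.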
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 3.6MB
  MD5: 9d0c5e55fcc131a2b1367e47906d3d07
  SHA1: e18444fb0d57ff035da202e445dffcf8ad3e1ffa
  SHA256: a242d6d30d943d2bfddfa65223bcca53760ecfad31a6ae2b630242a999aa8d43
  SHA512: c63a2fdb193cddd9708da00775be20ef9023f7a4ae120aaa805f4ad306ad55a937b6fab35ad340822dd29249d0cc71d7c8b03e63a540c0fe2b6ad7fb72f2b3ba
- Filesize: 3.4MB
  MD5: cdebb45bfa5f10b0b831bf9fc498a696
  SHA1: a2e961203165d923296f14f22142eacebcf22fcf
  SHA256: afc7b0d1930a26180b40d2fcdd2c84521ac64962736bf5003a91f3afa709a5fc
  SHA512: da909d418089d60c2f055c77aca29a5d6ce4a9c63c7588c6489c31e6108bf4e5e6a4772808ed0bfc3def938c72a2109c90f00870ce4ca456b388553694b8698c