Analysis
- max time kernel: 150s
- max time network: 158s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 14-06-2024 08:36
Static task: static1
Behavioral task: behavioral1
- Sample: a8c326e0894458b54d3b2f3e3cf53ae5_JaffaCakes118.dll
- Resource: win7-20231129-en
Behavioral task: behavioral2
- Sample: a8c326e0894458b54d3b2f3e3cf53ae5_JaffaCakes118.dll
- Resource: win10v2004-20240508-en
General
- Target: a8c326e0894458b54d3b2f3e3cf53ae5_JaffaCakes118.dll
- Size: 5.0MB
- MD5: a8c326e0894458b54d3b2f3e3cf53ae5
- SHA1: b52dceed397066d4dcd63a592e275d3710512b4c
- SHA256: 7f33873f415e0d84c4504705b7d5959845a81c9cf086b08587d4f2699337071b
- SHA512: 02c54ea84212513e5c4974b2128d40d0668605e8f4e1f451891bf554a7695dd3d809ca536aab96d4b5d9b182106de1a34f21dedb13b0dbab4244c2593b99ded6
- SSDEEP: 49152:JnjQqMSPbcBVQej/1INRx+TSqTdX1HkQo6SAARdhnvxJM0H9PAMEc:d8qPoBhz1aRxcSUDk36SAEdhvxWa9P5
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.
- Contacts a large (3361) amount of remote hosts (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Executes dropped EXE (3 IoCs)
  Processes:
    pid   process
    4952  mssecsvc.exe
    2684  mssecsvc.exe
    2188  tasksche.exe
- Creates a large amount of network flows (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Drops file in Windows directory (2 IoCs)
  Processes:
    description   ioc                      process
    File created  C:\WINDOWS\tasksche.exe  mssecsvc.exe
    File created  C:\WINDOWS\mssecsvc.exe  rundll32.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes:
    description                       pid   process       target process
    PID 1020 wrote to memory of 3648  1020  rundll32.exe  rundll32.exe
    PID 1020 wrote to memory of 3648  1020  rundll32.exe  rundll32.exe
    PID 1020 wrote to memory of 3648  1020  rundll32.exe  rundll32.exe
    PID 3648 wrote to memory of 4952  3648  rundll32.exe  mssecsvc.exe
    PID 3648 wrote to memory of 4952  3648  rundll32.exe  mssecsvc.exe
    PID 3648 wrote to memory of 4952  3648  rundll32.exe  mssecsvc.exe
Processes
C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\a8c326e0894458b54d3b2f3e3cf53ae5_JaffaCakes118.dll,#1
  - Suspicious use of WriteProcessMemory
  PID:1020
  C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\a8c326e0894458b54d3b2f3e3cf53ae5_JaffaCakes118.dll,#1
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    PID:3648
    C:\WINDOWS\mssecsvc.exe
      C:\WINDOWS\mssecsvc.exe
      - Executes dropped EXE
      - Drops file in Windows directory
      PID:4952
      C:\WINDOWS\tasksche.exe
        C:\WINDOWS\tasksche.exe /i
        - Executes dropped EXE
        PID:2188
C:\WINDOWS\mssecsvc.exe
  C:\WINDOWS\mssecsvc.exe -m security
  - Executes dropped EXE
  PID:2684
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 3.6MB
  MD5: a8433cf4a2edb88d554bd3eda73bc75d
  SHA1: e14490bd4d487d1403e970e26249ae971df1d685
  SHA256: 85bbf60d6c77f59de24454f9caa63a73f2ceb542a37bde0b7008807da8d6ccf0
  SHA512: 581968740f31fccad4f273d9163776f84c1e5be06e7e8d0c445b463e42e44c5ab9937bc0d6678c9853629b3adb0dad8927c046fa93dacb7ac75ab11745ca0c67
- Filesize: 3.4MB
  MD5: 5786aaa4f672424a419d66f9a65043e9
  SHA1: 86b52a09ece20c196e68346da54f85ab0d1d0a2b
  SHA256: 1f1ca962967b9e36dc4080039cfdeaba354b88d7daa0767259d3f2e92b695b22
  SHA512: d317304be1b09cde275bbb50f04f6c6c39b08b0f215d72cfdbda10a08f04822319e1362a224b03bf45a7c51e18e312091e2cd1cc835f823ac032e98205993cba