Analysis

- max time kernel: 150s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 14-06-2024 17:14
Static task: static1

Behavioral task: behavioral1
- Sample: aadbf0d70f1b01b3af63020e0c22ecfb_JaffaCakes118.dll
- Resource: win7-20240220-en

Behavioral task: behavioral2
- Sample: aadbf0d70f1b01b3af63020e0c22ecfb_JaffaCakes118.dll
- Resource: win10v2004-20240508-en
General

- Target: aadbf0d70f1b01b3af63020e0c22ecfb_JaffaCakes118.dll
- Size: 5.0MB
- MD5: aadbf0d70f1b01b3af63020e0c22ecfb
- SHA1: 1fe092595535e28ade660c16c8a11b5bdebe23eb
- SHA256: 9b28253bb682bba95e21029b662950e431d89ff35c5ab4c824d8d94f05bf3345
- SHA512: d9ca53548a6b04bd4473971b197603888587ef021e7effe391a06310d66a64c93920eea295e6084ecadcb8e83a25c95238f2f6b961d742d174febf36bfdaab1d
- SSDEEP: 49152:JnjQqMSPbcBVQej/1INRx+TSqTdX1HkQo6SAARdhnvxJM0H+SMbBPWky:d8qPoBhz1aRxcSUDk36SAEdhvxWahF
Malware Config
Signatures

- Wannacry
  WannaCry is a ransomware cryptoworm.

- Contacts a large (3371) amount of remote hosts (1 TTP)
  This may indicate a network scan to discover remotely running services.

- Executes dropped EXE (3 IoCs)
  Processes:
  PID    Process
  2444   mssecsvc.exe
  3772   mssecsvc.exe
  4316   tasksche.exe

- Creates a large amount of network flows (1 TTP)
  This may indicate a network scan to discover remotely running services.

- Drops file in Windows directory (2 IoCs)
  Processes:
  Description    IoC                        Process
  File created   C:\WINDOWS\tasksche.exe    mssecsvc.exe
  File created   C:\WINDOWS\mssecsvc.exe    rundll32.exe

- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes:
  Description                        PID    Process        Target process
  PID 4792 wrote to memory of 216    4792   rundll32.exe   rundll32.exe
  PID 4792 wrote to memory of 216    4792   rundll32.exe   rundll32.exe
  PID 4792 wrote to memory of 216    4792   rundll32.exe   rundll32.exe
  PID 216 wrote to memory of 2444    216    rundll32.exe   mssecsvc.exe
  PID 216 wrote to memory of 2444    216    rundll32.exe   mssecsvc.exe
  PID 216 wrote to memory of 2444    216    rundll32.exe   mssecsvc.exe
Processes

- C:\Windows\system32\rundll32.exe (depth 1)
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\aadbf0d70f1b01b3af63020e0c22ecfb_JaffaCakes118.dll,#1
  Signatures: Suspicious use of WriteProcessMemory
  PID: 4792

  - C:\Windows\SysWOW64\rundll32.exe (depth 2)
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\aadbf0d70f1b01b3af63020e0c22ecfb_JaffaCakes118.dll,#1
    Signatures: Drops file in Windows directory; Suspicious use of WriteProcessMemory
    PID: 216

    - C:\WINDOWS\mssecsvc.exe (depth 3)
      Command line: C:\WINDOWS\mssecsvc.exe
      Signatures: Executes dropped EXE; Drops file in Windows directory
      PID: 2444

      - C:\WINDOWS\tasksche.exe (depth 4)
        Command line: C:\WINDOWS\tasksche.exe /i
        Signatures: Executes dropped EXE
        PID: 4316

- C:\WINDOWS\mssecsvc.exe (depth 1)
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  Signatures: Executes dropped EXE
  PID: 3772

- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 1)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4328,i,15721081447618313297,6839074028983272033,262144 --variations-seed-version --mojo-platform-channel-handle=3848 /prefetch:8
  PID: 3016
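The three behavioural signatures above (Drops file in Windows directory, Executes dropped EXE, Contacts a large amount of remote hosts) are simple correlations over the process, file and network events the sandbox recorded. The following Python is an added example of how that correlation can be written, not the sandbox's own detection code. The event log it runs on is constructed from the process tree and IoCs shown in this report; the report does not say which process produced the 3371 network flows or list the hosts, so the synthetic 192.168.x.y addresses attributed to PID 3772, the benign "updater.exe" (PID 999) used as noise, and the fan-out threshold of 100 are all assumptions made for the example.

```python
"""Re-implementation of three sandbox behavioural signatures over a constructed
event log mirroring the WannaCry report above. Added example, not sandbox code."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Report shows drops under C:\WINDOWS\...; compare case-insensitively.
WINDOWS_DIR = "c:\\windows\\"


@dataclass(frozen=True)
class Event:
    kind: str           # "process_create" | "file_create" | "net_connect"
    pid: int            # acting process
    image: str          # acting process image name
    target: str         # child image path, created file path, or remote host
    child_pid: int = 0  # only for process_create
    cmdline: str = ""   # only for process_create


def _flows(pid: int, image: str, hosts) -> List[Event]:
    return [Event("net_connect", pid, image, h) for h in hosts]


# Constructed log in time order, taken from the process tree and IoC tables.
# The scanning process and host list are NOT in the report: flows are assigned
# to PID 3772 and PID 999 "updater.exe" is invented noise, both for illustration.
EVENTS: List[Event] = [
    Event("process_create", 4792, "rundll32.exe", r"C:\Windows\SysWOW64\rundll32.exe", 216,
          r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\aadbf0d70f1b01b3af63020e0c22ecfb_JaffaCakes118.dll,#1"),
    Event("file_create", 216, "rundll32.exe", r"C:\WINDOWS\mssecsvc.exe"),
    Event("process_create", 216, "rundll32.exe", r"C:\WINDOWS\mssecsvc.exe", 2444, r"C:\WINDOWS\mssecsvc.exe"),
    Event("file_create", 2444, "mssecsvc.exe", r"C:\WINDOWS\tasksche.exe"),
    Event("process_create", 2444, "mssecsvc.exe", r"C:\WINDOWS\tasksche.exe", 4316, r"C:\WINDOWS\tasksche.exe /i"),
    # The service instance is a root in the report's tree; parent unknown (pid 0).
    Event("process_create", 0, "", r"C:\WINDOWS\mssecsvc.exe", 3772, r"C:\WINDOWS\mssecsvc.exe -m security"),
    *_flows(3772, "mssecsvc.exe", (f"192.168.{i // 256}.{i % 256}" for i in range(3371))),
    *_flows(999, "updater.exe", ["203.0.113.10", "203.0.113.11"]),
]


def drops_in_windows_dir(events: List[Event]) -> List[Tuple[str, str]]:
    """'Drops file in Windows directory': (dropper image, created path) pairs."""
    return [(e.image, e.target) for e in events
            if e.kind == "file_create" and e.target.lower().startswith(WINDOWS_DIR)]


def executes_dropped_exe(events: List[Event]) -> List[Tuple[int, str]]:
    """'Executes dropped EXE': a process start whose image path was created
    earlier in the same log. One pass in time order, so a file created after
    the start does not count, and a second start of the same dropped file
    (here mssecsvc.exe -m security) is reported again."""
    dropped = set()
    hits = []
    for e in events:
        if e.kind == "file_create":
            dropped.add(e.target.lower())
        elif e.kind == "process_create" and e.target.lower() in dropped:
            hits.append((e.child_pid, e.target))
    return hits


def remote_host_fanout(events: List[Event], threshold: int = 100) -> Dict[Tuple[int, str], int]:
    """'Contacts a large amount of remote hosts': distinct remote hosts per
    (pid, image), keeping processes at or above the threshold. The sandbox's
    real cut-off is not stated in the report; 100 is an assumed default."""
    hosts = defaultdict(set)
    for e in events:
        if e.kind == "net_connect":
            hosts[(e.pid, e.image)].add(e.target)
    return {k: len(v) for k, v in hosts.items() if len(v) >= threshold}


if __name__ == "__main__":
    for drop in drops_in_windows_dir(EVENTS):
        print("drop in Windows dir:", drop)
    for hit in executes_dropped_exe(EVENTS):
        print("executed dropped exe:", hit)
    for proc, n in remote_host_fanout(EVENTS).items():
        print("high fan-out:", proc, n, "distinct hosts")
```

Run stand-alone it reports the two Windows-directory drops, the three dropped-EXE executions (PIDs 2444, 4316 and 3772, matching the IoC table) and the single high fan-out process; the two-host "updater.exe" stays below the threshold. Counting distinct hosts rather than flows is what separates a scan from a chatty client talking to one server.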
Network
MITRE ATT&CK Enterprise v15
Downloads

- Filesize: 3.6MB
  MD5: 30bc40dfeffebc119ec1e6c01698319b
  SHA1: 1cdd02930d94f37e1948c5178e1bb3c0ecb73aa8
  SHA256: 35a76e6fe6a50ee15469b9337efdabb6ae9355341ec22ca7b495073edcea7720
  SHA512: 93b9c10896e29f805f481f96dc56370bb27d24c77e310d5ad557f5ea5258545a9dd1c5399ad71a3dac2dd4aa5c940e3611400d1e3d2922cb49fa4901a6250062

- Filesize: 3.4MB
  MD5: a0b8edde5cc9687d21ce3cbff7ba5288
  SHA1: 70ab45e14efa6616bdfc45970268ae00f7640cad
  SHA256: 5c9e87da1c86135ec54c8ede1e05b6ed60ad6ade2bf91301be564c909a20018c
  SHA512: 4da5353cc19a65fe9da0f2ae2d95d94d19cb51bcfae21d2218ff856b9aec1239198fe73e0e1683e0f8cd25cfb9f0021c9e7e6167456ac6301747eae0f0bf12e2