Analysis
- max time kernel: 150s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 15-06-2024 08:09
Static task: static1
Behavioral task: behavioral1
- Sample: ad783fbf722b1db4fe8450ee66e5025b_JaffaCakes118.dll
- Resource: win7-20240508-en
Behavioral task: behavioral2
- Sample: ad783fbf722b1db4fe8450ee66e5025b_JaffaCakes118.dll
- Resource: win10v2004-20240508-en
General
- Target: ad783fbf722b1db4fe8450ee66e5025b_JaffaCakes118.dll
- Size: 5.0MB
- MD5: ad783fbf722b1db4fe8450ee66e5025b
- SHA1: 9d85bb023c3565d793558bdb77ef4e5e31d44d74
- SHA256: 71ead60c0733e8183627dff103ff724a9c60c836927d5243748b09de52cd036e
- SHA512: d7a8ae5cae75f0be7616e18b9ad1bf368300416b547dda8012aa6e36c2f5140252cad0800b60b58c929e352361c33112bcb6df48b43593c089ef4973d1df57de
- SSDEEP: 98304:d8qPoBhvRxcSUZk36SAEdhvxWa9P593R8yAVp2H:d8qP8xc7k3ZAEUadzR8yc4H
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.
- Contacts a large (3351) amount of remote hosts (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Executes dropped EXE (3 IoCs)
  Processes:
  pid   process
  2696  mssecsvc.exe
  4820  mssecsvc.exe
  924   tasksche.exe
- Creates a large amount of network flows (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Drops file in Windows directory (2 IoCs)
  Processes:
  description   ioc                        process
  File created  C:\WINDOWS\tasksche.exe    mssecsvc.exe
  File created  C:\WINDOWS\mssecsvc.exe    rundll32.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes:
  description                        pid   process       target process
  PID 4404 wrote to memory of 4588   4404  rundll32.exe  rundll32.exe
  PID 4404 wrote to memory of 4588   4404  rundll32.exe  rundll32.exe
  PID 4404 wrote to memory of 4588   4404  rundll32.exe  rundll32.exe
  PID 4588 wrote to memory of 2696   4588  rundll32.exe  mssecsvc.exe
  PID 4588 wrote to memory of 2696   4588  rundll32.exe  mssecsvc.exe
  PID 4588 wrote to memory of 2696   4588  rundll32.exe  mssecsvc.exe
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\ad783fbf722b1db4fe8450ee66e5025b_JaffaCakes118.dll,#1
  PID: 4404
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\ad783fbf722b1db4fe8450ee66e5025b_JaffaCakes118.dll,#1
    PID: 4588
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    - C:\WINDOWS\mssecsvc.exe
      Command line: C:\WINDOWS\mssecsvc.exe
      PID: 2696
      - Executes dropped EXE
      - Drops file in Windows directory
      - C:\WINDOWS\tasksche.exe
        Command line: C:\WINDOWS\tasksche.exe /i
        PID: 924
        - Executes dropped EXE
- C:\WINDOWS\mssecsvc.exe
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  PID: 4820
  - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 3.6MB
  MD5: ceb61d60078674ff69a430abf6657ad7
  SHA1: 5a7dd87f25bd07c0a51261af8d52bf31102d009d
  SHA256: cbe882c23eb30d3b12e0c3b589a7ff6378c5efc8de75414a554292c572014fe2
  SHA512: e724d92ad701e0c3b8e56196c126cb9691d42a3fac5863966cd0d574323b30e710738cd85f70ad7d85e07e396a3dbbb839d2a86617616271bcd5b27a77a52076
- Filesize: 3.4MB
  MD5: bff42f0fc080bf4aea86fc1dd043fd07
  SHA1: c5befd5eda89e73b4d2d9c8b555bd3d3877acb80
  SHA256: 4e99af6c34a00f104e372d545f2295fb13a369a187d1183f97e7c96e4225a2c1
  SHA512: 203ca18be21e2894545ec628d99b99409c094b6fb67ad8a1e852180d271792dfad69d6c491d8467fb2f4b9cb7f48338ecdd4549daf838b7385f4018f7782e509