Analysis
- max time kernel: 150s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20240611-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 15-06-2024 17:50
Static task
static1
Behavioral task
behavioral1
Sample
afa43a534b89186dcb549654b3c9a887_JaffaCakes118.dll
Resource
win7-20231129-en
Behavioral task
behavioral2
Sample
afa43a534b89186dcb549654b3c9a887_JaffaCakes118.dll
Resource
win10v2004-20240611-en
General
- Target: afa43a534b89186dcb549654b3c9a887_JaffaCakes118.dll
- Size: 5.0MB
- MD5: afa43a534b89186dcb549654b3c9a887
- SHA1: 50a3b4c33a165548a9a6921a5c984ceb26ad27ea
- SHA256: 0d47f7bfb29d2a17bcaf8614e8c9d7a7b03500527602d926f5d597011e193b50
- SHA512: ae7066464795e6b0a51d08ed65a7252e3be1d9fd1034f5a4ba7c0726125f55c4dd8f40abe04f8829f668475790477daceca92a5b9f0734c4e208cccfdbe851a4
- SSDEEP: 98304:d8qPoBhz1aRxcSUDk36SA9xWa9P593R8yAVp2H:d8qPe1Cxcxk3ZA2adzR8yc4H
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.
- Contacts a large (3226) amount of remote hosts (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Executes dropped EXE (3 IoCs)
  Processes: mssecsvc.exe, mssecsvc.exe, tasksche.exe
  pid   process
  836   mssecsvc.exe
  4692  mssecsvc.exe
  3124  tasksche.exe
- Creates a large amount of network flows (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Drops file in Windows directory (2 IoCs)
  Processes: rundll32.exe, mssecsvc.exe
  description   ioc                        process
  File created  C:\WINDOWS\mssecsvc.exe    rundll32.exe
  File created  C:\WINDOWS\tasksche.exe    mssecsvc.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes: rundll32.exe, rundll32.exe
  description                       pid   process       target process
  PID 3104 wrote to memory of 1140  3104  rundll32.exe  rundll32.exe
  PID 3104 wrote to memory of 1140  3104  rundll32.exe  rundll32.exe
  PID 3104 wrote to memory of 1140  3104  rundll32.exe  rundll32.exe
  PID 1140 wrote to memory of 836   1140  rundll32.exe  mssecsvc.exe
  PID 1140 wrote to memory of 836   1140  rundll32.exe  mssecsvc.exe
  PID 1140 wrote to memory of 836   1140  rundll32.exe  mssecsvc.exe
Processes
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\afa43a534b89186dcb549654b3c9a887_JaffaCakes118.dll,#1
  - Suspicious use of WriteProcessMemory
  PID:3104
  - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\afa43a534b89186dcb549654b3c9a887_JaffaCakes118.dll,#1
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    PID:1140
    - C:\WINDOWS\mssecsvc.exe
      C:\WINDOWS\mssecsvc.exe
      - Executes dropped EXE
      - Drops file in Windows directory
      PID:836
      - C:\WINDOWS\tasksche.exe
        C:\WINDOWS\tasksche.exe /i
        - Executes dropped EXE
        PID:3124
- C:\WINDOWS\mssecsvc.exe
  C:\WINDOWS\mssecsvc.exe -m security
  - Executes dropped EXE
  PID:4692
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 3.6MB
  MD5: 6b10f50ccc007f921a3f42530fd3cb4e
  SHA1: 203af92090f7733972359f7e3f8f8b55e4147e45
  SHA256: 83994580a212d2139b46757c28e0a737ed5305b88436a8517553fe7a34fd16dc
  SHA512: f6abc4f93376c7bdc5b81463fafad7f8677d73594de477a8bc66f81578169da534ce8c061c615d7db738d49001dccbfea654fe4d7b939a889d82acb178a667a8
- Filesize: 3.4MB
  MD5: adc305e297b2b29180bca2f99ccfddb0
  SHA1: 68ff5df984561086735398218ea023d21ba4ba6c
  SHA256: 3e05a7ef86fb918d6af3e26d1abc4b24f223f9b41d82da8f210b5ea259031ed7
  SHA512: 32a2a80b2431774ae6074bbf83798c33e936844ba6bc1a98b7148536a476222d816cc6fd94bd1b296834b443630884bd8e6fdbaa5d68ea1ece2857efeabe9f4f