Analysis
-
max time kernel
150s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
-
submitted
21-08-2024 06:39
General
-
Target
b27277135d9e2f8256c091534198aa6e_JaffaCakes118.dll
-
Size
5.0MB
-
MD5
b27277135d9e2f8256c091534198aa6e
-
SHA1
c81a4b9d02510c06176b87b03ebb354bbde94057
-
SHA256
25e8141ba936fb55e0e7a6dfdf911870f11285dd48532feb8ac2a9495539b23a
-
SHA512
a85ea6b2fe1e3154ed869eb1727f110f25d6a464f1ee2b30394f0bfea210c9b3ae779faf94783be205e2b77bb465967938a0e37e3f97677d99867f524cbed09c
-
SSDEEP
98304:+DqPoB31aRxcSUDk36SAEdhvxWa9P593R8yAVp2s:+DqP01Cxcxk3ZAEUadzR8yc4s
Malware Config
Signatures
-
Wannacry
WannaCry is a ransomware cryptoworm.
-
Contacts a large (3300) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Executes dropped EXE 3 IoCs
-
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Drops file in Windows directory 2 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Modifies data under HKEY_USERS 5 IoCs
-
Suspicious use of WriteProcessMemory 6 IoCs
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\b27277135d9e2f8256c091534198aa6e_JaffaCakes118.dll,#11⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\b27277135d9e2f8256c091534198aa6e_JaffaCakes118.dll,#12⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\WINDOWS\mssecsvc.exeC:\WINDOWS\mssecsvc.exe3⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
-
C:\WINDOWS\tasksche.exeC:\WINDOWS\tasksche.exe /i4⤵
- Executes dropped EXE
-
-
-
-
C:\WINDOWS\mssecsvc.exeC:\WINDOWS\mssecsvc.exe -m security1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4264,i,10065386245627775856,6567048529106473151,262144 --variations-seed-version --mojo-platform-channel-handle=1964 /prefetch:81⤵
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3.6MB
MD5cd38f327636b95f97e8c5f9213260365
SHA1e821b7cf859cd92607fa1971af0bd3ad86f2bda5
SHA25644246267cb8bdf63ca12ea830417136725898b85698bbaee559eeba8058677df
SHA512e0a830a02c914918d73171f95aaff3f043660dd6f07a2146365506c06c0344c7fd61362cde648d468b132b452e102e40e4499d8b9e95c994ca3b01daa15180bb
-
Filesize
3.4MB
MD54c719cacbc1bf37826c8a9c8419065d5
SHA15729776e488b60d265e127ca6b5f6591103ca587
SHA256ff01ad34f6c8044bdc1a655675000727f4a67217ab00470a9088bf4b597d4338
SHA512bf741185452a9c54459b604413a8e306e53742b3e6f482d355daccbca32249a2651c4a1b31ce5fea8e76ae74bf01958f2507452968e815aec4c9fdebca125794