Analysis
- max time kernel: 150s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 26-08-2024 06:56

Static task: static1

Behavioral task: behavioral1
  Sample: c27ecb1de9ca748605af567237eeed4f_JaffaCakes118.dll
  Resource: win7-20240708-en

Behavioral task: behavioral2
  Sample: c27ecb1de9ca748605af567237eeed4f_JaffaCakes118.dll
  Resource: win10v2004-20240802-en
General
- Target: c27ecb1de9ca748605af567237eeed4f_JaffaCakes118.dll
- Size: 5.0MB
- MD5: c27ecb1de9ca748605af567237eeed4f
- SHA1: f3b0fed4b1ba6da067663fed061d1ba03c883ab4
- SHA256: d6cb63f23b784915ebd8ac1b195c46251fa1241b324beb99a61d7c4ba27ea99b
- SHA512: 97b1e363a8a8685d796aa87d65f219a8b41713bc8927e3bf05405741659a097008bce261b8746b1d63faf5516ee3ac0a283fbdc7f17060e16617237150c8ebae
- SSDEEP: 24576:JbLgdeQhfdmMSirYbcMNgef0QeQjG/D8kIqRYoAd:JnjQqMSPbcBVQej/1I
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.
- Contacts a large (3059) amount of remote hosts (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Executes dropped EXE (3 IoCs)
  pid   Process
  1148  mssecsvc.exe
  1764  mssecsvc.exe
  4528  tasksche.exe
- Creates a large amount of network flows (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Drops file in Windows directory (2 IoCs)
  description   ioc                       Process
  File created  C:\WINDOWS\mssecsvc.exe   rundll32.exe
  File created  C:\WINDOWS\tasksche.exe   mssecsvc.exe
- System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                          Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  rundll32.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  mssecsvc.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  mssecsvc.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  description                         pid   Process       procid_target
  PID 3612 wrote to memory of 424     3612  rundll32.exe  84
  PID 3612 wrote to memory of 424     3612  rundll32.exe  84
  PID 3612 wrote to memory of 424     3612  rundll32.exe  84
  PID 424 wrote to memory of 1148     424   rundll32.exe  87
  PID 424 wrote to memory of 1148     424   rundll32.exe  87
  PID 424 wrote to memory of 1148     424   rundll32.exe  87
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\c27ecb1de9ca748605af567237eeed4f_JaffaCakes118.dll,#1
  PID: 3612
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\c27ecb1de9ca748605af567237eeed4f_JaffaCakes118.dll,#1
    PID: 424
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    - C:\WINDOWS\mssecsvc.exe
      Command line: C:\WINDOWS\mssecsvc.exe
      PID: 1148
      - Executes dropped EXE
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - C:\WINDOWS\tasksche.exe
        Command line: C:\WINDOWS\tasksche.exe /i
        PID: 4528
        - Executes dropped EXE
- C:\WINDOWS\mssecsvc.exe
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  PID: 1764
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 3.6MB
  MD5: 58307b57d8768dd4392b17dc94261221
  SHA1: 7c972e40f96b3980f9e012a7c6db243d3a35f834
  SHA256: d21081d828e9cbf42d91850ccf4a6acef2be17892528987392f5a16bf84e99f1
  SHA512: 05dc925cf6dfbfec780326791418c31986765d83d43818d1d9a5d3d37d2bbe7f4d374c63d888f0346797bb933052c6bf2ec275cea8beda4e87e754a29f3e5c5d
- Filesize: 3.4MB
  MD5: 47a2a3ed83a3e4b42b339434b8d7795b
  SHA1: 6bf51b555fe4784326d2c0bff717d228b5789311
  SHA256: eb5b0fa26712e678240a0c7fe2fdbb218763ad6b7b8b757d25dab9c5d2879d84
  SHA512: fe487c6ed2ac7b9380e6d2abea5f7002c423bd4ae5ebec22c94622a62629b259905e21a80e7412e7a5583af299fa10def210f6f6c3c295e838636f885fa77014