Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
-
submitted
28-08-2024 00:50
General
-
Target
c5fe708211a86f20b67e9a576e744f43_JaffaCakes118.dll
-
Size
5.0MB
-
MD5
c5fe708211a86f20b67e9a576e744f43
-
SHA1
3a5c49ef70078f99269fb36a30dd45c8ca709ac1
-
SHA256
60770e4751114df2b31a672db19fd5bd04ec63b77860e3b746f9eb9838356968
-
SHA512
dc3ea5d4e73c6ce69d6c44ead78063e199c4ab8f457786e2365ec2f6636930bc0d08db95986f743b159eb2e7ea3250d1b07a67989bd1afb0461a9ae13b36cf0b
-
SSDEEP
98304:TDqPoBhz1aRxcSUDk36SAVvxWa9p593R8yAVp2H:TDqPe1Cxcxk3ZAyaPzR8yc4H
Malware Config
Signatures
-
Wannacry
WannaCry is a ransomware cryptoworm.
-
Contacts a large (3225) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Executes dropped EXE 3 IoCs
-
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Drops file in Windows directory 2 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Modifies data under HKEY_USERS 5 IoCs
-
Suspicious use of WriteProcessMemory 6 IoCs
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\c5fe708211a86f20b67e9a576e744f43_JaffaCakes118.dll,#11⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\c5fe708211a86f20b67e9a576e744f43_JaffaCakes118.dll,#12⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\WINDOWS\mssecsvc.exeC:\WINDOWS\mssecsvc.exe3⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
-
C:\WINDOWS\tasksche.exeC:\WINDOWS\tasksche.exe /i4⤵
- Executes dropped EXE
-
-
-
-
C:\WINDOWS\mssecsvc.exeC:\WINDOWS\mssecsvc.exe -m security1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4248,i,15436195446242760253,4000484513008731869,262144 --variations-seed-version --mojo-platform-channel-handle=4208 /prefetch:81⤵
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3.6MB
MD52b49b13445e21852d9dfa48fadb3e7f9
SHA13ef5a499e90730a1a59cf7e43ed1621c69ae172f
SHA256069c4beccb86d69dd91dc153bfb63042156d1d5d215002a3471d278c25105bc1
SHA51279b77c4db3f76296a50aa54287ba19ad771ed48020fc8c121b69caa0a3846ca4c78b8be08bcf4f2b6f2b7545b851d855eff8c5adf77328ec395b70c685cfc037
-
Filesize
3.4MB
MD56ca3195f0e24912321277cfc20cc3b6c
SHA1d871e04be352f05423ec54acc26e3df4b6a68363
SHA256faa6cf366afcffa39c3797c29371dc7a871fa7f11ac73fbac40d81ab6df4d891
SHA5127d49abc8d79da5a05b88702a8f8377db445769f3fd6441ab9f9108a34498275ef24d6fb56766ccbe1f0a9123c39b2fabe9681b0b011bb6ed9037f1ce93e8cb13