Analysis
-
max time kernel
150s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
-
submitted
12-09-2024 02:38
General
-
Target
dbaa6972976aa730e66dd5e064d1799f_JaffaCakes118.dll
-
Size
5.0MB
-
MD5
dbaa6972976aa730e66dd5e064d1799f
-
SHA1
47411ee85b1f0486455395848af1026443b4e500
-
SHA256
fb75c5c043143911a4a7691ae86b6f3a93c8f39f1d7d560a851f19e3208e9ff8
-
SHA512
8f398e1b9f7f644e517323ddb447d7dfb9b2993760fab0c6a0453dcc3b85ba10a802616d5ae3d11bbcc3fdfb2383698fe7e53e31962361456200c93cdd7f944b
-
SSDEEP
49152:znAQqMSPbcBVQej/1INRx+TSqTdX1HkQo6SAARdhnvxJM0H9PA:TDqPoBhz1aRxcSUDk36SAEdhvxWa9P
Malware Config
Signatures
-
Wannacry
WannaCry is a ransomware cryptoworm.
-
Contacts a large (3350) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Executes dropped EXE 3 IoCs
-
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Drops file in Windows directory 2 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Modifies data under HKEY_USERS 5 IoCs
-
Suspicious use of WriteProcessMemory 6 IoCs
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\dbaa6972976aa730e66dd5e064d1799f_JaffaCakes118.dll,#11⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\dbaa6972976aa730e66dd5e064d1799f_JaffaCakes118.dll,#12⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\WINDOWS\mssecsvc.exeC:\WINDOWS\mssecsvc.exe3⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
-
C:\WINDOWS\tasksche.exeC:\WINDOWS\tasksche.exe /i4⤵
- Executes dropped EXE
-
-
-
-
C:\WINDOWS\mssecsvc.exeC:\WINDOWS\mssecsvc.exe -m security1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4324,i,16316361669272684588,6171287487746154806,262144 --variations-seed-version --mojo-platform-channel-handle=4332 /prefetch:81⤵
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3.6MB
MD5976f9f563150aa5ef673145f70d0bdf1
SHA137526d6f5f856ca8f10789d0614b8258e554a2fb
SHA25664e2183b3ade839c6431d1672c6950b1d13aa4dc3c1ed191d6f44e1ad15c1ffb
SHA512417687f8f97e101ef48cd4c45483e5c47310e97d2750f6818fbb691a50b4ba2fe28d033caf2e9004d6a87dd7da8d63691ff1ccffec644eb96df7fd5cd4809989
-
Filesize
3.4MB
MD5aea7ce3109b4b9c84a738e3356614038
SHA170303c292882d94259700ddf12498b28b76f707f
SHA256d9551cc1468cf9ded8c1babe8fe646e309c3de1a33422c768647077348a236d7
SHA512ed1ffe444b91fe36a4ff906a8056fc78a9e3b7e9b4fa3efd831de65fd88bfaf0d39ee8071ec31e1eb201e8efa9c3f1e368eddb461248efe14df41b0ec2d29a48