Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
15-09-2024 01:47
Static task
static1
Behavioral task
behavioral1
Sample
e177cdb4e594393b747d46b74b31cc19_JaffaCakes118.dll
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
e177cdb4e594393b747d46b74b31cc19_JaffaCakes118.dll
Resource
win10v2004-20240802-en
General
-
Target
e177cdb4e594393b747d46b74b31cc19_JaffaCakes118.dll
-
Size
5.0MB
-
MD5
e177cdb4e594393b747d46b74b31cc19
-
SHA1
c43c50fc6adf885b43ab3113147373ae3526e93c
-
SHA256
e52a4ccbcb4355dabab5db1006f232420bbd735886347788ef29682865c6fef4
-
SHA512
78802d8bda1be78dff7a5590bc0362b4252ebe02b4befbe4093ad43f6c750966e35266d3820ac721216154a878213a91351c88a841172f69eb9b8eab93af5da8
-
SSDEEP
98304:T8qPoBi1aRxcSUDk36SAEdhvxWa9P593R8yAVp2H:T8qPJ1Cxcxk3ZAEUadzR8yc4H
Malware Config
Signatures
-
Wannacry
WannaCry is a ransomware cryptoworm.
-
Contacts a large (3213) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Executes dropped EXE 3 IoCs
pid Process 1428 mssecsvc.exe 4100 mssecsvc.exe 2304 tasksche.exe -
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Drops file in Windows directory 2 IoCs
description ioc Process File created C:\WINDOWS\mssecsvc.exe rundll32.exe File created C:\WINDOWS\tasksche.exe mssecsvc.exe -
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mssecsvc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mssecsvc.exe -
Suspicious use of WriteProcessMemory 6 IoCs
description pid Process procid_target PID 4268 wrote to memory of 876 4268 rundll32.exe 83 PID 4268 wrote to memory of 876 4268 rundll32.exe 83 PID 4268 wrote to memory of 876 4268 rundll32.exe 83 PID 876 wrote to memory of 1428 876 rundll32.exe 84 PID 876 wrote to memory of 1428 876 rundll32.exe 84 PID 876 wrote to memory of 1428 876 rundll32.exe 84
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\e177cdb4e594393b747d46b74b31cc19_JaffaCakes118.dll,#11⤵
- Suspicious use of WriteProcessMemory
PID:4268 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\e177cdb4e594393b747d46b74b31cc19_JaffaCakes118.dll,#12⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:876 -
C:\WINDOWS\mssecsvc.exeC:\WINDOWS\mssecsvc.exe3⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:1428 -
C:\WINDOWS\tasksche.exeC:\WINDOWS\tasksche.exe /i4⤵
- Executes dropped EXE
PID:2304
-
-
-
-
C:\WINDOWS\mssecsvc.exeC:\WINDOWS\mssecsvc.exe -m security1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4100
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3.6MB
MD5e7f918509969e2341d145b92e6d2ef50
SHA117effb161083eeb468850dce80408b4f229f9297
SHA256092b88f8eca76534498feb06d60c12814d5acb6047ad700655e83a0c281325e7
SHA5127155cad4e893fdab64ac8d46caec95207065ce525487752b1130bc7c402587f8396ace3afdf38d124836eb129dcc8ddf57f613e1dc90d08bac76492669800305
-
Filesize
3.4MB
MD57d9c28f3901927758f1f6ed29d642dc5
SHA1eae0c49d2e2e0d431d5f019290aa7739642b5172
SHA256b912666d2c157e67c6d270da86c8eeff4da5b2e05dd1bc2cc5fe30425ffcbc64
SHA512e0931d3f3a0a26ba4a45410819b4e2fbfa7ea730d02a5efbe6e215bb0c65e6f213a08a9b14d2bf63948192d8a8b7aa108558c2d7f04d2db789e1b0a77c9cc446