Analysis
max time kernel: 150s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 15-09-2024 15:35
Static task: static1
Behavioral task: behavioral1
  Sample: e2d020e6ae743949b87756fc1c34215d_JaffaCakes118.dll
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: e2d020e6ae743949b87756fc1c34215d_JaffaCakes118.dll
  Resource: win10v2004-20240802-en
General
Target: e2d020e6ae743949b87756fc1c34215d_JaffaCakes118.dll
Size: 5.0MB
MD5: e2d020e6ae743949b87756fc1c34215d
SHA1: 8307a670bd5cbd866fde71d420a08979312b2d52
SHA256: 5d7c8a086732b2c1d968f1b6888923a7b874b5b1b7e09fe078c8c55feb421021
SHA512: c920498ae3a47ac15527654549ee948dc6b93f1db738bedf61846a96cdb2563d2a3f99624c81c417dbb14ff5feb3c1a5a5895feb1ce3a6e3245ceae7430c775f
SSDEEP: 49152:SnjQqMSPbcBVQej/1INRx+TSqTdX1HkQo6SAARdhnvxJM0H9PAMEc:+8qPoBhz1aRxcSUDk36SAEdhvxWa9P5
Malware Config
Signatures

Wannacry
WannaCry is a ransomware cryptoworm.

Contacts a large (3333) number of remote hosts (1 TTP)
This may indicate a network scan to discover remotely running services.

Executes dropped EXE (3 IoCs)
  PID   Process
  4312  mssecsvc.exe
  1220  mssecsvc.exe
  3044  tasksche.exe

Creates a large amount of network flows (1 TTP)
This may indicate a network scan to discover remotely running services.

Drops file in Windows directory (2 IoCs)
  Description   IoC                       Process
  File created  C:\WINDOWS\mssecsvc.exe   rundll32.exe
  File created  C:\WINDOWS\tasksche.exe   mssecsvc.exe

System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.
  Description  IoC                                                           Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   rundll32.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   mssecsvc.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   mssecsvc.exe

Suspicious use of WriteProcessMemory (6 IoCs)
  Description                        PID   Process       Target procid
  PID 2800 wrote to memory of 3052   2800  rundll32.exe  81   (reported 3 times)
  PID 3052 wrote to memory of 4312   3052  rundll32.exe  82   (reported 3 times)
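The two network signatures above (3333 remote hosts, a large number of flows) describe SMB fan-out. The following added example, which is not part of the sandbox report, shows the check a practitioner would run over flow logs to catch it: the maximum number of distinct TCP/445 destinations a single source reaches inside a sliding time window. The flow records are constructed to mirror the report's 3333-host figure; the 60 s window and the 100-host threshold are assumed values, not figures from the report.

```python
"""Flag SMB fan-out of the kind behind the '3333 remote hosts' signature.

Added example, not part of the sandbox report. The flow records below are
constructed; the window length and threshold are assumptions.
"""
from collections import defaultdict
from ipaddress import ip_address

WINDOW_SECONDS = 60            # assumed
DISTINCT_HOST_THRESHOLD = 100  # assumed


def make_flows():
    """Constructed flow log as (timestamp, src, dst, dport) tuples."""
    flows = []
    # Benign control: one host talking to three web servers on 443.
    for i in range(20):
        flows.append((float(i), "10.0.0.5", "10.0.1.%d" % (i % 3 + 1), 443))
    # Scanner: 3333 distinct destinations on TCP/445 within a few seconds,
    # the same host count the report attributes to the sample.
    base = int(ip_address("10.0.0.0")) + 256
    for i in range(3333):
        flows.append((1.0 + i / 1000.0, "10.0.0.20",
                      str(ip_address(base + i)), 445))
    return flows


def smb_fanout(flows, window=WINDOW_SECONDS):
    """Return {src: max distinct TCP/445 destinations seen in any `window`}.

    Sources with no TCP/445 traffic are absent from the result.
    """
    by_src = defaultdict(list)
    for ts, src, dst, dport in flows:
        if dport == 445:
            by_src[src].append((ts, dst))

    result = {}
    for src, events in by_src.items():
        events.sort()
        counts = defaultdict(int)  # dst -> flows inside the window
        best = left = 0
        for ts, dst in events:
            counts[dst] += 1
            # Slide the left edge forward until the window fits.
            while ts - events[left][0] > window:
                _, old_dst = events[left]
                counts[old_dst] -= 1
                if counts[old_dst] == 0:
                    del counts[old_dst]
                left += 1
            best = max(best, len(counts))
        result[src] = best
    return result


def detect_scanners(flows, threshold=DISTINCT_HOST_THRESHOLD):
    """Sources whose TCP/445 fan-out reaches the threshold."""
    return sorted(src for src, n in smb_fanout(flows).items() if n >= threshold)


if __name__ == "__main__":
    print(detect_scanners(make_flows()))
```

The threshold needs tuning per environment: domain controllers, backup servers and vulnerability scanners legitimately reach hundreds of hosts on 445, so pair this with an allow-list of known scanners rather than lowering the bar.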
Processes

C:\Windows\system32\rundll32.exe (PID 2800)
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\e2d020e6ae743949b87756fc1c34215d_JaffaCakes118.dll,#1
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\rundll32.exe (PID 3052)
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\e2d020e6ae743949b87756fc1c34215d_JaffaCakes118.dll,#1
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    C:\WINDOWS\mssecsvc.exe (PID 4312)
      C:\WINDOWS\mssecsvc.exe
      - Executes dropped EXE
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      C:\WINDOWS\tasksche.exe (PID 3044)
        C:\WINDOWS\tasksche.exe /i
        - Executes dropped EXE

C:\WINDOWS\mssecsvc.exe (PID 1220)
  C:\WINDOWS\mssecsvc.exe -m security
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery

The system32 to SysWOW64 hop is the 64-bit rundll32.exe handing a 32-bit DLL off to the 32-bit copy with the same arguments; the dropper work (file writes, language lookup) happens in the SysWOW64 instance. The second mssecsvc.exe instance, started with -m security, appears as its own root rather than as a child of PID 4312.
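The tree above reads as a detection chain: rundll32.exe writes an executable into C:\WINDOWS, that file runs, it writes and runs tasksche.exe /i, and a second mssecsvc.exe instance runs with -m security as its own root. The following added example, which is not code from the report or from the sandbox vendor, encodes those relationships as rules over process-creation and file-creation events. The events are constructed from the PIDs, images and command lines in the tree; the event schema, the rule names, the parent PID of 2800 and the benign control event are assumptions.

```python
"""Turn the report's process/file chain into detection rules.

Added example, not part of the sandbox report. EVENTS is constructed from
the Processes section; the schema, rule names, the parent of PID 2800 and
the benign rundll32 control event are assumptions.
"""
import re

DLL = r"C:\Users\Admin\AppData\Local\Temp\e2d020e6ae743949b87756fc1c34215d_JaffaCakes118.dll"

# Constructed events in the order the report's tree implies. PID 1220 is a
# separate root in the report, so its parent is recorded as None.
EVENTS = [
    {"type": "process", "pid": 2800, "ppid": 1000,
     "image": r"C:\Windows\system32\rundll32.exe", "cmd": "rundll32.exe " + DLL + ",#1"},
    {"type": "process", "pid": 3052, "ppid": 2800,
     "image": r"C:\Windows\SysWOW64\rundll32.exe", "cmd": "rundll32.exe " + DLL + ",#1"},
    {"type": "file", "pid": 3052, "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "target": r"C:\WINDOWS\mssecsvc.exe"},
    {"type": "process", "pid": 4312, "ppid": 3052,
     "image": r"C:\WINDOWS\mssecsvc.exe", "cmd": r"C:\WINDOWS\mssecsvc.exe"},
    {"type": "file", "pid": 4312, "image": r"C:\WINDOWS\mssecsvc.exe",
     "target": r"C:\WINDOWS\tasksche.exe"},
    {"type": "process", "pid": 3044, "ppid": 4312,
     "image": r"C:\WINDOWS\tasksche.exe", "cmd": r"C:\WINDOWS\tasksche.exe /i"},
    {"type": "process", "pid": 1220, "ppid": None,
     "image": r"C:\WINDOWS\mssecsvc.exe", "cmd": r"C:\WINDOWS\mssecsvc.exe -m security"},
    # Benign control (assumed): rundll32 invoking a shell entry point, no drops.
    {"type": "process", "pid": 5000, "ppid": 1000,
     "image": r"C:\Windows\system32\rundll32.exe",
     "cmd": "rundll32.exe shell32.dll,Control_RunDLL"},
]

# An .exe written directly under C:\Windows (no subdirectory).
WINDOWS_DIR_EXE = re.compile(r"^c:\\windows\\[^\\]+\.exe$", re.IGNORECASE)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def lineage(parent, image, pid):
    """Image basenames of pid's ancestors, nearest first, cycle-safe."""
    names, seen, cur = [], set(), parent.get(pid)
    while cur in image and cur not in seen:
        seen.add(cur)
        names.append(basename(image[cur]))
        cur = parent.get(cur)
    return names


def detect(events):
    """Return (rule, pid) findings in event order."""
    parent, image, dropped, findings = {}, {}, set(), []
    for ev in events:
        if ev["type"] == "file":
            if basename(ev["image"]) == "rundll32.exe" and WINDOWS_DIR_EXE.match(ev["target"]):
                findings.append(("rundll32_drops_exe_in_windows_dir", ev["pid"]))
            dropped.add(ev["target"].lower())
            continue
        pid = ev["pid"]
        parent[pid], image[pid] = ev["ppid"], ev["image"]
        name = basename(ev["image"])
        if ev["image"].lower() in dropped:
            findings.append(("dropped_exe_executed", pid))
        if name == "tasksche.exe" and "rundll32.exe" in lineage(parent, image, pid):
            findings.append(("tasksche_under_rundll32", pid))
        if name == "mssecsvc.exe" and ev["cmd"].lower().endswith("-m security"):
            findings.append(("mssecsvc_service_mode", pid))
    return findings


if __name__ == "__main__":
    for rule, pid in detect(EVENTS):
        print(rule, pid)
```

The "dropped then executed" rule is the most general of the four and is the one worth keeping on real telemetry; the others are keyed to filenames this sample happens to use and will miss a renamed copy.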
Network
MITRE ATT&CK Enterprise v15
Downloads

File 1
  Filesize: 3.6MB
  MD5: 8909dbd5b9feba5b5a9cadc6e8d850b5
  SHA1: 1ebb6fd36521bdf8c15d13b921a9f576d89b1107
  SHA256: 508dcb3abfa56821f8ed720f616758ca467c49a32785be3311384579c2def1a5
  SHA512: 1f4d317090b075770a5f61d3b5a4e77f12dcc0e2ba54e73f69b0b3868f256ddfecad344549c50b9e54f94a81e73a43910c56635541d69095c927f78538ddb852

File 2
  Filesize: 3.4MB
  MD5: 7fe62470dc5ee0e84ee02cd5526f7c49
  SHA1: 02ce9ec4aafca35def3c1cf3f20ec25bb1a793d5
  SHA256: 08d900ea71c177d36a5556be14111b208b45ffe9b08a813587a4cb3f5b191cf7
  SHA512: e5809b14b3f2b070ec1824053b72859a24a23cfc538b4729fe1773a1b86d39e49e2c095522b9f075e4ef4809497c3abd44e23dec453a659f786f60419de30d0b