Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
16-09-2024 21:57
Static task
static1
Behavioral task
behavioral1
Sample
e5a2d63a182d22c9465801978ef89072_JaffaCakes118.dll
Resource
win7-20240729-en
Behavioral task
behavioral2
Sample
e5a2d63a182d22c9465801978ef89072_JaffaCakes118.dll
Resource
win10v2004-20240802-en
General
-
Target
e5a2d63a182d22c9465801978ef89072_JaffaCakes118.dll
-
Size
5.0MB
-
MD5
e5a2d63a182d22c9465801978ef89072
-
SHA1
7899d856c0d7e4d9f280138ff08ee4d5d7473d84
-
SHA256
8d98bc76eed02a38014cb2badf7683786ef657366f5d36f6a9ecbec374b11ef1
-
SHA512
2905ae308ba3b4d4311102153eba991334fe6eef3316de58f022bb54c33d3537eeaf3ffbac32c1017fb6b532153431a27d7146a0dbbb4540f82acb6eb626a34d
-
SSDEEP
12288:ywbLgPluxQhMbaIMu7L5NVErCA4z2g6rTcozAfNhC:JbLgdeQhfdmMSirYSi
Malware Config
Signatures
-
Wannacry
WannaCry is a ransomware cryptoworm.
-
Contacts a large (3286) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Executes dropped EXE 3 IoCs
pid Process 2664 mssecsvc.exe 3840 mssecsvc.exe 5072 tasksche.exe -
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Drops file in Windows directory 2 IoCs
description ioc Process File created C:\WINDOWS\mssecsvc.exe rundll32.exe File created C:\WINDOWS\tasksche.exe mssecsvc.exe -
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mssecsvc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mssecsvc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe -
Suspicious use of WriteProcessMemory 6 IoCs
description pid Process procid_target PID 2156 wrote to memory of 1404 2156 rundll32.exe 82 PID 2156 wrote to memory of 1404 2156 rundll32.exe 82 PID 2156 wrote to memory of 1404 2156 rundll32.exe 82 PID 1404 wrote to memory of 2664 1404 rundll32.exe 83 PID 1404 wrote to memory of 2664 1404 rundll32.exe 83 PID 1404 wrote to memory of 2664 1404 rundll32.exe 83
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\e5a2d63a182d22c9465801978ef89072_JaffaCakes118.dll,#11⤵
- Suspicious use of WriteProcessMemory
PID:2156 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\e5a2d63a182d22c9465801978ef89072_JaffaCakes118.dll,#12⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1404 -
C:\WINDOWS\mssecsvc.exeC:\WINDOWS\mssecsvc.exe3⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:2664 -
C:\WINDOWS\tasksche.exeC:\WINDOWS\tasksche.exe /i4⤵
- Executes dropped EXE
PID:5072
-
-
-
-
C:\WINDOWS\mssecsvc.exeC:\WINDOWS\mssecsvc.exe -m security1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3840
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3.6MB
MD5dec0ce963df4c56265a08c190d6c7dfc
SHA1038cacb62ce5f4c909fc9a246e6602538c1ac039
SHA256adc96b30759e78c2d09c6343db9af4f4d2ab7a143356d7a9e441f2e5f2a0884e
SHA51228fb008f6b91f646d2d954b22f73f6994e4ebdb984d8d22a92120493b80427b133fba95b1197198206df71f6aeee443a3823e64047d4180898e9715895a281d5
-
Filesize
3.4MB
MD56e2642745d2a9e197af9ba811bf07b64
SHA1caf6561a6678877ad3b513c3a8302c1d089bc07c
SHA2561bdfc853700ad26e01378e396ab255ca5a9062626dc050dea38aeda19324bece
SHA512afa833eed638686b883b2f67922e6fb8998a1701d9cb68533d29834057f7cb68f75521a52edb0aedcd718924b6c6e0e41a7e404156f9dffa2991688450aba403