Analysis
max time kernel: 150s
max time network: 154s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 17-09-2024 10:33
Static task: static1
Behavioral task: behavioral1
  Sample: e6a03e920acc645c14f7a4bb173c89d4_JaffaCakes118.dll
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: e6a03e920acc645c14f7a4bb173c89d4_JaffaCakes118.dll
  Resource: win10v2004-20240802-en
General
Target: e6a03e920acc645c14f7a4bb173c89d4_JaffaCakes118.dll
Size: 5.0MB
MD5: e6a03e920acc645c14f7a4bb173c89d4
SHA1: bdb6d7ff74bd06d17476ba67714473bdd5fdfe50
SHA256: a5832d6d06e0db070701957dfed2a564ea5e9f3744099c46001a9539649bf818
SHA512: e056cbac3dc497fa4ec1be486cd29d8a926a36df87a3bcec422d74a528f4e0706569db91fead0dfd0383d88120a798a978f1768a9c2678482e663de23640fce6
SSDEEP: 49152:znjQqMSPbcBVQej/1INRx+TSqTdX1HkQo6SAARdhnv:T8qPoBhz1aRxcSUDk36SAEdhv
Malware Config
Signatures
Wannacry
WannaCry is a ransomware cryptoworm.

Contacts a large (3307) number of remote hosts (1 TTP)
This may indicate a network scan to discover remotely running services.

Executes dropped EXE (3 IoCs)
pid    Process
3672   mssecsvc.exe
4652   mssecsvc.exe
4964   tasksche.exe

Creates a large number of network flows (1 TTP)
This may indicate a network scan to discover remotely running services.

Drops file in Windows directory (2 IoCs)
description    ioc                        Process
File created   C:\WINDOWS\tasksche.exe    mssecsvc.exe
File created   C:\WINDOWS\mssecsvc.exe    rundll32.exe

System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description   ioc                                                           Process
Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   rundll32.exe
Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   mssecsvc.exe
Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   mssecsvc.exe

Suspicious use of WriteProcessMemory (6 IoCs)
description                         pid    Process        procid_target
PID 2352 wrote to memory of 4468    2352   rundll32.exe   82
PID 2352 wrote to memory of 4468    2352   rundll32.exe   82
PID 2352 wrote to memory of 4468    2352   rundll32.exe   82
PID 4468 wrote to memory of 3672    4468   rundll32.exe   83
PID 4468 wrote to memory of 3672    4468   rundll32.exe   83
PID 4468 wrote to memory of 3672    4468   rundll32.exe   83
Processes
C:\Windows\system32\rundll32.exe (PID 2352)
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\e6a03e920acc645c14f7a4bb173c89d4_JaffaCakes118.dll,#1
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\rundll32.exe (PID 4468)
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\e6a03e920acc645c14f7a4bb173c89d4_JaffaCakes118.dll,#1
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    C:\WINDOWS\mssecsvc.exe (PID 3672)
      command line: C:\WINDOWS\mssecsvc.exe
      - Executes dropped EXE
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      C:\WINDOWS\tasksche.exe (PID 4964)
        command line: C:\WINDOWS\tasksche.exe /i
        - Executes dropped EXE

C:\WINDOWS\mssecsvc.exe (PID 4652)
  command line: C:\WINDOWS\mssecsvc.exe -m security
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
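The process tree and file-drop signatures above are enough to write host-side detection for this chain: rundll32 loading a DLL from a user Temp directory by export ordinal (",#1"), an executable written directly into C:\WINDOWS, that dropped executable then running, and the rundll32 -> mssecsvc.exe -> tasksche.exe /i parent chain. The following is an added example, not part of the sandbox report and not the sandbox's own logic. The event field names (pid, ppid, image, cmdline, path) are an assumption modelled on Sysmon-style process-creation and file-creation events; the PIDs, image paths, command lines and dropped-file paths are taken from the report, while the parent PIDs of the two root processes and the benign explorer.exe event are constructed so the negative case is exercised too.

```python
"""Detection logic for the WannaCry execution chain shown in the report above.

Added example, not from the sandbox report. Field names are assumptions
modelled on Sysmon-style events. PIDs, images, command lines and dropped-file
paths come from the report; the parent PIDs of the two root processes (1000,
700) and the explorer.exe event are constructed.
"""
import ntpath
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


@dataclass(frozen=True)
class FileEvent:
    pid: int    # process that created the file
    path: str


DLL = r"C:\Users\Admin\AppData\Local\Temp\e6a03e920acc645c14f7a4bb173c89d4_JaffaCakes118.dll"

# Constructed events mirroring the report's process tree.
PROCESS_EVENTS = [
    ProcessEvent(2352, 1000, r"C:\Windows\system32\rundll32.exe", f"rundll32.exe {DLL},#1"),
    ProcessEvent(4468, 2352, r"C:\Windows\SysWOW64\rundll32.exe", f"rundll32.exe {DLL},#1"),
    ProcessEvent(3672, 4468, r"C:\WINDOWS\mssecsvc.exe", r"C:\WINDOWS\mssecsvc.exe"),
    ProcessEvent(4964, 3672, r"C:\WINDOWS\tasksche.exe", r"C:\WINDOWS\tasksche.exe /i"),
    ProcessEvent(4652, 700, r"C:\WINDOWS\mssecsvc.exe", r"C:\WINDOWS\mssecsvc.exe -m security"),
    ProcessEvent(5000, 1000, r"C:\Windows\explorer.exe", "explorer.exe"),  # benign, constructed
]
# Constructed file-creation events mirroring the "Drops file in Windows directory" IoCs.
FILE_EVENTS = [
    FileEvent(4468, r"C:\WINDOWS\mssecsvc.exe"),
    FileEvent(3672, r"C:\WINDOWS\tasksche.exe"),
    FileEvent(5000, r"C:\Users\Admin\Documents\notes.txt"),  # benign, constructed
]

# rundll32 invoking a DLL export by ordinal, as in "...dll,#1" in the report.
RUNDLL32_ORDINAL = re.compile(
    r"rundll32(?:\.exe)?\s+(?P<dll>\S+\.dll),#(?P<ordinal>\d+)", re.IGNORECASE)
USER_TEMP = re.compile(r"\\users\\[^\\]+\\appdata\\local\\temp\\", re.IGNORECASE)


def _norm(path):
    """Normalised, case-folded Windows path for comparisons."""
    return ntpath.normpath(path).lower()


def rundll32_ordinal_loads(process_events):
    """(pid, dll, ordinal) for rundll32 loading a DLL by ordinal from a user Temp dir."""
    hits = []
    for ev in process_events:
        m = RUNDLL32_ORDINAL.search(ev.cmdline)
        if m and USER_TEMP.search(m.group("dll")):
            hits.append((ev.pid, m.group("dll"), int(m.group("ordinal"))))
    return hits


def exe_dropped_in_windows_root(file_events, windows_dir=r"C:\WINDOWS"):
    """File events that create an .exe directly in the Windows directory (not a subfolder)."""
    root = _norm(windows_dir)
    return [fe for fe in file_events
            if _norm(ntpath.dirname(fe.path)) == root and fe.path.lower().endswith(".exe")]


def dropped_exe_executed(process_events, file_events):
    """(pid, image, dropper_pid) for every process whose image was written by an earlier file event."""
    dropped = {_norm(fe.path): fe.pid for fe in file_events}
    return [(ev.pid, ev.image, dropped[_norm(ev.image)])
            for ev in process_events if _norm(ev.image) in dropped]


def wannacry_chains(process_events):
    """(rundll32_pid, mssecsvc_pid, tasksche_pid) for each rundll32 -> mssecsvc.exe -> tasksche.exe /i chain."""
    by_pid = {ev.pid: ev for ev in process_events}
    chains = []
    for ev in process_events:
        if ntpath.basename(ev.image).lower() != "tasksche.exe" or "/i" not in ev.cmdline.split():
            continue
        parent = by_pid.get(ev.ppid)
        if parent is None or ntpath.basename(parent.image).lower() != "mssecsvc.exe":
            continue
        grand = by_pid.get(parent.ppid)
        if grand is not None and ntpath.basename(grand.image).lower() == "rundll32.exe":
            chains.append((grand.pid, parent.pid, ev.pid))
    return chains


def run_detections(process_events=PROCESS_EVENTS, file_events=FILE_EVENTS):
    """Run every rule and return its hits keyed by rule name."""
    return {
        "rundll32_ordinal_from_temp": rundll32_ordinal_loads(process_events),
        "exe_dropped_in_windows_root": [fe.path for fe in exe_dropped_in_windows_root(file_events)],
        "dropped_exe_executed": dropped_exe_executed(process_events, file_events),
        "rundll32_mssecsvc_tasksche_chains": wannacry_chains(process_events),
    }


if __name__ == "__main__":
    for rule, hits in run_detections().items():
        print(f"{rule}: {hits}")
```

The second mssecsvc.exe instance (PID 4652, "-m security") has no rundll32 ancestor in the report, so the chain rule alone would miss it; the dropped-executable rule catches it because its image path equals a file the rundll32 process wrote. Running both, and the file-drop rule on its own, gives three independent chances to catch the same infection.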
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 3.6MB
MD5: ca9e084bc47a42f3c5f15fb4142bc467
SHA1: a8a43bbd4ef43b4faff94cff5a17ac42e2c2a95c
SHA256: 90d39c41e81b12de191406fb75263d208f5e7841b47bcf77d7fdd4156f8bc1af
SHA512: 49bab5ea4328897e57d4d22240049e5174fc9520c08f16ae2071e77acc10119c24a45c10393cef052370250356dd5c7b50a23456b8b33cfe2cdbdbbdf6841a42

Filesize: 3.4MB
MD5: ba8922fceaeed80297c3c391c8844b70
SHA1: 2ef2a451fbcd42a938ae3d7bfad93dbc8ebe144f
SHA256: e3825cad783a302902576ca4cfae9fdfc8640a012876402c89e7dd22475cda91
SHA512: faee2d00623ab8a0db455a4b26074faed6da189220630f5260c331ed3d7f633f4cb253efaae25101c64ca836bea92b2de9e8c18614da483d4614b2e176d159bb