Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system -
submitted
18-09-2024 05:01
Static task
static1
Behavioral task
behavioral1
Sample
e8611c0286f6ef0b44b86896f0af8430_JaffaCakes118.dll
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
e8611c0286f6ef0b44b86896f0af8430_JaffaCakes118.dll
Resource
win10v2004-20240802-en
General
-
Target
e8611c0286f6ef0b44b86896f0af8430_JaffaCakes118.dll
-
Size
5.0MB
-
MD5
e8611c0286f6ef0b44b86896f0af8430
-
SHA1
c68f86e8432aa960a872e1947691bb4305fbab4e
-
SHA256
c694e3749f485147f314e63e1f5c2f41b59c9b27a51e14f49844dec095310363
-
SHA512
1c19318740b833ff5cd0a774af2037aa44e68f6f36af9fb73c3f5a50e43dcaef668beb22f3b9917eb3aa7c48e347d9cbdab16b2d61ef072c5e789d2e175cd179
-
SSDEEP
12288:ywbLgPluxQhMbaIMu7L5NVErCA4z2g6rTcbckPU82900Ve7zw+K+DHeQYSUjEXFy:JbLgdeQhfdmMSirYbcMNgef0QeQjGI
Malware Config
Signatures
-
Wannacry
WannaCry is a ransomware cryptoworm.
-
Contacts a large (3291) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Executes dropped EXE 3 IoCs
pid   Process
5772  mssecsvc.exe
6128  mssecsvc.exe
5156  tasksche.exe
-
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Drops file in Windows directory 2 IoCs
description   ioc                      Process
File created  C:\WINDOWS\mssecsvc.exe  rundll32.exe
File created  C:\WINDOWS\tasksche.exe  mssecsvc.exe
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description  ioc                                                          Process
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  rundll32.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  mssecsvc.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  mssecsvc.exe
-
Suspicious use of WriteProcessMemory 6 IoCs
description                       pid   Process       procid_target
PID 1276 wrote to memory of 4116  1276  rundll32.exe  84
PID 1276 wrote to memory of 4116  1276  rundll32.exe  84
PID 1276 wrote to memory of 4116  1276  rundll32.exe  84
PID 4116 wrote to memory of 5772  4116  rundll32.exe  85
PID 4116 wrote to memory of 5772  4116  rundll32.exe  85
PID 4116 wrote to memory of 5772  4116  rundll32.exe  85
Processes
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\e8611c0286f6ef0b44b86896f0af8430_JaffaCakes118.dll,#1
  - Suspicious use of WriteProcessMemory
  PID:1276
  - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\e8611c0286f6ef0b44b86896f0af8430_JaffaCakes118.dll,#1
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4116
    - C:\WINDOWS\mssecsvc.exe
      C:\WINDOWS\mssecsvc.exe
      - Executes dropped EXE
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      PID:5772
      - C:\WINDOWS\tasksche.exe
        C:\WINDOWS\tasksche.exe /i
        - Executes dropped EXE
        PID:5156
- C:\WINDOWS\mssecsvc.exe
  C:\WINDOWS\mssecsvc.exe -m security
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:6128
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
3.6MB
MD5
a547ea33025174fab4d1f549045573d6
SHA1
e1c3339660be0bca43a6389a21b7ff58da1faea8
SHA256
fd9d4788a6d08f3a27265e24f52f3776c6e6dc278c5cb1e9105c1eabb204e477
SHA512
7075cf8bdaafc8b73a957211516013f281f56564a6b3fd5ab9372288548fbfb1b5d13db19bdc99cada2c080ddee2996d1a316f3df6acb13bdaf3047b43543f70
-
Filesize
3.4MB
MD5
86e3f55745bd48a5f14e36079fa35c08
SHA1
83ca4360e19384de800dcfb8954372b63e16be0c
SHA256
fa590e6e5fea75b8d5b5269b9bd16463645e46eb3d7a0504e0db8129c2083790
SHA512
175d56f34fbf300c02b4ec5a61679a371502f11bfbdbef488b4d3d220c68dfa3c5b4efdc2924859525d16c8d36cbfba0d8694a351bc093ade38abb2cee9c9f6c