Analysis
max time kernel: 150s
max time network: 155s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 18-09-2024 08:25
Static task: static1
Behavioral task: behavioral1
  Sample: e8b3ad3133f8f083db28728532d93dd9_JaffaCakes118.dll
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: e8b3ad3133f8f083db28728532d93dd9_JaffaCakes118.dll
  Resource: win10v2004-20240802-en
General
Target: e8b3ad3133f8f083db28728532d93dd9_JaffaCakes118.dll
Size: 5.0MB
MD5: e8b3ad3133f8f083db28728532d93dd9
SHA1: 71419f783196470966dfcb94d371650ae160194e
SHA256: 978ec74d468d7d806d2118776d9df32953ff6a933c5ed5603f083013e5c40a3d
SHA512: 9b2195cdcfec2657ba16099adc85b3c1d1765d1f581dab31b58769d418f3c7e27e97364b9a271a065a23b4035f904e1fc042a806081dacdaf1ee809b2ba82a78
SSDEEP: 49152:SnjQcMSPbcBVQej/1INRx+TSqTdX1HkQo6:+8cPoBhz1aRxcSUDk36
Malware Config
Signatures
Wannacry
WannaCry is a ransomware cryptoworm.

Contacts a large (3147) number of remote hosts (1 TTPs)
This may indicate a network scan to discover remotely running services.

Executes dropped EXE (3 IoCs)
pid   Process
3540  mssecsvc.exe
3268  mssecsvc.exe
2336  tasksche.exe

Creates a large number of network flows (1 TTPs)
This may indicate a network scan to discover remotely running services.

Drops file in Windows directory (2 IoCs)
description   ioc                       Process
File created  C:\WINDOWS\mssecsvc.exe   rundll32.exe
File created  C:\WINDOWS\tasksche.exe   mssecsvc.exe

System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description  ioc                                                              Process
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language     mssecsvc.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language     rundll32.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language     mssecsvc.exe

Suspicious use of WriteProcessMemory (6 IoCs)
description                        pid   Process       procid_target
PID 3772 wrote to memory of 336    3772  rundll32.exe  82
PID 3772 wrote to memory of 336    3772  rundll32.exe  82
PID 3772 wrote to memory of 336    3772  rundll32.exe  82
PID 336 wrote to memory of 3540    336   rundll32.exe  83
PID 336 wrote to memory of 3540    336   rundll32.exe  83
PID 336 wrote to memory of 3540    336   rundll32.exe  83
Processes

C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\e8b3ad3133f8f083db28728532d93dd9_JaffaCakes118.dll,#1
  - Suspicious use of WriteProcessMemory
  PID: 3772
  C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\e8b3ad3133f8f083db28728532d93dd9_JaffaCakes118.dll,#1
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 336
    C:\WINDOWS\mssecsvc.exe
      Command line: C:\WINDOWS\mssecsvc.exe
      - Executes dropped EXE
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      PID: 3540
      C:\WINDOWS\tasksche.exe
        Command line: C:\WINDOWS\tasksche.exe /i
        - Executes dropped EXE
        PID: 2336

C:\WINDOWS\mssecsvc.exe
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID: 3268
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 3.6MB
MD5: d78007d1a7b065c7f3a78b0a0355f533
SHA1: 141cc2201ba092854000c1f74373891e981d7be7
SHA256: 3a87b66494925605c6d1f88eea0b6a06e8eb97ba5235d881a9ba56df517fd368
SHA512: 53044a5de4d09a35d9e8c79cb0cd9be2cb0a508505d51881e263fd8ddac9f7aa9e9af76bd51cf84eb2aa9dbadac274aa9c4f844f6f6d50988cce4c1a0c5f3f57

Filesize: 3.4MB
MD5: 6dec970a6a6ae01181732d6910892837
SHA1: 027fd2e6150c13755014b4f37b26940b57cb91f8
SHA256: a73a81334f15ad3c08a5913f67fc5d990539e363bf041e112f35b413717a4a54
SHA512: 6088fbabe4855588134cbfcdb611a324d437c1120bb2a05c3ba60cc83cf1aae90846c132d0a84d7ff4987a2e902f5c1f900de5ea8286c27ed8417f7fe542c3d1