Analysis
max time kernel: 150s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 19-09-2024 02:33
Static task: static1
Behavioral task: behavioral1
  Sample: ea6cdc1ada92e18c9411d2bfacfe8a00_JaffaCakes118.dll
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: ea6cdc1ada92e18c9411d2bfacfe8a00_JaffaCakes118.dll
  Resource: win10v2004-20240802-en
General
Target: ea6cdc1ada92e18c9411d2bfacfe8a00_JaffaCakes118.dll
Size: 5.0MB
MD5: ea6cdc1ada92e18c9411d2bfacfe8a00
SHA1: 676cb33b89c949c733dac1990f881280aea28fbb
SHA256: 3e4aafbcc287cdeb6ea6ea32c319c1b6bda0631793f988d1ace8e0dfc55d26b3
SHA512: 21eb54de75f2d39b2556e7862e5f0d8e8f1962a69283ed51ba8a6fcc66cf8552c8ff563344cef188170471a214c7cb9c0cca02dd74ff2aef7b191af5e6fb9aee
SSDEEP: 98304:d8qPoBhz1aRxcSUDk36SAEdhvxWa9P593:d8qPe1Cxcxk3ZAEUadz
Malware Config
Signatures
Wannacry
WannaCry is a ransomware cryptoworm.

Contacts a large (3348) amount of remote hosts (1 TTP)
This may indicate a network scan to discover remotely running services.

Executes dropped EXE (3 IoCs)
pid   Process
4980  mssecsvc.exe
1612  mssecsvc.exe
3348  tasksche.exe

Creates a large amount of network flows (1 TTP)
This may indicate a network scan to discover remotely running services.

Drops file in Windows directory (2 IoCs)
description   ioc                       Process
File created  C:\WINDOWS\mssecsvc.exe   rundll32.exe
File created  C:\WINDOWS\tasksche.exe   mssecsvc.exe
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description  ioc                                                              Process
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language      mssecsvc.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language      rundll32.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language      mssecsvc.exe
Suspicious use of WriteProcessMemory (6 IoCs)
description                        pid   Process       procid_target
PID 1124 wrote to memory of 2328   1124  rundll32.exe  82
PID 1124 wrote to memory of 2328   1124  rundll32.exe  82
PID 1124 wrote to memory of 2328   1124  rundll32.exe  82
PID 2328 wrote to memory of 4980   2328  rundll32.exe  83
PID 2328 wrote to memory of 4980   2328  rundll32.exe  83
PID 2328 wrote to memory of 4980   2328  rundll32.exe  83
Processes

C:\Windows\system32\rundll32.exe (level 1)
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\ea6cdc1ada92e18c9411d2bfacfe8a00_JaffaCakes118.dll,#1
  PID: 1124
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\rundll32.exe (level 2)
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\ea6cdc1ada92e18c9411d2bfacfe8a00_JaffaCakes118.dll,#1
    PID: 2328
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    C:\WINDOWS\mssecsvc.exe (level 3)
      Command line: C:\WINDOWS\mssecsvc.exe
      PID: 4980
      - Executes dropped EXE
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery

      C:\WINDOWS\tasksche.exe (level 4)
        Command line: C:\WINDOWS\tasksche.exe /i
        PID: 3348
        - Executes dropped EXE

C:\WINDOWS\mssecsvc.exe (level 1)
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  PID: 1612
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 3.6MB
MD5: 879ad7deb8ec3470d8edf510ff1f1060
SHA1: 5a1b434507c9b1839946dd42977a7f68684c9838
SHA256: c64316d1e7d1c994435417c4c95c3c3aa872eaac81d9965f8ed6199927da0b71
SHA512: 228b13df546bd5a8a8b3c49bac4f6a6ca44ef52fba07007bbf8a793cddc4bafd8705194836241fb2e8536246a74b821edf6cf70c72ff1865c7fdefb589f1f0a5

Filesize: 3.4MB
MD5: 552b26ef2544c9dc3b940f9c9d41ceff
SHA1: bdefaab184e46678ef5b8ba5836e923044f54165
SHA256: 6956ca197be27d22a6693cc9a222c7f397a9ba2855d242b7f94bda278d8d00fe
SHA512: 78cfcdb708be96d82fd31e04808185b8d59d4dcbd42443bc286ee2710ba62becf0d846385dc1d9cadbcdcd407791bd60b827554cccfe9e41ba02fd6d92082273