Analysis

max time kernel: 150s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 23-09-2024 17:01

Static task: static1

Behavioral task: behavioral1
  Sample: f2b958453fa551353642768a3aab1345_JaffaCakes118.dll
  Resource: win7-20240903-en

Behavioral task: behavioral2
  Sample: f2b958453fa551353642768a3aab1345_JaffaCakes118.dll
  Resource: win10v2004-20240802-en
General

Target: f2b958453fa551353642768a3aab1345_JaffaCakes118.dll
Size: 5.0MB
MD5: f2b958453fa551353642768a3aab1345
SHA1: f1d6fe7fd51a44984134054c57a0279a9ea9d4b4
SHA256: 5b0385084a77525ca7c0a80e476f6f7d51080690fbc6265a8d4f1e2bfda2a4db
SHA512: 313ee95f1d7d05a36c9b2cf162e3fff608183dcd04d98f50ad6a8b10189f081e3d870198bd488d80a51d2533732f3ba3249e3c7083e368807db64a7a62e549bb
SSDEEP: 49152:JnjQqMSPbcBVQej/1INRx+TSqTdX1HkQo6SAA:d8qPoBhz1aRxcSUDk36SA
Malware Config
Signatures

Wannacry
  WannaCry is a ransomware cryptoworm.

Contacts a large (3336) amount of remote hosts (1 TTPs)
  This may indicate a network scan to discover remotely running services.

Executes dropped EXE (3 IoCs)
  pid   Process
  5084  mssecsvc.exe
  868   mssecsvc.exe
  3036  tasksche.exe

Creates a large amount of network flows (1 TTPs)
  This may indicate a network scan to discover remotely running services.

Drops file in Windows directory (2 IoCs)
  description   ioc                      Process
  File created  C:\WINDOWS\tasksche.exe  mssecsvc.exe
  File created  C:\WINDOWS\mssecsvc.exe  rundll32.exe

System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                          Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  rundll32.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  mssecsvc.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  mssecsvc.exe

Suspicious use of WriteProcessMemory (6 IoCs)
  description                       pid   Process       procid_target
  PID 3300 wrote to memory of 3240  3300  rundll32.exe  82
  PID 3300 wrote to memory of 3240  3300  rundll32.exe  82
  PID 3300 wrote to memory of 3240  3300  rundll32.exe  82
  PID 3240 wrote to memory of 5084  3240  rundll32.exe  83
  PID 3240 wrote to memory of 5084  3240  rundll32.exe  83
  PID 3240 wrote to memory of 5084  3240  rundll32.exe  83
Processes

C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\f2b958453fa551353642768a3aab1345_JaffaCakes118.dll,#1
  - Suspicious use of WriteProcessMemory
  PID: 3300

  C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\f2b958453fa551353642768a3aab1345_JaffaCakes118.dll,#1
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 3240

    C:\WINDOWS\mssecsvc.exe
      Command line: C:\WINDOWS\mssecsvc.exe
      - Executes dropped EXE
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      PID: 5084

      C:\WINDOWS\tasksche.exe
        Command line: C:\WINDOWS\tasksche.exe /i
        - Executes dropped EXE
        PID: 3036

C:\WINDOWS\mssecsvc.exe
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID: 868
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 3.6MB
MD5: 07c6159b5f6a45c05d2e278fd52e1b9a
SHA1: c7094c745a566412429ac5a2f4d3ec5e4519e4d9
SHA256: 765719492b2af8d52598956f218b4fb4ebbb74652e9448ed3926e4ab53c8f7de
SHA512: 715248a79565487936b9c71fe463ceb2dc4a3e1016fcf17fc0485cf151848164b5d8cba8dac4539c5df5dd4b4593343d9cb225531e4856589d8ae563ee093b1f

Filesize: 3.4MB
MD5: 44d27e70605a2ded2803ca6319c93fb9
SHA1: 8fcd27048fde2d49c6e351107233a912d5ce6cce
SHA256: 076d473f2b82d6e98b33653f4aeda9ca15494c2fd6f00088f6d90e8b5c15994f
SHA512: 92cd25d19a95bedbb0f804c11ad3e9539dafab0f9f6cc3aad5b60690a16fb182594d12be75eead3746d385885a354462740321d0e17ca3d7d19cb5d16bfbcd18