Analysis
max time kernel: 150s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 25-09-2024 23:18

Static task: static1
Behavioral task: behavioral1
  Sample: f70dc6617585a6cdb57999cfc7e35983_JaffaCakes118.dll
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: f70dc6617585a6cdb57999cfc7e35983_JaffaCakes118.dll
  Resource: win10v2004-20240802-en
General
Target: f70dc6617585a6cdb57999cfc7e35983_JaffaCakes118.dll
Size: 5.0MB
MD5: f70dc6617585a6cdb57999cfc7e35983
SHA1: fc392f28ffbf4adee56869067d25d8a7d33f3d1d
SHA256: 242743baf453444c89c5c31203de59b2d6af0a4fa9bd7e7de9b7b52c6414376e
SHA512: 1b904c5fd57e9a8e9de4034f4b9f9200addf9222bb258802f8eb915dca4312d78a490446d27ff0b78dd12f95379b9b15d9138f2fbb124312410e8e9bcbba30df
SSDEEP: 49152:JnjQqMSPbcBVQej/1INRx+TSqTdX1HkQo6S:d8qPoBhz1aRxcSUDk36S
Malware Config
Signatures

Wannacry
WannaCry is a ransomware cryptoworm.

Contacts a large number (3255) of remote hosts (1 TTP)
This may indicate a network scan to discover remotely running services.

Executes dropped EXE (3 IoCs)
pid    Process
4072   mssecsvc.exe
3948   mssecsvc.exe
968    tasksche.exe

Creates a large amount of network flows (1 TTP)
This may indicate a network scan to discover remotely running services.

Drops file in Windows directory (2 IoCs)
description    ioc                        Process
File created   C:\WINDOWS\mssecsvc.exe    rundll32.exe
File created   C:\WINDOWS\tasksche.exe    mssecsvc.exe

System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.
description   ioc                                                            Process
Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language    rundll32.exe
Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language    mssecsvc.exe
Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language    mssecsvc.exe

Suspicious use of WriteProcessMemory (6 IoCs)
description                         pid    Process        procid_target
PID 3104 wrote to memory of 3884    3104   rundll32.exe   84
PID 3104 wrote to memory of 3884    3104   rundll32.exe   84
PID 3104 wrote to memory of 3884    3104   rundll32.exe   84
PID 3884 wrote to memory of 4072    3884   rundll32.exe   85
PID 3884 wrote to memory of 4072    3884   rundll32.exe   85
PID 3884 wrote to memory of 4072    3884   rundll32.exe   85
In every row the target is the child the writer had just spawned (see the process tree below), which is the memory write CreateProcess itself performs when setting up a new process, so this signature is weak evidence on its own; the dropped-file and network indicators carry the verdict here.
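The two scan signatures above ("Contacts a large number of remote hosts", "Creates a large amount of network flows") are fan-out heuristics. The script below is an added example, not part of the sandbox report or its rule set: it counts distinct destination hosts per process inside a sliding time window and flags a process that bursts past a threshold, also reporting how many targets were RFC1918 addresses and how concentrated the traffic is on one port. The Flow record layout, the 100-host threshold, the 60 s window, and the sample flows (port 445 and all addresses) are assumptions constructed here; the report does not expose its raw flows or ports.

```python
"""Network fan-out heuristic.

Added example, not part of the sandbox report: the Flow layout, the
thresholds and the sample flows are assumptions constructed here.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

RFC1918 = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
           ip_network("192.168.0.0/16")]


@dataclass(frozen=True)
class Flow:
    ts: float         # seconds since the start of the trace
    pid: int
    process: str
    dst_ip: str
    dst_port: int


def is_internal(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in RFC1918)


def max_hosts_in_window(flows, window_s=60.0):
    """Largest number of distinct destination hosts one process contacted
    within any sliding window of window_s seconds, keyed by (pid, process).
    A burst of many hosts in a short window is what separates a scan from a
    long-lived chatty process that slowly accumulates destinations."""
    by_proc = defaultdict(list)
    for f in flows:
        by_proc[(f.pid, f.process)].append(f)
    result = {}
    for key, fl in by_proc.items():
        fl.sort(key=lambda f: f.ts)
        in_window = Counter()      # dst_ip -> flows currently inside the window
        start, best = 0, 0
        for f in fl:
            in_window[f.dst_ip] += 1
            # Evict flows that fell out of the window behind the current one.
            while fl[start].ts < f.ts - window_s:
                old = fl[start].dst_ip
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                start += 1
            best = max(best, len(in_window))
        result[key] = best
    return result


def classify(flows, host_threshold=100, window_s=60.0):
    """Per-process summary with a scan verdict. host_threshold is an
    assumption to tune per environment (the report's sample hit 3255)."""
    burst = max_hosts_in_window(flows, window_s)
    by_proc = defaultdict(list)
    for f in flows:
        by_proc[(f.pid, f.process)].append(f)
    findings = []
    for (pid, proc), fl in by_proc.items():
        hosts = {f.dst_ip for f in fl}
        top_port, top_count = Counter(f.dst_port for f in fl).most_common(1)[0]
        findings.append({
            "pid": pid,
            "process": proc,
            "distinct_hosts": len(hosts),
            "max_hosts_per_window": burst[(pid, proc)],
            "internal_hosts": sum(1 for h in hosts if is_internal(h)),
            "top_port": top_port,
            # share of flows on the most common port; near 1.0 means one service is being swept
            "port_concentration": top_count / len(fl),
            "scan": burst[(pid, proc)] >= host_threshold,
        })
    return sorted(findings, key=lambda d: -d["max_hosts_per_window"])


def constructed_flows():
    """Constructed sample: a browser-like process touching six hosts over
    a few minutes, and one process sweeping the local /24 and then 100
    external hosts on a single port within 40 seconds. Port 445 and every
    address here are chosen for the example, not taken from the report."""
    flows = []
    for i in range(6):
        flows.append(Flow(30.0 * i, 1234, "msedge.exe", f"198.51.100.{i + 1}", 443))
    for i in range(254):
        flows.append(Flow(0.1 * i, 4072, "mssecsvc.exe", f"10.0.0.{i + 1}", 445))
    for i in range(100):
        flows.append(Flow(30.0 + 0.1 * i, 4072, "mssecsvc.exe", f"198.51.0.{i}", 445))
    return flows


if __name__ == "__main__":
    for d in classify(constructed_flows()):
        print(d)
```

The sliding window matters more than the raw host count: a backup agent or update client can reach hundreds of hosts over a day without tripping a per-minute burst threshold, while a worm sweeping a subnet does so in seconds. The internal-host count and port concentration are what tell an analyst whether the scan was a LAN sweep of one service or something else, which the bare "3255 hosts" figure in the report does not.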
Processes

C:\Windows\system32\rundll32.exe (PID 3104)
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\f70dc6617585a6cdb57999cfc7e35983_JaffaCakes118.dll,#1
  - Suspicious use of WriteProcessMemory
  └─ C:\Windows\SysWOW64\rundll32.exe (PID 3884)
       Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\f70dc6617585a6cdb57999cfc7e35983_JaffaCakes118.dll,#1
       - Drops file in Windows directory
       - System Location Discovery: System Language Discovery
       - Suspicious use of WriteProcessMemory
       └─ C:\WINDOWS\mssecsvc.exe (PID 4072)
            Command line: C:\WINDOWS\mssecsvc.exe
            - Executes dropped EXE
            - Drops file in Windows directory
            - System Location Discovery: System Language Discovery
            └─ C:\WINDOWS\tasksche.exe (PID 968)
                 Command line: C:\WINDOWS\tasksche.exe /i
                 - Executes dropped EXE

C:\WINDOWS\mssecsvc.exe (PID 3948)
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery

The first tree is the submitted DLL run through its export #1 by rundll32.exe; the 64-bit rundll32.exe in system32 hands the DLL off to the 32-bit copy in SysWOW64, consistent with the arch:x86 resource tag. The second tree is rooted at mssecsvc.exe -m security, which has no parent process in the trace.
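The process tree and the "Drops file in Windows directory" / "Executes dropped EXE" signatures are the same story seen from two angles: a process writes an executable under C:\WINDOWS, and that path then appears as the image of a new process. The script below is an added example and not the sandbox's own logic: it rebuilds those findings from a stream of Sysmon-style file-create and process-create events and attaches the ancestry chain to each dropped-EXE execution, plus a check for rundll32.exe loading a DLL out of a user's Temp directory. The event dicts and field names are assumptions; the PIDs, images and command lines are constructed to mirror the tree above, and the parent PIDs of the two tree roots are set to None because the report does not show them.

```python
"""Drop-and-execute chain reconstruction.

Added example, not the sandbox's rule logic: event shape and field names
are assumptions; PIDs and paths are constructed to mirror the report.
"""
import ntpath

SAMPLE_DLL = r"C:\Users\Admin\AppData\Local\Temp\f70dc6617585a6cdb57999cfc7e35983_JaffaCakes118.dll"

# Constructed event stream, in the order an endpoint agent would emit it.
# ppid None = parent not present in the trace (both tree roots).
EVENTS = [
    {"type": "process_create", "pid": 3104, "ppid": None,
     "image": r"C:\Windows\system32\rundll32.exe", "cmdline": f"rundll32.exe {SAMPLE_DLL},#1"},
    {"type": "process_create", "pid": 3884, "ppid": 3104,
     "image": r"C:\Windows\SysWOW64\rundll32.exe", "cmdline": f"rundll32.exe {SAMPLE_DLL},#1"},
    {"type": "file_create", "pid": 3884, "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "path": r"C:\WINDOWS\mssecsvc.exe"},
    {"type": "process_create", "pid": 4072, "ppid": 3884,
     "image": r"C:\WINDOWS\mssecsvc.exe", "cmdline": r"C:\WINDOWS\mssecsvc.exe"},
    {"type": "file_create", "pid": 4072, "image": r"C:\WINDOWS\mssecsvc.exe",
     "path": r"C:\WINDOWS\tasksche.exe"},
    {"type": "process_create", "pid": 968, "ppid": 4072,
     "image": r"C:\WINDOWS\tasksche.exe", "cmdline": r"C:\WINDOWS\tasksche.exe /i"},
    {"type": "process_create", "pid": 3948, "ppid": None,
     "image": r"C:\WINDOWS\mssecsvc.exe", "cmdline": r"C:\WINDOWS\mssecsvc.exe -m security"},
]


def rundll32_target(cmdline: str):
    """Return the DLL path from 'rundll32.exe <dll>,<entry>' where <entry>
    is an export name or '#ordinal'; None if there is no argument.
    Quoted paths containing spaces are not handled in this example."""
    parts = cmdline.split(None, 1)
    if len(parts) < 2:
        return None
    path, sep, _entry = parts[1].rpartition(",")
    return path if sep else parts[1]


def ancestry(pid, parents):
    """PID chain from pid up to the oldest ancestor seen in the trace."""
    chain = []
    while pid is not None and pid in parents:
        chain.append(pid)
        pid = parents[pid]
    return chain


def analyze(events):
    parents, dropped, findings = {}, {}, []
    for e in events:
        if e["type"] == "file_create":
            p = ntpath.normcase(e["path"])           # lower-case, backslashes
            if p.startswith("c:\\windows\\") and p.endswith(".exe"):
                dropped[p] = e["pid"]                # remember who wrote it
                findings.append({"rule": "Drops file in Windows directory", "pid": e["pid"],
                                 "process": ntpath.basename(e["image"]), "ioc": e["path"]})
        elif e["type"] == "process_create":
            pid, img = e["pid"], ntpath.normcase(e["image"])
            parents[pid] = e["ppid"]
            if ntpath.basename(img) == "rundll32.exe":
                dll = rundll32_target(e["cmdline"])
                if dll and "\\appdata\\local\\temp\\" in ntpath.normcase(dll):
                    findings.append({"rule": "rundll32 loads DLL from user Temp",
                                     "pid": pid, "ioc": dll})
            if img in dropped:
                findings.append({"rule": "Executes dropped EXE", "pid": pid, "ioc": e["image"],
                                 "dropped_by": dropped[img], "chain": ancestry(pid, parents)})
    return findings


if __name__ == "__main__":
    for f in analyze(EVENTS):
        print(f)
```

Run against the constructed stream this yields two "Drops file in Windows directory" findings and three "Executes dropped EXE" findings (PIDs 4072, 968 and 3948), matching the IoC counts in the report; the chain for tasksche.exe runs 968 → 4072 → 3884 → 3104, while mssecsvc.exe -m security stands alone because its parent is outside the trace. Matching on a normalised path is what lets the rule survive the mixed-case C:\WINDOWS vs C:\Windows spellings the report itself shows.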
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 3.6MB
MD5: 902499be1f74facf8df615deea83bd63
SHA1: 5ee5d0c7bdbf779838b3228267228de3c45bec4d
SHA256: 3c75131419934c7b16f9721abdef7a5cd57cd20cea4757be3724b36c84380cf2
SHA512: fef964c845505b1695aab6b7e983a962206e1e95d5ae30556cdf67fdffd8f5c01696672429859aff5612299a7f69803b531591427f507bec819e8442d134332f

Filesize: 3.4MB
MD5: db73e31441cfcb4e3df4f90abf93be58
SHA1: cec5b1d186ac29e9de354232e7ced75cfaa7dbcc
SHA256: ec7921ced5b4b6e1a2466938f5bbbcb37bdbe3e18231bfe474829619427a46a2
SHA512: 9469b87f95b82afc2b17843cc120585dd4e915bb560fa69e40a54cb752392a339181bfa6923783c63e418ffcef6ed661ff7fc7689828a13732a540c788642861