Analysis
max time kernel: 150s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 25-09-2024 15:58
Static task: static1
Behavioral task: behavioral1
  Sample: f65b4cc9a87df1dd14918f8d295af7ea_JaffaCakes118.dll
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: f65b4cc9a87df1dd14918f8d295af7ea_JaffaCakes118.dll
  Resource: win10v2004-20240802-en
General
Target: f65b4cc9a87df1dd14918f8d295af7ea_JaffaCakes118.dll
Size: 5.0MB
MD5: f65b4cc9a87df1dd14918f8d295af7ea
SHA1: 397e761ab1ae29c593b88199150d38e7bd7e5782
SHA256: 0a547edd3c73c87c7796377bee53ed0024edb35a9c9c1e4a62735909643a4ca2
SHA512: 7ee60ab115c68fa1a37b4cd5c74d4d8f852d17d8dca13e66af615a96303f6fb3e4a6399db14c28acda6eccd71b0c7d039e399126cf2d171b2361751a4f658828
SSDEEP: 98304:d8qPonhz1aRxcSUDkuxWa9P593R8yAVp2H:d8qPM1CxcxkhadzR8yc4H
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.
- Contacts a large (3307) amount of remote hosts (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Executes dropped EXE (3 IoCs)
  pid   Process
  640   mssecsvc.exe
  3828  mssecsvc.exe
  404   tasksche.exe
- Creates a large amount of network flows (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Drops file in Windows directory (2 IoCs)
  description   ioc                       Process
  File created  C:\WINDOWS\mssecsvc.exe   rundll32.exe
  File created  C:\WINDOWS\tasksche.exe   mssecsvc.exe
- System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                           Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   rundll32.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   mssecsvc.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   mssecsvc.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  description                        pid   Process       procid_target
  PID 4072 wrote to memory of 2476   4072  rundll32.exe  82
  PID 4072 wrote to memory of 2476   4072  rundll32.exe  82
  PID 4072 wrote to memory of 2476   4072  rundll32.exe  82
  PID 2476 wrote to memory of 640    2476  rundll32.exe  83
  PID 2476 wrote to memory of 640    2476  rundll32.exe  83
  PID 2476 wrote to memory of 640    2476  rundll32.exe  83
Processes
C:\Windows\system32\rundll32.exe
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\f65b4cc9a87df1dd14918f8d295af7ea_JaffaCakes118.dll,#1
  - Suspicious use of WriteProcessMemory
  PID:4072
  C:\Windows\SysWOW64\rundll32.exe
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\f65b4cc9a87df1dd14918f8d295af7ea_JaffaCakes118.dll,#1
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2476
    C:\WINDOWS\mssecsvc.exe
      command line: C:\WINDOWS\mssecsvc.exe
      - Executes dropped EXE
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      PID:640
      C:\WINDOWS\tasksche.exe
        command line: C:\WINDOWS\tasksche.exe /i
        - Executes dropped EXE
        PID:404
C:\WINDOWS\mssecsvc.exe
  command line: C:\WINDOWS\mssecsvc.exe -m security
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3828
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 3.6MB
  MD5: bf914d1d0fb0f1dfd5fbb11ad151635e
  SHA1: 3eee822a80e45b5e5213ab76e4352c68d8d4f452
  SHA256: 684776549b3dee267f9de4e6dff872db586b7bf598fb0a12ec8502f27a8f585f
  SHA512: 0bac688199ec50ef9fea640778a2dbbb50f6cab3fcd221fcbc9eb51a8d0b9ae211f94580238abb466c1cf8850edec051d627503e2735625df740754b0e53007e
- Filesize: 3.4MB
  MD5: fd8c1e7fd01012f3af5fe6b77066a95f
  SHA1: ef75e7626e63144fbdcd2e475362bfd8fc323598
  SHA256: bf2ed6dd2a7bb1ea1c9acf3f0ca2f32ba41e5083d6af10140259f0b439bf2ec3
  SHA512: 29f0bb27a1e51dec26df80c5433d5bbffe8f9391ea7ca15df4de747b3341403f3fd43f438bc13f4b103adfd12232428069040d5eb39ed099714b8a5fa720f534