Analysis
-
max time kernel
150s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
25-09-2024 17:54
Static task
static1
Behavioral task
behavioral1
Sample
f68cbb34d241534ad6c9d524f79888c0_JaffaCakes118.dll
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
f68cbb34d241534ad6c9d524f79888c0_JaffaCakes118.dll
Resource
win10v2004-20240802-en
General
-
Target
f68cbb34d241534ad6c9d524f79888c0_JaffaCakes118.dll
-
Size
5.0MB
-
MD5
f68cbb34d241534ad6c9d524f79888c0
-
SHA1
d65fbe62b22810d3cea7bbd304df4588185bb71d
-
SHA256
9e92b4611ac954750cfbe08d0a70ceaf8dcf66b2cdf298627349e30ad12a365e
-
SHA512
cf644d687cfb38108507dc65d67e46308efbb9751b015569bca52ffc912baa23544cdf34c8860e83656393d8a67d559558d5a1bf3dbdec84f4bd9ed8b51f528c
-
SSDEEP
49152:JnjQqMSPbcBVQej/1INRx+TSqTdX1HkQo6SAA:d8qPoBhz1aRxcSUDk36SA
Malware Config
Signatures
-
Wannacry
WannaCry is a ransomware cryptoworm.
-
Contacts a large (3367) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Executes dropped EXE 3 IoCs
pid Process 396 mssecsvc.exe 1524 mssecsvc.exe 3824 tasksche.exe -
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Drops file in Windows directory 2 IoCs
description ioc Process File created C:\WINDOWS\mssecsvc.exe rundll32.exe File created C:\WINDOWS\tasksche.exe mssecsvc.exe -
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mssecsvc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mssecsvc.exe -
Suspicious use of WriteProcessMemory 6 IoCs
description pid Process procid_target PID 1376 wrote to memory of 2480 1376 rundll32.exe 82 PID 1376 wrote to memory of 2480 1376 rundll32.exe 82 PID 1376 wrote to memory of 2480 1376 rundll32.exe 82 PID 2480 wrote to memory of 396 2480 rundll32.exe 83 PID 2480 wrote to memory of 396 2480 rundll32.exe 83 PID 2480 wrote to memory of 396 2480 rundll32.exe 83
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\f68cbb34d241534ad6c9d524f79888c0_JaffaCakes118.dll,#11⤵
- Suspicious use of WriteProcessMemory
PID:1376 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\f68cbb34d241534ad6c9d524f79888c0_JaffaCakes118.dll,#12⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2480 -
C:\WINDOWS\mssecsvc.exeC:\WINDOWS\mssecsvc.exe3⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:396 -
C:\WINDOWS\tasksche.exeC:\WINDOWS\tasksche.exe /i4⤵
- Executes dropped EXE
PID:3824
-
-
-
-
C:\WINDOWS\mssecsvc.exeC:\WINDOWS\mssecsvc.exe -m security1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1524
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3.6MB
MD5c5ab4ad72679d9caccb749139362adbb
SHA15e07c023e60b96427ac218fc4e2b3e4b39ad58c3
SHA256c67aa95681360f7e20bbc90d6e7ae9b84f43eb81155812c28843b104e607e71f
SHA512722dc5e4c0acb7f8729967a9662b4ba57c2c73c52eaa9deefb2d94fa8d4e58daff72888646fc4e7983dd1300fbb2710c9830a77e6be2c8428fb52bc219cec089
-
Filesize
3.4MB
MD5a88d66dd7fd6fb40da424b3ecf508dee
SHA17137fc37daf9f2856dc9d26fbb261229a42ec64e
SHA2566112c7300fad6614aba8f1eb37d5b156d45eb93464c70162f6f618ceb821b28f
SHA5121220d4df598e4f705b9990cdc42fefe575f55d07d07aebd96d4bd9234509f65d0bde1d6999b96a031eee183175ba55ab2f1ced44daa5ebc772a8625f107e29dc