Analysis
-
max time kernel
150s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
26-09-2024 00:26
Static task
static1
Behavioral task
behavioral1
Sample
f728d59f6ea4c18725fe8b6c86079117_JaffaCakes118.dll
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
f728d59f6ea4c18725fe8b6c86079117_JaffaCakes118.dll
Resource
win10v2004-20240802-en
General
-
Target
f728d59f6ea4c18725fe8b6c86079117_JaffaCakes118.dll
-
Size
5.0MB
-
MD5
f728d59f6ea4c18725fe8b6c86079117
-
SHA1
44e3d94333568875d943bc81827768fc7fc6714f
-
SHA256
faaaf99bc4bfc548a0c429a49cd2b703ab4c41a7ffd2ea1b199cbdb02b5dda2c
-
SHA512
964d7fe8cf504c9c4904fc31e1deb1ee63faf61315c4fd79e52970b5500a4e048a3989adfd7bd00c5e2ada4199105a0c5a09cf70e3a5cae83a0fe1f74dc12e18
-
SSDEEP
49152:JnjQqMSPbcBVQej/1INRx+TSqTdX1HkQo6SAA4R8yAH1plAH:d8qPoBhz1aRxcSUDk36SAlR8yAVp2H
Malware Config
Signatures
-
Wannacry
WannaCry is a ransomware cryptoworm.
-
Contacts a large (3253) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Executes dropped EXE 3 IoCs
pid Process 1300 mssecsvc.exe 2884 mssecsvc.exe 656 tasksche.exe -
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Drops file in Windows directory 2 IoCs
description ioc Process File created C:\WINDOWS\mssecsvc.exe rundll32.exe File created C:\WINDOWS\tasksche.exe mssecsvc.exe -
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mssecsvc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mssecsvc.exe -
Suspicious use of WriteProcessMemory 6 IoCs
description pid Process procid_target PID 3864 wrote to memory of 2248 3864 rundll32.exe 82 PID 3864 wrote to memory of 2248 3864 rundll32.exe 82 PID 3864 wrote to memory of 2248 3864 rundll32.exe 82 PID 2248 wrote to memory of 1300 2248 rundll32.exe 83 PID 2248 wrote to memory of 1300 2248 rundll32.exe 83 PID 2248 wrote to memory of 1300 2248 rundll32.exe 83
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\f728d59f6ea4c18725fe8b6c86079117_JaffaCakes118.dll,#11⤵
- Suspicious use of WriteProcessMemory
PID:3864 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\f728d59f6ea4c18725fe8b6c86079117_JaffaCakes118.dll,#12⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2248 -
C:\WINDOWS\mssecsvc.exeC:\WINDOWS\mssecsvc.exe3⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:1300 -
C:\WINDOWS\tasksche.exeC:\WINDOWS\tasksche.exe /i4⤵
- Executes dropped EXE
PID:656
-
-
-
-
C:\WINDOWS\mssecsvc.exeC:\WINDOWS\mssecsvc.exe -m security1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2884
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3.6MB
MD5145e6161704c8316fe637e77960f55d8
SHA1e8128750c14959e88d8d28f39a4a1f29c4c53560
SHA256f73851e14b6201c691eb975690ae8f8f6bfe89ee7978a8e983e99dde3d8d49ee
SHA512937d3601be8a08d54e19370dc4d83abeaf2e4f380d98c83e7b5446f47c280015161889ad3cb14eca938ebd7e3c2208a17655aad31c7dcb514dae23b6c9518d7f
-
Filesize
3.4MB
MD5cb1e144fb761e259b4a79d9bd500d6eb
SHA1583674dc4ae9a1b366ee664494b1d492326bf4e2
SHA256f002168d4838a8163d9da4b81b3040c726a94ea2c525968b720f77b7088c249b
SHA51263dec5283b59602f17791ad63b0cda12fcb81d748d00067288a09e5321054963f38fcd6e4c6c88de67f4975aab77bb72e052f01bf6deb318f2887206188dce5e