Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
27-09-2024 11:31
Static task
static1
Behavioral task
behavioral1
Sample
fa535790a14062a7194ec07246b7cf34_JaffaCakes118.dll
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
fa535790a14062a7194ec07246b7cf34_JaffaCakes118.dll
Resource
win10v2004-20240802-en
General
-
Target
fa535790a14062a7194ec07246b7cf34_JaffaCakes118.dll
-
Size
5.0MB
-
MD5
fa535790a14062a7194ec07246b7cf34
-
SHA1
22543e3201137fac7ed9c4d4850a397e17141ba5
-
SHA256
efc053c239eb634721b5f7fd805b1ac3a5c9f63dac8fe536e5b284285bb915b2
-
SHA512
d662909337be1078ca2b08199948cfce95ac11940fddf54e97e03a0ca063dda8c5fba6d74ac40d2769c2ca464f4cde0b40317f03833f5bce679f0cfaf020b490
-
SSDEEP
98304:d8qPoBiz1aRxcSUDk36SAEdhvxWa9P593R8yAVp2H:d8qPp1Cxcxk3ZAEUadzR8yc4H
Malware Config
Signatures
-
Wannacry
WannaCry is a ransomware cryptoworm.
-
Contacts a large (3346) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Executes dropped EXE 3 IoCs
pid Process 2656 mssecsvc.exe 4404 mssecsvc.exe 4544 tasksche.exe -
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Drops file in Windows directory 2 IoCs
description ioc Process File created C:\WINDOWS\mssecsvc.exe rundll32.exe File created C:\WINDOWS\tasksche.exe mssecsvc.exe -
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mssecsvc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mssecsvc.exe -
Suspicious use of WriteProcessMemory 6 IoCs
description pid Process procid_target PID 2208 wrote to memory of 1672 2208 rundll32.exe 82 PID 2208 wrote to memory of 1672 2208 rundll32.exe 82 PID 2208 wrote to memory of 1672 2208 rundll32.exe 82 PID 1672 wrote to memory of 2656 1672 rundll32.exe 83 PID 1672 wrote to memory of 2656 1672 rundll32.exe 83 PID 1672 wrote to memory of 2656 1672 rundll32.exe 83
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\fa535790a14062a7194ec07246b7cf34_JaffaCakes118.dll,#11⤵
- Suspicious use of WriteProcessMemory
PID:2208 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\fa535790a14062a7194ec07246b7cf34_JaffaCakes118.dll,#12⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1672 -
C:\WINDOWS\mssecsvc.exeC:\WINDOWS\mssecsvc.exe3⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:2656 -
C:\WINDOWS\tasksche.exeC:\WINDOWS\tasksche.exe /i4⤵
- Executes dropped EXE
PID:4544
-
-
-
-
C:\WINDOWS\mssecsvc.exeC:\WINDOWS\mssecsvc.exe -m security1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4404
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3.6MB
MD5aeaa6b127b01d63c77830db675880bdf
SHA1943ef182101920ae895ab2230c16ee06ebf6ad1e
SHA2563b9b358e0a3f057796fb36f511b1696fbad4482c86b716649cf185fb31d5a3b0
SHA512edfef0d720ca52e7d02110615f40fa8e7885c6fdb0ce274cda968de4cbe98b1be2722a512110fc6d50495c88b2bc9f07640cc39646e05487669fe7fec5eed472
-
Filesize
3.4MB
MD5fde685bad4953169db113ac9a23b3311
SHA1731956d4e7279fe8e32ac680ac777be9d08c1c96
SHA2561716a55ee73e2bc5b95e28037f70387bc3c11d6a3cb181d9b3161d07f656d1d1
SHA5121e116e6797fd07708c44e50d6c3c7ec8a98ba2042fba3a12e84d2046012e25979b37b4f3c92d0a784a289b1e279e95b085b75f4476124ddf330e58b55b635c52