Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20240419-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240419-en, locale:en-us, os:windows7-x64, system
  • submitted
    18-05-2024 21:48

General

  • Target

    56f5f986dea620bcf28e6d3578142d23_JaffaCakes118.dll

  • Size

    5.0MB

  • MD5

    56f5f986dea620bcf28e6d3578142d23

  • SHA1

    b74134312a3fc48171f32ab00ac50798e0a32691

  • SHA256

    d599760e9af9f217d574e67cec0733c7adc5f96d7a1934e4bbea050f33e42960

  • SHA512

    cf2754cec156519706134f888c670bcb0f03c1c69165c923bdc1fe6307045cdc3439877c81f65eccb24b4f69e8cb91de892e2428721c3d0c5cadb220346a43ef

  • SSDEEP

    49152:SnAQqMSPbcBVQej/1INRx+TSqTdX1HkQo6SAARdhnvxJM0H9PAMEc0:+DqPoBhz1aRxcSUDk36SAEdhvxWa9P5

Malware Config

Signatures

  • Wannacry

    WannaCry is a ransomware cryptoworm.

  • Contacts a large number (3194) of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Executes dropped EXE 3 IoCs
  • Creates a large amount of network flows 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Drops file in System32 directory 1 IoCs
  • Drops file in Windows directory 2 IoCs
  • Modifies data under HKEY_USERS 24 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\56f5f986dea620bcf28e6d3578142d23_JaffaCakes118.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2468
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\56f5f986dea620bcf28e6d3578142d23_JaffaCakes118.dll,#1
      2⤵
      • Drops file in Windows directory
      • Suspicious use of WriteProcessMemory
      PID:1952
      • C:\WINDOWS\mssecsvc.exe
        C:\WINDOWS\mssecsvc.exe
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        PID:1692
        • C:\WINDOWS\tasksche.exe
          C:\WINDOWS\tasksche.exe /i
          4⤵
          • Executes dropped EXE
          PID:2700
  • C:\WINDOWS\mssecsvc.exe
    C:\WINDOWS\mssecsvc.exe -m security
    1⤵
    • Executes dropped EXE
    • Drops file in System32 directory
    • Modifies data under HKEY_USERS
    PID:2800

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\mssecsvc.exe

    Filesize

    3.6MB

    MD5

    e23d92f767cb46bceadbc9b039cb8d9e

    SHA1

    0135f4002198925423cac54ce41fc075cc03a727

    SHA256

    114115204096ae929c882417dbedfc2ba188dc375d6156c0576c067d6766fc75

    SHA512

    05bda9a5092758dbb400ded11cd3f780691af7184500257962f43da3dfc3855fa08ddfcaf6693f39c85b3e4b99e619b3709a8ac3d11ec94537dc368f9734d1e7

  • C:\Windows\tasksche.exe

    Filesize

    3.4MB

    MD5

    e3beae48c660a3e53b724363dcf3305e

    SHA1

    5a5ef3797b5c0299c9b73d74f3a7b00894df5951

    SHA256

    2193d112aa2665c42288ae30efbf78516c1b3e118e07a146d439d436599a6307

    SHA512

    b3bea954c114ad7915802f13f7f752253e0b40b43c5ac6e825e1fc5fe3e6f6b72fdfc1ddd6c393daa7521a722bb2738a421f16375cb1254877f7e8b6ce84255b