Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
  • submitted
    18-05-2024 05:16

General

  • Target

    532d2aa524c740fb4a2872f3a2e832ed_JaffaCakes118.dll

  • Size

    5.0MB

  • MD5

    532d2aa524c740fb4a2872f3a2e832ed

  • SHA1

    c7a3793513330e3506c63c3b96d15587961b7cb3

  • SHA256

    b344f5188b656c7793b071d8fa426594bccc088850daa754fca36aea5a02336f

  • SHA512

    40c192ae6dc85c1efb25ee5d29f657026de40221b79932c5def962b5da98456d79d56692a8c1d190fc8a40b75c8dcad3564e0f79bbbd33e9df237faabbff730b

  • SSDEEP

    49152:SnAQqMSPbcBVQej/1INRx+TSqTdX1HkQo6SAA:+DqPoBhz1aRxcSUDk36SA

Malware Config

Signatures

  • Wannacry

    WannaCry is a ransomware cryptoworm.

  • Contacts a large (3135) amount of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Executes dropped EXE 3 IoCs
  • Creates a large amount of network flows 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Drops file in Windows directory 2 IoCs
  • Modifies data under HKEY_USERS 5 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\532d2aa524c740fb4a2872f3a2e832ed_JaffaCakes118.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1468
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\532d2aa524c740fb4a2872f3a2e832ed_JaffaCakes118.dll,#1
      2⤵
      • Drops file in Windows directory
      • Suspicious use of WriteProcessMemory
      PID:5044
      • C:\WINDOWS\mssecsvc.exe
        C:\WINDOWS\mssecsvc.exe
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        PID:4516
        • C:\WINDOWS\tasksche.exe
          C:\WINDOWS\tasksche.exe /i
          4⤵
          • Executes dropped EXE
          PID:4848
  • C:\WINDOWS\mssecsvc.exe
    C:\WINDOWS\mssecsvc.exe -m security
    1⤵
    • Executes dropped EXE
    • Modifies data under HKEY_USERS
    PID:3152

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\WINDOWS\mssecsvc.exe

    Filesize

    3.6MB

    MD5

    8892575d1e40c5b1dde7a28b4482284c

    SHA1

    3a4829e7e4f5b971b77fa24ef1580380ae421f9c

    SHA256

    8e02f2f82b20e4ba86ea9e401ac0dcd0caed08c9fd9f4d52190737d5c0866cf7

    SHA512

    2099f769466a6de09b9d9b90ee740f7cab78bf183472fb72daa4494478ba8fd49c1800326c4606ee360537549d621caa1a3c7f752f6eaa4efef927fa6b7c3f08

  • C:\Windows\tasksche.exe

    Filesize

    3.4MB

    MD5

    0631566ff11abecff0dd421d3c1670e1

    SHA1

    8595d74acbb4879ea3ebf11cf51d8bca334a2d0a

    SHA256

    98769aad0201df690a92fe6e6c4b8c368109eeac7deca69f8214c92da4b42ea1

    SHA512

    a41c4b2c1031ca8397fd3e20a3316b177cd07aa59b32f9460c9c6afb6e9fd33cf06785b3754d551a740ffd39eae2049a8fc41964fc4ac0a73928c61a3e8c759a