Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20240215-en
  • resource tags

    arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
  • submitted
    18-05-2024 07:52

General

  • Target

    53b1c379f045426c1e90ae72a411a7b0_JaffaCakes118.dll

  • Size

    5.0MB

  • MD5

    53b1c379f045426c1e90ae72a411a7b0

  • SHA1

    0e69bbd360d8b77280411d828eba74935bf9a76f

  • SHA256

    96980e2650d9389d0f72f8271eb54a26d86c599789ee0d3fc4bfb826b0eda2fa

  • SHA512

    b059ff053a6a83e95c589b6e13aee88082a7202b882d91bd0d185ed9b8d6a56431d9efeb5c9914a3fb3f8dc7e64b8c3111e2993c6b04db9d7c8be0f9e0268235

  • SSDEEP

    49152:znwQqMSPbcBVQej/1YNRNSxCDQatcqPc2r+6h40WpVgbgm5xz2Il23ZzgttoIvuv:TTqPoBhz1KRVY9gqBQcQQ

Malware Config

Signatures

  • Wannacry

    WannaCry is a ransomware cryptoworm.

  • Contacts a large (3207) amount of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Executes dropped EXE 3 IoCs
  • Creates a large amount of network flows 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Drops file in System32 directory 1 IoCs
  • Drops file in Windows directory 2 IoCs
  • Modifies data under HKEY_USERS 24 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\53b1c379f045426c1e90ae72a411a7b0_JaffaCakes118.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1568
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\53b1c379f045426c1e90ae72a411a7b0_JaffaCakes118.dll,#1
      2⤵
      • Drops file in Windows directory
      • Suspicious use of WriteProcessMemory
      PID:2872
      • C:\WINDOWS\mssecsvc.exe
        C:\WINDOWS\mssecsvc.exe
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        PID:2908
        • C:\WINDOWS\tasksche.exe
          C:\WINDOWS\tasksche.exe /i
          4⤵
          • Executes dropped EXE
          PID:2444
  • C:\WINDOWS\mssecsvc.exe
    C:\WINDOWS\mssecsvc.exe -m security
    1⤵
    • Executes dropped EXE
    • Drops file in System32 directory
    • Modifies data under HKEY_USERS
    PID:2668

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\mssecsvc.exe

    Filesize

    3.6MB

    MD5

    c617575d4b84aa326618ff57b15c8f68

    SHA1

    15940ac6ea18245b50a803c1e93072141460e51d

    SHA256

    c2cef4b60170d11927ab5adc19c87251c604a4c070aef560883a20c037e7426d

    SHA512

    46706d77398f0dc982ffb5a23d4e973d1591dd7d3c6e94c2be7ef5b76e4b12f7786d331c941a0d752592ee5959589f7513854477aa1f24a23239be71f8b98f41

  • C:\Windows\tasksche.exe

    Filesize

    3.4MB

    MD5

    ffb7d6d6c887ea3959edaa4c5af25c56

    SHA1

    e487620f1c68f8f1dda6709a69528665cd2e9631

    SHA256

    0961903f48291047625bec39b5623ce9a4c82ffba812687fa5368d6c5d3db764

    SHA512

    e7e6ac22c230e1850773319542d9bc7a3da30a643faf7fd6be3e2fafb98d950a9fcc96a34a201a74f0f157fcfa5c6d197dc0ea75b54ba43085e0575dd2368a60