Analysis

  • max time kernel
    151s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    18-05-2024 12:45

General

  • Target

    54c48809de13c43efc75791debe5955c_JaffaCakes118.dll

  • Size

    5.0MB

  • MD5

    54c48809de13c43efc75791debe5955c

  • SHA1

    29fb15e99dd61101470cb837c06bbd15796e2969

  • SHA256

    3e5c35fca4c6ab1655e58e7ba76aa2a250254009a256cdaf4c5964b112f46287

  • SHA512

    51d3ca0f14ca9a1722713010e22d1e5e5a18790cbb5832366e6498e5570b734c290d21fd3d62ec23292e8e18f17cf56efcef3ccf231ad2d2c63d02d7af2c76a4

  • SSDEEP

    98304:+DqPoBhz1aRxcSUDkvEdhvxWa9P593R8yAVp2H:+DqPe1CxcxkvEUadzR8yc4H

Malware Config

Signatures

  • Wannacry

    WannaCry is a ransomware cryptoworm.

  • Contacts a large (2946) amount of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Executes dropped EXE 3 IoCs
  • Creates a large amount of network flows 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Drops file in Windows directory 2 IoCs
  • Modifies data under HKEY_USERS 5 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\54c48809de13c43efc75791debe5955c_JaffaCakes118.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2468
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\54c48809de13c43efc75791debe5955c_JaffaCakes118.dll,#1
      2⤵
      • Drops file in Windows directory
      • Suspicious use of WriteProcessMemory
      PID:3484
      • C:\WINDOWS\mssecsvc.exe
        C:\WINDOWS\mssecsvc.exe
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        PID:5036
        • C:\WINDOWS\tasksche.exe
          C:\WINDOWS\tasksche.exe /i
          4⤵
          • Executes dropped EXE
          PID:3428
  • C:\WINDOWS\mssecsvc.exe
    C:\WINDOWS\mssecsvc.exe -m security
    1⤵
    • Executes dropped EXE
    • Modifies data under HKEY_USERS
    PID:4460
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4232 --field-trial-handle=2656,i,16940681401824032220,151921362336696246,262144 --variations-seed-version /prefetch:8
    1⤵
      PID:1712

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Windows\mssecsvc.exe

      Filesize

      3.6MB

      MD5

      e8de8210a18474609a2c1cb8d3478e8e

      SHA1

      0ca4c288766ffe7d781eb614dfa0749d83309119

      SHA256

      1421834d975473ef9e32bc6a0f3390b85eb2ad94394862f2ecbcc0afa902de9e

      SHA512

      68d2f2eeb9902616e33c4355ef4fcdc90e3dda692cb1c0b81259dae4401ac66bbd52865222731ce3557f27c1862f30eb4546023e349347e8ee01dff62be8bfdd

    • C:\Windows\tasksche.exe

      Filesize

      3.4MB

      MD5

      b2f70a339fff3f13cc4f4689f5c6f0fb

      SHA1

      4a3a2fa748cdb3e848ad2b86d39fcc3422363d93

      SHA256

      005b069f3c712cb6df1bbe0e6301266c71e40634816bf7fe292f137785f81ec3

      SHA512

      46de40699aeae6afbc4a11de30b3dea3d2ca78c76ceff19ad401729b204970e85909430cb099603fdc50d545b1c2c73fc66d43214a47f505db6cee96f53f4382