Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
  • submitted
    18-05-2024 16:54

General

  • Target

    55cbc01a52fd5200cd82213465f27996_JaffaCakes118.dll

  • Size

    5.0MB

  • MD5

    55cbc01a52fd5200cd82213465f27996

  • SHA1

    a217c58a62f13a8bfcc7462606078e1bf1f2f405

  • SHA256

    22bbde8f39fab4ba56329699e65d93f8cff435b3f39e7b226afc268546ea8cef

  • SHA512

    2435798f42d1400945e7bf5287bd54e717a157a69060390bc4ff9379b5f5256faa8ba478f9f7aec6eb30dd335de16bfb627a636d6fec01ee8d22b9042e764d85

  • SSDEEP

    24576:SbLgddQhfdmMSirYbcMNgef0QeQjG/D8kIqpbOSSqTPVXmiHkQg6eX6SASk+Kdq/:SnAQqMSPbcBVQej/JSqTdX1HkQo6SAA

Malware Config

Signatures

  • Wannacry

    WannaCry is a ransomware cryptoworm.

  • Contacts a large (3271) amount of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Executes dropped EXE 3 IoCs
  • Creates a large amount of network flows 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Drops file in System32 directory 1 IoCs
  • Drops file in Windows directory 2 IoCs
  • Modifies data under HKEY_USERS 24 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\55cbc01a52fd5200cd82213465f27996_JaffaCakes118.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1384
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\55cbc01a52fd5200cd82213465f27996_JaffaCakes118.dll,#1
      2⤵
      • Drops file in Windows directory
      • Suspicious use of WriteProcessMemory
      PID:2144
      • C:\WINDOWS\mssecsvc.exe
        C:\WINDOWS\mssecsvc.exe
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        PID:2232
        • C:\WINDOWS\tasksche.exe
          C:\WINDOWS\tasksche.exe /i
          4⤵
          • Executes dropped EXE
          PID:2744
  • C:\WINDOWS\mssecsvc.exe
    C:\WINDOWS\mssecsvc.exe -m security
    1⤵
    • Executes dropped EXE
    • Drops file in System32 directory
    • Modifies data under HKEY_USERS
    PID:2816

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\mssecsvc.exe

    Filesize

    3.6MB

    MD5

    ad9925c0d7fda9b48a58439dc7a287c1

    SHA1

    0e912a64bf51d481714b087b4ea10f76aea71fbb

    SHA256

    46c128c262aa0029c228ed4313efcfa2eef29728bbd166998365429500129c75

    SHA512

    d718adda7f8fbaa3839c998d31afa3381157642c2d824b2bb6018b5ad3631346b78d974192a6cbc88792a2f577adeec25de19768687c3fc8cc752a7632ca276b

  • C:\Windows\tasksche.exe

    Filesize

    3.4MB

    MD5

    048a675961ba94a670ab35dc30a8e39f

    SHA1

    7c7c1951edf3c1ec6a8f50e0c5d6688d7b6523a2

    SHA256

    2b089c0115de4cde488409e0783da3ea01042f0768036725e9dad8994d00f1f4

    SHA512

    a1bec9f9f7f8a089312099377cae2e303699672dfff08dccecd8dc3a8a19ebd9107e5fcff45cd275fae8e848a561286c3ab217a31518e7f5eb5b765777965a17