Analysis

  • max time kernel
    151s
  • max time network
    157s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    18-05-2024 19:30

General

  • Target

    56676839d1325a3d51d478f79d292b32_JaffaCakes118.dll

  • Size

    5.0MB

  • MD5

    56676839d1325a3d51d478f79d292b32

  • SHA1

    c8b24b041661f8a1f4b16691d8973961ab4a7fd4

  • SHA256

    f73ef92a463852a6ab8e141805a52a85dba0ce251d8e1a2b3dc27412c25e4806

  • SHA512

    880b4e1498285f6da929dc8001665e5e72ba3e6c16fc57d819429ac595fb4253789d38f5c457a7b5d3c374f3dedbd3aaaf4621f5a8e3e25279d46c571007e5eb

  • SSDEEP

    12288:n6bLgPlu+QhMbaIMu7L5NVErCA4z2g6rTcbckPU82900Ve7zw+K+Dx:6bLgddQhfdmMSirYbcMNgef0

Malware Config

Signatures

  • Wannacry

    WannaCry is a ransomware cryptoworm.

  • Contacts a large (3159) amount of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Executes dropped EXE 2 IoCs
  • Creates a large amount of network flows 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Drops file in System32 directory 1 IoCs
  • Drops file in Windows directory 2 IoCs
  • Modifies data under HKEY_USERS 24 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: MapViewOfSection 44 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\system32\wininit.exe
    wininit.exe
    1⤵
      PID:376
      • C:\Windows\system32\services.exe
        C:\Windows\system32\services.exe
        2⤵
          PID:468
          • C:\Windows\system32\svchost.exe
            C:\Windows\system32\svchost.exe -k DcomLaunch
            3⤵
              PID:608
              • C:\Windows\system32\DllHost.exe
                C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
                4⤵
                  PID:2324
                • C:\Windows\system32\DllHost.exe
                  C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
                  4⤵
                    PID:2764
                • C:\Windows\system32\svchost.exe
                  C:\Windows\system32\svchost.exe -k RPCSS
                  3⤵
                    PID:688
                  • C:\Windows\System32\svchost.exe
                    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
                    3⤵
                      PID:764
                    • C:\Windows\System32\svchost.exe
                      C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
                      3⤵
                        PID:820
                        • C:\Windows\system32\Dwm.exe
                          "C:\Windows\system32\Dwm.exe"
                          4⤵
                            PID:1312
                        • C:\Windows\system32\svchost.exe
                          C:\Windows\system32\svchost.exe -k netsvcs
                          3⤵
                            PID:848
                          • C:\Windows\system32\svchost.exe
                            C:\Windows\system32\svchost.exe -k LocalService
                            3⤵
                              PID:1008
                            • C:\Windows\system32\svchost.exe
                              C:\Windows\system32\svchost.exe -k NetworkService
                              3⤵
                                PID:304
                              • C:\Windows\System32\spoolsv.exe
                                C:\Windows\System32\spoolsv.exe
                                3⤵
                                  PID:288
                                • C:\Windows\system32\svchost.exe
                                  C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
                                  3⤵
                                    PID:1028
                                  • C:\Windows\system32\taskhost.exe
                                    "taskhost.exe"
                                    3⤵
                                      PID:1220
                                    • C:\Windows\system32\svchost.exe
                                      C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
                                      3⤵
                                        PID:2272
                                      • C:\Windows\system32\sppsvc.exe
                                        C:\Windows\system32\sppsvc.exe
                                        3⤵
                                          PID:2768
                                        • C:\WINDOWS\mssecsvc.exe
                                          C:\WINDOWS\mssecsvc.exe -m security
                                          3⤵
                                          • Executes dropped EXE
                                          • Drops file in System32 directory
                                          • Modifies data under HKEY_USERS
                                          • Suspicious behavior: EnumeratesProcesses
                                          • Suspicious behavior: MapViewOfSection
                                          • Suspicious use of AdjustPrivilegeToken
                                          PID:2628
                                      • C:\Windows\system32\lsass.exe
                                        C:\Windows\system32\lsass.exe
                                        2⤵
                                          PID:484
                                        • C:\Windows\system32\lsm.exe
                                          C:\Windows\system32\lsm.exe
                                          2⤵
                                            PID:492
                                        • C:\Windows\system32\csrss.exe
                                          %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
                                          1⤵
                                            PID:384
                                          • C:\Windows\system32\winlogon.exe
                                            winlogon.exe
                                            1⤵
                                              PID:424
                                            • C:\Windows\Explorer.EXE
                                              C:\Windows\Explorer.EXE
                                              1⤵
                                                PID:1368
                                                • C:\Windows\system32\rundll32.exe
                                                  rundll32.exe C:\Users\Admin\AppData\Local\Temp\56676839d1325a3d51d478f79d292b32_JaffaCakes118.dll,#1
                                                  2⤵
                                                  • Suspicious use of WriteProcessMemory
                                                  PID:3008
                                                  • C:\Windows\SysWOW64\rundll32.exe
                                                    rundll32.exe C:\Users\Admin\AppData\Local\Temp\56676839d1325a3d51d478f79d292b32_JaffaCakes118.dll,#1
                                                    3⤵
                                                    • Drops file in Windows directory
                                                    • Suspicious use of WriteProcessMemory
                                                    PID:2752
                                                    • C:\WINDOWS\mssecsvc.exe
                                                      C:\WINDOWS\mssecsvc.exe
                                                      4⤵
                                                      • Executes dropped EXE
                                                      • Drops file in Windows directory
                                                      • Suspicious behavior: EnumeratesProcesses
                                                      • Suspicious behavior: MapViewOfSection
                                                      • Suspicious use of AdjustPrivilegeToken
                                                      • Suspicious use of WriteProcessMemory
                                                      PID:2600

                                              Network

                                              MITRE ATT&CK Enterprise v15

                                              Replay Monitor

                                              Loading Replay Monitor...

                                              Downloads

                                              • C:\Windows\mssecsvc.exe

                                                Filesize

                                                3.6MB

                                                MD5

                                                33f61e96560dac487704a979691d0643

                                                SHA1

                                                62cc63f85ba81f4e93218951766626b316e64270

                                                SHA256

                                                085f4b0e113d68fe8559119f38d67d0e3b1975b55df28f645fcb1cd260939982

                                                SHA512

                                                09c3dbb906d552ae0aa39d38f0c62bebe288c04187d71aebe688a6e9f37ab515650b7a199dd1bd6600c4d9737f25259ea3ecf786e8e451a42f7198d38d0c36ad

                                              • memory/2600-6-0x0000000000400000-0x0000000000A72000-memory.dmp

                                                Filesize

                                                6.4MB

                                              • memory/2600-8-0x0000000077650000-0x0000000077651000-memory.dmp

                                                Filesize

                                                4KB

                                              • memory/2600-7-0x000000007764F000-0x0000000077650000-memory.dmp

                                                Filesize

                                                4KB

                                              • memory/2600-14-0x000000007EF80000-0x000000007EF8C000-memory.dmp

                                                Filesize

                                                48KB

                                              • memory/2600-13-0x000000007764F000-0x0000000077650000-memory.dmp

                                                Filesize

                                                4KB

                                              • memory/2600-12-0x0000000077650000-0x0000000077651000-memory.dmp

                                                Filesize

                                                4KB

                                              • memory/2600-15-0x0000000000400000-0x0000000000A72000-memory.dmp

                                                Filesize

                                                6.4MB