Analysis

  • max time kernel
    150s
  • max time network
    156s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
  • submitted
    18-05-2024 18:59

General

  • Target

    564ee3bd9772165b78ad5bb17cb1a1cc_JaffaCakes118.dll

  • Size

    5.0MB

  • MD5

    564ee3bd9772165b78ad5bb17cb1a1cc

  • SHA1

    0b4d231ef30ae83c392c6aea19adbf6a914cbd05

  • SHA256

    ecd02032a29ce1e0dc3221bfadc26378a0d70d31af9b979e27b9cc3c15ebd556

  • SHA512

    e907dabc8d6f6db1a973d5ecc8cb910dafd50f6ad07dd54efab9cb4c6f5ea020208e020d11e4f2f9f4169a900d2cf3d30245bee243112ef4b37d477a957bb7b2

  • SSDEEP

    98304:TDqPoBhz1aRxcSUDkKSV8tAT2q9c5fDaNwbQf1YTza3R8yAVp2H:TDqPe1Cxcxk5W82q9ctOi46ER8yc4H

Malware Config

Signatures

  • Wannacry

    WannaCry is a ransomware cryptoworm.

  • Contacts a large (3304) amount of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Executes dropped EXE 3 IoCs
  • Creates a large amount of network flows 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Drops file in System32 directory 1 IoCs
  • Drops file in Windows directory 2 IoCs
  • Modifies data under HKEY_USERS 24 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\564ee3bd9772165b78ad5bb17cb1a1cc_JaffaCakes118.dll,#1
    • Suspicious use of WriteProcessMemory
    PID:2196
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\564ee3bd9772165b78ad5bb17cb1a1cc_JaffaCakes118.dll,#1
      • Drops file in Windows directory
      • Suspicious use of WriteProcessMemory
      PID:2952
      • C:\WINDOWS\mssecsvc.exe
        C:\WINDOWS\mssecsvc.exe
        • Executes dropped EXE
        • Drops file in Windows directory
        PID:2968
        • C:\WINDOWS\tasksche.exe
          C:\WINDOWS\tasksche.exe /i
          • Executes dropped EXE
          PID:2676
  • C:\WINDOWS\mssecsvc.exe
    C:\WINDOWS\mssecsvc.exe -m security
    • Executes dropped EXE
    • Drops file in System32 directory
    • Modifies data under HKEY_USERS
    PID:2132

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\mssecsvc.exe

    Filesize

    3.6MB

    MD5

    a078919b41cb5f2910f173cfeeeece01

    SHA1

    c85e73c603b5f5a24ed56dc345d8e1e4c3f97ffc

    SHA256

    be31b854aaf05322fc57155f33aa4dd25ad03f8ea4ae29cc43f6f7b9565d83d5

    SHA512

    db13a39e5606f20b85ea04eccfa1afe45e668420916fb39cded3d3f849d2c337d6897f13d2e4564a5b51ba701591e083cb9b9d4e02b99b9004ef45c9277776ee

  • C:\Windows\tasksche.exe

    Filesize

    3.4MB

    MD5

    7794ecf854788633840ba9a189643fed

    SHA1

    6c845989bc09c4dd7709f323f0f07224786c151c

    SHA256

    03c8ad9400ffa45d423936bac98879b1973c1210641da3e7061f6c21932c9ba1

    SHA512

    ec44f726b55d2cf4dbe87530d19cffa52687fadbbddf100933023b9405def738772464224c064820ca3c8b70c7576232123656dafffbd426a18e8f7ad9d5fa94