Analysis

  • max time kernel
    150s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    18-05-2024 20:00

General

  • Target

    56875f22059e653672e66730302965c4_JaffaCakes118.dll

  • Size

    5.0MB

  • MD5

    56875f22059e653672e66730302965c4

  • SHA1

    6ebcf1fd8de63b3b626f71404663f6252444e572

  • SHA256

    0dad13ecfa65bd4210e35201148bc7828a7096c585f94be34cf3cbf274b3fa58

  • SHA512

    f8a8365d66e73265383078683be7c920dd785816007329accb16cfd8bb68a3675b4905a484a2cb583f592601812ae26bde6b123a6721b8497d9b5915f4d8a1a5

  • SSDEEP

    49152:SnAQqMSPbcBVQej/1INRx+TSqTdX1HkQo6SAARvxJM0H9PAMEcaEa:+DqPoBhz1aRxcSUDk36SA0xWa9P5

Malware Config

Signatures

  • Wannacry

    WannaCry is a ransomware cryptoworm.

  • Contacts a large (3189) amount of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Executes dropped EXE 3 IoCs
  • Creates a large amount of network flows 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Drops file in Windows directory 2 IoCs
  • Modifies data under HKEY_USERS 5 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\56875f22059e653672e66730302965c4_JaffaCakes118.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:464
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\56875f22059e653672e66730302965c4_JaffaCakes118.dll,#1
      2⤵
      • Drops file in Windows directory
      • Suspicious use of WriteProcessMemory
      PID:4144
      • C:\WINDOWS\mssecsvc.exe
        C:\WINDOWS\mssecsvc.exe
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        PID:3152
        • C:\WINDOWS\tasksche.exe
          C:\WINDOWS\tasksche.exe /i
          4⤵
          • Executes dropped EXE
          PID:2252
  • C:\WINDOWS\mssecsvc.exe
    C:\WINDOWS\mssecsvc.exe -m security
    1⤵
    • Executes dropped EXE
    • Modifies data under HKEY_USERS
    PID:1376

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\mssecsvc.exe

    Filesize

    3.6MB

    MD5

    e484fbb6c3c94830dd53cb43b850af1b

    SHA1

    66a26256d60d3665a14ba8eaa41b5f029efb72bd

    SHA256

    492cbb421912e5545ce462eb79bbdf216f191c006e43d60f8b06f425eee4e886

    SHA512

    4dbcb069bb1e1e1993646886740121de20f8220ec273cbdef7569b93d91d92d6c6427574d9bec1103de9f1cd34ce791110ee51be075e038b6afa498bcf2bb0de

  • C:\Windows\tasksche.exe

    Filesize

    3.4MB

    MD5

    381da8e46195cf7bdbb5c9e2b70d85ce

    SHA1

    23c66370cea916f080f223d708db474d4b248963

    SHA256

    8db5cffaba42128c71afe64b4c1c1ad01d9cbfa67ac8d68b3e9127b5e8a99bb7

    SHA512

    6c9d649a306922c2e7bda9b9efea1e79a85a11bd3513e87a4cf90bf1fe5d52783fe2cad0b69092a114ce934fca03fe92e830e9649fa28f70b4b8357f69272ba7