Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20240220-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
  • submitted
    19-05-2024 21:29

General

  • Target

    5b8fb99dcfc1089a3abced87b213a7fd_JaffaCakes118.dll

  • Size

    5.0MB

  • MD5

    5b8fb99dcfc1089a3abced87b213a7fd

  • SHA1

    220bd0fb997d2a212ebef550d4f3c05230ee3379

  • SHA256

    2a529b40784ededb4ff870f10dfe9c1f004706f24196f1ec97ea7139255bc129

  • SHA512

    2b21c0e61960e68d095687d9e81d32b1560fe44a6b2729cdc6ad9e5d88475f15f3388502589f136eabc8ff4b35ba4b8576ab3c923a2c2170eb998731efed1571

  • SSDEEP

    98304:+DqPoBhz1aRxcSUk36SAEdhvxWa9P593R8yAVp2:+DqPe1Cxci3ZAEUadzR8yc4

Malware Config

Signatures

  • Wannacry

    WannaCry is a ransomware cryptoworm.

  • Contacts a large (3229) amount of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Executes dropped EXE 3 IoCs
  • Creates a large amount of network flows 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Drops file in System32 directory 1 IoCs
  • Drops file in Windows directory 2 IoCs
  • Modifies data under HKEY_USERS 24 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\5b8fb99dcfc1089a3abced87b213a7fd_JaffaCakes118.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2040
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\5b8fb99dcfc1089a3abced87b213a7fd_JaffaCakes118.dll,#1
      2⤵
      • Drops file in Windows directory
      • Suspicious use of WriteProcessMemory
      PID:1284
      • C:\WINDOWS\mssecsvc.exe
        C:\WINDOWS\mssecsvc.exe
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        PID:2020
        • C:\WINDOWS\tasksche.exe
          C:\WINDOWS\tasksche.exe /i
          4⤵
          • Executes dropped EXE
          PID:2808
  • C:\WINDOWS\mssecsvc.exe
    C:\WINDOWS\mssecsvc.exe -m security
    1⤵
    • Executes dropped EXE
    • Drops file in System32 directory
    • Modifies data under HKEY_USERS
    PID:2648

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\mssecsvc.exe

    Filesize

    3.6MB

    MD5

    041b27b42ab74cb6ce9723a0b6475426

    SHA1

    ab3441590d43921d7a6d0bd8875bbb089c7a88d7

    SHA256

    265a57fe143250be0f032dddbd3c7a219969d0a09172b1bdb91eaabc2ae39b19

    SHA512

    32786239de6f5cee56ee8a68faa4a7b9916e2db5bbb69d1f5d4236189789531879c7531c9409af77d3fac679f319c46a38af3796374ca71d5d8ef1922075ac4f

  • C:\Windows\tasksche.exe

    Filesize

    3.4MB

    MD5

    233e77fbd64fce3df5d4e1dbf2d5222c

    SHA1

    deeea9b45bcc575790236ac9db9730ec9dc14ea6

    SHA256

    2aa9788c06731fcc190c1f67ff7dbc4c87340b563acbd02df6e9e3f1ddd3f963

    SHA512

    e5889bc5bfaa73d62d9d9d94c769690867059672a10d494a0131389a51e9c018fd97cc93d1b2be24b484924c77910a60d32b6cdeba8bca4eaeac6694ab8092b0