Analysis

  • max time kernel
    150s
  • max time network
    153s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags

    arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
  • submitted
    19-05-2024 23:31

General

  • Target

    5c0cd89d9e1ff7747387ab9bee7d43c5_JaffaCakes118.dll

  • Size

    5.0MB

  • MD5

    5c0cd89d9e1ff7747387ab9bee7d43c5

  • SHA1

    4f865521d897a753e087bb44f25fc2602b4e5b20

  • SHA256

    91fb89ed984138ddff0efe9056a013f9d463ff1902f07e39e23bed48854c3aaf

  • SHA512

    625502fadb3f31d20a987a39de159e66105b7b15d25e616132fc5320860b320c0ef4f07f0993c0a24ae21f32d2c621f0a4e633522b360872705a4ff2cf6dec8e

  • SSDEEP

    98304:TDqPoBhzFaRxcSUDk36SAEdhvxWa9P593:TDqPeFCxcxk3ZAEUadz

Malware Config

Signatures

  • Wannacry

    WannaCry is a ransomware cryptoworm.

  • Contacts a large number (3235) of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Executes dropped EXE 3 IoCs
  • Creates a large amount of network flows 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Drops file in System32 directory 1 IoCs
  • Drops file in Windows directory 2 IoCs
  • Modifies data under HKEY_USERS 24 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\5c0cd89d9e1ff7747387ab9bee7d43c5_JaffaCakes118.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1880
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\5c0cd89d9e1ff7747387ab9bee7d43c5_JaffaCakes118.dll,#1
      2⤵
      • Drops file in Windows directory
      • Suspicious use of WriteProcessMemory
      PID:2096
      • C:\WINDOWS\mssecsvc.exe
        C:\WINDOWS\mssecsvc.exe
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        PID:1664
        • C:\WINDOWS\tasksche.exe
          C:\WINDOWS\tasksche.exe /i
          4⤵
          • Executes dropped EXE
          PID:2712
  • C:\WINDOWS\mssecsvc.exe
    C:\WINDOWS\mssecsvc.exe -m security
    1⤵
    • Executes dropped EXE
    • Drops file in System32 directory
    • Modifies data under HKEY_USERS
    PID:2184

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\mssecsvc.exe

    Filesize

    3.6MB

    MD5

    6b6feafa11e3352d7637c80ed10aadad

    SHA1

    f94d3f9219df5be4a7ea8241d4938553c0a40dba

    SHA256

    5623dfc6e8a88f6f0db827ddc3088700c431d7dac5bbad6c4daf6b9845026a97

    SHA512

    f534552f016428a08fb231bca77e641cd0b1e56ecbb4597a5e7aedc52df87c6cf9fa11df1e4ee3f011d17520d1969beefece1c289d4a5b24a46b9d522fdfc794

  • C:\Windows\tasksche.exe

    Filesize

    3.4MB

    MD5

    c23b733cb4b2e6cc839470cbbed68602

    SHA1

    3936b151af1ac7bf399ef3081f595d8c51cd9c4c

    SHA256

    73d252a066bc6754f3f77152c099ba9889e3561523b050013f24bb16eee19d23

    SHA512

    69e8a592ad583742ffa38752c6fce505f2c4f0491e6e77310fca55509581217bdd6a3b1ad37f63531a0b335d15d85b86af81b0bbc769b5618613937f7495601c