Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    19-05-2024 05:12

General

  • Target

    58b7152ec0599aaf336db5f8df6e3647_JaffaCakes118.dll

  • Size

    5.0MB

  • MD5

    58b7152ec0599aaf336db5f8df6e3647

  • SHA1

    bfcafc318679ec430a5d88d32f9476db35c108af

  • SHA256

    e82f6b644a96bf2319c217eab06d7fc0c2e4b1a49d15895e7959231e4521da86

  • SHA512

    e6df2efd598a58209c361d226c1a5caab6619a7a4911f5a9c3549ee1c447e9068cffc6dc906511ecc1db61c9b3c65067479a30ed0de59da801f9acbec38fa520

  • SSDEEP

    98304:TDqPoBhz1aRxcSUZk36SAEdhvxWa9P5uR8yAVp2H:TDqPe1Cxc7k3ZAEUadgR8yc4H

Malware Config

Signatures

  • Wannacry

    WannaCry is a ransomware cryptoworm.

  • Contacts a large (3289) amount of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Executes dropped EXE 3 IoCs
  • Creates a large amount of network flows 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Drops file in Windows directory 2 IoCs
  • Modifies data under HKEY_USERS 5 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\58b7152ec0599aaf336db5f8df6e3647_JaffaCakes118.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1392
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\58b7152ec0599aaf336db5f8df6e3647_JaffaCakes118.dll,#1
      2⤵
      • Drops file in Windows directory
      • Suspicious use of WriteProcessMemory
      PID:2940
      • C:\WINDOWS\mssecsvc.exe
        C:\WINDOWS\mssecsvc.exe
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        PID:1208
        • C:\WINDOWS\tasksche.exe
          C:\WINDOWS\tasksche.exe /i
          4⤵
          • Executes dropped EXE
          PID:5080
  • C:\WINDOWS\mssecsvc.exe
    C:\WINDOWS\mssecsvc.exe -m security
    1⤵
    • Executes dropped EXE
    • Modifies data under HKEY_USERS
    PID:4512

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\mssecsvc.exe

    Filesize

    3.6MB

    MD5

    58091afae2724ff87eaffe7094c46bd9

    SHA1

    5208f090ddf4c4f7188aaea70a9af7446ceef673

    SHA256

    83519ac27cddf8ffbb13aafb222e785be524979295d9c31f7e442513ab53668d

    SHA512

    e14ed656e4aef6b6e2fa98db68491bb3058f4d248c4d37e82ba07d99c7de086addaa9ba76c3d0460dcaa4d137ebce328b7f70dc7b367b068ecb1cce1f3e9774c

  • C:\Windows\tasksche.exe

    Filesize

    3.4MB

    MD5

    db907ac4209f3d5f7e04a4eec7c684ef

    SHA1

    1b282679e203159340fc5c4553095e1718f581dd

    SHA256

    02be61c18e061e7b410f76a3685b5e18c13f506fc7b136f75413c45171d1f8d7

    SHA512

    5bedd41a11ff739260bbd0553e55d365109733df1a722cfd8284e71abe8a347a04d0f282e1593711b79168773712fe8b5b0c66baa7eb0a480a09084577945531