Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
  • submitted
    19-05-2024 06:00

General

  • Target

    58e4dd302ee80981a611575f66e97a42_JaffaCakes118.dll

  • Size

    5.0MB

  • MD5

    58e4dd302ee80981a611575f66e97a42

  • SHA1

    c686c2bfd1b97355f4bc0503ede39e0878bb156e

  • SHA256

    cf2b25d102663d07f13719f79964104a3259d33742fdbc04bf23e7aa3159da7a

  • SHA512

    00383c19ad3d5e4f35c5a63a7dece53d76af3ceb4f1c5dfca7d5223d79417dfbb0da365ee574d682d4d61b4fc0e3981d2293441a35c05950e9217dc446dd0fb4

  • SSDEEP

    98304:+DqPoBhzecSUDk36SAEdhvxWa9P59H2H:+DqPeecxk3ZAEUadyH

Malware Config

Signatures

  • Wannacry

    WannaCry is a ransomware cryptoworm.

  • Contacts a large (3125) amount of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Executes dropped EXE 3 IoCs
  • Creates a large amount of network flows 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Drops file in Windows directory 2 IoCs
  • Modifies data under HKEY_USERS 5 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\58e4dd302ee80981a611575f66e97a42_JaffaCakes118.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:644
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\58e4dd302ee80981a611575f66e97a42_JaffaCakes118.dll,#1
      2⤵
      • Drops file in Windows directory
      • Suspicious use of WriteProcessMemory
      PID:3284
      • C:\WINDOWS\mssecsvc.exe
        C:\WINDOWS\mssecsvc.exe
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        PID:2472
        • C:\WINDOWS\tasksche.exe
          C:\WINDOWS\tasksche.exe /i
          4⤵
          • Executes dropped EXE
          PID:3872
  • C:\WINDOWS\mssecsvc.exe
    C:\WINDOWS\mssecsvc.exe -m security
    1⤵
    • Executes dropped EXE
    • Modifies data under HKEY_USERS
    PID:3972

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\mssecsvc.exe

    Filesize

    3.6MB

    MD5

    ed9f1204b100861ff8fc0ec07ac0727e

    SHA1

    7ede963ee44aab7fed736f83a87876625b373d12

    SHA256

    cbdf1a6a1f64981ac929d6d5ece3b539bdb7c2562db85c0b7343ea569c131f2b

    SHA512

    d39a72860ca22e87137cec616c6b364a122a5d5868235614dd36cda4be47b24b8cf4964ef52eaa0d0d50b6259cc9863921a926e874b7eaf663c38f7be5899715

  • C:\Windows\tasksche.exe

    Filesize

    3.4MB

    MD5

    43a60b4d1577c679f43697c769e52fa6

    SHA1

    dd1e25dca3747bddb33ecc4f61b6030cc4a47d38

    SHA256

    5ce4b4f9680c4e7245e0e53613664ab07acd1353d5e07ad0782f57774c659c39

    SHA512

    ef33c93223a05eccd9a37749efd891449433c31728df035cf0e587d62be126689428ca96de9ad926c4b79c2552d5f20966e7f12dab00638544ce2a09682ef1d8