Analysis

  • max time kernel
    150s
  • max time network
    154s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
  • submitted
    19-05-2024 18:24

General

  • Target

    5ac6c60b8d52c546cf33cc04eda2fb18_JaffaCakes118.dll

  • Size

    5.0MB

  • MD5

    5ac6c60b8d52c546cf33cc04eda2fb18

  • SHA1

    7b4968ef7409ccae84ac1bd22814dd5d41069f0b

  • SHA256

    e0475dd17f50e05ef796dc93da5e2e8f65567998ed4b4783eb7865f2be82b023

  • SHA512

    5cf29473d2f0a14c3b51b22088d16ecf81c3ca050348a91187fcff357513da071a383882599d6f8f9ea2a7c0a6d1c53081f43a3f44d33c78a3a66f834a6cb645

  • SSDEEP

    12288:yebLgPlu+QhMbaIMu7L5NVErCA4z2g6rTcbckPU82900Ve7:zbLgddQhfdmMSirYbcMNge

Malware Config

Signatures

  • Wannacry

    WannaCry is a ransomware cryptoworm.

  • Contacts a large (3083) amount of remote hosts (1 TTP)

    This may indicate a network scan to discover remotely running services.

  • Executes dropped EXE (3 IoCs)
  • Creates a large amount of network flows (1 TTP)

    This may indicate a network scan to discover remotely running services.

  • Drops file in System32 directory (1 IoC)
  • Drops file in Windows directory (2 IoCs)
  • Modifies data under HKEY_USERS (24 IoCs)
  • Suspicious use of WriteProcessMemory (11 IoCs)

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\5ac6c60b8d52c546cf33cc04eda2fb18_JaffaCakes118.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2128
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\5ac6c60b8d52c546cf33cc04eda2fb18_JaffaCakes118.dll,#1
      2⤵
      • Drops file in Windows directory
      • Suspicious use of WriteProcessMemory
      PID:2408
      • C:\WINDOWS\mssecsvc.exe
        C:\WINDOWS\mssecsvc.exe
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        PID:2420
        • C:\WINDOWS\tasksche.exe
          C:\WINDOWS\tasksche.exe /i
          4⤵
          • Executes dropped EXE
          PID:2628
  • C:\WINDOWS\mssecsvc.exe
    C:\WINDOWS\mssecsvc.exe -m security
    1⤵
    • Executes dropped EXE
    • Drops file in System32 directory
    • Modifies data under HKEY_USERS
    PID:2644

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\mssecsvc.exe

    Filesize

    3.6MB

    MD5

    ac15c0ef7b0cfd62f087ccb06db91f5d

    SHA1

    97c55ce90ecb1197d39c4b3c3f954bd8105c1c31

    SHA256

    40c89149489eb496635372b379a8f5437c01013d0119a480031a183c9fff4b37

    SHA512

    90de24ed02957057ab5dcb5e97fc03f1165ac97dff491709854eaec2c959c65e10b8a1ca17ee87d3a147d0c6b22d55b86ca99c8365e794271a0179dbf6cf3c94

  • C:\Windows\tasksche.exe

    Filesize

    3.4MB

    MD5

    34f58fbfb5b65d11ddc3b677b9907737

    SHA1

    c5e77e73425a71201303fdc5d9ad47d466c57a4f

    SHA256

    d1843b9bbc6b2b0ada802108622174ec06a7602f072d72f9b94f1061ba174e03

    SHA512

    3320d98e7eb92cda02aff16e7cd47b2c2ca5c7e43b581bc78fa1321f82ccb85f0bf619071e3cb5304a4ac526cb9f4cc5c1e1533c8035ebc2f4000211ea12f1d5