Analysis

  • max time kernel
    150s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
  • submitted
    20-05-2024 02:15

General

  • Target

    5cab58ca89303bf395a7a21c0d81b891_JaffaCakes118.dll

  • Size

    5.0MB

  • MD5

    5cab58ca89303bf395a7a21c0d81b891

  • SHA1

    0354d0a4ebb2255d10f3dc68c15c74bb745fd082

  • SHA256

    235303a669bc611ea436a4a300c3171c085cc32c0d3dad4f4c720ebe64f8c0d7

  • SHA512

    c84b21fc53e24f649103a9a1e43e6511889e9cc1a98366aa890d173f7c5be1700533bc97ed6caac0da0de895558af5fd7be5e47749f645ba254360c1c74ad15d

  • SSDEEP

    24576:SbLgddQhfdmMSirYbcMNgef0QeQjG/D8kIqRdsb53K7jSWl1y:SnAQqMSPbcBVQej/1dsNwHl1

Malware Config

Signatures

  • Wannacry

    WannaCry is a ransomware cryptoworm.

  • Contacts a large (3286) amount of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Executes dropped EXE 3 IoCs
  • Creates a large amount of network flows 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Drops file in Windows directory 2 IoCs
  • Modifies data under HKEY_USERS 5 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\5cab58ca89303bf395a7a21c0d81b891_JaffaCakes118.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2780
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\5cab58ca89303bf395a7a21c0d81b891_JaffaCakes118.dll,#1
      2⤵
      • Drops file in Windows directory
      • Suspicious use of WriteProcessMemory
      PID:4048
      • C:\WINDOWS\mssecsvc.exe
        C:\WINDOWS\mssecsvc.exe
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        PID:4812
        • C:\WINDOWS\tasksche.exe
          C:\WINDOWS\tasksche.exe /i
          4⤵
          • Executes dropped EXE
          PID:3916
  • C:\WINDOWS\mssecsvc.exe
    C:\WINDOWS\mssecsvc.exe -m security
    1⤵
    • Executes dropped EXE
    • Modifies data under HKEY_USERS
    PID:1716

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\mssecsvc.exe

    Filesize

    3.6MB

    MD5

    7eeaacbd5f313fc56e07647f60238244

    SHA1

    acda2b34c4e3788a1fad97cafb6d087e19f111d3

    SHA256

    d2b0cff38e4096f37fe8859fc17b5b589a4dfb7ea89dee6c6c02631d5ff25dff

    SHA512

    fe090baca777c8ccebe020f6dd577d14c259f5e53a7591466035d57c1a4520fda384d2bbf8f1d4cbf5d6746632bd0d8e1d2af49749b60d37e48d99738b37bf30

  • C:\Windows\tasksche.exe

    Filesize

    3.4MB

    MD5

    e12f85b3cbc8a466ddce8dfc4034fabf

    SHA1

    2c4f27164c44058c4b60b45cfd67dc4f3361b8c6

    SHA256

    dadc4dd02b14bfca85a0dfc06bf8cbace568386c5fafa35e4bb6a26d47f03ea5

    SHA512

    080016307b18f947629b42650221eb024b08f6cd3c692928da1f6492bb81c7ae5d8839beb79db625f1d70a41120c880fe408ddd7ca1db0e73c989c42814f355f