Analysis

  • max time kernel
    150s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    20-05-2024 03:22

General

  • Target

    5cedf628866eef92df09341a720db13c_JaffaCakes118.dll

  • Size

    5.0MB

  • MD5

    5cedf628866eef92df09341a720db13c

  • SHA1

    0f7579ba3e6e41fe8211d0e90ceb0d1cec645ec1

  • SHA256

    b641037e26c57e6f3839df9d388ec8d2c3167090e313f89e8b5012dbc3830b1b

  • SHA512

    e666c6e857105d32c34d8f8f4a489d915b472ef174c65fa3b50f9fca63db73f7d118fc22566d212b906973e6a420cf361f494320a2624b0e5390dc898542183f

  • SSDEEP

    24576:SbLgddQhfdmMSirYbcMNgef0QeQjG/D8kI29PO6LLuYAMEcpcL7nEaDNZtA0p+9Z:SnAQqMSPbcBVQej/N9PAMEcaEaDlAH

Malware Config

Signatures

  • Wannacry

    WannaCry is a ransomware cryptoworm.

  • Contacts a large (3334) number of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Executes dropped EXE 3 IoCs
  • Creates a large amount of network flows 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Drops file in Windows directory 2 IoCs
  • Modifies data under HKEY_USERS 5 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\5cedf628866eef92df09341a720db13c_JaffaCakes118.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2892
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\5cedf628866eef92df09341a720db13c_JaffaCakes118.dll,#1
      2⤵
      • Drops file in Windows directory
      • Suspicious use of WriteProcessMemory
      PID:2804
      • C:\WINDOWS\mssecsvc.exe
        C:\WINDOWS\mssecsvc.exe
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        PID:3432
        • C:\WINDOWS\tasksche.exe
          C:\WINDOWS\tasksche.exe /i
          4⤵
          • Executes dropped EXE
          PID:2904
  • C:\WINDOWS\mssecsvc.exe
    C:\WINDOWS\mssecsvc.exe -m security
    1⤵
    • Executes dropped EXE
    • Modifies data under HKEY_USERS
    PID:2788
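The Signatures and Processes sections above describe behaviours (rundll32 loading a DLL from a user temp path by ordinal, executables dropped straight into the Windows root and executed beneath rundll32, the `mssecsvc.exe -m security` / `tasksche.exe /i` command lines, and a single process fanning out to thousands of remote hosts) that translate directly into detection logic. The following is an added example, not part of the sandbox report: it runs those rules over constructed, Sysmon-style process-creation events and flow records that mirror the tree shown. The field names (pid/ppid/image/cmd, pid/dst) are an assumed schema, and the scan threshold is an assumed value.

```python
"""Added detection example (not part of the sandbox report): matches the
behaviours in the Signatures and Processes sections against constructed,
Sysmon-style telemetry. Field names (pid/ppid/image/cmd for process creation,
pid/dst for network flows) are an assumed schema."""
import re
from collections import defaultdict

# Constructed process-creation events mirroring the Processes section.
# ppid 1 stands in for a parent outside the captured tree.
EVENTS = [
    {"pid": 2892, "ppid": 1, "image": r"C:\Windows\system32\rundll32.exe",
     "cmd": r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\5cedf628866eef92df09341a720db13c_JaffaCakes118.dll,#1"},
    {"pid": 2804, "ppid": 2892, "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "cmd": r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\5cedf628866eef92df09341a720db13c_JaffaCakes118.dll,#1"},
    {"pid": 3432, "ppid": 2804, "image": r"C:\WINDOWS\mssecsvc.exe",
     "cmd": r"C:\WINDOWS\mssecsvc.exe"},
    {"pid": 2904, "ppid": 3432, "image": r"C:\WINDOWS\tasksche.exe",
     "cmd": r"C:\WINDOWS\tasksche.exe /i"},
    {"pid": 2788, "ppid": 1, "image": r"C:\WINDOWS\mssecsvc.exe",
     "cmd": r"C:\WINDOWS\mssecsvc.exe -m security"},
    # Benign control: rundll32 invoking a system DLL by name, not a temp DLL by ordinal.
    {"pid": 4100, "ppid": 1, "image": r"C:\Windows\system32\rundll32.exe",
     "cmd": r"rundll32.exe shell32.dll,Control_RunDLL"},
]

# Constructed flow records: pid 2788 fans out to 300 distinct hosts, pid 4100 to one.
FLOWS = [{"pid": 2788, "dst": f"10.0.{i // 256}.{i % 256}"} for i in range(300)] + [
    {"pid": 4100, "dst": "10.1.1.1"},
]

RUNDLL32 = re.compile(r"\\rundll32\.exe$", re.IGNORECASE)
# rundll32 loading a DLL from a user-writable temp path and calling an export by ordinal (",#1").
TEMP_DLL_ORDINAL = re.compile(r"\\AppData\\Local\\Temp\\[^ ]+\.dll,#\d+", re.IGNORECASE)
# An executable sitting directly in the Windows root rather than in system32/SysWOW64.
WINDOWS_ROOT_EXE = re.compile(r"^[A-Za-z]:\\Windows\\[^\\]+\.exe$", re.IGNORECASE)
# Command lines of the service and encryptor components seen in this report.
KNOWN_CMDLINES = (
    re.compile(r"\\mssecsvc\.exe\s+-m\s+security$", re.IGNORECASE),
    re.compile(r"\\tasksche\.exe\s+/i$", re.IGNORECASE),
)


def ancestors(pid, by_pid):
    """Walk ppid links upward; stops at unknown parents and guards against pid-reuse loops."""
    chain, seen, ev = [], set(), by_pid.get(pid)
    while ev is not None and ev["pid"] not in seen:
        seen.add(ev["pid"])
        ev = by_pid.get(ev["ppid"])
        if ev is not None:
            chain.append(ev)
    return chain


def detect(events):
    """Return (pid, rule) findings for the process-tree behaviours in the report."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        image, cmd = e["image"], e["cmd"]
        if RUNDLL32.search(image) and TEMP_DLL_ORDINAL.search(cmd):
            findings.append((e["pid"], "rundll32_temp_dll_by_ordinal"))
        if WINDOWS_ROOT_EXE.match(image) and any(
            RUNDLL32.search(a["image"]) for a in ancestors(e["pid"], by_pid)
        ):
            findings.append((e["pid"], "windows_root_exe_spawned_under_rundll32"))
        if any(p.search(cmd) for p in KNOWN_CMDLINES):
            findings.append((e["pid"], "wannacry_component_cmdline"))
    return findings


def scan_suspects(flows, threshold=100):
    """Distinct destination hosts per pid; pids at or over the (assumed) threshold
    are scan suspects. The report's figure of 3334 hosts is far above it."""
    dsts = defaultdict(set)
    for f in flows:
        dsts[f["pid"]].add(f["dst"])
    return {pid: len(hosts) for pid, hosts in dsts.items() if len(hosts) >= threshold}


if __name__ == "__main__":
    for pid, rule in detect(EVENTS):
        print(f"pid {pid}: {rule}")
    print("scan suspects:", scan_suspects(FLOWS))
```

The second rule keys on lineage rather than on the file names, so a renamed dropper that is still executed from the Windows root beneath rundll32 is caught; the command-line rule is the narrow, low-noise one and the fan-out counter is what the "Contacts a large number of remote hosts" signature amounts to when computed from your own flow logs.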

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Windows\mssecsvc.exe

    Filesize

    3.6MB

    MD5

    aff14b466d82984703b5628328cf9ddf

    SHA1

    0b4118a94826ce74040ae2daaf3c625e6dbf5096

    SHA256

    3eefb2cfe6d4e562165a9d404f3b25e84e5fc763dfb9efbbcdec57cdc81aba63

    SHA512

    75eda47898406f391ea484685f026823dcec25c24b76b1cd31b7c3dc5f38b12e72acff8d2b5221c43ff8b6bb11f956a5147c0389aa0088fe04522776d1ab2081

  • C:\Windows\tasksche.exe

    Filesize

    3.4MB

    MD5

    b6080a4008ec849e25657b077f122318

    SHA1

    10ef785d015da5e7d004ebe1185f257b753b719f

    SHA256

    300a17f61a1aeed819f4b0e139402eac2f5fa903600f197e63e1eb06fb0c3ffd

    SHA512

    004ccb55e9e5ae57eef471ad53d2ca6ecec9a6db56ae35c8dc8045d348b6b066a349794afa189b74b65507fd6728009390ef7b7e948bea45ffe758ee2b27f55a
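The digests in the General and Downloads sections are the file-level IOCs a responder would sweep endpoints for. The block below is an added example, not part of the sandbox report: it hashes files once for all three algorithms, matches the results against the report's digests, and sweeps a directory tree. The decoy files written in `demo()` are constructed and deliberately do not match, which illustrates that a file named `mssecsvc.exe` is not evidence on its own; only the digests (preferably SHA256) are.

```python
"""Added example (not from the sandbox report): a single-pass multi-hash IOC
sweep using the digests published in the General and Downloads sections.
The files written in demo() are constructed decoys; nothing here fetches or
executes the sample."""
import hashlib
import io
import tempfile
from pathlib import Path

# Digests copied from this report. MD5/SHA1 are kept only as lookup keys for
# feeds that still publish them; SHA256 is the value to rely on.
IOCS = {
    "5cedf628866eef92df09341a720db13c_JaffaCakes118.dll": {
        "md5": "5cedf628866eef92df09341a720db13c",
        "sha1": "0f7579ba3e6e41fe8211d0e90ceb0d1cec645ec1",
        "sha256": "b641037e26c57e6f3839df9d388ec8d2c3167090e313f89e8b5012dbc3830b1b",
    },
    "C:\\Windows\\mssecsvc.exe": {
        "md5": "aff14b466d82984703b5628328cf9ddf",
        "sha1": "0b4118a94826ce74040ae2daaf3c625e6dbf5096",
        "sha256": "3eefb2cfe6d4e562165a9d404f3b25e84e5fc763dfb9efbbcdec57cdc81aba63",
    },
    "C:\\Windows\\tasksche.exe": {
        "md5": "b6080a4008ec849e25657b077f122318",
        "sha1": "10ef785d015da5e7d004ebe1185f257b753b719f",
        "sha256": "300a17f61a1aeed819f4b0e139402eac2f5fa903600f197e63e1eb06fb0c3ffd",
    },
}

ALGOS = ("md5", "sha1", "sha256")


def hash_stream(stream, chunk=1 << 20):
    """Read the stream once and feed every chunk to all three hashers."""
    hashers = {a: hashlib.new(a) for a in ALGOS}
    while True:
        block = stream.read(chunk)
        if not block:
            break
        for h in hashers.values():
            h.update(block)
    return {a: h.hexdigest() for a, h in hashers.items()}


def hash_bytes(data):
    return hash_stream(io.BytesIO(data))


def hash_file(path):
    with open(path, "rb") as f:
        return hash_stream(f)


def match_digests(digests, iocs=IOCS):
    """Names of IOC entries sharing any digest with `digests` (hex compared case-insensitively)."""
    hits = []
    for name, known in iocs.items():
        if any(digests.get(a, "").lower() == known[a] for a in ALGOS if a in known):
            hits.append(name)
    return hits


def sweep_directory(root, iocs=IOCS):
    """Hash every regular file under root; returns (files_scanned, [(path, ioc_name, sha256)])."""
    scanned, matches = 0, []
    for p in Path(root).rglob("*"):
        if not p.is_file():
            continue
        scanned += 1
        try:
            d = hash_file(p)
        except OSError:  # locked or unreadable file: skip rather than abort the sweep
            continue
        for name in match_digests(d, iocs):
            matches.append((str(p), name, d["sha256"]))
    return scanned, matches


def demo():
    """Sweep a constructed temp directory holding two decoy files; returns (scanned, matches)."""
    with tempfile.TemporaryDirectory() as tmp:
        (Path(tmp) / "mssecsvc.exe").write_bytes(b"decoy: same name, not the sample")
        (Path(tmp) / "notes.txt").write_bytes(b"")
        return sweep_directory(tmp)


if __name__ == "__main__":
    print(demo())
```

Hashes identify this exact build only; pair the sweep with the behavioural rules (process lineage, the dropped-file paths, the service command line) so that a repacked sample is still caught.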