Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
  • submitted
    20-05-2024 06:48

General

  • Target

    5db6252be49081eabdc7b0b7d0d455ff_JaffaCakes118.dll

  • Size

    5.0MB

  • MD5

    5db6252be49081eabdc7b0b7d0d455ff

  • SHA1

    a5fc89e162377830e6f560ddca4c67be5cd76c31

  • SHA256

    422649f12a6895183c1dbecbe09434e29dfdeafe6fdae2cdf1b3b2a91b2bf285

  • SHA512

    3500959af4bce166e804c28301fea1c16238f38da0dd53e9c73df374b9a5c32279ad70da149a619a6bc696dd1a6b8fcd267f17dd2ce36927e3e1bfa1c384e53e

  • SSDEEP

    12288:yebLgPlu+QhMbaIMu7L5N5b0XV5SQeuBRdh:zbLgddQhfdmngbk+Rdh

Malware Config

Signatures

  • Wannacry

    WannaCry is a ransomware cryptoworm.

  • Contacts a large (3318) amount of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Executes dropped EXE 3 IoCs
  • Creates a large amount of network flows 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Drops file in System32 directory 1 IoCs
  • Drops file in Windows directory 2 IoCs
  • Modifies data under HKEY_USERS 24 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\5db6252be49081eabdc7b0b7d0d455ff_JaffaCakes118.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2576
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\5db6252be49081eabdc7b0b7d0d455ff_JaffaCakes118.dll,#1
      2⤵
      • Drops file in Windows directory
      • Suspicious use of WriteProcessMemory
      PID:1444
      • C:\WINDOWS\mssecsvc.exe
        C:\WINDOWS\mssecsvc.exe
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        PID:1812
        • C:\WINDOWS\tasksche.exe
          C:\WINDOWS\tasksche.exe /i
          4⤵
          • Executes dropped EXE
          PID:2728
  • C:\WINDOWS\mssecsvc.exe
    C:\WINDOWS\mssecsvc.exe -m security
    1⤵
    • Executes dropped EXE
    • Drops file in System32 directory
    • Modifies data under HKEY_USERS
    PID:2024

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\mssecsvc.exe

    Filesize

    3.6MB

    MD5

    abfaafaba07a62dfce0635888df786f4

    SHA1

    05cd8c7092847363d0ca63ee10fd12276781265f

    SHA256

    69716912ca77be13408f38c68013ac0622a862230ad66ea2ec0d1fb34d461abc

    SHA512

    4364933b537302af48ccb7bc9e0199234b531b68acab4b6e0640b223351752540b5f4e52c78c272c2b485f4a2e69eeea57df1006962e9096781605bf6f36b2a9

  • C:\Windows\tasksche.exe

    Filesize

    3.4MB

    MD5

    93e78d65b1deada11008846cddc6e458

    SHA1

    91fb578a4a657723444f3140a528764d0b5af9e7

    SHA256

    ac5c5c028132c1d1947d920afbf316b3475d4e1fe0e430245139b9fa86a05a30

    SHA512

    b27e4ce94b25fa3f31afca83cc3c8c12f2b170530678f95ed16433863e2031e0114a9346937a72fa5a55e45fe37062b8ac59e8ebc5781d8b081eb9cbde047030