Analysis

  • max time kernel
    150s
  • max time network
    153s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    20-05-2024 06:58

General

  • Target

    5dc0a27073d77e7fcb31e6b5a5d18fde_JaffaCakes118.dll

  • Size

    5.0MB

  • MD5

    5dc0a27073d77e7fcb31e6b5a5d18fde

  • SHA1

    780c0940d070b2ebc067d8873f05c20895e3cea1

  • SHA256

    1865fd125de56bba74cf36e50f32b9b427c5743c9d57a7f583cc2c45245c5123

  • SHA512

    e7ebccc55b9a4a31d6f563d0752c648fd588012a89a67758308691ba36e781649a01374052878bb725c6c6ca5b83dde2478ea250a6352fe32accabf300956f19

  • SSDEEP

    24576:SbLgddQhfdmMSirYbcMNgef0QeQjG/D8kIqRYoAdNLKz6626:SnAQqMSPbcBVQej/1INR

Malware Config

Signatures

  • Wannacry

    WannaCry is a ransomware cryptoworm.

  • Contacts a large (3032) amount of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Executes dropped EXE 3 IoCs
  • Creates a large amount of network flows 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Drops file in System32 directory 1 IoCs
  • Drops file in Windows directory 2 IoCs
  • Modifies data under HKEY_USERS 24 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\5dc0a27073d77e7fcb31e6b5a5d18fde_JaffaCakes118.dll,#1
    • Suspicious use of WriteProcessMemory
    PID:1796
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\5dc0a27073d77e7fcb31e6b5a5d18fde_JaffaCakes118.dll,#1
      • Drops file in Windows directory
      • Suspicious use of WriteProcessMemory
      PID:2288
      • C:\WINDOWS\mssecsvc.exe
        C:\WINDOWS\mssecsvc.exe
        • Executes dropped EXE
        • Drops file in Windows directory
        PID:1656
        • C:\WINDOWS\tasksche.exe
          C:\WINDOWS\tasksche.exe /i
          • Executes dropped EXE
          PID:2632
  • C:\WINDOWS\mssecsvc.exe
    C:\WINDOWS\mssecsvc.exe -m security
    • Executes dropped EXE
    • Drops file in System32 directory
    • Modifies data under HKEY_USERS
    PID:2576

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\mssecsvc.exe

    Filesize

    3.6MB

    MD5

    8aa585b814a69a3fb24eec3154a5ced9

    SHA1

    71b5c24a794a3b7657c6188068dcbc17909ccd40

    SHA256

    5a625c6c21379f75154204fa21e708ce9f9bbf316b68c9e97fd3a38929288a6c

    SHA512

    c38a10f263b9069b461570ede72c892437e9efa1204de3930bb691473de30f0a264d288cf79714ffd504f728a782221e0439bacd13b81ecda27be36f14fa87e3

  • C:\Windows\tasksche.exe

    Filesize

    3.4MB

    MD5

    fe54c59b29dfa5dc511e66bcb7b10ae9

    SHA1

    8b0989fd5ae7f5dfe76cbcba5d5a7edbaf4e48e8

    SHA256

    372052abe79214f4102a5bc9dacc87376bff591a838fc51af76f1389ee07621a

    SHA512

    14cb0b620eed82f1363254903df7cff72799d28554eab893d918edada9dcb9c1f731307f9c46562d8c88e4fe14a1a585cc89d7c07318f477685fcfe7b2e85a78