Analysis

  • max time kernel
    150s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    20-05-2024 10:01

General

  • Target

    5e79b8fd795d0477a8cb667aaf5be84e_JaffaCakes118.dll

  • Size

    5.0MB

  • MD5

    5e79b8fd795d0477a8cb667aaf5be84e

  • SHA1

    37936a4683f3bff45a755cba139da3b00f87bab3

  • SHA256

    e440a0d0eb8ad565506d1eedd833b4f696ada45c8eb2238da44ed41b717404f4

  • SHA512

    0736cf17551eed327535c321b83696ee1465ee8c9fd5d719e5cb192027d865bddb7ee9f609350797a95c10af8ae0baaddd790948e817d5b6fd985eb3cee52bf5

  • SSDEEP

    49152:znAQqMSPbcBVQej/1INRx+TSqTdX1HkQo6SA:TDqPoBhz1aRxcSUDk36SA

Malware Config

Signatures

  • Wannacry

    WannaCry is a ransomware cryptoworm.

  • Contacts a large (3185) amount of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Executes dropped EXE 3 IoCs
  • Creates a large amount of network flows 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Drops file in Windows directory 2 IoCs
  • Modifies data under HKEY_USERS 5 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\5e79b8fd795d0477a8cb667aaf5be84e_JaffaCakes118.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3048
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\5e79b8fd795d0477a8cb667aaf5be84e_JaffaCakes118.dll,#1
      2⤵
      • Drops file in Windows directory
      • Suspicious use of WriteProcessMemory
      PID:4380
      • C:\WINDOWS\mssecsvc.exe
        C:\WINDOWS\mssecsvc.exe
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        PID:1928
        • C:\WINDOWS\tasksche.exe
          C:\WINDOWS\tasksche.exe /i
          4⤵
          • Executes dropped EXE
          PID:1432
  • C:\WINDOWS\mssecsvc.exe
    C:\WINDOWS\mssecsvc.exe -m security
    1⤵
    • Executes dropped EXE
    • Modifies data under HKEY_USERS
    PID:3968

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\mssecsvc.exe

    Filesize

    3.6MB

    MD5

    7ecbd2aaae989b4d8e4828634afd05f3

    SHA1

    2dac984f34ce9b8a33fcbcd5582ca2b5998851e3

    SHA256

    f61a328b3c0f7c302f1ae2aa5035805477f72ca43d3426fcc263f5598763e84b

    SHA512

    a922dfc44ac2d4450cd5602fb55cb44a9878c0f0ebeedd0ee664985b833eac2c8a44ce01f43593ebce2f86e1cc1aa38dedd33f64b3f374475f60f331b0df27c5

  • C:\Windows\tasksche.exe

    Filesize

    3.4MB

    MD5

    5df060c882b909cfe7f14cb151e38e65

    SHA1

    14c6a5afed8963b4e98399f8b890a86e527f0e98

    SHA256

    c22aca25405025854efd5eeb9ff4c8e42dde87110de9b34f94502c5bc31020b9

    SHA512

    1e8e600119f3a615a7a9c90851e9a42fab787fbde5e61b3d7d01fea09eeb920de32840fd82e568da5343e94283f66e8440d7d82eb628d905841a5c6ab8ca330a