Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20240220-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
  • submitted
    20-05-2024 13:51

General

  • Target

    5f6a324dca637003e4e3176a6f3e005a_JaffaCakes118.dll

  • Size

    5.0MB

  • MD5

    5f6a324dca637003e4e3176a6f3e005a

  • SHA1

    f0bccfb37e2a5afe27e79d9dcca65e239cc18f31

  • SHA256

    6c92686a13c94ac170d887061a2d82bfb922b22d4aaeefb6665a811087ea85e9

  • SHA512

    667e1fd45bce9fb31d763f4b2753a3af97bfd562bd58f05a32b718e7b2f3502b417d9f04a5afd03b7e225ea8a613a32ab9b2a66c5b1980d4e27f1db13387df90

  • SSDEEP

    49152:SnAQqMSPbcBVQej/1INRx+TSqTdX1HkQo6SAAu3R8yAH1plA:+DqPoBhz1aRxcSUDk36SAt3R8yAVp2

Malware Config

Signatures

  • Wannacry

    WannaCry is a ransomware cryptoworm.

  • Contacts a large (3335) amount of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Executes dropped EXE 3 IoCs
  • Creates a large amount of network flows 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Drops file in System32 directory 1 IoCs
  • Drops file in Windows directory 2 IoCs
  • Modifies data under HKEY_USERS 24 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\5f6a324dca637003e4e3176a6f3e005a_JaffaCakes118.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2868
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\5f6a324dca637003e4e3176a6f3e005a_JaffaCakes118.dll,#1
      2⤵
      • Drops file in Windows directory
      • Suspicious use of WriteProcessMemory
      PID:2552
      • C:\WINDOWS\mssecsvc.exe
        C:\WINDOWS\mssecsvc.exe
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        PID:2864
        • C:\WINDOWS\tasksche.exe
          C:\WINDOWS\tasksche.exe /i
          4⤵
          • Executes dropped EXE
          PID:2404
  • C:\WINDOWS\mssecsvc.exe
    C:\WINDOWS\mssecsvc.exe -m security
    1⤵
    • Executes dropped EXE
    • Drops file in System32 directory
    • Modifies data under HKEY_USERS
    PID:2564

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\mssecsvc.exe

    Filesize

    3.6MB

    MD5

    777caf590b80ec7f8d043d69d13eb3e8

    SHA1

    17ae4be358cb7923f7f161160d2210312a8b8146

    SHA256

    257eea1f0b058dc5c3e8773d0491c87699d9612b89c1bacd4916c78e03661e5a

    SHA512

    a8ca6bce5f5d52b0137dae595ee56ce95ee7d7eef143b160cfdf0ef4c037cc4804fe06d39c459b10584823e9cf01c2920e69fdc69ee3aebae831dddfdb7904e6

  • C:\Windows\tasksche.exe

    Filesize

    3.4MB

    MD5

    9464efdb9950199ac4985f0db3305361

    SHA1

    0e7120281640859940fdec098c66b33efde1125b

    SHA256

    5555abbc0d88b011af5b2c904f05c8db40bc52787e67be19ff7aad2c20beb45d

    SHA512

    342915529130283aa5a1e7df193da0bff5258f8f799147051bfa9fb03701b7381707e7dcd7b3126c1f97c4d2e144b9dcc30c8e785ffabc3c40e35060126a1ee2