Analysis

  • max time kernel
    150s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    26-05-2024 15:10

General

  • Target

    75e24aea15162245448361892ea979d7_JaffaCakes118.dll

  • Size

    5.0MB

  • MD5

    75e24aea15162245448361892ea979d7

  • SHA1

    eb45e80dab5f0a686701cb97ea3bbece94f467db

  • SHA256

    22f08fa4efaf2bd2d87ca337d1b5641519725640f40d190fdcd3875e3b95e999

  • SHA512

    1bedbf28adb48e5fdadf5d8635c61462edfd716ba9a9b6ce1227daa280d365ab48510024557f54282891b2e8523f600c5a1fead6cbf78e3269e97e865b337a1c

  • SSDEEP

    49152:znAQqMSPbcBVQej/1INRx+TSqTdX1HkQo6SAA:TDqPoBhz1aRxcSUDk36SA

Malware Config

Signatures

  • Wannacry

    WannaCry is a ransomware cryptoworm.

  • Contacts a large (3293) amount of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Executes dropped EXE 3 IoCs
  • Creates a large amount of network flows 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Drops file in Windows directory 2 IoCs
  • Modifies data under HKEY_USERS 5 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\75e24aea15162245448361892ea979d7_JaffaCakes118.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:744
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\75e24aea15162245448361892ea979d7_JaffaCakes118.dll,#1
      2⤵
      • Drops file in Windows directory
      • Suspicious use of WriteProcessMemory
      PID:4888
      • C:\WINDOWS\mssecsvc.exe
        C:\WINDOWS\mssecsvc.exe
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        PID:2228
        • C:\WINDOWS\tasksche.exe
          C:\WINDOWS\tasksche.exe /i
          4⤵
          • Executes dropped EXE
          PID:4588
  • C:\WINDOWS\mssecsvc.exe
    C:\WINDOWS\mssecsvc.exe -m security
    1⤵
    • Executes dropped EXE
    • Modifies data under HKEY_USERS
    PID:3412
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4372,i,6576818814118437872,11004518367271063231,262144 --variations-seed-version --mojo-platform-channel-handle=1428 /prefetch:8
    1⤵
      PID:3004

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Windows\mssecsvc.exe

      Filesize

      3.6MB

      MD5

      4dcd1a0e69737b7dabfc674939128b3b

      SHA1

      6b52a9657275749f0bb9aaff087d9e21775f6852

      SHA256

      a5ba3219efbbf382fb4fc972549afbd7d721c4b49b4af92b8a767ec23de26a38

      SHA512

      bc4a882c520e5b2aa9c0a91b917e9aa13a1a58e9667ba37030428df0296d3e863e431d8241fc59079b8395e748769e366a68fbada74c1107495ddacb8a9dcbfc

    • C:\Windows\tasksche.exe

      Filesize

      3.4MB

      MD5

      52b3e549e037de9a3109704ccd4aaa72

      SHA1

      f382881b2e454977b4fd4686834866350ef66b94

      SHA256

      d6361700e59b6339ed38270a4970b512f08f1f9dc8819e03d5b7bded7f1d5714

      SHA512

      7a232b012b314124a743dd8569a5a5970b4d6bfc0445fd12d74bc203135bd8a8d5f5daf0ce30602825da3a87e77e57192309eefcf96fda6a7439ae6806eba948