Analysis

  • max time kernel
    150s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
  • submitted
    26-05-2024 20:40

General

  • Target

    76c2f0bc0c37fe765f7c147cb72edb62_JaffaCakes118.dll

  • Size

    5.0MB

  • MD5

    76c2f0bc0c37fe765f7c147cb72edb62

  • SHA1

    68d778d4da69cd5722cc537a965668dfdce2bd4f

  • SHA256

    847521d5b3faff34a8f6313506d6f232c9fd99c65bea3f3305d994679ead6216

  • SHA512

    c0ff78e4e838fa3e6694f5df06d47d38ac03343e79564f7966cfdddefc964139b4a470f7fbf18ff294983699feadeff576355b2746afb76048aa5172a9bc76d7

  • SSDEEP

    24576:SbLgddQhfdmMSirYbcMNgef0QeQjG/D8kIOASk+RdhAdmv1LJMfcH9PO6L:SnAQqMSPbcBVQej/ZAARdhnvxJM0H9

Malware Config

Signatures

  • Wannacry

    WannaCry is a ransomware cryptoworm.

  • Contacts a large (3148) amount of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Executes dropped EXE 3 IoCs
  • Creates a large amount of network flows 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Drops file in Windows directory 2 IoCs
  • Modifies data under HKEY_USERS 5 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\76c2f0bc0c37fe765f7c147cb72edb62_JaffaCakes118.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1240
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\76c2f0bc0c37fe765f7c147cb72edb62_JaffaCakes118.dll,#1
      2⤵
      • Drops file in Windows directory
      • Suspicious use of WriteProcessMemory
      PID:1616
      • C:\WINDOWS\mssecsvc.exe
        C:\WINDOWS\mssecsvc.exe
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        PID:1368
        • C:\WINDOWS\tasksche.exe
          C:\WINDOWS\tasksche.exe /i
          4⤵
          • Executes dropped EXE
          PID:1400
  • C:\WINDOWS\mssecsvc.exe
    C:\WINDOWS\mssecsvc.exe -m security
    1⤵
    • Executes dropped EXE
    • Modifies data under HKEY_USERS
    PID:3616

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\mssecsvc.exe

    Filesize

    3.6MB

    MD5

    481e5fab3071074c36f0a8b24fbb0777

    SHA1

    adfb30626b3ff66306bba5fdd86566f92a8a5985

    SHA256

    317dbb6511b79af9727a1b5542afcc1a9c808e8b998ed845734ee9de6ea9676a

    SHA512

    3ea38a98f8823d3d376bdb18394af8f47ea3e25e76794cbee76fcc55366b0c87963101de21fe54e93a37d21be00d7c9aed0b56b4151c4d143bd861dfa25b3457

  • C:\Windows\tasksche.exe

    Filesize

    3.4MB

    MD5

    831b7cfbfa474f35bb2b37f69fad80f6

    SHA1

    7fd8c6b68754d29954ddbbdbb4960e02c17ac630

    SHA256

    563fd6ea2af4dab336e868ed4456ba21abcf60fb647f20baa1f64aa5d67897ca

    SHA512

    a86755d7d21c79f1b2abfb59c6f0295a8bd0c5f0a0c217750ad35c13d0d37fca64e3ce6bfae935164751fd0b9151da9331bcfc62ba507c4beb9b13a346b28140