Analysis

  • max time kernel
    150s
  • max time network
    154s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
  • submitted
    30-08-2024 00:58

General

  • Target

    c9f37ba6a50dbd9c6b1d151f66e7b021_JaffaCakes118.dll

  • Size

    5.0MB

  • MD5

    c9f37ba6a50dbd9c6b1d151f66e7b021

  • SHA1

    fd82aec0d4f6d49d860a597f7eee952e1b58448f

  • SHA256

    b00dc01a768045681b399dbe9b064a71ab8e49e415211cf35edb4e8c5091595e

  • SHA512

    86cc7f21693ab39def1b7efe6037be77f9690ea00fa8904d2ff408541459d23f711ed8c5cecbdf20adb96001b92841a6aeed81b9660e23350bc1769647bca5da

  • SSDEEP

    98304:+DqPoBhz1aRxcSUDk36SAEdhvxWa9P5/p2H:+DqPe1Cxcxk3ZAEUadJ4H

Malware Config

Signatures

  • Wannacry

    WannaCry is a ransomware cryptoworm.

  • Contacts a large (3281) amount of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Executes dropped EXE 3 IoCs
  • Creates a large amount of network flows 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Drops file in System32 directory 1 IoCs
  • Drops file in Windows directory 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies data under HKEY_USERS 24 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\c9f37ba6a50dbd9c6b1d151f66e7b021_JaffaCakes118.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2376
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\c9f37ba6a50dbd9c6b1d151f66e7b021_JaffaCakes118.dll,#1
      2⤵
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2952
      • C:\WINDOWS\mssecsvc.exe
        C:\WINDOWS\mssecsvc.exe
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        PID:2968
        • C:\WINDOWS\tasksche.exe
          C:\WINDOWS\tasksche.exe /i
          4⤵
          • Executes dropped EXE
          PID:2696
  • C:\WINDOWS\mssecsvc.exe
    C:\WINDOWS\mssecsvc.exe -m security
    1⤵
    • Executes dropped EXE
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Modifies data under HKEY_USERS
    PID:3064

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\mssecsvc.exe

    Filesize

    3.6MB

    MD5

    38e02ec4623c82f324ecc9b43418656b

    SHA1

    38dbdf0a24b9f331177dc48a33daf62b1a6550ef

    SHA256

    bb350eae66bfbe94e55099d78f6b5926df0bc0960cd45222da275144ebc95d94

    SHA512

    7b68f24657bc4173cc7be3fc0daf554db81d2769d6ae5f42f77ed9b5a181c009fbd1f8cc249ef4457495bb105e864d48b8729eaadf6b0ecbe65b26599a4fa5c5

  • C:\Windows\tasksche.exe

    Filesize

    3.4MB

    MD5

    e35598dcb413a66da5474f4ac58c7dd5

    SHA1

    ad37e1288927561e020922032d73cdc990f05a3a

    SHA256

    5dba8d2490b4f0f7f71a0df0aff6dd4c23fd50dde7d8ae2d66a9b05e5f7b484b

    SHA512

    955bfaf5069e880d4481e31e3577233237810b5de170b1722ec7bb9cf657f267ebfe82040a309656a9c05d658ba297422463cd69524ed125cf6b91c4699c679b