Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    31-08-2024 06:38

General

  • Target

    cc5ee9ab34b4568b98c8a605d6d8fa58_JaffaCakes118.dll

  • Size

    5.0MB

  • MD5

    cc5ee9ab34b4568b98c8a605d6d8fa58

  • SHA1

    3549a4cb74696bd2b7def20db41d7554781e6742

  • SHA256

    60bccc5b50843c14865d176b918ff518eb562ff88aa2574b5ce0f77895756089

  • SHA512

    0921f6706cca4907b2300977d5ce2d02023af0469aeb871202773f683e8ed53061c99ffe7548d5971204434bbd6f02b96440deb06015cd99dd6d6ad59b856a34

  • SSDEEP

    98304:+8qgz1aRxcSUDk36SAEdhvxWa9P593oAVp2H:+8q01Cxcxk3ZAEUadzoc4H

Malware Config

Signatures

  • Wannacry

    WannaCry is a ransomware cryptoworm.

  • Contacts a large (3173) amount of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Executes dropped EXE 3 IoCs
  • Creates a large amount of network flows 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Drops file in Windows directory 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\cc5ee9ab34b4568b98c8a605d6d8fa58_JaffaCakes118.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3196
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\cc5ee9ab34b4568b98c8a605d6d8fa58_JaffaCakes118.dll,#1
      2⤵
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2784
      • C:\WINDOWS\mssecsvc.exe
        C:\WINDOWS\mssecsvc.exe
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        PID:2132
        • C:\WINDOWS\tasksche.exe
          C:\WINDOWS\tasksche.exe /i
          4⤵
          • Executes dropped EXE
          PID:2264
  • C:\WINDOWS\mssecsvc.exe
    C:\WINDOWS\mssecsvc.exe -m security
    1⤵
    • Executes dropped EXE
    • System Location Discovery: System Language Discovery
    PID:4052

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\mssecsvc.exe

    Filesize

    3.6MB

    MD5

    55a4e5a546f6740a62a4723550c0a2d8

    SHA1

    cc8655d786d046cfb1bc29e46c95229e49f6a89c

    SHA256

    d82b2d7bd8c14d8ad5897870cce8a0670d8e8cc94ec09229dcc8d81701ee7cd8

    SHA512

    c5643758acd76b8aeb86cd8ef7a1fba2823b5b0a41c42259c29f8155bd90fd638b7a24256b6b85174381d3b00b7436c16548f0f968c79de40ac7c216065da5da

  • C:\Windows\tasksche.exe

    Filesize

    3.4MB

    MD5

    d0765ac79b3086a4d731af445d485774

    SHA1

    444b2efb032eb98eae04950b3c3afe090f332f00

    SHA256

    970951da1320f34089f761f3cb2e4d5cb1486ac6b753845ed7000f017d1f3085

    SHA512

    2e0c668293070a13aae66f22a3b7887edb5185623eb3a03f8741395c9adc7c8e8e240872abe0411da6ef209d24306e1a61628adbb5e9345d2eb0ce36d3a9956e