Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
  • submitted
    14-09-2024 10:14

General

  • Target

    dffb92c0afe2eecda3ae8dc99f4fb5db_JaffaCakes118.dll

  • Size

    5.0MB

  • MD5

    dffb92c0afe2eecda3ae8dc99f4fb5db

  • SHA1

    cec78b84ec2db7a72ac9e3014938f2e4bf956761

  • SHA256

    2375834bedd9f22ad5ab253ca9edfc87e864fd3c2e6292eccf7a39f30c1b8b53

  • SHA512

    7a798be9c773ba8699dc4e3ce6053850220582f12847d1d1403d97fc1632944ee76db083a9f88014061967d1f69853471356eb84bfe4dad5398091f3e90aa53d

  • SSDEEP

    98304:TDqPoBhz1aRxcSUDk36SAEdhvxWa9d593R8yAVp2gC:TDqPe1Cxcxk3ZAEUarzR8yc4

Malware Config

Signatures

  • Wannacry

    WannaCry is a ransomware cryptoworm.

  • Contacts a large (3262) amount of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Executes dropped EXE 3 IoCs
  • Creates a large amount of network flows 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Drops file in System32 directory 1 IoCs
  • Drops file in Windows directory 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies data under HKEY_USERS 24 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\dffb92c0afe2eecda3ae8dc99f4fb5db_JaffaCakes118.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2356
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\dffb92c0afe2eecda3ae8dc99f4fb5db_JaffaCakes118.dll,#1
      2⤵
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2060
      • C:\WINDOWS\mssecsvc.exe
        C:\WINDOWS\mssecsvc.exe
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        PID:2656
        • C:\WINDOWS\tasksche.exe
          C:\WINDOWS\tasksche.exe /i
          4⤵
          • Executes dropped EXE
          PID:2772
  • C:\WINDOWS\mssecsvc.exe
    C:\WINDOWS\mssecsvc.exe -m security
    1⤵
    • Executes dropped EXE
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Modifies data under HKEY_USERS
    PID:2700

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\mssecsvc.exe

    Filesize

    3.6MB

    MD5

    fccf94aa84dcb7863d69593df73b65a8

    SHA1

    3ff8506fec3e6f798cf55b566c87f37cfd0524d4

    SHA256

    d27643502aa940f976c724f3001745cef35cfa444493bfad0f4c24b093183639

    SHA512

    24621abd89b64c35d58eb23eb4eea9e27808a70c3192c565e2d2174ed89529b1700befed92a493aa8057dae2e6215e75970228ffb4c1ceb78cce06096f888659

  • C:\Windows\tasksche.exe

    Filesize

    3.4MB

    MD5

    25b277bbd22f41feadde4d51c6919aa4

    SHA1

    00d0da1d933637af5f16f966312dff4ed0bd8f85

    SHA256

    194f866fea27893004f7e1f241928d0319597e8d666749b2d360f3fe97a3995b

    SHA512

    0cd34ae9b0e041f3c00023d50d211d255d286009986aaae0da1e8a5a98df12e9a15b1f3e1bedb6eef08c9995ecd1bf7afa92627bdec88f2bdea60b04539e3216