Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    14-09-2024 12:39

General

  • Target

    e032dffe8dd0bd5689752d7fc27846d7_JaffaCakes118.dll

  • Size

    5.0MB

  • MD5

    e032dffe8dd0bd5689752d7fc27846d7

  • SHA1

    726772e281049e0d6f49e5d61e45fce1b53fb2e2

  • SHA256

    e7ce294f262e3ce1214c17e16e8cd8a18217c2815ca42c7e0b71865faa53f34b

  • SHA512

    23578d60da045f542d8b1e2346fab09ec8d02d234a00502a94e561cb5d1fa6c707438e3e54116af2757c7276711c7e7b9e94af7908105a6825fba36beab42b0b

  • SSDEEP

    24576:SbLgddQhfdmMSirYbcMNgef0JAdmv1LJMfcH9PO6LLuYFkqAH1pNZtA0p+9XEk:SnAQqMSPbcBVJnvxJM0H9PpAH1plAH

Malware Config

Signatures

  • Wannacry

    WannaCry is a ransomware cryptoworm.

  • Contacts a large number (3346) of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Executes dropped EXE 3 IoCs
  • Creates a large amount of network flows 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Drops file in System32 directory 1 IoCs
  • Drops file in Windows directory 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies data under HKEY_USERS 24 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\e032dffe8dd0bd5689752d7fc27846d7_JaffaCakes118.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3064
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\e032dffe8dd0bd5689752d7fc27846d7_JaffaCakes118.dll,#1
      2⤵
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2208
      • C:\WINDOWS\mssecsvc.exe
        C:\WINDOWS\mssecsvc.exe
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        PID:2652
        • C:\WINDOWS\tasksche.exe
          C:\WINDOWS\tasksche.exe /i
          4⤵
          • Executes dropped EXE
          PID:2432
  • C:\WINDOWS\mssecsvc.exe
    C:\WINDOWS\mssecsvc.exe -m security
    1⤵
    • Executes dropped EXE
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Modifies data under HKEY_USERS
    PID:2776

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\mssecsvc.exe

    Filesize

    3.6MB

    MD5

    825d6cd71f46a9de1b39a222c33bc228

    SHA1

    c313d608d51f57db2e2b14edcf3443687086b25d

    SHA256

    18cc3745d6fbabcfabeb99e74b0db8f9864e452b3c5f6be862e16d6cdfc1529b

    SHA512

    28a149f636d31e5a90f7efeabeeff8da5e1446f2d5ee9ee87a86c7b18e20a219f2446964fa804d1e002b76ffe25f0cc76175d1540c6a3eff726fc31db077329a

  • C:\Windows\tasksche.exe

    Filesize

    3.4MB

    MD5

    3f6b2b6f4108b63df0b940811605ed7f

    SHA1

    534a0bcc3eded2460d5aab1480e118ae47559e41

    SHA256

    a45c4f9f781324a4c0daf1fb771213400cd92cf9f7fd7e5889e775644c46ebf9

    SHA512

    4d885d9d0f444dc6dc5c01ead8747796cd4094e3d36b23c0c2e64bb81bab1af4f1414af43454830f3797e12020f318578cb5af1a4608f3c69503fc37b1fbe431