Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    15-09-2024 03:31

General

  • Target

    e19f1bfc80c2efd58a78e80e4b1b3abb_JaffaCakes118.dll

  • Size

    5.0MB

  • MD5

    e19f1bfc80c2efd58a78e80e4b1b3abb

  • SHA1

    d198cf287892f6ea3eeef8504ec3d0d99d826d49

  • SHA256

    0e1ea0693da53cd5c2cd89da3feec4b44f2caf653f461ed1f7123bb6640e3a66

  • SHA512

    fa16a3face3682724f2f4caf0e22898dd2cdf77c42ace6332d48190b172e9cd17363a759688f7126a65f3a9cfe5540e94bbd61ba9e12c543252ab5a7b5f4983c

  • SSDEEP

    49152:znAQqMSPbcBVQej/1INRx+TSqTdX1HkQo6SAAFaEau3R8yAFHAD:TDqPoBhz1aRxcSUDk36SAq3R8yA

Malware Config

Signatures

  • Wannacry

    WannaCry is a ransomware cryptoworm.

  • Contacts a large (3269) amount of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Executes dropped EXE 3 IoCs
  • Creates a large amount of network flows 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Drops file in System32 directory 1 IoCs
  • Drops file in Windows directory 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies data under HKEY_USERS 24 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\e19f1bfc80c2efd58a78e80e4b1b3abb_JaffaCakes118.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2236
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\e19f1bfc80c2efd58a78e80e4b1b3abb_JaffaCakes118.dll,#1
      2⤵
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2188
      • C:\WINDOWS\mssecsvc.exe
        C:\WINDOWS\mssecsvc.exe
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        PID:2088
        • C:\WINDOWS\tasksche.exe
          C:\WINDOWS\tasksche.exe /i
          4⤵
          • Executes dropped EXE
          PID:2740
  • C:\WINDOWS\mssecsvc.exe
    C:\WINDOWS\mssecsvc.exe -m security
    1⤵
    • Executes dropped EXE
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Modifies data under HKEY_USERS
    PID:1856

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\mssecsvc.exe

    Filesize

    3.6MB

    MD5

    ff54cd70bbbf4da8e0b839388991d544

    SHA1

    b26ba3f15325b7a85d200c1e2ffdc8f56f52fa38

    SHA256

    6b46ebc05bff3e1446b586518b546bfdce385ced77fd52de1ae7522b286dce72

    SHA512

    1079b5b098ee1b154d42faa61032d423e1fcc3bc0c04cca017a22dda4ac5e38498da9cdd7e665853be094194ea03615cd5fe1f0b58dac62c14686e5be9d5c712

  • C:\Windows\tasksche.exe

    Filesize

    3.4MB

    MD5

    f4932239f899a12de4d28d42ae2b15fb

    SHA1

    2b886a35bb9f015289a4d7c6c49c0a8d17fe7826

    SHA256

    ecbd513dbfaab4f84bee7e745fb0847bba3bee17382d014612f3ae26039d5ac0

    SHA512

    b50073fdb9388e507b04aaffc654a3728297ba2ff7dd2dbe8ab6e9f343980b6e28b6ec5d1b2b8f7345ef4049b3bd65356115d67dc8a7be53ca28418fb85be00c