Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    15-09-2024 15:35

General

  • Target

    e2d020e6ae743949b87756fc1c34215d_JaffaCakes118.dll

  • Size

    5.0MB

  • MD5

    e2d020e6ae743949b87756fc1c34215d

  • SHA1

    8307a670bd5cbd866fde71d420a08979312b2d52

  • SHA256

    5d7c8a086732b2c1d968f1b6888923a7b874b5b1b7e09fe078c8c55feb421021

  • SHA512

    c920498ae3a47ac15527654549ee948dc6b93f1db738bedf61846a96cdb2563d2a3f99624c81c417dbb14ff5feb3c1a5a5895feb1ce3a6e3245ceae7430c775f

  • SSDEEP

    49152:SnjQqMSPbcBVQej/1INRx+TSqTdX1HkQo6SAARdhnvxJM0H9PAMEc:+8qPoBhz1aRxcSUDk36SAEdhvxWa9P5

Malware Config

Signatures

  • Wannacry

    WannaCry is a ransomware cryptoworm.

  • Contacts a large (3333) amount of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Executes dropped EXE 3 IoCs
  • Creates a large amount of network flows 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Drops file in Windows directory 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\e2d020e6ae743949b87756fc1c34215d_JaffaCakes118.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2800
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\e2d020e6ae743949b87756fc1c34215d_JaffaCakes118.dll,#1
      2⤵
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3052
      • C:\WINDOWS\mssecsvc.exe
        C:\WINDOWS\mssecsvc.exe
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        PID:4312
        • C:\WINDOWS\tasksche.exe
          C:\WINDOWS\tasksche.exe /i
          4⤵
          • Executes dropped EXE
          PID:3044
  • C:\WINDOWS\mssecsvc.exe
    C:\WINDOWS\mssecsvc.exe -m security
    1⤵
    • Executes dropped EXE
    • System Location Discovery: System Language Discovery
    PID:1220

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\mssecsvc.exe

    Filesize

    3.6MB

    MD5

    8909dbd5b9feba5b5a9cadc6e8d850b5

    SHA1

    1ebb6fd36521bdf8c15d13b921a9f576d89b1107

    SHA256

    508dcb3abfa56821f8ed720f616758ca467c49a32785be3311384579c2def1a5

    SHA512

    1f4d317090b075770a5f61d3b5a4e77f12dcc0e2ba54e73f69b0b3868f256ddfecad344549c50b9e54f94a81e73a43910c56635541d69095c927f78538ddb852

  • C:\Windows\tasksche.exe

    Filesize

    3.4MB

    MD5

    7fe62470dc5ee0e84ee02cd5526f7c49

    SHA1

    02ce9ec4aafca35def3c1cf3f20ec25bb1a793d5

    SHA256

    08d900ea71c177d36a5556be14111b208b45ffe9b08a813587a4cb3f5b191cf7

    SHA512

    e5809b14b3f2b070ec1824053b72859a24a23cfc538b4729fe1773a1b86d39e49e2c095522b9f075e4ef4809497c3abd44e23dec453a659f786f60419de30d0b