Analysis

  • max time kernel
    150s
  • max time network
    153s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    16-09-2024 02:23

General

  • Target

    e3d6846e6da6c2529459bd5f9be05e86_JaffaCakes118.dll

  • Size

    5.0MB

  • MD5

    e3d6846e6da6c2529459bd5f9be05e86

  • SHA1

    a9f80584cbd15d95a13ace4bc8b29f844236e5cf

  • SHA256

    a5faf0eea54bedaf5c0d79f670bea4967caf93340835cf38aa091ec891643b97

  • SHA512

    de8ab5159227536e2970ab46f2afba9e2a9ad3c5d91ddea8517a3688a83f4827bfe24ffd3fe2f93c06effd9d39b71712c8cec7ddb61feed991fd6d253c99f34d

  • SSDEEP

    49152:SnAQqMSPbcBVQej/1INRx+TSqTdOxJM0H9PAMEcaEa:+DqPoBhz1aRxcSUwxWa9P5

Malware Config

Signatures

  • Wannacry

    WannaCry is a ransomware cryptoworm.

  • Contacts a large number (3272) of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Executes dropped EXE 3 IoCs
  • Creates a large amount of network flows 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Drops file in System32 directory 1 IoCs
  • Drops file in Windows directory 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies data under HKEY_USERS 24 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\e3d6846e6da6c2529459bd5f9be05e86_JaffaCakes118.dll,#1
    • Suspicious use of WriteProcessMemory
    PID:2352
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\e3d6846e6da6c2529459bd5f9be05e86_JaffaCakes118.dll,#1
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2532
      • C:\WINDOWS\mssecsvc.exe
        C:\WINDOWS\mssecsvc.exe
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        PID:2392
        • C:\WINDOWS\tasksche.exe
          C:\WINDOWS\tasksche.exe /i
          • Executes dropped EXE
          PID:2848
  • C:\WINDOWS\mssecsvc.exe
    C:\WINDOWS\mssecsvc.exe -m security
    • Executes dropped EXE
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Modifies data under HKEY_USERS
    PID:2336

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\mssecsvc.exe

    Filesize

    3.6MB

    MD5

    dee38bd6e6d47b587df7a79ab0832512

    SHA1

    0087640aded547b0a138c0cab81c90325d461de0

    SHA256

    bce85c427a39ce11309e228167281574eb1fee9c4aa972961611f198b518fb1e

    SHA512

    212ac2655aa8661fd31b7625eba1005c0bb439e87014094de4a02c7afe5ade2ce41418122e2c6c19ea3574a0b5a00067d81967b74d9e89647378d70162e57eda

  • C:\Windows\tasksche.exe

    Filesize

    3.4MB

    MD5

    65a92b9b3ebb2ab6992ebd92a10b066f

    SHA1

    87c62a9257ba20cd3fa47c0d32495fd61c3a84bd

    SHA256

    333087e8849b260b771d42eb89002b6717cd242034306537cf18df82082018d7

    SHA512

    0e536375a512525589597a04f8135483f8cdb129640a2023ac616ce06970c5cb7e3707b3367c79dda64ebb87bd79d39e41c9a2ca35b3033b2a7669eb8e709c21