Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    16-09-2024 16:27

General

  • Target

    e5283d7cad73eeb1085e3759669f7133_JaffaCakes118.dll

  • Size

    5.0MB

  • MD5

    e5283d7cad73eeb1085e3759669f7133

  • SHA1

    e66ac36a28e118fcd4a317df4960e4c21c573f42

  • SHA256

    222300534ae7c6e8390677ed8f46a5fdf0623e9cd1cec973ef36d3a33d618f6e

  • SHA512

    c7f36a4379c78cf57ddc324422f121bd5e7164ce1e296368c09b07bfabcadca8bea4eb43e35d931c94b61ac128c6cdd1617b9c79ec363df1dbca64b6d8f84ebd

  • SSDEEP

    98304:TDqPoBhz1aRxcSUDk36SAEdhvxWa9E93R8yAVp2H:TDqPe1Cxcxk3ZAEUaIR8yc4H

Malware Config

Signatures

  • Wannacry

    WannaCry is a ransomware cryptoworm.

  • Contacts a large (3216) amount of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Executes dropped EXE 3 IoCs
  • Creates a large amount of network flows 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Drops file in System32 directory 1 IoCs
  • Drops file in Windows directory 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies data under HKEY_USERS 24 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\e5283d7cad73eeb1085e3759669f7133_JaffaCakes118.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2988
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\e5283d7cad73eeb1085e3759669f7133_JaffaCakes118.dll,#1
      2⤵
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2196
      • C:\WINDOWS\mssecsvc.exe
        C:\WINDOWS\mssecsvc.exe
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        PID:2488
        • C:\WINDOWS\tasksche.exe
          C:\WINDOWS\tasksche.exe /i
          4⤵
          • Executes dropped EXE
          PID:3028
  • C:\WINDOWS\mssecsvc.exe
    C:\WINDOWS\mssecsvc.exe -m security
    1⤵
    • Executes dropped EXE
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Modifies data under HKEY_USERS
    PID:1804

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\mssecsvc.exe

    Filesize

    3.6MB

    MD5

    2af2d969f584d38d43629d0b79f84091

    SHA1

    7e85ebd4b4eb232c4a308ff42df95dd1d95166bc

    SHA256

    e29626b985d6149f9ff0f1d4ac12c0313deeb91d313f0b5b576782da7ebc83d7

    SHA512

    bdc304abfabcbe21462b7be02e36e95eb79051a70261951baf2917f6d19d19f9f59680f6dc5f9b6a97b93643e2c361cd41d97255362a07372f719c25139eef59

  • C:\Windows\tasksche.exe

    Filesize

    3.4MB

    MD5

    f78a86fa8c5e78e6840fc0751a284d2e

    SHA1

    06140394d139c2db05e3e9f9fd5a67cc706c467a

    SHA256

    3fac4ebb902c5af67b6a6a67732b9c4fd9c6cd8f9fb6860c023da1a68a28ac02

    SHA512

    a63817d889c3ab74d0ef55018d22bfee9ef0365ff9f852becbda8dfb24320d45d68fd1733365a52ee031ad2b0de550bd68a8e3843ef1496de40ee36407601ae4