Analysis

  • max time kernel
    150s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    16-09-2024 16:27

General

  • Target

    e5283d7cad73eeb1085e3759669f7133_JaffaCakes118.dll

  • Size

    5.0MB

  • MD5

    e5283d7cad73eeb1085e3759669f7133

  • SHA1

    e66ac36a28e118fcd4a317df4960e4c21c573f42

  • SHA256

    222300534ae7c6e8390677ed8f46a5fdf0623e9cd1cec973ef36d3a33d618f6e

  • SHA512

    c7f36a4379c78cf57ddc324422f121bd5e7164ce1e296368c09b07bfabcadca8bea4eb43e35d931c94b61ac128c6cdd1617b9c79ec363df1dbca64b6d8f84ebd

  • SSDEEP

    98304:TDqPoBhz1aRxcSUDk36SAEdhvxWa9E93R8yAVp2H:TDqPe1Cxcxk3ZAEUaIR8yc4H

Malware Config

Signatures

  • Wannacry

    WannaCry is a ransomware cryptoworm.

  • Contacts a large (3263) amount of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Executes dropped EXE 3 IoCs
  • Creates a large amount of network flows 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Drops file in Windows directory 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies data under HKEY_USERS 5 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\e5283d7cad73eeb1085e3759669f7133_JaffaCakes118.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2088
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\e5283d7cad73eeb1085e3759669f7133_JaffaCakes118.dll,#1
      2⤵
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:816
      • C:\WINDOWS\mssecsvc.exe
        C:\WINDOWS\mssecsvc.exe
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        PID:1652
        • C:\WINDOWS\tasksche.exe
          C:\WINDOWS\tasksche.exe /i
          4⤵
          • Executes dropped EXE
          PID:4656
  • C:\WINDOWS\mssecsvc.exe
    C:\WINDOWS\mssecsvc.exe -m security
    1⤵
    • Executes dropped EXE
    • System Location Discovery: System Language Discovery
    • Modifies data under HKEY_USERS
    PID:4512
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4248,i,15436195446242760253,4000484513008731869,262144 --variations-seed-version --mojo-platform-channel-handle=1308 /prefetch:8
    1⤵
      PID:3532

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Windows\mssecsvc.exe

      Filesize

      3.6MB

      MD5

      2af2d969f584d38d43629d0b79f84091

      SHA1

      7e85ebd4b4eb232c4a308ff42df95dd1d95166bc

      SHA256

      e29626b985d6149f9ff0f1d4ac12c0313deeb91d313f0b5b576782da7ebc83d7

      SHA512

      bdc304abfabcbe21462b7be02e36e95eb79051a70261951baf2917f6d19d19f9f59680f6dc5f9b6a97b93643e2c361cd41d97255362a07372f719c25139eef59

    • C:\Windows\tasksche.exe

      Filesize

      3.4MB

      MD5

      f78a86fa8c5e78e6840fc0751a284d2e

      SHA1

      06140394d139c2db05e3e9f9fd5a67cc706c467a

      SHA256

      3fac4ebb902c5af67b6a6a67732b9c4fd9c6cd8f9fb6860c023da1a68a28ac02

      SHA512

      a63817d889c3ab74d0ef55018d22bfee9ef0365ff9f852becbda8dfb24320d45d68fd1733365a52ee031ad2b0de550bd68a8e3843ef1496de40ee36407601ae4