Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    16-09-2024 20:13

General

  • Target

    e5840a9753ed8f90fbd7264c8db27c4b_JaffaCakes118.dll

  • Size

    5.0MB

  • MD5

    e5840a9753ed8f90fbd7264c8db27c4b

  • SHA1

    8c812aa434de921ce5654a4bc9331f4c36ee1fe9

  • SHA256

    f1d41d03b3376c404cad4725fd62e9c15157074ddf7617e8d3ad05712208a4fd

  • SHA512

    f98cd65b04d859e32bcb922338786e9929b56adaedb9462657fbab578e44397a809d735da42b7821136381ccb27f71a684814ce249f36b46682c4ed22ad08dfe

  • SSDEEP

    49152:SnAQqMSPbcBVQej/1INRx+TSqTdX1HkQo6SAARdhnvxJM0H9:+DqPoBhz1aRxcSUDk36SAEdhvxWa9

Malware Config

Signatures

  • Wannacry

    WannaCry is a ransomware cryptoworm.

  • Contacts a large (3263) amount of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Executes dropped EXE 3 IoCs
  • Creates a large amount of network flows 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Drops file in System32 directory 1 IoCs
  • Drops file in Windows directory 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies data under HKEY_USERS 24 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\e5840a9753ed8f90fbd7264c8db27c4b_JaffaCakes118.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2068
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\e5840a9753ed8f90fbd7264c8db27c4b_JaffaCakes118.dll,#1
      2⤵
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1112
      • C:\WINDOWS\mssecsvc.exe
        C:\WINDOWS\mssecsvc.exe
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        PID:2348
        • C:\WINDOWS\tasksche.exe
          C:\WINDOWS\tasksche.exe /i
          4⤵
          • Executes dropped EXE
          PID:2824
  • C:\WINDOWS\mssecsvc.exe
    C:\WINDOWS\mssecsvc.exe -m security
    1⤵
    • Executes dropped EXE
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Modifies data under HKEY_USERS
    PID:2508

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\mssecsvc.exe

    Filesize

    3.6MB

    MD5

    e20e2e53fe61de4a8c508c40ce756b96

    SHA1

    4dc7cb669c1989dc2cab409d40f52c3e9f5c8489

    SHA256

    5edfa39cf049b38394525449a025f409cb65b0517508242f7a2e84b633884a7e

    SHA512

    d7f45aa7472749976ca01f137b7577526c9768ce26d98818ca1945507219abadf13254b473aeebfa61f5ea2852a587d43f0be46a03d0bd3b1c85aeb295cfe67d

  • C:\Windows\tasksche.exe

    Filesize

    3.4MB

    MD5

    05bbe4d783a981d01a1f7f48f789be2c

    SHA1

    ce66757ee977f0f3274f38ad847825b381b5ee37

    SHA256

    404d9b83a2e0b5790c9a49c3d3456b8c2ca8225e4e868dd386a4cd85260ea691

    SHA512

    609645c51e1b6d74c36de764180170339ffd07e25cf806a9c4a11811f108b537617cae4b5a29546bb40884712c644cfb5451c1905055ac7d53546632e4aa678d