Analysis

  • max time kernel
    150s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    17-09-2024 22:58

General

  • Target

    e7dc469ddece531137ede07b94bfff3d_JaffaCakes118.dll

  • Size

    5.0MB

  • MD5

    e7dc469ddece531137ede07b94bfff3d

  • SHA1

    eea0ed7f4c11185fd0c5aaaca6b00d0ded3a27da

  • SHA256

    90e1c09b917ba911cdab1b1051cc5ca2a9dd13238764188d6742ecc8e822b378

  • SHA512

    77144aa6ea5a98345d49a97f0ca0be7bd36bddfa70deb36afd8dcfc02f6bbae0746c856630e0c798a57886c69817d54882278a5a3fe6f42c753a6a78917e9fee

  • SSDEEP

    49152:XnAQqMSPbcBVQej/1INRx+TSqTdX1HkQo6SAA:XDqPoBhz1aRxcSUDk36SA

Malware Config

Signatures

  • Wannacry

    WannaCry is a ransomware cryptoworm.

  • Contacts a large (3230) amount of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Executes dropped EXE 3 IoCs
  • Creates a large amount of network flows 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Drops file in Windows directory 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies data under HKEY_USERS 5 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\e7dc469ddece531137ede07b94bfff3d_JaffaCakes118.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3620
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\e7dc469ddece531137ede07b94bfff3d_JaffaCakes118.dll,#1
      2⤵
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3000
      • C:\WINDOWS\mssecsvc.exe
        C:\WINDOWS\mssecsvc.exe
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        PID:2836
        • C:\WINDOWS\tasksche.exe
          C:\WINDOWS\tasksche.exe /i
          4⤵
          • Executes dropped EXE
          PID:4668
  • C:\WINDOWS\mssecsvc.exe
    C:\WINDOWS\mssecsvc.exe -m security
    1⤵
    • Executes dropped EXE
    • System Location Discovery: System Language Discovery
    • Modifies data under HKEY_USERS
    PID:864

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\mssecsvc.exe

    Filesize

    3.6MB

    MD5

    5c0bb3e625a472e8219a0cdc25ceff0e

    SHA1

    2d0ee877bed090e4879d9c921d716d97fad28a8f

    SHA256

    2c5f953e6ba448a06f44c266d82155fc947c2a07bca6d0581dbc84f919a02335

    SHA512

    98af64e5b506a06daaffc9756fd8b116d24105d29c6cfd35eb4d64adb14df4a478fbde81b4cf082f2d6b60e29f4032c9005de65488998a37883188a94c97d694

  • C:\Windows\tasksche.exe

    Filesize

    3.4MB

    MD5

    3233aced9279ef54267c479bba665b90

    SHA1

    0b2cc142386641901511269503cdf6f641fad305

    SHA256

    f60f8a6bcaf1384a0d6a76d3e88007a8604560b263d2b8aeee06fd74c9ee5b3b

    SHA512

    55f25c51ffb89d46f2a7d2ed9b67701e178bd68e74b71d757d5fa14bd9530a427104fc36116633033ead762ecf7960ab96429f5b0a085a701001c6832ba4555e

  • memory/864-6-0x0000000000400000-0x0000000000A72000-memory.dmp

    Filesize

    6.4MB

  • memory/864-11-0x0000000000400000-0x0000000000A72000-memory.dmp

    Filesize

    6.4MB

  • memory/2836-4-0x0000000000400000-0x0000000000A72000-memory.dmp

    Filesize

    6.4MB

  • memory/2836-10-0x0000000000400000-0x0000000000A72000-memory.dmp

    Filesize

    6.4MB