Analysis

  • max time kernel
    150s
  • max time network
    152s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    17-09-2024 00:39

General

  • Target

    e5d9afc15dbafccf2423aef31f8b1a8d_JaffaCakes118.dll

  • Size

    5.0MB

  • MD5

    e5d9afc15dbafccf2423aef31f8b1a8d

  • SHA1

    7d0e689cff29f6a950c249692e7b0ef554c3136d

  • SHA256

    bda3cfc35a9ce7e10e42d2e3f85004b9d193c0cbb57542dfb9f5861628ad4b89

  • SHA512

    c0366640b4f05866968bdd0e061563a927f568f5a6d90925670a275944471aadcccfe7f3d74a0b4fee649bfc9db9e0d337948ad85c2a223e41847b6effbf3639

  • SSDEEP

    49152:SnAQqMSPbcBVQej/1INRx+TSqTdX1HkQo6SAA:+DqPoBhz1aRxcSUDk36SA

Malware Config

Signatures

  • Wannacry

    WannaCry is a ransomware cryptoworm.

  • Contacts a large (3346) amount of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Executes dropped EXE 3 IoCs
  • Creates a large amount of network flows 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Drops file in System32 directory 1 IoCs
  • Drops file in Windows directory 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies data under HKEY_USERS 24 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\e5d9afc15dbafccf2423aef31f8b1a8d_JaffaCakes118.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2232
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\e5d9afc15dbafccf2423aef31f8b1a8d_JaffaCakes118.dll,#1
      2⤵
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2120
      • C:\WINDOWS\mssecsvc.exe
        C:\WINDOWS\mssecsvc.exe
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        PID:2700
        • C:\WINDOWS\tasksche.exe
          C:\WINDOWS\tasksche.exe /i
          4⤵
          • Executes dropped EXE
          PID:888
  • C:\WINDOWS\mssecsvc.exe
    C:\WINDOWS\mssecsvc.exe -m security
    1⤵
    • Executes dropped EXE
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Modifies data under HKEY_USERS
    PID:2832

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\mssecsvc.exe

    Filesize

    3.6MB

    MD5

    d9ad1c26c753906ccea5cf5941da1bac

    SHA1

    791d00e8d01fe2b722c411992f3bf39d14456a3c

    SHA256

    1214fda007b506dea47071cd037ac4cf4d196d6f18bcc93083607bdfce27be24

    SHA512

    a6dddc5c8bb2ca217062339db83a9da7dab31b0f8efe19dd72801b86194294938bef45ba36d659cb49fecc162fe50d307683ba7eac8e160a201225dd1034b647

  • C:\Windows\tasksche.exe

    Filesize

    3.4MB

    MD5

    3e1befae374a1a3bb80b6ef20cb85f3e

    SHA1

    758ad920bed76647fa82334866043ae65adacdd4

    SHA256

    45dee32ff83cb4e110d387ddb5939144e96c55429e40da2f7607edfb857a8a44

    SHA512

    50ccbc938623e4ca4397ecc5a883ef9680afaa2600afa30f54db9e0337f3ee305e5452cae7c0ca78bf224a7fdf5e6669b79222423007138a838ada90cf94d86a