Analysis

  • max time kernel
    150s
  • max time network
    154s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    17-09-2024 09:05

General

  • Target

    e67af97c23d7df391973c3ed453a65dc_JaffaCakes118.dll

  • Size

    5.0MB

  • MD5

    e67af97c23d7df391973c3ed453a65dc

  • SHA1

    ef3c913ce273786e0ec981d06a9cee26dd9f387b

  • SHA256

    79ca12b2c18a8f9ac7508178384e4b6459592d7ea8f4125018f0b9db5b04bac7

  • SHA512

    868191ca9d8667408a17ba5818f925e722624f86dbcc842b9d08df659a6c7e3f54049518e539e17efd5cc718c805f1cc14cbabd88b9c71330d0ac450b0ddf2b7

  • SSDEEP

    98304:T8qPoBhzyaRxcSUDk36SAEdhvxWa9P593R8yAVp2H:T8qPeyCxcxk3ZAEUadzR8yc4H

Malware Config

Signatures

  • Wannacry

    WannaCry is a ransomware cryptoworm.

  • Contacts a large (3059) amount of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Executes dropped EXE 3 IoCs
  • Creates a large amount of network flows 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Drops file in System32 directory 1 IoCs
  • Drops file in Windows directory 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies data under HKEY_USERS 1 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\e67af97c23d7df391973c3ed453a65dc_JaffaCakes118.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1756
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\e67af97c23d7df391973c3ed453a65dc_JaffaCakes118.dll,#1
      2⤵
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:696
      • C:\WINDOWS\mssecsvc.exe
        C:\WINDOWS\mssecsvc.exe
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        PID:2992
        • C:\WINDOWS\tasksche.exe
          C:\WINDOWS\tasksche.exe /i
          4⤵
          • Executes dropped EXE
          PID:3064
  • C:\WINDOWS\mssecsvc.exe
    C:\WINDOWS\mssecsvc.exe -m security
    1⤵
    • Executes dropped EXE
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Modifies data under HKEY_USERS
    PID:1208

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\mssecsvc.exe

    Filesize

    3.6MB

    MD5

    29c9128035380b20a6691573b09f4111

    SHA1

    a8feb5633d3a5133a1e98209d33864f17102a6a9

    SHA256

    b450fe2c830e6463d0d28fe3148a4c31cf0fbde2cf45444ee0548766a1a26bf9

    SHA512

    22f303adcd196ccbae3cf897a79c3bb64b27287d1df3c33a3bc43507313ec33181c8dd97449410bf0b6df06bb91df9bab5a537c5fbe14a46e1ce359bf546b675

  • C:\Windows\tasksche.exe

    Filesize

    3.4MB

    MD5

    bcd926f16788cec23d44a8ec1a2a1c58

    SHA1

    5952fa6e21717718ec8dfaee0be1d873dd130446

    SHA256

    1c4262a369bb4c7f5cb3ac30d3a3e3835b69732827aacccd86d097d697a38d63

    SHA512

    8ea88668230adec33be1b4b713b1ecf7cff0a850557efbdc8920a2974d22001a266fd9fefd562025b81754f49060a1673fac7b778193c767d4c206f3806ce70f