Analysis

  • max time kernel
    150s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    17-09-2024 09:31

General

  • Target
    e6855434ad2a02e8bc34813775695668_JaffaCakes118.dll
  • Size
    5.0MB
  • MD5
    e6855434ad2a02e8bc34813775695668
  • SHA1
    ff68c8f1f3b9d8954f77d6884bcd29d4c7d48af1
  • SHA256
    1c2cb3a8cbcfd685562e382651218cc0f0b18589482402ae4d3c4a5ab266c39d
  • SHA512
    6057946841388660d82708aaac0fab22547d631b1a2c0dfd0aebf56ac07116ee583fe8dda31e45fa1e1069791cf3f42cc699639a47556b778bf546b8847545af
  • SSDEEP
    98304:+DqPoBhz1aRxcSUDk36SAEdhvxWa9P593R8yAVp2H:+DqPe1Cxcxk3ZAEUadzR8yc4H

Malware Config

Signatures

  • Wannacry

    WannaCry is a ransomware cryptoworm.

  • Contacts a large (3292) amount of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Executes dropped EXE 5 IoCs
  • Creates a large amount of network flows 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Drops file in Windows directory 2 IoCs
  • Program crash 3 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies data under HKEY_USERS 5 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\e6855434ad2a02e8bc34813775695668_JaffaCakes118.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:752
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\e6855434ad2a02e8bc34813775695668_JaffaCakes118.dll,#1
      2⤵
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3308
      • C:\WINDOWS\mssecsvc.exe
        C:\WINDOWS\mssecsvc.exe
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1388
        • C:\WINDOWS\tasksche.exe
          C:\WINDOWS\tasksche.exe /i
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:4324
          • C:\ProgramData\rbeoqsjruepbaol925\tasksche.exe
            C:\ProgramData\rbeoqsjruepbaol925\tasksche.exe
            5⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            PID:4408
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 4408 -s 252
              6⤵
              • Program crash
              PID:2960
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 4324 -s 324
            5⤵
            • Program crash
            PID:4168
  • C:\WINDOWS\mssecsvc.exe
    C:\WINDOWS\mssecsvc.exe -m security
    1⤵
    • Executes dropped EXE
    • System Location Discovery: System Language Discovery
    • Modifies data under HKEY_USERS
    PID:1408
  • C:\Windows\system32\cmd.exe
    cmd.exe /c "C:\ProgramData\rbeoqsjruepbaol925\tasksche.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2036
    • C:\ProgramData\rbeoqsjruepbaol925\tasksche.exe
      C:\ProgramData\rbeoqsjruepbaol925\tasksche.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:3840
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 3840 -s 252
        3⤵
        • Program crash
        PID:1348
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3840 -ip 3840
    1⤵
    PID:2872
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4228,i,10369132178352108590,11047993562598554317,262144 --variations-seed-version --mojo-platform-channel-handle=3740 /prefetch:8
    1⤵
    PID:4368
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 372 -p 4408 -ip 4408
    1⤵
    PID:2064
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 4324 -ip 4324
    1⤵
    PID:628

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\mssecsvc.exe
    Filesize
    3.6MB
    MD5
    c223a0feb037ab17cc273a40856395b0
    SHA1
    d4f498435c23027ee324bc93494f871dfe8ad7a9
    SHA256
    47a0caff0fa7159652f377ab3ac01b70771aa45cbd3b1567f752194c38f4ee6c
    SHA512
    69ea8339e33c5c7706411da7e2d0c8d2b8cdd4516f72a05aa62ba9093014e3d7542345af9c00e9f36c53f674b1cc2a6546bdad2c303c1cb3aae795bbdba01be9
  • C:\Windows\tasksche.exe
    Filesize
    3.4MB
    MD5
    e56fca813e300a87483824b2924a9b45
    SHA1
    e2055d48fc7999dd8cc9f5b3e94ba12948d5a8e2
    SHA256
    bf9b9e4b3b71a9cc47af24acbd525dd76a7c956049029e714c3e31b21507c70b
    SHA512
    246a0868b687a0ed8c22b5cfcdf8a8b36d3e40100c8ddad65a491418192889ba9a77ed238ed3c921812a1654287b7de437f89a014070dbf3f5378c547cb45e10