Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64 arch:x86 image:win10v2004-20240802-en locale:en-us os:windows10-2004-x64 system
  • submitted
    18-09-2024 15:50

General

  • Target

    e976d16465fed8b651bbb7048627c6bb_JaffaCakes118.dll

  • Size

    5.0MB

  • MD5

    e976d16465fed8b651bbb7048627c6bb

  • SHA1

    d74537b257ba5239623c339df5a276def07dd7c2

  • SHA256

    758aa3fb563516108e710069a99b5e5f7a8a2b37ba18462b9ebaebd5f791137b

  • SHA512

    b3bc2350883ad13784e5838ebb02eec3b26c2577efbd2b856f5d02dfc0f4b73514f0e95a480481823af7427c5fbd4822c247b55526d4a1b7ea596260d1f051f3

  • SSDEEP

    98304:+DqPoBhz1aRxcSUDk36SAEdhvxWaRYod8V:+DqPe1Cxcxk3ZAEUa

Malware Config

Signatures

  • Wannacry

    WannaCry is a ransomware cryptoworm.

  • Contacts a large (3135) number of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Executes dropped EXE 3 IoCs
  • Creates a large amount of network flows 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Drops file in Windows directory 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies data under HKEY_USERS 5 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\e976d16465fed8b651bbb7048627c6bb_JaffaCakes118.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2600
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\e976d16465fed8b651bbb7048627c6bb_JaffaCakes118.dll,#1
      2⤵
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1916
      • C:\WINDOWS\mssecsvc.exe
        C:\WINDOWS\mssecsvc.exe
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        PID:4060
        • C:\WINDOWS\tasksche.exe
          C:\WINDOWS\tasksche.exe /i
          4⤵
          • Executes dropped EXE
          PID:1808
  • C:\WINDOWS\mssecsvc.exe
    C:\WINDOWS\mssecsvc.exe -m security
    1⤵
    • Executes dropped EXE
    • System Location Discovery: System Language Discovery
    • Modifies data under HKEY_USERS
    PID:4396

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\WINDOWS\mssecsvc.exe

    Filesize

    3.6MB

    MD5

    c462be8230e941984e90a06d38e64894

    SHA1

    d495b0d84a79b29fe17d7a8134bd307a70b9ed3a

    SHA256

    2b49f9263d4f977f9e56be0b6ae4468fba84e1908add67cbc077a55bd2f83c11

    SHA512

    6fb5b4e786cc56f81fc4f3537ed553bc77d61da81447e0e1fb038332a03edadc39a36182c5f501bcb95ad822161c864c9afa83da98762ba20a572bd26ff2b07c

  • C:\Windows\tasksche.exe

    Filesize

    3.4MB

    MD5

    a839cfbbb9476e6c97d696fe6cedda30

    SHA1

    3c01d4adcfe88672685556c0e98fb5d407cb5522

    SHA256

    eeca969e01d66a71a7ba803864f0de38a8018e7ff58f2cefad2a1a94ef9c27e9

    SHA512

    233d92ae8341895145f400bf98bbc25b8c518a91d5e081ebd7f7d7c55d06c1a1ef641ddfb237516edf3a53b38891fbcc8cab1f8a7eaff83a4958c517fe6bc59e