Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    18-09-2024 17:06

General

  • Target

    e9965bd5de99ff82cf91603d126fa6a5_JaffaCakes118.dll

  • Size

    5.0MB

  • MD5

    e9965bd5de99ff82cf91603d126fa6a5

  • SHA1

    01b2224fa44cf5246a1c572c2597eee1a45a6bf0

  • SHA256

    33b5630ab1d80689c8644dcefd98a037027009c336ec14dfd10a214b21110333

  • SHA512

    8dcd5716762beff51a9a36fd03d1385086275d9526fe6d43112c0407f66e22b9e47080361e7ad70f619a08ec07881b915ccf3d42883da93ff192995e6e941c25

  • SSDEEP

    98304:+DqPoBhzTxcSUDk36SAvxWa9P593R8yAVp2H:+DqPeTxcxk3ZAYadzR8yc4H

Malware Config

Signatures

  • Wannacry

    WannaCry is a ransomware cryptoworm.

  • Contacts a large (3215) amount of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Executes dropped EXE 3 IoCs
  • Creates a large amount of network flows 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Drops file in System32 directory 1 IoCs
  • Drops file in Windows directory 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies data under HKEY_USERS 24 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\e9965bd5de99ff82cf91603d126fa6a5_JaffaCakes118.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1732
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\e9965bd5de99ff82cf91603d126fa6a5_JaffaCakes118.dll,#1
      2⤵
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2520
      • C:\WINDOWS\mssecsvc.exe
        C:\WINDOWS\mssecsvc.exe
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        PID:708
        • C:\WINDOWS\tasksche.exe
          C:\WINDOWS\tasksche.exe /i
          4⤵
          • Executes dropped EXE
          PID:2732
  • C:\WINDOWS\mssecsvc.exe
    C:\WINDOWS\mssecsvc.exe -m security
    1⤵
    • Executes dropped EXE
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Modifies data under HKEY_USERS
    PID:1516

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\mssecsvc.exe

    Filesize

    3.6MB

    MD5

    d9202038c45f98fd99e025c07dcdff94

    SHA1

    d657274387578a54ca74507ec7a6528468426419

    SHA256

    5a71f2e86b516c3ea15a1fecd56c0883f0969abd3f8867f8f7b88a9a177f5a43

    SHA512

    fe17e73e39797cb277a3c421a97668b20d698788b49a07b1c87d3741f1c6a0748487c1ddbea06db39eec027b37069dc51e7ab60eb2e746ca7c36975817b65388

  • C:\Windows\tasksche.exe

    Filesize

    3.4MB

    MD5

    c1cac710562620c5ed1b2784518fdf1f

    SHA1

    3ef49cab7c4561f95496650f3aa24619749879cc

    SHA256

    3086a44e93c777fbf952e57884fcc00be4a043ee9aea8fdd6ddf1410e8115d1d

    SHA512

    ae6ee4ed5916910a2a192f92716cddcfe1615da80691bb49608496037e3df264b14ff0daf0c6745ba41cb05d19d833811fd0357a0f46afbea2467ac62b078e36