Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    18-09-2024 19:14

General

  • Target

    e9ce08afa289a2c8af4a638a753c6507_JaffaCakes118.dll

  • Size

    5.0MB

  • MD5

    e9ce08afa289a2c8af4a638a753c6507

  • SHA1

    90bc012dfa05a751a6889d62f6ade512583bcfda

  • SHA256

    4e8eb80f86bae675ffb9249bf51adb34560917eb176558f365ed6bf178a07da1

  • SHA512

    83dff55ce1b77db6b51559a2cca8ac43126d6275dfa1b6ad69aeebc458842b633249ab1734c49e2d2ea6d7be550ddc7bc39c5b3f08f698b9c088f40aa6111a19

  • SSDEEP

    24576:SbLgddQhfdmMSirYbcMNgef0QeQjG/D8kIqRYSR+7H:SnAQqMSPbcBVQej/1/R+

Malware Config

Signatures

  • Wannacry

    WannaCry is a ransomware cryptoworm.

  • Contacts a large (3084) amount of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Executes dropped EXE 3 IoCs
  • Creates a large amount of network flows 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Drops file in System32 directory 1 IoCs
  • Drops file in Windows directory 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies data under HKEY_USERS 24 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\e9ce08afa289a2c8af4a638a753c6507_JaffaCakes118.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2060
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\e9ce08afa289a2c8af4a638a753c6507_JaffaCakes118.dll,#1
      2⤵
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2528
      • C:\WINDOWS\mssecsvc.exe
        C:\WINDOWS\mssecsvc.exe
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        PID:2188
        • C:\WINDOWS\tasksche.exe
          C:\WINDOWS\tasksche.exe /i
          4⤵
          • Executes dropped EXE
          PID:2872
  • C:\WINDOWS\mssecsvc.exe
    C:\WINDOWS\mssecsvc.exe -m security
    1⤵
    • Executes dropped EXE
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Modifies data under HKEY_USERS
    PID:1712

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\mssecsvc.exe

    Filesize

    3.6MB

    MD5

    31c997c17202d1aeec62329cb90dd00d

    SHA1

    ac78f7c6f6c600f5890d7dcbf51c40b775ab4814

    SHA256

    7bc947804a598b209e546c08afa29d8e82448fdacf4c6d147ce721c7b764181c

    SHA512

    297351bf5f3f746d177c96582f1c856ed38410cdb4dd22d0cb5859d45ddfec7818d46885c12b41b9301a50c9a1d2532f5b3483a088050c0aafe96dad1d5df49f

  • C:\Windows\tasksche.exe

    Filesize

    3.4MB

    MD5

    8d2b38e8eeafe269d053c8fd41bd5fb3

    SHA1

    09f485dd337bc79d22c211508170f4b8fec35086

    SHA256

    47515da81eea0f2f7c0c2f54f5cab028cb00c1b3e7b7ab8333fea3e16f0de904

    SHA512

    3c97dacb8aa6d5180840a8820127a4b6d67ae5376404ed878c61c7dae27757100d3d55c226739a15b04402cf156d88ebe9406798c5f2a3d0f8e637de43c4dfc6