Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    19-09-2024 07:06

General

  • Target

    ead11c271da8a54ab83e16665b415bda_JaffaCakes118.dll

  • Size

    5.0MB

  • MD5

    ead11c271da8a54ab83e16665b415bda

  • SHA1

    2f1a579915708ad4cc553c9277bf5e8b2b7ff674

  • SHA256

    d94e28b4bd152879ab2d530b7c796054e36176b29b45a4a3375171f8a06acd40

  • SHA512

    159f8ac623ba313e4468dd963c9c96f21f0f9193563e666532d742cd576c2ab78aaaed469bc75fe2b009735a87f19ed5b85fb8ab33ff02505515c3028d325dbf

  • SSDEEP

    49152:SnAQqMSPbcBVQej/1INRx+TSqTdX1HkQo6S:+DqPoBhz1aRxcSUDk36S

Malware Config

Signatures

  • Wannacry

    WannaCry is a ransomware cryptoworm.

  • Contacts a large (3332) amount of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Executes dropped EXE 3 IoCs
  • Creates a large amount of network flows 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Drops file in System32 directory 1 IoCs
  • Drops file in Windows directory 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies data under HKEY_USERS 24 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\ead11c271da8a54ab83e16665b415bda_JaffaCakes118.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2364
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\ead11c271da8a54ab83e16665b415bda_JaffaCakes118.dll,#1
      2⤵
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:796
      • C:\WINDOWS\mssecsvc.exe
        C:\WINDOWS\mssecsvc.exe
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        PID:2336
        • C:\WINDOWS\tasksche.exe
          C:\WINDOWS\tasksche.exe /i
          4⤵
          • Executes dropped EXE
          PID:2780
  • C:\WINDOWS\mssecsvc.exe
    C:\WINDOWS\mssecsvc.exe -m security
    1⤵
    • Executes dropped EXE
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Modifies data under HKEY_USERS
    PID:2764

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\mssecsvc.exe

    Filesize

    3.6MB

    MD5

    f3d461244caa4fa99eddb1bcd8f8e5f6

    SHA1

    a14aa0617df55e5ea36a377bfe1b1683f322b2ca

    SHA256

    dadfa38538399402b9ad74be92ba2d63420a38ef565831e7828fc12ec5f13a8e

    SHA512

    f2a632840c35e098cec82e61bbb79e07b9b278677b99c0a98cc1f32777948923475389b0bee4f1e5fb4c54f32f39f83b1e03ba7f8aa130b7d77612008bd8901b

  • C:\Windows\tasksche.exe

    Filesize

    3.4MB

    MD5

    117c8579fbf9d712a4b883adecb0be5e

    SHA1

    c37f9b721b804a7b13898888b635f97910401369

    SHA256

    5faac8ff2211687c3d4e25d17393a308b1f720e6fa4763083de88411f83016d6

    SHA512

    0b404ecc4eedce02c6a982d3324ece4ac995bbdd4ca4b2557999ab6e43d66591228e3d18e1cd5735f48f429ab6a85715ec1f866a471e3b766d3cf794a2b5c600