Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    19-09-2024 09:25

General

  • Target

    eb08ff16021264b1f8c41c89eee6bb78_JaffaCakes118.dll

  • Size

    5.0MB

  • MD5

    eb08ff16021264b1f8c41c89eee6bb78

  • SHA1

    11f24fe58456ecb5323bbb4bda5e89e26bdea97e

  • SHA256

    f93847ed23c62e63f543e7be36431978e336314d70108daf22ebe797bcac70eb

  • SHA512

    abc5d09c52b4f7dabd5adad85254d97c01b532d75c1e3ebff2177e36a6f3662250d2513e5a2c2b8acca40554a2bcbc6bc1cda51a47ab3f70b1e8ad44f652219b

  • SSDEEP

    49152:SnAQqMSPbcBVQej/1INRx+TSqTdX1HkQo6SAARdhnvxJM0H9:+DqPoBhz1aRxcSUDk36SAEdhvxWa9

Malware Config

Signatures

  • Wannacry

    WannaCry is a ransomware cryptoworm.

  • Contacts a large (3264) amount of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Executes dropped EXE 3 IoCs
  • Creates a large amount of network flows 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Drops file in System32 directory 1 IoCs
  • Drops file in Windows directory 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies data under HKEY_USERS 24 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\eb08ff16021264b1f8c41c89eee6bb78_JaffaCakes118.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2524
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\eb08ff16021264b1f8c41c89eee6bb78_JaffaCakes118.dll,#1
      2⤵
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1680
      • C:\WINDOWS\mssecsvc.exe
        C:\WINDOWS\mssecsvc.exe
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        PID:2108
        • C:\WINDOWS\tasksche.exe
          C:\WINDOWS\tasksche.exe /i
          4⤵
          • Executes dropped EXE
          PID:2740
  • C:\WINDOWS\mssecsvc.exe
    C:\WINDOWS\mssecsvc.exe -m security
    1⤵
    • Executes dropped EXE
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Modifies data under HKEY_USERS
    PID:2332

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\mssecsvc.exe

    Filesize

    3.6MB

    MD5

    66362da2c2b3ec4bb3613fd1b26f3fbd

    SHA1

    56449dea63b6920c4e69680ce27025d4e9eb671d

    SHA256

    14b519fd13760b58c720dc1796c064d7eff91c9eae58cdd16da0704f08264659

    SHA512

    88cab5344bed28092f04707afd481973f8f373da863edc58831cdf654f0ed5e96a00e53bbc9fe1679475c2f7c201a2cce65eb128c9fb6b0d6d9995a217d5b2fa

  • C:\Windows\tasksche.exe

    Filesize

    3.4MB

    MD5

    03f336657335fc71aef9178b8c1e169c

    SHA1

    5ac86adb9adab2c04d7153227dcd0f0b193885e9

    SHA256

    b7deccfe8c66af80237eeb38ff0f204b254adfa034614ea4514e8e2ada61a603

    SHA512

    ffa14dede8c278a8189ff99251e29ec29064ee0ef7d3eaa3cda0350ddc805207feca424deeca5c8354a35aa06728d67aa03f799833284e98d7e746b390bde63d