Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20240729-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
  • submitted
    19-09-2024 18:51

General

  • Target

    ebfb728ffde51b0e9a3d38405074679a_JaffaCakes118.dll

  • Size

    5.0MB

  • MD5

    ebfb728ffde51b0e9a3d38405074679a

  • SHA1

    1e2c51318de80dd2cbb8bcc3f0fa22417d9a2bd1

  • SHA256

    9f8f4ebbd390496cd0e5e3a6a7d2463aee01ea04f7bfb5b21c71b3d4e046215c

  • SHA512

    38026242a37d7deecb2d71a32b0989cbd26718e244630bcd6a6b6939ed3848784949846a6c6ecd5ad8c6c6345099ce43c285fc3c3f91ae8fe64e85c96eea3db6

  • SSDEEP

    98304:+DqPoBhz1aRxcSUDk36SAEdhvxWao8yAVp2H:+DqPe1Cxcxk3ZAEUao8yc4H

Malware Config

Signatures

  • Wannacry

    WannaCry is a ransomware cryptoworm.

  • Contacts a large (3103) amount of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Executes dropped EXE 3 IoCs
  • Creates a large amount of network flows 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Drops file in System32 directory 1 IoCs
  • Drops file in Windows directory 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies data under HKEY_USERS 24 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\ebfb728ffde51b0e9a3d38405074679a_JaffaCakes118.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2732
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\ebfb728ffde51b0e9a3d38405074679a_JaffaCakes118.dll,#1
      2⤵
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2096
      • C:\WINDOWS\mssecsvc.exe
        C:\WINDOWS\mssecsvc.exe
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        PID:2084
        • C:\WINDOWS\tasksche.exe
          C:\WINDOWS\tasksche.exe /i
          4⤵
          • Executes dropped EXE
          PID:2708
  • C:\WINDOWS\mssecsvc.exe
    C:\WINDOWS\mssecsvc.exe -m security
    1⤵
    • Executes dropped EXE
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Modifies data under HKEY_USERS
    PID:2772

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\mssecsvc.exe

    Filesize

    3.6MB

    MD5

    cdf9c25e9f9c243dd20a8c826085cdbb

    SHA1

    40d6aebc5bbac4ac516dff1a9fdd28ea269d48bf

    SHA256

    90ce98041b8f81d2b8621366b989a4abbfde8b0cad3ff920a69d05e5ea679761

    SHA512

    3297995a94453f864c15c49ba5695390efae60013769429b7d49e23b20f48f9a54dbdaf6ce603e7e58b279c99b236b1c52303f87cfb18d2530ddf9c113a6cab7

  • C:\Windows\tasksche.exe

    Filesize

    3.4MB

    MD5

    cdb0ff22ab61c1d2e5d84c6c2ee01588

    SHA1

    847109df9dd940d1b49359f3165858c1b7ba5ea3

    SHA256

    9a4099a2b821109f1a24fb54eb4851a7bdbaa5d95085ac41db79d5ee8a844f70

    SHA512

    9eb2f265aee595c839208c9681657d31543a7ae555b3693fd6b67b5879d01b4dbf756fba54a27454574d77cbddf3b0610e1c6fb498de8d137636b7ec490c0067