Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
  • submitted
    22-09-2024 08:41

General

  • Target

    f1ab4343d91972fc89d6a597b7972c14_JaffaCakes118.dll

  • Size

    5.0MB

  • MD5

    f1ab4343d91972fc89d6a597b7972c14

  • SHA1

    0eac99c98689df0c6d697255666942847234d50b

  • SHA256

    f738a899a5bc57660de6acbe5120242323d88927b6314b66258058e7bbc6bd37

  • SHA512

    f66b48a39a214295aef1b0a7c49bb62f4986dfd974214623e8f410c394ba3ca36024e1b2cb370e9d8c72150b278c94d576006e3a521d881ef5794b08c2361945

  • SSDEEP

    98304:+DqPoBhz1aRxcSUDk36SAEdhvxWa9P5sp2H:+DqPe1Cxcxk3ZAEUadS4H

Malware Config

Signatures

  • Wannacry

    WannaCry is a ransomware cryptoworm.

  • Contacts a large (3232) number of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Executes dropped EXE 3 IoCs
  • Creates a large amount of network flows 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Drops file in System32 directory 1 IoCs
  • Drops file in Windows directory 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.

  • Modifies data under HKEY_USERS 24 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs
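The two network signatures above (many remote hosts contacted, many flows created) are the fingerprint of WannaCry's SMB propagation sweep. The following is an added example, not part of the sandbox report, showing how that behaviour can be detected from flow records: it counts distinct destination hosts per source and destination port inside a sliding time window, so a client that repeatedly talks to one file server is not confused with a host sweeping a subnet. The flow schema, the thresholds, and the use of TCP/445 in the constructed sample are assumptions; only the 3232-host count comes from the report.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One network flow record (constructed; the field names are assumptions, not the sandbox's schema)."""
    ts: float   # seconds since start of capture
    src: str
    dst: str
    dport: int


def distinct_dest_scan(flows, window_s=60.0, threshold=50):
    """Flag sources that reach at least `threshold` distinct destination hosts on one
    destination port inside any `window_s`-second sliding window.

    Returns {src: (dport, max_distinct_dsts)}. Counting distinct hosts per port rather
    than raw flows is what separates a scan from a chatty client talking to one server.
    """
    by_key = defaultdict(list)
    for f in flows:
        by_key[(f.src, f.dport)].append(f)

    hits = {}
    for (src, dport), lst in by_key.items():
        lst.sort(key=lambda f: f.ts)
        counts = {}     # dst -> number of flows to it inside the current window
        left = 0
        best = 0
        for f in lst:
            counts[f.dst] = counts.get(f.dst, 0) + 1
            # slide the left edge forward until the window is at most window_s wide
            while f.ts - lst[left].ts > window_s:
                old = lst[left].dst
                counts[old] -= 1
                if counts[old] == 0:
                    del counts[old]
                left += 1
            best = max(best, len(counts))
        if best >= threshold:
            prev = hits.get(src)
            if prev is None or best > prev[1]:
                hits[src] = (dport, best)
    return hits


def sample_flows():
    """Constructed traffic: one host sweeping 3232 addresses on TCP/445 (the host count is
    from the report; the port and timing are assumptions) plus a benign client that keeps
    reusing five servers on the same port."""
    flows = []
    for i in range(3232):
        flows.append(Flow(1000.0 + i * 0.005, "10.0.0.5", f"192.168.{i // 256}.{i % 256}", 445))
    for i in range(200):
        flows.append(Flow(1000.0 + i * 0.3, "10.0.0.7", f"10.0.1.{i % 5}", 445))
    return flows


if __name__ == "__main__":
    for src, (dport, n) in distinct_dest_scan(sample_flows()).items():
        print(f"{src}: {n} distinct hosts on port {dport} within 60s")
```

On the constructed sample only 10.0.0.5 is reported; 10.0.0.7 produces 200 flows but never more than five distinct peers. Tune `threshold` to the size of the monitored subnets: a /24 sweep will not reach 3232 hosts, so a real deployment should alert well below the count seen in this report.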

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\f1ab4343d91972fc89d6a597b7972c14_JaffaCakes118.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3048
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\f1ab4343d91972fc89d6a597b7972c14_JaffaCakes118.dll,#1
      2⤵
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2388
      • C:\WINDOWS\mssecsvc.exe
        C:\WINDOWS\mssecsvc.exe
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        PID:2068
        • C:\WINDOWS\tasksche.exe
          C:\WINDOWS\tasksche.exe /i
          4⤵
          • Executes dropped EXE
          PID:2944
  • C:\WINDOWS\mssecsvc.exe
    C:\WINDOWS\mssecsvc.exe -m security
    1⤵
    • Executes dropped EXE
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Modifies data under HKEY_USERS
    PID:1644
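The process tree above is the part of the report that is most useful for endpoint detection: rundll32.exe invoking the DLL's ordinal-1 export, dropping and launching C:\WINDOWS\mssecsvc.exe, which in turn starts tasksche.exe /i, and a second mssecsvc.exe instance started with "-m security" (the service-mode launch). The following is an added example, not part of the report, that reconstructs parent/child relationships from Sysmon-style process-creation events and flags exactly that chain. The event schema, the benign control events, and the parent PIDs of the two top-level processes (600 for explorer.exe, 480 for services.exe) are assumptions; the report only shows those processes at depth 1 without a parent.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """Minimal process-creation event (constructed; modelled loosely on Sysmon Event ID 1)."""
    pid: int
    ppid: int
    image: str
    cmdline: str


def basename(path):
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def ancestry(by_pid, pid):
    """[self, parent, grandparent, ...] as far as the event set allows; stops on PID reuse loops."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(by_pid[pid])
        pid = by_pid[pid].ppid
    return chain


def detect_wannacry_chain(events):
    """Return [(pid, reason)] for events that match the dropper chain seen in the report."""
    by_pid = {e.pid: e for e in events}
    alerts = []
    for e in events:
        name = basename(e.image)
        chain = ancestry(by_pid, e.pid)
        parents = [basename(p.image) for p in chain[1:]]
        if name == "tasksche.exe":
            if re.search(r"\s/i\b", e.cmdline, re.I) and "mssecsvc.exe" in parents:
                alerts.append((e.pid, "tasksche.exe /i spawned under mssecsvc.exe"))
        elif name == "mssecsvc.exe":
            if re.search(r"-m\s+security", e.cmdline, re.I):
                alerts.append((e.pid, "mssecsvc.exe -m security (service-mode launch)"))
            elif parents and parents[0] == "rundll32.exe" and \
                    re.search(r"\.dll,#1\b", chain[1].cmdline, re.I):
                alerts.append((e.pid, "mssecsvc.exe spawned by rundll32 calling DLL ordinal #1"))
    return alerts


def sample_events():
    """Constructed events reproducing the report's tree plus two benign controls.
    PIDs 600 and 480 and their images are assumptions, not values from the report."""
    dll = r"C:\Users\Admin\AppData\Local\Temp\f1ab4343d91972fc89d6a597b7972c14_JaffaCakes118.dll"
    return [
        ProcEvent(600, 1, r"C:\Windows\explorer.exe", "explorer.exe"),              # assumed parent
        ProcEvent(480, 1, r"C:\Windows\System32\services.exe", "services.exe"),     # assumed parent
        ProcEvent(3048, 600, r"C:\Windows\system32\rundll32.exe", f"rundll32.exe {dll},#1"),
        ProcEvent(2388, 3048, r"C:\Windows\SysWOW64\rundll32.exe", f"rundll32.exe {dll},#1"),
        ProcEvent(2068, 2388, r"C:\WINDOWS\mssecsvc.exe", r"C:\WINDOWS\mssecsvc.exe"),
        ProcEvent(2944, 2068, r"C:\WINDOWS\tasksche.exe", r"C:\WINDOWS\tasksche.exe /i"),
        ProcEvent(1644, 480, r"C:\WINDOWS\mssecsvc.exe", r"C:\WINDOWS\mssecsvc.exe -m security"),
        # benign control: an ordinary rundll32 invocation that must not fire
        ProcEvent(1200, 600, r"C:\Windows\System32\rundll32.exe",
                  "rundll32.exe shell32.dll,Control_RunDLL"),
    ]


if __name__ == "__main__":
    for pid, reason in detect_wannacry_chain(sample_events()):
        print(f"PID {pid}: {reason}")
```

The check keys on the parent chain rather than on file names alone: a file named mssecsvc.exe is suspicious, but mssecsvc.exe started by a 32-bit rundll32.exe that was handed a DLL ordinal from a user's Temp directory is the specific chain this report records, and it is what the rule should require before paging anyone.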

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\mssecsvc.exe

    Filesize

    3.6MB

    MD5

    d2ed4595df5b1f5619f90b258eb26fb4

    SHA1

    20277158ab5e88f7dacc3e5a5cb129ed60cb2156

    SHA256

    94d1f118a3fc9638e847598c6638d07bc059bacecaf6610fbdb8326e5350b907

    SHA512

    013bec709ce6edfe5ea7c28731fa57c82cae40eea6b762f6063afa14d517f6cfcfc329350e9ba7f3492f3405a727895c14c8c822d01d7b2d3ec36e7836e91b14

  • C:\Windows\tasksche.exe

    Filesize

    3.4MB

    MD5

    1bd09d8afb4d0c32bf8834a71d04d373

    SHA1

    21e8a2ac3d06ccfec2eae891671f2a31a58a82c8

    SHA256

    64ce6c1b7a5976832f49e15084041160ae270487695df5bbb0390323303e4ff0

    SHA512

    6c1509046a0660ba8c74e0ea73a9803f3787d0813c2e40140c1c9d524f6bb9822922435731f4804ba4dc7a346b8de8a1bce66b0a4879c8d4b9cd2297d8cabf01