Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    25-09-2024 23:18

General

  • Target

    f70dc6617585a6cdb57999cfc7e35983_JaffaCakes118.dll

  • Size

    5.0MB

  • MD5

    f70dc6617585a6cdb57999cfc7e35983

  • SHA1

    fc392f28ffbf4adee56869067d25d8a7d33f3d1d

  • SHA256

    242743baf453444c89c5c31203de59b2d6af0a4fa9bd7e7de9b7b52c6414376e

  • SHA512

    1b904c5fd57e9a8e9de4034f4b9f9200addf9222bb258802f8eb915dca4312d78a490446d27ff0b78dd12f95379b9b15d9138f2fbb124312410e8e9bcbba30df

  • SSDEEP

    49152:JnjQqMSPbcBVQej/1INRx+TSqTdX1HkQo6S:d8qPoBhz1aRxcSUDk36S

Malware Config

Signatures

  • Wannacry

    WannaCry is a ransomware cryptoworm.

  • Contacts a large (3255) amount of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Executes dropped EXE 3 IoCs
  • Creates a large amount of network flows 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Drops file in Windows directory 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\f70dc6617585a6cdb57999cfc7e35983_JaffaCakes118.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3104
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\f70dc6617585a6cdb57999cfc7e35983_JaffaCakes118.dll,#1
      2⤵
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3884
      • C:\WINDOWS\mssecsvc.exe
        C:\WINDOWS\mssecsvc.exe
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        PID:4072
        • C:\WINDOWS\tasksche.exe
          C:\WINDOWS\tasksche.exe /i
          4⤵
          • Executes dropped EXE
          PID:968
  • C:\WINDOWS\mssecsvc.exe
    C:\WINDOWS\mssecsvc.exe -m security
    1⤵
    • Executes dropped EXE
    • System Location Discovery: System Language Discovery
    PID:3948

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\mssecsvc.exe

    Filesize

    3.6MB

    MD5

    902499be1f74facf8df615deea83bd63

    SHA1

    5ee5d0c7bdbf779838b3228267228de3c45bec4d

    SHA256

    3c75131419934c7b16f9721abdef7a5cd57cd20cea4757be3724b36c84380cf2

    SHA512

    fef964c845505b1695aab6b7e983a962206e1e95d5ae30556cdf67fdffd8f5c01696672429859aff5612299a7f69803b531591427f507bec819e8442d134332f

  • C:\Windows\tasksche.exe

    Filesize

    3.4MB

    MD5

    db73e31441cfcb4e3df4f90abf93be58

    SHA1

    cec5b1d186ac29e9de354232e7ced75cfaa7dbcc

    SHA256

    ec7921ced5b4b6e1a2466938f5bbbcb37bdbe3e18231bfe474829619427a46a2

    SHA512

    9469b87f95b82afc2b17843cc120585dd4e915bb560fa69e40a54cb752392a339181bfa6923783c63e418ffcef6ed661ff7fc7689828a13732a540c788642861