Analysis

  • max time kernel
    150s
  • max time network
    154s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    25-09-2024 15:58

General

  • Target

    f65b4cc9a87df1dd14918f8d295af7ea_JaffaCakes118.dll

  • Size

    5.0MB

  • MD5

    f65b4cc9a87df1dd14918f8d295af7ea

  • SHA1

    397e761ab1ae29c593b88199150d38e7bd7e5782

  • SHA256

    0a547edd3c73c87c7796377bee53ed0024edb35a9c9c1e4a62735909643a4ca2

  • SHA512

    7ee60ab115c68fa1a37b4cd5c74d4d8f852d17d8dca13e66af615a96303f6fb3e4a6399db14c28acda6eccd71b0c7d039e399126cf2d171b2361751a4f658828

  • SSDEEP

    98304:d8qPonhz1aRxcSUDkuxWa9P593R8yAVp2H:d8qPM1CxcxkhadzR8yc4H

Malware Config

Signatures

  • Wannacry

    WannaCry is a ransomware cryptoworm.

  • Contacts a large (3300) amount of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Executes dropped EXE 3 IoCs
  • Creates a large amount of network flows 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Drops file in System32 directory 1 IoCs
  • Drops file in Windows directory 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies data under HKEY_USERS 1 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\f65b4cc9a87df1dd14918f8d295af7ea_JaffaCakes118.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2260
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\f65b4cc9a87df1dd14918f8d295af7ea_JaffaCakes118.dll,#1
      2⤵
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2416
      • C:\WINDOWS\mssecsvc.exe
        C:\WINDOWS\mssecsvc.exe
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        PID:2412
        • C:\WINDOWS\tasksche.exe
          C:\WINDOWS\tasksche.exe /i
          4⤵
          • Executes dropped EXE
          PID:3064
  • C:\WINDOWS\mssecsvc.exe
    C:\WINDOWS\mssecsvc.exe -m security
    1⤵
    • Executes dropped EXE
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Modifies data under HKEY_USERS
    PID:2984

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\mssecsvc.exe

    Filesize

    3.6MB

    MD5

    bf914d1d0fb0f1dfd5fbb11ad151635e

    SHA1

    3eee822a80e45b5e5213ab76e4352c68d8d4f452

    SHA256

    684776549b3dee267f9de4e6dff872db586b7bf598fb0a12ec8502f27a8f585f

    SHA512

    0bac688199ec50ef9fea640778a2dbbb50f6cab3fcd221fcbc9eb51a8d0b9ae211f94580238abb466c1cf8850edec051d627503e2735625df740754b0e53007e

  • C:\Windows\tasksche.exe

    Filesize

    3.4MB

    MD5

    fd8c1e7fd01012f3af5fe6b77066a95f

    SHA1

    ef75e7626e63144fbdcd2e475362bfd8fc323598

    SHA256

    bf2ed6dd2a7bb1ea1c9acf3f0ca2f32ba41e5083d6af10140259f0b439bf2ec3

    SHA512

    29f0bb27a1e51dec26df80c5433d5bbffe8f9391ea7ca15df4de747b3341403f3fd43f438bc13f4b103adfd12232428069040d5eb39ed099714b8a5fa720f534