Analysis

  • max time kernel: 150s
  • max time network: 154s
  • platform: windows7_x64
  • resource: win7-20240903-en
  • resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted: 26-09-2024 22:29

General

  • Target: f944d90ab5a048bc14ebab034d23dc7f_JaffaCakes118.dll
  • Size: 5.0MB
  • MD5: f944d90ab5a048bc14ebab034d23dc7f
  • SHA1: e75b1c7d1893e77214067c934ca1b11bde6ccd02
  • SHA256: 091cf8784c8152b9401e26d4d02418fb84626fc1a4a6542c0f954e0af8595586
  • SHA512: 05e8a23bd97c74ac6e7563b2e2dd2f367ba9fd686070c641a3e1ffe18e3b49c6ca7d0dd283348c26833ed5c93e62c439b8c18a8b7e3c13094872b8e94e55beec
  • SSDEEP: 49152:SnAQqMSPbcBVQej/1INRx+TSqTdX1HkQo6SAA4rHV7YoG/QCkc/balAH:+DqPoBhz1aRxcSUDk36SANYod3c/22H

Malware Config

Signatures

  • Wannacry

    WannaCry is a ransomware cryptoworm.

  • Contacts a large (3126) number of remote hosts (1 TTP)

    This may indicate a network scan to discover remotely running services.

  • Executes dropped EXE (3 IoCs)
  • Creates a large number of network flows (1 TTP)

    This may indicate a network scan to discover remotely running services.

  • Drops file in System32 directory (1 IoC)
  • Drops file in Windows directory (2 IoCs)
  • System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies data under HKEY_USERS (24 IoCs)
  • Suspicious use of WriteProcessMemory (11 IoCs)

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\f944d90ab5a048bc14ebab034d23dc7f_JaffaCakes118.dll,#1
    • Suspicious use of WriteProcessMemory
    PID:2776
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\f944d90ab5a048bc14ebab034d23dc7f_JaffaCakes118.dll,#1
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2788
      • C:\WINDOWS\mssecsvc.exe
        C:\WINDOWS\mssecsvc.exe
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        PID:2836
        • C:\WINDOWS\tasksche.exe
          C:\WINDOWS\tasksche.exe /i
          • Executes dropped EXE
          PID:2576
  • C:\WINDOWS\mssecsvc.exe
    C:\WINDOWS\mssecsvc.exe -m security
    • Executes dropped EXE
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Modifies data under HKEY_USERS
    PID:2912

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\mssecsvc.exe
    Filesize: 3.6MB
    MD5: 33b563d53ec86880abbbd10bbdc59108
    SHA1: 473ab4a7f01de0c8803de76f7aa9a0268c324ab2
    SHA256: 9ecd5c2255db9c62ec729b9637f9a9ad76f759b65c2f4f237ea02222a4b3c562
    SHA512: ace31e626ee27bdd64ce3bdaa74812f5ba88feea9d52e05b429cbf152cd8d23ad258e62b23e24f6f3f48dac114cf9a15c77514456453be876ce8e33ea864050b

  • C:\Windows\tasksche.exe
    Filesize: 3.4MB
    MD5: e75e8b988235fb617c957ee8ce2cb3ef
    SHA1: d20d2bfa9177287ec025e6972b3597c98cdc7b74
    SHA256: 7e2e8a0b85e7cdd73ce2a73f5480b11f37793085505f12913aef72b6c825de99
    SHA512: 1b924a62f25ce06f170c158dad80db4ea692a791be8d3c7167e7e4b9e7137455c7a912684f4282e80786e4244f940b6c420c3f75c6a508d734946a395dc79159