Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    26-09-2024 23:25

General

  • Target

    f954b974b717c77f377f9efe747fbac1_JaffaCakes118.dll

  • Size

    5.0MB

  • MD5

    f954b974b717c77f377f9efe747fbac1

  • SHA1

    16db73d8089233d16c0454f7833d6345d15da871

  • SHA256

    be82a36ff7a1f80fdd04123552815fc4e4cd61b7791f42240c08976b525fa546

  • SHA512

    f715d51082c61fcc0749886cbb9afb3d635b5cb314f99b56eec1663d279c403f0d655cd985eb5799472dd2ab7276e9252751733464032a96313e9fa3f566ef61

  • SSDEEP

    98304:+DqPoBhz1ScSUDk36SAEdhvxWa9P593R8yAVp2H:+DqPe1Scxk3ZAEUadzR8yc4H

Signatures

  • Wannacry

    WannaCry is a ransomware cryptoworm.

  • Contacts a large (3284) amount of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Executes dropped EXE 3 IoCs
  • Creates a large amount of network flows 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Drops file in System32 directory 1 IoCs
  • Drops file in Windows directory 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies data under HKEY_USERS 24 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\f954b974b717c77f377f9efe747fbac1_JaffaCakes118.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1524
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\f954b974b717c77f377f9efe747fbac1_JaffaCakes118.dll,#1
      2⤵
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2716
      • C:\WINDOWS\mssecsvc.exe
        C:\WINDOWS\mssecsvc.exe
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        PID:2380
        • C:\WINDOWS\tasksche.exe
          C:\WINDOWS\tasksche.exe /i
          4⤵
          • Executes dropped EXE
          PID:2712
  • C:\WINDOWS\mssecsvc.exe
    C:\WINDOWS\mssecsvc.exe -m security
    1⤵
    • Executes dropped EXE
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Modifies data under HKEY_USERS
    PID:2396

Downloads

  • C:\Windows\mssecsvc.exe

    Filesize

    3.6MB

    MD5

    69762a3f6b71e9ba5afb0f7c4a162e94

    SHA1

    004a5ea2cefe96c4a4d7cb461bb225b93d82a8f3

    SHA256

    6656d1b3958a6a5b2a30abc7f43908e291e081dfa557152e0c06a04a90890eca

    SHA512

    a7a080f4aeb56d72df5d5ee81387b61133de3b9f0d1b430fd6b7e35c4f0e8c9d34138a93e1c1d665e979c6200bfef81665257855b5cb08a5164a85906d391b6b

  • C:\Windows\tasksche.exe

    Filesize

    3.4MB

    MD5

    4b6bc9ea17de240e52381814b492d436

    SHA1

    e625b78de22525b4913b384e6271a40342b6f394

    SHA256

    f2eaeca5d307d4265ce81a652f3c2777e49d61af9902614476b471b87c7e0f60

    SHA512

    d38c6df79a1a81a45de83e2a772fbabc06cd43ad45cc81730e888d6fa20acf959d4ac0ef8fdba4cb1fcb958ded4f9a77df76f208f2d8118b75ee00556889e2b2