Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    26-09-2024 00:26

General

  • Target

    f728d59f6ea4c18725fe8b6c86079117_JaffaCakes118.dll

  • Size

    5.0MB

  • MD5

    f728d59f6ea4c18725fe8b6c86079117

  • SHA1

    44e3d94333568875d943bc81827768fc7fc6714f

  • SHA256

    faaaf99bc4bfc548a0c429a49cd2b703ab4c41a7ffd2ea1b199cbdb02b5dda2c

  • SHA512

    964d7fe8cf504c9c4904fc31e1deb1ee63faf61315c4fd79e52970b5500a4e048a3989adfd7bd00c5e2ada4199105a0c5a09cf70e3a5cae83a0fe1f74dc12e18

  • SSDEEP

    49152:JnjQqMSPbcBVQej/1INRx+TSqTdX1HkQo6SAA4R8yAH1plAH:d8qPoBhz1aRxcSUDk36SAlR8yAVp2H

Malware Config

Signatures

  • Wannacry

    WannaCry is a ransomware cryptoworm.

  • Contacts a large (3253) number of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Executes dropped EXE 3 IoCs
  • Creates a large amount of network flows 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Drops file in Windows directory 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\f728d59f6ea4c18725fe8b6c86079117_JaffaCakes118.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3864
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\f728d59f6ea4c18725fe8b6c86079117_JaffaCakes118.dll,#1
      2⤵
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2248
      • C:\WINDOWS\mssecsvc.exe
        C:\WINDOWS\mssecsvc.exe
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        PID:1300
        • C:\WINDOWS\tasksche.exe
          C:\WINDOWS\tasksche.exe /i
          4⤵
          • Executes dropped EXE
          PID:656
  • C:\WINDOWS\mssecsvc.exe
    C:\WINDOWS\mssecsvc.exe -m security
    1⤵
    • Executes dropped EXE
    • System Location Discovery: System Language Discovery
    PID:2884

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\mssecsvc.exe

    Filesize

    3.6MB

    MD5

    145e6161704c8316fe637e77960f55d8

    SHA1

    e8128750c14959e88d8d28f39a4a1f29c4c53560

    SHA256

    f73851e14b6201c691eb975690ae8f8f6bfe89ee7978a8e983e99dde3d8d49ee

    SHA512

    937d3601be8a08d54e19370dc4d83abeaf2e4f380d98c83e7b5446f47c280015161889ad3cb14eca938ebd7e3c2208a17655aad31c7dcb514dae23b6c9518d7f

  • C:\Windows\tasksche.exe

    Filesize

    3.4MB

    MD5

    cb1e144fb761e259b4a79d9bd500d6eb

    SHA1

    583674dc4ae9a1b366ee664494b1d492326bf4e2

    SHA256

    f002168d4838a8163d9da4b81b3040c726a94ea2c525968b720f77b7088c249b

    SHA512

    63dec5283b59602f17791ad63b0cda12fcb81d748d00067288a09e5321054963f38fcd6e4c6c88de67f4975aab77bb72e052f01bf6deb318f2887206188dce5e