Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    27-09-2024 08:50

General

  • Target

    fa17aae4f396459b7d591759d7aaf033_JaffaCakes118.dll

  • Size

    5.0MB

  • MD5

    fa17aae4f396459b7d591759d7aaf033

  • SHA1

    dffab299632a5623bb931eff5bfc23c25d4fcbea

  • SHA256

    27f7b4b45546af6c1b3fc3edf05bfe824b907b8a09751ede40d364790f87dabf

  • SHA512

    f888cb03d586b8521211f3210ff4b4daba54d8bebb29eb87a82c479306f9838ff1ec75e5e2f78d914c6606793d93da26feb8203c9b50b3af29d94c8253fb92d2

  • SSDEEP

    49152:SnAQqMSPbcBVQej/1INRx+TSqTdX1HkQo6SAARdhnvxJM0H9PAMEc:+DqPoBhz1aRxcSUDk36SAEdhvxWa9P5

Malware Config

Signatures

  • Wannacry

    WannaCry is a ransomware cryptoworm.

  • Contacts a large (3263) amount of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Executes dropped EXE 3 IoCs
  • Creates a large amount of network flows 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Drops file in System32 directory 1 IoCs
  • Drops file in Windows directory 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies data under HKEY_USERS 24 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\fa17aae4f396459b7d591759d7aaf033_JaffaCakes118.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2528
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\fa17aae4f396459b7d591759d7aaf033_JaffaCakes118.dll,#1
      2⤵
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2520
      • C:\WINDOWS\mssecsvc.exe
        C:\WINDOWS\mssecsvc.exe
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        PID:2544
        • C:\WINDOWS\tasksche.exe
          C:\WINDOWS\tasksche.exe /i
          4⤵
          • Executes dropped EXE
          PID:2320
  • C:\WINDOWS\mssecsvc.exe
    C:\WINDOWS\mssecsvc.exe -m security
    1⤵
    • Executes dropped EXE
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Modifies data under HKEY_USERS
    PID:1772

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\mssecsvc.exe

    Filesize

    3.6MB

    MD5

    8b94c01d4ed92cddd2a98dca4d3cd83b

    SHA1

    fb2f71a3bca69a080e7d2497abed2c8285ec0f2f

    SHA256

    699fe9cfc6657e23448ffb95e785069371d748baed406e449c4cf6d5ff710aea

    SHA512

    af752a347c707272069391133a39a1174b768d5c9505fa5ccc4216e728f0f9da9ce8536cbfc8f5f037d35afe571dd6deaf47daf22c27d0f8f1b7a9ce8399eb9d

  • C:\Windows\tasksche.exe

    Filesize

    3.4MB

    MD5

    5782c5c239f03decfc8914a49d1a8e6e

    SHA1

    d9b7bc94d39da13d77a61faf0d51eb73e3bfafc2

    SHA256

    eeb6e79c4331d8595a5a030631d817d7ee83b8a21e091e210fadc96df9b53734

    SHA512

    89814c9ff80b751198a1ba1a835e08a46481a654ab2cd1fa354811a5536c7dc24db68ad1012d4f655119d345c5f92140c5d40f378232bb94e4bc3ac40ba99125