Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20240729-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
  • submitted
    28-09-2024 12:48

General

  • Target

    fc5566ab098c75742a5b338466736767_JaffaCakes118.dll

  • Size

    5.0MB

  • MD5

    fc5566ab098c75742a5b338466736767

  • SHA1

    9a3bf8693724166a7b9b03200e33bb41022defe3

  • SHA256

    e8578e18b2ad35198b4fb1a09914a41677f17071fc8fdede0474825a75f0d568

  • SHA512

    c9f5c66da366271253fde8e0c7a08dcda04302d445027e47940746fa8285dd4bc3a420842045b826ee1b71f647d84c140a70dbb921b6235b05c20bd5c0c60fac

  • SSDEEP

    98304:+DqPoBhz1aRxcSUDk36SAEdhvxWa9P593R8yAVp2:+DqPe1Cxcxk3ZAEUadzR8yc4

Malware Config

Signatures

  • Wannacry

    WannaCry is a ransomware cryptoworm.

  • Contacts a large (3216) amount of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Executes dropped EXE 3 IoCs
  • Creates a large amount of network flows 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Drops file in System32 directory 1 IoCs
  • Drops file in Windows directory 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies data under HKEY_USERS 24 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\fc5566ab098c75742a5b338466736767_JaffaCakes118.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2112
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\fc5566ab098c75742a5b338466736767_JaffaCakes118.dll,#1
      2⤵
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2564
      • C:\WINDOWS\mssecsvc.exe
        C:\WINDOWS\mssecsvc.exe
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        PID:1700
        • C:\WINDOWS\tasksche.exe
          C:\WINDOWS\tasksche.exe /i
          4⤵
          • Executes dropped EXE
          PID:2848
  • C:\WINDOWS\mssecsvc.exe
    C:\WINDOWS\mssecsvc.exe -m security
    1⤵
    • Executes dropped EXE
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Modifies data under HKEY_USERS
    PID:2284

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Windows\mssecsvc.exe

    Filesize

    3.6MB

    MD5

    4cf4687db57bb306c5a6976178703ae8

    SHA1

    b9e78db1abb86a1663742881a94098feff65c7e6

    SHA256

    5a5fd3d6ed7fd42e23f243e9ce775b43dff7161d45c451e3a4e8fe4a1057cddb

    SHA512

    108dcf22f92bf1a739ec90e328c2369eb4ee2db24dcc1fbaea588da54b24b977765398f885d4d44b62a3f920a9eb5c0f021a3e3a78544e3cf57a09ec840fac26

  • C:\Windows\tasksche.exe

    Filesize

    3.4MB

    MD5

    e68e21d147c21fdd1c40aed741554a15

    SHA1

    15410640500f30aa74c6cf7d550d8e5f0a7fb453

    SHA256

    315cca9401898ed966dfa6c410506c2b4d0d0ebdfe2428560e9475048eac3ed3

    SHA512

    167459f45d8420c4bd481d3e3df13927cd322c22f1f1e0fbf70739ed2e9baead8fd8cb6dad9501259cee79dd0aa0ab27caf566685e3f4da02811d7b7b91a9a7a