Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20240419-en
  • resource tags
    arch:x64 arch:x86 image:win7-20240419-en locale:en-us os:windows7-x64 system
  • submitted
    02-05-2024 23:57

General

  • Target

    0f31bd63c85f42b46f8b5c07f02147b0_JaffaCakes118.dll

  • Size

    5.0MB

  • MD5

    0f31bd63c85f42b46f8b5c07f02147b0

  • SHA1

    7e7d97b8aa93efeddce129b890ec1ca14eb88c02

  • SHA256

    b7c7599d6304eaeb6a334de838938a36e4e306c0fd2562c64c9f9548a5c57c7c

  • SHA512

    ea7abcf150c572a3e0a0e45b731556e9875c68e8ea9fadd3ae49fcde221a45503516c6ae414ac5fb4a4e8c69ef4b6cee74be698d29f3821c264442dcaf3bfe76

  • SSDEEP

    24576:SbLgddQhfdmMSirYbcMNgef09G/D8kIqRYoAdNLKz6626M+vbOSSqTPVXmiHkQgz:SnAQqMSPbcBVU/1INRx+TSqTdX1HkQ

Malware Config

Signatures

  • Wannacry

    WannaCry is a ransomware cryptoworm.

  • Contacts a large (3275) amount of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Executes dropped EXE 3 IoCs
  • Creates a large amount of network flows 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Drops file in System32 directory 1 IoCs
  • Drops file in Windows directory 2 IoCs
  • Modifies data under HKEY_USERS 24 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\0f31bd63c85f42b46f8b5c07f02147b0_JaffaCakes118.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1968
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\0f31bd63c85f42b46f8b5c07f02147b0_JaffaCakes118.dll,#1
      2⤵
      • Drops file in Windows directory
      • Suspicious use of WriteProcessMemory
      PID:1636
      • C:\WINDOWS\mssecsvc.exe
        C:\WINDOWS\mssecsvc.exe
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        PID:2680
        • C:\WINDOWS\tasksche.exe
          C:\WINDOWS\tasksche.exe /i
          4⤵
          • Executes dropped EXE
          PID:2632
  • C:\WINDOWS\mssecsvc.exe
    C:\WINDOWS\mssecsvc.exe -m security
    1⤵
    • Executes dropped EXE
    • Drops file in System32 directory
    • Modifies data under HKEY_USERS
    PID:2688

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\mssecsvc.exe
    Filesize

    3.6MB

    MD5

    8ea49a89d13b3382364cce359e44ac57

    SHA1

    6b79006e42806135603a7cb14b962ceaae2990ae

    SHA256

    ae9dbdddfaca00ecacd763f9ecd891d7d54d2ddabb47f96eb1428621dfe1221c

    SHA512

    ed7d43cbae9c5e29dedab993bff0321bc1bb1589dbd8b3574824ab250ce658a24f8ed32c9db91a97ce420b86001b14d3237f78411d337390a283c3a435fba184

  • C:\Windows\tasksche.exe
    Filesize

    3.4MB

    MD5

    022dd9f14f6bc11a6908e0fc5f69b04c

    SHA1

    e3e5929ea51b65a399107e0112aea04e99a46bc4

    SHA256

    d74ed543d3d9ad16a9a004b66419922eb76d71fc8b6938cfaf362a8e669f9e1d

    SHA512

    e73ab5ab989af7f776adb1a6add787e2ebacfee724d5b45a7a1eaa64c2f0cde262226b1c9aefacde8698a5f5ac24db4a7d345e97cc4f560cd2575eeb67fe393c