Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20240419-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240419-en, locale:en-us, os:windows7-x64, system
  • submitted
    03-05-2024 04:32

General

  • Target

    0fadb975887f58eb432387e86f0465b2_JaffaCakes118.dll

  • Size

    5.0MB

  • MD5

    0fadb975887f58eb432387e86f0465b2

  • SHA1

    fbf5d8d2759305b15891657f6b60fd53b2d09d34

  • SHA256

    60816bcab52669039f9f35dfefaf114279832402aa81f481df7b203ac989c081

  • SHA512

    e710407fbaf5c43236113d6a764d783204c58bac764cf2b6e9b90045d23ff077b258fadbb37fec5aa040aeaa5a3ef4d17d69fe1be2c78355d10e8154652b1b64

  • SSDEEP

    98304:+DqPoBhz1aRxcSUDk36SAEdhvxWa9P59UcryAVkE:+DqPe1Cxcxk3ZAEUad7yck

Malware Config

Signatures

  • Wannacry

    WannaCry is a ransomware cryptoworm.

  • Contacts a large number (3348) of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Executes dropped EXE 3 IoCs
  • Creates a large number of network flows 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Drops file in System32 directory 1 IoCs
  • Drops file in Windows directory 2 IoCs
  • Modifies data under HKEY_USERS 24 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\0fadb975887f58eb432387e86f0465b2_JaffaCakes118.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2204
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\0fadb975887f58eb432387e86f0465b2_JaffaCakes118.dll,#1
      2⤵
      • Drops file in Windows directory
      • Suspicious use of WriteProcessMemory
      PID:2424
      • C:\WINDOWS\mssecsvc.exe
        C:\WINDOWS\mssecsvc.exe
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        PID:2044
        • C:\WINDOWS\tasksche.exe
          C:\WINDOWS\tasksche.exe /i
          4⤵
          • Executes dropped EXE
          PID:2964
  • C:\WINDOWS\mssecsvc.exe
    C:\WINDOWS\mssecsvc.exe -m security
    1⤵
    • Executes dropped EXE
    • Drops file in System32 directory
    • Modifies data under HKEY_USERS
    PID:2360

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\mssecsvc.exe
    Filesize

    3.6MB

    MD5

    07c498015f8a58ae9fd908f0e2978ae6

    SHA1

    d6de1f561d588b030af47809e68fb5ed94abc3e2

    SHA256

    e609de4cdb55b4d289a466474d0eea0bd03ddbf0b36d81276c41c3221df7aaa6

    SHA512

    a5c5b501c09942a0dc4bbf03d3b3367a11fbb6d45e8b10e866783431a3e9fa4918481b5d983e03f2c154e2a3dfc70e348a3e4569f357611c857c81d6ed326930

  • C:\Windows\tasksche.exe
    Filesize

    3.4MB

    MD5

    ea86acbf644340f8f693b7303892e167

    SHA1

    2805dc547a9452f0811f7d76bd2b9b7f451368ca

    SHA256

    ece0fea375cbc8e065b12bedd8e17b04c91955037825b483e24b94cbc1ffd465

    SHA512

    6c6fbfdb4fc234031e9088e28a50e29971b85a68d852f9312ca0b792b700610290cbf887d2d717be5c689898d100e689cbabb3ae486abea6a8bdd688a8a27bf7