Overview

overview

10

Static

static

3

29057932b6...18.dll

windows7-x64

10

29057932b6...18.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    09-05-2024 07:58

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    29057932b62403215de35c9f21e2d38c_JaffaCakes118.dll

  • Size

    5.0MB

  • MD5

    29057932b62403215de35c9f21e2d38c

  • SHA1

    91eb61a16d478c2c34948f38534447e3560da641

  • SHA256

    dfc39b466ba47e71bfce125f8dc481deb8150c7c4737a118b770daf1b96989cc

  • SHA512

    5b9a794c3bd9d49fb1ad7cf224bab8d6a304bbca38ead96225489f736d923c901ff676d61e6181a17dceb40490167d2027f6f6ac10a4e670b10126738132c877

  • SSDEEP

    98304:+DqPoBo1aRxcSUDk36SAEdhvxWa9P593R8yAVp2H:+DqP71Cxcxk3ZAEUadzR8yc4H

Score
10/10
wannacrydiscoveryransomwareworm

Malware Config

Signatures

  • Wannacry

    WannaCry is a ransomware cryptoworm.

    ransomwarewormwannacry
  • Contacts a large (3199) amount of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

    discovery
  • Executes dropped EXE 3 IoCs
  • Creates a large amount of network flows 1 TTPs

    This may indicate a network scan to discover remotely running services.

    discovery
  • Drops file in System32 directory 1 IoCs
  • Drops file in Windows directory 2 IoCs
  • Modifies data under HKEY_USERS 24 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\29057932b62403215de35c9f21e2d38c_JaffaCakes118.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2512
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\29057932b62403215de35c9f21e2d38c_JaffaCakes118.dll,#1
      2⤵
      • Drops file in Windows directory
      • Suspicious use of WriteProcessMemory
      PID:2508
      • C:\WINDOWS\mssecsvc.exe
        C:\WINDOWS\mssecsvc.exe
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        PID:1456
        • C:\WINDOWS\tasksche.exe
          C:\WINDOWS\tasksche.exe /i
          4⤵
          • Executes dropped EXE
          PID:2868
  • C:\WINDOWS\mssecsvc.exe
    C:\WINDOWS\mssecsvc.exe -m security
    1⤵
    • Executes dropped EXE
    • Drops file in System32 directory
    • Modifies data under HKEY_USERS
    PID:1152

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\mssecsvc.exe
    Filesize

    3.6MB

    MD5

    d8505ac58bfb183a53c9ac2d725adf2c

    SHA1

    7697211ba54352da68f565ff60388ee736d7af69

    SHA256

    d8484ce6c9eaeec30b418510c4164e2cc0d3267d6d77a9ad230a4d8967f2874d

    SHA512

    f1f2d6ac6be63ede1c1a69d2b5595cf3f1478a187f8970e4a1af22e58ec0f960afcaaa108b4a442a993f6208e13aaa8ca84067dd0ef6da019f30907b8d7b2537

    Download Submit
  • C:\Windows\tasksche.exe
    Filesize

    3.4MB

    MD5

    ff98c901e8a3045fb0156f3d96238800

    SHA1

    789c069386dc4c518bf5c40195984de87fe0249d

    SHA256

    b4f0af49272bd9b25e2538df4c9dd4613e54381cb73677b22bed1fca8afcb9e4

    SHA512

    d656e786f718e25a1a39fd78ad09b51236a2ea80daa458ca25e50bd5bb58742fcd1405e1e520143267deee6625a551e77a4f538a509500d18fcd1401c95100bd

    Download Submit