Overview

overview

10

Static

static

3

6fafd1f7b3...18.dll

windows7-x64

10

6fafd1f7b3...18.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    154s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    24-05-2024 20:03

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    6fafd1f7b3289ede91714a119c02a386_JaffaCakes118.dll

  • Size

    5.0MB

  • MD5

    6fafd1f7b3289ede91714a119c02a386

  • SHA1

    61adc5243ac6caa38c7f440128dbc79cff910124

  • SHA256

    4480e10e9512610c2f107b6ec9b2eca9942cf2bc65548ae35d6b015573359093

  • SHA512

    f21dc56ee45775fd0de36cfd668a8d70093106834c182b260479941f34ca944ddd8477f85fe8f4f8f740d4fb2960e884544c49d498843fd539d40a22bc039616

  • SSDEEP

    98304:TDqPoBhz1aRxcSUDk36SAEdhvxWa9P593R8yAVp28:TDqPe1Cxcxk3ZAEUadzR8yc48

Score
10/10
wannacrydiscoveryransomwareworm

Malware Config

Signatures

  • Wannacry

    WannaCry is a ransomware cryptoworm.

    ransomwarewormwannacry
  • Contacts a large (3192) amount of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

    discovery
  • Executes dropped EXE 3 IoCs
  • Creates a large amount of network flows 1 TTPs

    This may indicate a network scan to discover remotely running services.

    discovery
  • Drops file in System32 directory 1 IoCs
  • Drops file in Windows directory 2 IoCs
  • Modifies data under HKEY_USERS 24 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\6fafd1f7b3289ede91714a119c02a386_JaffaCakes118.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2228
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\6fafd1f7b3289ede91714a119c02a386_JaffaCakes118.dll,#1
      2⤵
      • Drops file in Windows directory
      • Suspicious use of WriteProcessMemory
      PID:1776
      • C:\WINDOWS\mssecsvc.exe
        C:\WINDOWS\mssecsvc.exe
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        PID:1684
        • C:\WINDOWS\tasksche.exe
          C:\WINDOWS\tasksche.exe /i
          4⤵
          • Executes dropped EXE
          PID:1956
  • C:\WINDOWS\mssecsvc.exe
    C:\WINDOWS\mssecsvc.exe -m security
    1⤵
    • Executes dropped EXE
    • Drops file in System32 directory
    • Modifies data under HKEY_USERS
    PID:1612

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\mssecsvc.exe
    Filesize

    3.6MB

    MD5

    136e5884c73567c49695336e3ceb544d

    SHA1

    f0fc9616a21407a8de6bb97de0674017900b7852

    SHA256

    08637c6f888ec702cab6e4b64c57dc8c56106984ae78df70c22847c9541f05b6

    SHA512

    00400859e00a6d86930982bf89f2b5243865c005712a718483e7cfda7dfb8cf0ffdc0366172542517143a8ee26f6e7972d52e90d5a81797f6914dc82a1b0472f

    Download Submit
  • C:\Windows\tasksche.exe
    Filesize

    3.4MB

    MD5

    17b602dc41383bd5798a147865141803

    SHA1

    eec93c6381bb53ad42129b303c2ab28003ec0df4

    SHA256

    6420258d2431ef363eff16c6eff8557263c0e11a3a80f416655174bd51ab27b5

    SHA512

    947c1e0e98dd1ccc8995543e1178787b09feb1e13ff067e6caa60327224e6674c778bec0049599106724a14e9d3ae25a774a29e1823ccf81285c7191400f0873

    Download Submit