Overview

overview

10

Static

static

3

77adef81b9...18.dll

windows7-x64

10

77adef81b9...18.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20240215-en
  • resource tags

    arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
  • submitted
    27-05-2024 02:54

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    77adef81b91f5f3a660e5e4ad78db29b_JaffaCakes118.dll

  • Size

    5.0MB

  • MD5

    77adef81b91f5f3a660e5e4ad78db29b

  • SHA1

    4cf6f088fa42c825193eab2987d6252ac9fd0e69

  • SHA256

    f9c019ff5ea8cc534b8d9500e75bfd4e05f477222bbf2e7ece8b8ff24c4a4870

  • SHA512

    d5d4a66ba8d2bbe3ae0d4297ebbf8d98ee89a12ce1082da964cbf36eced56ff269c5c2c832bac04ef645d39abee63f68289ed3f0ac534e2da8ea9e4820989d8c

  • SSDEEP

    98304:+DqPoBhz1aRlSUDk36SAEdhvxWa9P593R8yAVp2H:+DqPe1Clxk3ZAEUadzR8yc4H

Score
10/10
wannacrydiscoveryransomwareworm

Malware Config

Signatures

  • Wannacry

    WannaCry is a ransomware cryptoworm.

    ransomwarewormwannacry
  • Contacts a large (3231) amount of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

    discovery
  • Executes dropped EXE 3 IoCs
  • Creates a large amount of network flows 1 TTPs

    This may indicate a network scan to discover remotely running services.

    discovery
  • Drops file in System32 directory 1 IoCs
  • Drops file in Windows directory 2 IoCs
  • Modifies data under HKEY_USERS 24 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\77adef81b91f5f3a660e5e4ad78db29b_JaffaCakes118.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2232
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\77adef81b91f5f3a660e5e4ad78db29b_JaffaCakes118.dll,#1
      2⤵
      • Drops file in Windows directory
      • Suspicious use of WriteProcessMemory
      PID:2040
      • C:\WINDOWS\mssecsvc.exe
        C:\WINDOWS\mssecsvc.exe
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        PID:2180
        • C:\WINDOWS\tasksche.exe
          C:\WINDOWS\tasksche.exe /i
          4⤵
          • Executes dropped EXE
          PID:2624
  • C:\WINDOWS\mssecsvc.exe
    C:\WINDOWS\mssecsvc.exe -m security
    1⤵
    • Executes dropped EXE
    • Drops file in System32 directory
    • Modifies data under HKEY_USERS
    PID:2084

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\mssecsvc.exe
    Filesize

    3.6MB

    MD5

    ffe4f9452ccc8a14ea59e67286d32e45

    SHA1

    3338ba18e939fcc070203d92587cd4712abac1b4

    SHA256

    53757ebf3600724db8187cbb4ec0d1a92c03f95d774d1d3d0fb249fdae664034

    SHA512

    6d4296c890dfce14b39a0e77252aa43bb3da5df04cf6771ca4f342a2ab018aa54c6843d5398b4403f74bd837ea26260ccccc85a813cf496c5b5ca45b106c9d14

    Download Submit

  • C:\Windows\tasksche.exe
    Filesize

    3.4MB

    MD5

    e89700b6f79644dd0305ab5d062303e6

    SHA1

    117e3dfc5cf32cde6259a80c020e221fa46d867c

    SHA256

    7266f885014af6e279bf8c7f27896497e6e3ca8fcdd77e414ecf7b27b325ae04

    SHA512

    5a2241ba77e4313e64cc76a2ff18e2e369748a659a5a5f0a50a3eb8b57b8cf892c859882622eec75e9a2aed0fcddc2b83656b126a300bdd9f7c0c96de2a3c784

    Download Submit