Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    01-06-2024 08:26

General

  • Target

    89df4643198d4fa26bc265704470ad11_JaffaCakes118.dll

  • Size

    5.0MB

  • MD5

    89df4643198d4fa26bc265704470ad11

  • SHA1

    8c14cf6b4ff40cb0404c09a4e6b856af5d7656e7

  • SHA256

    3fd647e0636cdc6559584720480f65a80d7c39f19f5da79fde445f98a0f483f3

  • SHA512

    20e9e9dffd7dcfd4f1918395c066d59bbe7a1f1f184ece336f5e69e9394112efe4ea7b2e4bf7d058cc297fc69121000419493790f7a4fff02fe209e77eb9e699

  • SSDEEP

    98304:+DqPoBhz1aRxcSUMk36SAEdhvxWa9P593R8yAVp2H:+DqPe1Cxcuk3ZAEUadzR8yc4H

Malware Config

Signatures

  • Wannacry

    WannaCry is a ransomware cryptoworm.

  • Contacts a large (3364) amount of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Executes dropped EXE 3 IoCs
  • Creates a large amount of network flows 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Drops file in Windows directory 2 IoCs
  • Modifies data under HKEY_USERS 5 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\89df4643198d4fa26bc265704470ad11_JaffaCakes118.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1652
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\89df4643198d4fa26bc265704470ad11_JaffaCakes118.dll,#1
      2⤵
      • Drops file in Windows directory
      • Suspicious use of WriteProcessMemory
      PID:2072
      • C:\WINDOWS\mssecsvc.exe
        C:\WINDOWS\mssecsvc.exe
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        PID:2808
        • C:\WINDOWS\tasksche.exe
          C:\WINDOWS\tasksche.exe /i
          4⤵
          • Executes dropped EXE
          PID:1484
  • C:\WINDOWS\mssecsvc.exe
    C:\WINDOWS\mssecsvc.exe -m security
    1⤵
    • Executes dropped EXE
    • Modifies data under HKEY_USERS
    PID:2408

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\mssecsvc.exe
    Filesize

    3.6MB

    MD5

    2ae7812eeea8e7d78de19924987e7970

    SHA1

    1898e5365ad20665d6b37408d6f8b83b94116d18

    SHA256

    1297c4970cdf137b1e1e75c11d61dd0c61e1406441763e665174fde3b69fb392

    SHA512

    64db4d6ea68a113d6b3adc236c931b342c8f771bf5ce450142acfd06d2dcb23821163edfa563ac73418313cfd394b9015300689dbde6acba48d85c178e5f608e

  • C:\Windows\tasksche.exe
    Filesize

    3.4MB

    MD5

    34a717258b0ecd1174eb6ad3af5881bc

    SHA1

    d0a985b4279355786233ea0205e19fa40166f03e

    SHA256

    f53b64116917aaf5eb1e2e5af64511816d618d4a56e199214a66bd988651a73e

    SHA512

    2b017bb62dfafe0fe60bab03fcc0ca84199e77b947872460d34a351fdc183e817f1d12d491ef6f3188a99ff748d3f846fea00597332b8bd0a11961849b0aa20d