Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20240419-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240419-en, locale:en-us, os:windows7-x64, system
  • submitted
    02-06-2024 03:54

General

  • Target

    8ccf7186457ef4c6b372d6054d689cc8_JaffaCakes118.dll

  • Size

    5.0MB

  • MD5

    8ccf7186457ef4c6b372d6054d689cc8

  • SHA1

    792b666fa116514853768e023f0b7c91192e3c84

  • SHA256

    8586e3c76dfc9508e5f673b60c4074bc350975818bfc4341f52d3d2e21c9df37

  • SHA512

    592f5ecacdec4dc95d1fe920399d583bbef60a16251d03bea338f607906baaad340891d41f1d3485487e0434079e017cda2741c64a01d3f6e6e8ce07666459b3

  • SSDEEP

    49152:SnAQqMSPbcBVAx+TSqTdX1HkQo6SAARdhnvxJM0H9:+DqPoBKxcSUDk36SAEdhvxWa9

Malware Config

Signatures

  • Wannacry

    WannaCry is a ransomware cryptoworm.

  • Contacts a large (3252) amount of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Executes dropped EXE 3 IoCs
  • Creates a large amount of network flows 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Drops file in System32 directory 1 IoCs
  • Drops file in Windows directory 2 IoCs
  • Modifies data under HKEY_USERS 24 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\8ccf7186457ef4c6b372d6054d689cc8_JaffaCakes118.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1992
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\8ccf7186457ef4c6b372d6054d689cc8_JaffaCakes118.dll,#1
      2⤵
      • Drops file in Windows directory
      • Suspicious use of WriteProcessMemory
      PID:876
      • C:\WINDOWS\mssecsvc.exe
        C:\WINDOWS\mssecsvc.exe
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        PID:2404
        • C:\WINDOWS\tasksche.exe
          C:\WINDOWS\tasksche.exe /i
          4⤵
          • Executes dropped EXE
          PID:2708
  • C:\WINDOWS\mssecsvc.exe
    C:\WINDOWS\mssecsvc.exe -m security
    1⤵
    • Executes dropped EXE
    • Drops file in System32 directory
    • Modifies data under HKEY_USERS
    PID:3032

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\mssecsvc.exe
    Filesize

    3.6MB

    MD5

    01196b7babbd92db305bf7c1643c9dfa

    SHA1

    e46de9f00c5226e0a6607a66cb7d0efa8c8c7ce9

    SHA256

    6ce5bb76a661cac4696de397d4d2ddefd4e4bb1ac991b78dd1006e5e636a44ee

    SHA512

    5939693ff2de7c2a5539e78db9a3533dedcc54b93cf1279792359520ffb5133a3f39ac07a732a4b9bcb5038b0fa22f41ce803a627d3da46acf20cfbdde1c99ee

  • C:\Windows\tasksche.exe
    Filesize

    3.4MB

    MD5

    1e3436bc7ad4399c8819a010c8cef49f

    SHA1

    7b013c417faa3251e66d050cd5e304fd4c5fa712

    SHA256

    5cbe015349c04206635fdbecabfe7a6b027142f22dcfe2e01ae299e2c2181389

    SHA512

    b4a673b791a5668802cb817196e4018858b89da3305be6546e33b3fa805c20aff487536345b89987cc800a6f11f6b29376e56ae9b818ded64948ea2222731b99