Overview

overview

10

Static

static

3

8ea9c56fc1...18.dll

windows7-x64

10

8ea9c56fc1...18.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
  • submitted
    02-06-2024 16:11

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    8ea9c56fc1c2348f6ff9831f37380406_JaffaCakes118.dll

  • Size

    5.0MB

  • MD5

    8ea9c56fc1c2348f6ff9831f37380406

  • SHA1

    9a31c5ecf6a4f64abc680fad4956214f7dd381e2

  • SHA256

    a9285fddf84f903605af63605d7369a10a52b5a16acde39899425dea363d06ca

  • SHA512

    dc064ce61374b8787998ce7711b57238c4674a5b32ba41f8844cd5718ae985e65483e999ce72c3ec551f27d6954cbd0628ccad350041664458ca47e7009ea850

  • SSDEEP

    98304:d8qPoBhz1aRxcSUDk36SApxWa9P593R8yAVp2H:d8qPe1Cxcxk3ZAiadzR8yc4H

Score
10/10
wannacrydiscoveryransomwareworm

Malware Config

Signatures

  • Wannacry

    WannaCry is a ransomware cryptoworm.

    ransomwarewormwannacry
  • Contacts a large (3333) amount of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

    discovery
  • Executes dropped EXE 3 IoCs
  • Creates a large amount of network flows 1 TTPs

    This may indicate a network scan to discover remotely running services.

    discovery
  • Drops file in System32 directory 1 IoCs
  • Drops file in Windows directory 2 IoCs
  • Modifies data under HKEY_USERS 1 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\8ea9c56fc1c2348f6ff9831f37380406_JaffaCakes118.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3056
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\8ea9c56fc1c2348f6ff9831f37380406_JaffaCakes118.dll,#1
      2⤵
      • Drops file in Windows directory
      • Suspicious use of WriteProcessMemory
      PID:1388
      • C:\WINDOWS\mssecsvc.exe
        C:\WINDOWS\mssecsvc.exe
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        PID:1148
        • C:\WINDOWS\tasksche.exe
          C:\WINDOWS\tasksche.exe /i
          4⤵
          • Executes dropped EXE
          PID:1320
  • C:\WINDOWS\mssecsvc.exe
    C:\WINDOWS\mssecsvc.exe -m security
    1⤵
    • Executes dropped EXE
    • Drops file in System32 directory
    • Modifies data under HKEY_USERS
    PID:2320

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\mssecsvc.exe
    Filesize

    3.6MB

    MD5

    7c71e533c99b2e86cd64d9b83eff0920

    SHA1

    4cf0e22139c1915e727bcac7a996bf3c42fd0efa

    SHA256

    346dcd106db702e2cb861c2329bf9c2b8ee51b5149d24fae9c9b42346f036535

    SHA512

    ff3ef163c7cba43d6d676c28b0c4187aba43466b722310f129525f83136bb3d7982f5a06c851db278d5cd587a8723e1e0a2ba6294126b368268af7ee1e4c2cc5

    Download Submit
  • C:\Windows\tasksche.exe
    Filesize

    3.4MB

    MD5

    b748aa373ead11c501dbf06b7a7aa60e

    SHA1

    d322bb4c10d52d9b37b69f1fa1b49e0aca5183c1

    SHA256

    b3d715b1f5dc5aa862c14a6f41a24dd8c4d900370c6ac1a480f9219c490c7e90

    SHA512

    6fc0b518237d26cf8252ee2056c44875593a0ffa6a5fe2d5a81c5676176d9d3075c8039edfda9093fcdb9eaf51e6882015ca8285f6a0921913a0a730cab3d937

    Download Submit