Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
  • submitted
    03-06-2024 17:43

General

  • Target

    92a5bf01f9a7c4558ac9b24cfa85f29c_JaffaCakes118.dll

  • Size

    5.0MB

  • MD5

    92a5bf01f9a7c4558ac9b24cfa85f29c

  • SHA1

    d516f680006e70f80b5674f93d63ae1b80e6e6f5

  • SHA256

    a2a8729f73ab7fef657cd15316818606548f802903589df70dafd405f15d7b5e

  • SHA512

    c05b2e68debf06f531f3889904a982a6dc29c39a2223cb83a45597597220a1f7a07d4d464e9f0e0995d87c3c7e4c3760e515f84cb4af425e6b928c504af18921

  • SSDEEP

    49152:znAQqMSPbcBVQej/1INRx+TSqTdX1HkQo4R8:TDqPoBhz1aRxcSUDk34R8

Malware Config

Signatures

  • Wannacry

    WannaCry is a ransomware cryptoworm.

  • Contacts a large (3158) amount of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Executes dropped EXE 3 IoCs
  • Creates a large amount of network flows 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Drops file in System32 directory 1 IoCs
  • Drops file in Windows directory 2 IoCs
  • Modifies data under HKEY_USERS 24 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\92a5bf01f9a7c4558ac9b24cfa85f29c_JaffaCakes118.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2116
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\92a5bf01f9a7c4558ac9b24cfa85f29c_JaffaCakes118.dll,#1
      2⤵
      • Drops file in Windows directory
      • Suspicious use of WriteProcessMemory
      PID:2192
      • C:\WINDOWS\mssecsvc.exe
        C:\WINDOWS\mssecsvc.exe
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        PID:2032
        • C:\WINDOWS\tasksche.exe
          C:\WINDOWS\tasksche.exe /i
          4⤵
          • Executes dropped EXE
          PID:2624
  • C:\WINDOWS\mssecsvc.exe
    C:\WINDOWS\mssecsvc.exe -m security
    1⤵
    • Executes dropped EXE
    • Drops file in System32 directory
    • Modifies data under HKEY_USERS
    PID:2628

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\mssecsvc.exe

    Filesize

    3.6MB

    MD5

    39defd2d02a0e1d9e961738e65c02696

    SHA1

    b1e9e93ce978ed77952a13248ecaf10e147f4f77

    SHA256

    2fb740f05a5efa0e1d4449456a96e81d4818f812ae06d6ce58e6fb83b1aaa26f

    SHA512

    fe955354b4bf51731306299f6f00e7d6f385acd8189e5e2103d8bd1e2ba4e8ac6a03845bcf8c33793cc5e752afe5d539037ca19746376a2d1b8002a4a414d254

  • C:\Windows\tasksche.exe

    Filesize

    3.4MB

    MD5

    09df6f00ae6b3e8d064f249aa0927967

    SHA1

    c90a841db653b784e2165e05816ecdde78b7ecf2

    SHA256

    5fe3d02dcde78bd9aa552217ebfdb6c386ef1342d004b920dded41773878269c

    SHA512

    1a224329ac8682e6e1a5aa432742e8095a9ead4e89f1e6b54001807ac2543656920bfae8fa592f0bd2fdbf1c8290f4d07458c42234e755d94703f69121dd9476