Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    15-06-2024 22:57

General

  • Target

    b08b35744e52a38a52f0c8a8d34a003a_JaffaCakes118.dll

  • Size

    5.0MB

  • MD5

    b08b35744e52a38a52f0c8a8d34a003a

  • SHA1

    5cdb0d30ebe0979185e78f88c2503b8df9564a52

  • SHA256

    8244770d31ed59a1d757dde65a2bfa0cdac088e7f11d57f99100cee47aac7f46

  • SHA512

    6f7697f1ca88ed106ff8cb8961ca535894f0b9ae4b68e16390a8cb6487844d24a44898bcd62849f77785ae47175ae2e6d90bd3f40c91e32cf2c66dfbeea7398d

  • SSDEEP

    98304:TDqPoBhz1aRxcSUDk36SAEdhvxWa9P59cyAVp2H:TDqPe1Cxcxk3ZAEUadYyc4H

Malware Config

Signatures

  • Wannacry

    WannaCry is a ransomware cryptoworm: it encrypts files on the host and self-propagates by scanning for SMB (TCP/445) hosts. The process tree below shows its known dropper chain: rundll32.exe loads export #1 of the DLL, which writes mssecsvc.exe to C:\WINDOWS and runs it; mssecsvc.exe is then relaunched in service mode (-m security) and drops tasksche.exe, which is started with /i.

  • Contacts a large (3134) number of remote hosts (1 TTP)

    This may indicate a network scan to discover remotely running services.

  • Executes dropped EXE (3 IoCs)
  • Creates a large number of network flows (1 TTP)

    This may indicate a network scan to discover remotely running services.

  • Drops file in System32 directory (1 IoC)
  • Drops file in Windows directory (2 IoCs)
  • Modifies data under HKEY_USERS (24 IoCs)
  • Suspicious use of WriteProcessMemory (11 IoCs)

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\b08b35744e52a38a52f0c8a8d34a003a_JaffaCakes118.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2156
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\b08b35744e52a38a52f0c8a8d34a003a_JaffaCakes118.dll,#1
      2⤵
      • Drops file in Windows directory
      • Suspicious use of WriteProcessMemory
      PID:2816
      • C:\WINDOWS\mssecsvc.exe
        C:\WINDOWS\mssecsvc.exe
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        PID:2736
        • C:\WINDOWS\tasksche.exe
          C:\WINDOWS\tasksche.exe /i
          4⤵
          • Executes dropped EXE
          PID:2420
  • C:\WINDOWS\mssecsvc.exe
    C:\WINDOWS\mssecsvc.exe -m security
    1⤵
    • Executes dropped EXE
    • Drops file in System32 directory
    • Modifies data under HKEY_USERS
    PID:2712
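
The process tree above is the detection story for this sample. As an added example (not part of the sandbox output), the Python below reconstructs the rundll32 -> mssecsvc.exe -> tasksche.exe ancestry from process-creation events and applies the same distinct-host-count heuristic as the "Contacts a large number of remote hosts" signature to network flows. The events and flows are constructed to mirror the report; the field names (pid, ppid, image, cmd, dst, dport) and the 100-host threshold are assumptions, not a real sensor schema.

```python
"""Detection logic for the WannaCry dropper chain and scanning behaviour.
Added example; records below are constructed to mirror the report, not telemetry.
Field names loosely follow Sysmon Event ID 1 / 3 (assumption, adapt to your schema)."""
from collections import defaultdict
import re

# Constructed process-creation events mirroring the report's tree (pids as reported).
PROC_EVENTS = [
    {"pid": 2156, "ppid": 1000, "image": r"C:\Windows\system32\rundll32.exe",
     "cmd": r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\b08b35744e52a38a52f0c8a8d34a003a_JaffaCakes118.dll,#1"},
    {"pid": 2816, "ppid": 2156, "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "cmd": r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\b08b35744e52a38a52f0c8a8d34a003a_JaffaCakes118.dll,#1"},
    {"pid": 2736, "ppid": 2816, "image": r"C:\WINDOWS\mssecsvc.exe", "cmd": r"C:\WINDOWS\mssecsvc.exe"},
    {"pid": 2420, "ppid": 2736, "image": r"C:\WINDOWS\tasksche.exe", "cmd": r"C:\WINDOWS\tasksche.exe /i"},
    {"pid": 2712, "ppid": 552,  "image": r"C:\WINDOWS\mssecsvc.exe", "cmd": r"C:\WINDOWS\mssecsvc.exe -m security"},
    {"pid": 3000, "ppid": 1000, "image": r"C:\Windows\system32\notepad.exe", "cmd": "notepad.exe"},  # benign control
]

# rundll32 invoking a named/ordinal export of a DLL sitting in the user's Temp directory.
TEMP_DLL_RE = re.compile(r"\\AppData\\Local\\Temp\\[^\s\\]+\.dll,#\d+", re.I)
DROPPED_NAMES = {"mssecsvc.exe", "tasksche.exe"}


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def score_process(ev):
    """Return the reasons a single event matches the WannaCry chain (empty list if none)."""
    reasons = []
    name = basename(ev["image"])
    cmd = ev["cmd"].lower()
    if name == "rundll32.exe" and TEMP_DLL_RE.search(ev["cmd"]):
        reasons.append("rundll32 loading a DLL export from %TEMP%")
    if name in DROPPED_NAMES and ev["image"].lower().startswith("c:\\windows\\"):
        reasons.append(f"{name} executing from the Windows directory")
    if name == "mssecsvc.exe" and "-m security" in cmd:
        reasons.append("mssecsvc.exe service-mode relaunch (-m security)")
    if name == "tasksche.exe" and cmd.rstrip().endswith(" /i"):
        reasons.append("tasksche.exe installer mode (/i)")
    return reasons


def find_chains(events):
    """Walk ppid links from each tasksche.exe upward; report chains that pass
    through mssecsvc.exe and rundll32.exe as ordered pid lists (root first)."""
    by_pid = {e["pid"]: e for e in events}
    chains = []
    for e in events:
        if basename(e["image"]) != "tasksche.exe":
            continue
        lineage, cur = [e], e
        while cur["ppid"] in by_pid:
            cur = by_pid[cur["ppid"]]
            lineage.append(cur)
        names = [basename(x["image"]) for x in lineage]
        if "mssecsvc.exe" in names and "rundll32.exe" in names:
            chains.append([x["pid"] for x in reversed(lineage)])
    return chains


def scan_suspects(flows, threshold=100):
    """Flag (pid, dport) pairs that reach at least `threshold` distinct hosts,
    the same idea as the sandbox's 'contacts a large number of remote hosts' rule."""
    hosts = defaultdict(set)
    for f in flows:
        hosts[(f["pid"], f["dport"])].add(f["dst"])
    return {k: len(v) for k, v in hosts.items() if len(v) >= threshold}


# Constructed flows: the service-mode mssecsvc.exe sweeping 300 hosts on TCP/445,
# plus one benign HTTPS connection from the control process.
FLOWS = [{"pid": 2712, "dst": f"10.0.{i // 256}.{i % 256}", "dport": 445} for i in range(300)]
FLOWS += [{"pid": 3000, "dst": "10.0.0.5", "dport": 443}]

if __name__ == "__main__":
    for ev in PROC_EVENTS:
        for r in score_process(ev):
            print(f"pid {ev['pid']}: {r}")
    print("chains:", find_chains(PROC_EVENTS))
    print("scanners:", scan_suspects(FLOWS))
```

The chain rule is the one worth keeping: any single element (rundll32 with a Temp DLL, a binary named mssecsvc.exe) can appear in benign activity, but the full ancestry plus a TCP/445 sweep from the same dropped binary is specific to this family.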

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Windows\mssecsvc.exe

    Filesize

    3.6MB

    MD5

    f427eb980d9d212790d2c82e2de16f04

    SHA1

    2a535ca6a301cabce28e4571f3247a307c85a85c

    SHA256

    6bdb3786bf861522359386d2cc5d017e0e06e1fe5cbd1f1be43eee24f3def897

    SHA512

    07482258f76f238dc7afe9f1f77913daf10f6f89ad5243b0e1d6751da8b857604e097effea1dcbebaca6f0028bc2edbe71bcc53787a7fc8c0a01ccbf6bc793c7

  • C:\Windows\tasksche.exe

    Filesize

    3.4MB

    MD5

    7888f1f4e712ba42b2c5e6f02422b7ba

    SHA1

    e71c10b85284f572620705e530b6aba644f3732d

    SHA256

    8995cf65e9f0630a66a405507271f7f42b6c1cf59b9c17e0fd6608857736cd59

    SHA512

    11373e6954032dc0b6576613368ec7ef6a26fdb8f4c73b7a5ecc15ad889ff90926c0ef1c0e89f4f3e6d400f6b2146c75f89f8715c896fe4cfc932bf8a5b30f43
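
The hashes in this report are the hunt artefacts. As an added example (not part of the sandbox output), the Python below streams files once, computes MD5/SHA-1/SHA-256 together, and matches them against the report's hash table, preferring SHA-256 and falling back to the weaker digests only when that is all the caller has (MD5 collisions are cheap, so an MD5-only hit deserves less confidence). The IOC table is copied from the report; `scan_tree` and the function names are this example's own.

```python
"""Offline hash-IOC check against the hashes listed in this report.
Added example, not part of the sandbox output."""
import hashlib
from pathlib import Path

# Hashes copied from the report: the submitted DLL and the two dropped executables.
IOCS = {
    "b08b35744e52a38a52f0c8a8d34a003a_JaffaCakes118.dll": {
        "md5": "b08b35744e52a38a52f0c8a8d34a003a",
        "sha1": "5cdb0d30ebe0979185e78f88c2503b8df9564a52",
        "sha256": "8244770d31ed59a1d757dde65a2bfa0cdac088e7f11d57f99100cee47aac7f46",
    },
    "mssecsvc.exe": {
        "md5": "f427eb980d9d212790d2c82e2de16f04",
        "sha1": "2a535ca6a301cabce28e4571f3247a307c85a85c",
        "sha256": "6bdb3786bf861522359386d2cc5d017e0e06e1fe5cbd1f1be43eee24f3def897",
    },
    "tasksche.exe": {
        "md5": "7888f1f4e712ba42b2c5e6f02422b7ba",
        "sha1": "e71c10b85284f572620705e530b6aba644f3732d",
        "sha256": "8995cf65e9f0630a66a405507271f7f42b6c1cf59b9c17e0fd6608857736cd59",
    },
}
ALGOS = ("md5", "sha1", "sha256")


def hash_stream(fh, chunk=1 << 20):
    """Read a binary file object once and return all three hex digests."""
    hs = {n: hashlib.new(n) for n in ALGOS}
    for block in iter(lambda: fh.read(chunk), b""):
        for h in hs.values():
            h.update(block)
    return {n: h.hexdigest() for n, h in hs.items()}


def hash_bytes(data):
    """Digests of an in-memory buffer (handy for tests and carved samples)."""
    return {n: hashlib.new(n, data).hexdigest() for n in ALGOS}


def hash_file(path):
    with open(path, "rb") as fh:
        return hash_stream(fh)


def match_iocs(digests, iocs=IOCS):
    """Return (ioc_name, algorithm) for a matching digest set, or None.
    SHA-256 is checked first across all IOCs; SHA-1 and then MD5 are only
    consulted when no SHA-256 was supplied or none matched."""
    for name, known in iocs.items():
        if digests.get("sha256") == known["sha256"]:
            return name, "sha256"
    for name, known in iocs.items():
        for algo in ("sha1", "md5"):
            if digests.get(algo) and digests[algo] == known[algo]:
                return name, algo
    return None


def scan_tree(root, iocs=IOCS):
    """Walk a directory and return (path, ioc_name, algorithm) for every hit."""
    hits = []
    for p in Path(root).rglob("*"):
        if p.is_file():
            m = match_iocs(hash_file(p), iocs)
            if m:
                hits.append((str(p), *m))
    return hits


if __name__ == "__main__":
    import sys
    for hit in scan_tree(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(*hit)
```

Run it against a mounted image or a quarantine directory; on a live Windows host, remember that C:\WINDOWS\mssecsvc.exe and C:\WINDOWS\tasksche.exe are the paths the report shows, so a direct lookup of those two files is faster than a full walk.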