Overview

overview

10

Static

static

3

c1b8c052a4...18.dll

windows7-x64

10

c1b8c052a4...18.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
  • submitted
    25/08/2024, 22:29

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    c1b8c052a48271ebbfc3aac3be192ea6_JaffaCakes118.dll

  • Size

    5.0MB

  • MD5

    c1b8c052a48271ebbfc3aac3be192ea6

  • SHA1

    261d3790d8cdcc9270fd9ba59e46111337b28128

  • SHA256

    6fdcaec408326a18d6b77a9cbca46348e65f37e8d0233f42196fc1fc74b8dc5c

  • SHA512

    5c0b5780b14397006e22858ea8abf427b14e1abfc5bdbc2fcfbdabf8b39b5580f707addd4e372d6e0b7801ba9eb74e1be64b6b24f5c0ace6bce0275f19042c12

  • SSDEEP

    49152:JnjQqMSPbcBVQej/1INRx+TSqTdX1HkQoIAjvxJM0H9PAMEcaEau3:d8qPoBhz1aRxcSUDk3IKxWa9P593

Score
10/10
wannacrydiscoveryransomwareworm

Malware Config

Signatures

  • Wannacry

    WannaCry is a ransomware cryptoworm.

    ransomwarewormwannacry
  • Contacts a large (3099) amount of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

    discovery
  • Executes dropped EXE 3 IoCs
  • Creates a large amount of network flows 1 TTPs

    This may indicate a network scan to discover remotely running services.

    discovery
  • Drops file in System32 directory 1 IoCs
  • Drops file in Windows directory 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies data under HKEY_USERS 1 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\c1b8c052a48271ebbfc3aac3be192ea6_JaffaCakes118.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1976
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\c1b8c052a48271ebbfc3aac3be192ea6_JaffaCakes118.dll,#1
      2⤵
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3020
      • C:\WINDOWS\mssecsvc.exe
        C:\WINDOWS\mssecsvc.exe
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        PID:2240
        • C:\WINDOWS\tasksche.exe
          C:\WINDOWS\tasksche.exe /i
          4⤵
          • Executes dropped EXE
          PID:2176
  • C:\WINDOWS\mssecsvc.exe
    C:\WINDOWS\mssecsvc.exe -m security
    1⤵
    • Executes dropped EXE
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Modifies data under HKEY_USERS
    PID:2784

Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Windows\mssecsvc.exe
          Filesize

          3.6MB

          MD5

          6d8d620a17a705bb33dea5ce2f92959c

          SHA1

          4653bbb39d3f662ce101dc40dd82bd423b8a430b

          SHA256

          6301eb5c7f2f26758530966fad744215b4af386f7798c6233fb638e7f2af62fe

          SHA512

          3f6f286c4ac3d9fbfb1b7b7779fea13be8c79dd8a807117e831fdae455a88987829a72692420b1fdb39f21a1c3c47c63dd128bda8fa0c82d6854e15598447b66

          Download Submit

        • C:\Windows\tasksche.exe
          Filesize

          3.4MB

          MD5

          2d274e7c5836e96a923bcdaeb7baad64

          SHA1

          ed9f2f21864f5d2d672b12390f69d3eeb88ec34e

          SHA256

          61980b1757a92c771c06426e316e3e2bb9efba2b96fcf3e6daf56948464fb96f

          SHA512

          c83e1e05dfa751b4b94ad6ed4b0eb7928e45e54e17de75c3322d9bdc184b1ae1592f50be247738f35ec10fd10710b93b83eb017cf56beb4439543207d6e90d73

          Download Submit