Analysis

  • max time kernel
    150s
  • max time network
    154s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64 arch:x86 image:win7-20240704-en locale:en-us os:windows7-x64 system
  • submitted
    25-08-2024 21:03

General

  • Target

    c1945178e35e4bc7a1aac3a0cb7634df_JaffaCakes118.dll

  • Size

    5.0MB

  • MD5

    c1945178e35e4bc7a1aac3a0cb7634df

  • SHA1

    d6fb75c003b6c2b088f33fa3a3a96f89a0ccd9ea

  • SHA256

    08c5cb91cd4f866696e9631646cb4697fcc21503190f45e7ca94db797cdb3ebc

  • SHA512

    9288034635cd41fda2d9a5028631932962f1853cf023286afc1a0f0ec711ece81aa9a14a49545449c6873902aedec96cb4c3fc599809b2f8b8443b5b0523169d

  • SSDEEP

    98304:+DqPoBWxcSUDk36SAEdhvxWa9P593R8yAVp2H:+DqPFxcxk3ZAEUadzR8yc4H

Malware Config

Signatures

  • Wannacry

    WannaCry is a ransomware cryptoworm.

  • Contacts a large number (3258) of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Executes dropped EXE 3 IoCs
  • Creates a large amount of network flows 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Drops file in System32 directory 1 IoCs
  • Drops file in Windows directory 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.

  • Modifies data under HKEY_USERS 24 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs
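
The two "network scan" signatures above are a fan-out heuristic: one source opening flows to an unusually large number of distinct remote hosts within a short time. The following is an added example, not part of the sandbox report, showing that heuristic as a sliding-window detector over flow records. The flow tuples, the 10.0.0.0/16 addresses, tcp/445 as the scanned port, the 100-host threshold and the 60 s window are all constructed assumptions; the report's own threshold and the ports it observed are not shown on this page.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta


def build_sample_flows():
    """Constructed sample flows: (timestamp, src_ip, dst_ip, dst_port).

    Not taken from the report's Network tab (empty on this page); the addresses,
    the port and the timing are assumptions made for the example.
    """
    base = datetime(2024, 8, 25, 21, 3, 0)
    flows = []
    # Worm-like source: 120 distinct neighbours on one port, a new host every 250 ms.
    for i in range(120):
        flows.append((base + timedelta(milliseconds=250 * i), "10.0.0.5", f"10.0.1.{i + 1}", 445))
    # Ordinary workstation: three servers, each revisited many times.
    for i in range(120):
        server = ("10.0.2.10", "10.0.2.11", "10.0.2.12")[i % 3]
        flows.append((base + timedelta(milliseconds=250 * i), "10.0.0.9", server, 443))
    return flows


def find_fan_out(flows, threshold=100, window_seconds=60):
    """Return {src: {"distinct_hosts": n, "top_port": p}} for every source that
    reached at least `threshold` distinct destinations inside some window of
    `window_seconds`. Threshold and window are assumed values, not the sandbox's."""
    window = timedelta(seconds=window_seconds)
    by_src = defaultdict(list)
    for ts, src, dst, port in flows:
        by_src[src].append((ts, dst, port))

    hits = {}
    for src, events in by_src.items():
        events.sort()                 # oldest first
        in_window = Counter()         # dst -> number of flows currently inside the window
        left = 0
        peak = 0
        for ts, dst, _port in events:
            in_window[dst] += 1
            # Slide the left edge forward until every retained event is within `window` of ts.
            while ts - events[left][0] > window:
                old_dst = events[left][1]
                in_window[old_dst] -= 1
                if in_window[old_dst] == 0:
                    del in_window[old_dst]
                left += 1
            peak = max(peak, len(in_window))
        if peak >= threshold:
            ports = Counter(p for _, _, p in events)
            hits[src] = {"distinct_hosts": peak, "top_port": ports.most_common(1)[0][0]}
    return hits


if __name__ == "__main__":
    for src, info in find_fan_out(build_sample_flows()).items():
        print(f"{src}: {info['distinct_hosts']} distinct hosts, mostly tcp/{info['top_port']}")
```

Counting distinct destinations rather than raw flows is what separates a scanner from a busy but legitimate host: the workstation above produces as many flows as the worm but never exceeds three peers. Shrinking the window (or raising the threshold) trades sensitivity for fewer alerts on hosts such as vulnerability scanners, which should be allow-listed by source rather than by weakening the rule.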

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\c1945178e35e4bc7a1aac3a0cb7634df_JaffaCakes118.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1848
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\c1945178e35e4bc7a1aac3a0cb7634df_JaffaCakes118.dll,#1
      2⤵
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2296
      • C:\WINDOWS\mssecsvc.exe
        C:\WINDOWS\mssecsvc.exe
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        PID:2140
        • C:\WINDOWS\tasksche.exe
          C:\WINDOWS\tasksche.exe /i
          4⤵
          • Executes dropped EXE
          PID:2056
  • C:\WINDOWS\mssecsvc.exe
    C:\WINDOWS\mssecsvc.exe -m security
    1⤵
    • Executes dropped EXE
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Modifies data under HKEY_USERS
    PID:2776
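
The tree above reads as follows: the 64-bit rundll32.exe is asked to call export ordinal 1 of the DLL (the `,#1` suffix); because the DLL is 32-bit it re-launches itself from SysWOW64, the DLL writes mssecsvc.exe into C:\WINDOWS and runs it, and that process in turn runs tasksche.exe /i; a second mssecsvc.exe instance with `-m security` is running in service mode. As an added example, not part of the sandbox report, the block below encodes those three hand-offs as process-creation rules and runs them over a constructed event list built from the PIDs, images and command lines shown above. The record layout, the benign noise events and the parent PID 0 for the service-mode instance (its parent is not shown in the report) are assumptions.

```python
import ntpath
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int        # 0 = parent not recorded
    image: str
    cmdline: str


DLL = r"C:\Users\Admin\AppData\Local\Temp\c1945178e35e4bc7a1aac3a0cb7634df_JaffaCakes118.dll"

# Constructed event list modelled on the process tree in the report (same images,
# command lines and PIDs). The field layout is ours, not the sandbox's export format.
EVENTS = [
    ProcEvent(1848, 0,    r"C:\Windows\system32\rundll32.exe", f"rundll32.exe {DLL},#1"),
    ProcEvent(2296, 1848, r"C:\Windows\SysWOW64\rundll32.exe", f"rundll32.exe {DLL},#1"),
    ProcEvent(2140, 2296, r"C:\WINDOWS\mssecsvc.exe", r"C:\WINDOWS\mssecsvc.exe"),
    ProcEvent(2056, 2140, r"C:\WINDOWS\tasksche.exe", r"C:\WINDOWS\tasksche.exe /i"),
    ProcEvent(2776, 0,    r"C:\WINDOWS\mssecsvc.exe", r"C:\WINDOWS\mssecsvc.exe -m security"),
    # Benign noise (constructed) that must not trigger any rule.
    ProcEvent(3000, 0,    r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(3001, 3000, r"C:\Windows\system32\notepad.exe", "notepad.exe"),
]


def _base(path):
    # ntpath handles backslash paths on any host OS.
    return ntpath.basename(path).lower()


def _dir(path):
    return ntpath.dirname(path).lower()


def wannacry_chain_findings(events):
    """Return sorted (rule, pid) pairs for the hand-offs the report's process tree shows."""
    by_pid = {e.pid: e for e in events}
    findings = set()
    for e in events:
        parent = by_pid.get(e.ppid)

        # 1. rundll32 launching an EXE that sits directly in C:\Windows (not a subdirectory):
        #    matches "Drops file in Windows directory" followed by "Executes dropped EXE".
        if (parent and _base(parent.image) == "rundll32.exe"
                and _dir(e.image) == r"c:\windows"):
            findings.add(("rundll32_runs_exe_from_windows_dir", e.pid))

        # 2. mssecsvc.exe handing off to tasksche.exe with the /i switch.
        if (parent and _base(parent.image) == "mssecsvc.exe"
                and _base(e.image) == "tasksche.exe"
                and "/i" in e.cmdline.lower().split()):
            findings.add(("mssecsvc_spawns_tasksche", e.pid))

        # 3. mssecsvc.exe started in service mode, regardless of parent.
        if _base(e.image) == "mssecsvc.exe" and e.cmdline.lower().endswith("-m security"):
            findings.add(("mssecsvc_service_mode", e.pid))

    return sorted(findings)


if __name__ == "__main__":
    for rule, pid in wannacry_chain_findings(EVENTS):
        print(f"{rule}: PID {pid}")
```

Rule 1 deliberately ignores the rundll32.exe to SysWOW64\rundll32.exe step, since a 64-bit rundll32 relaunching its 32-bit counterpart is ordinary WOW64 behaviour; what is unusual is a freshly written executable in the root of C:\Windows being started by rundll32. Rule 3 matches on the command line alone because the service-mode instance in the report is rooted at the top of the tree, so its parent cannot be relied on.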

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\mssecsvc.exe

    Filesize

    3.6MB

    MD5

    ba55c2b44605ce1d42f3ea18a257324b

    SHA1

    14cd995071cc16ac49ec8b622751f81b9a2e0e8b

    SHA256

    600b4b3f0e21e2a07b65699e5c3a4b26bd98935ade413555724b7c993b1629c1

    SHA512

    49ea5d61069d3a388901481482acdde9a0c70c81121a9f4546f89252d3cf688774a40cc36d5441fdfe13898429c4c75675b6cfaf7018c66b8f1b25ca2fa38ae5

  • C:\Windows\tasksche.exe

    Filesize

    3.4MB

    MD5

    e0b24e759e673c10ee9d3f8ebc51a8cb

    SHA1

    9fe8138b6969c5ef2dfc8758dfacac1c77a27ac3

    SHA256

    8aee00fd4123d23e502ce791506c5bb8f4ddeef21ff9d1e848127fa9ed1fd366

    SHA512

    d937d1fb5a6a261f3a4d550c8d29e233a8f2c092dce785011b07cf7b837ec7f7891f7e56eaf47a9c61668548ad443d7ecfba3b69a284759639296d81cc1d9710