Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
  • submitted
    27-08-2024 12:05

General

  • Target

    c4f5fee47a0ff63037387e69e0d9db92_JaffaCakes118.dll

  • Size

    5.0MB

  • MD5

    c4f5fee47a0ff63037387e69e0d9db92

  • SHA1

    0803e235f89519d49d52b92911f7ce8194f88974

  • SHA256

    944db9261261513f9e1bd645467982449216f4c6ac946f49fac7e05ae8f615f5

  • SHA512

    fb25e43898a26c34eb13f9470447500eccd85057867661fb1ef6700e565ff2729f72b8183f6782debc3fdbb25650b385a3dbaec88be03585cb9e5af7cbf7d8ae

  • SSDEEP

    98304:+DqPoBhz1aRxcSUDk36SAcxWa95593R8yAVp2H:+DqPe1Cxcxk3ZAfabzR8yc4H

Malware Config

Signatures

  • Wannacry

    WannaCry is a ransomware cryptoworm. Its worm component (mssecsvc.exe, run as a service with "-m security") spreads over SMB on TCP 445 using the EternalBlue exploit for MS17-010; the ransomware payload is dropped and run as tasksche.exe. Both components appear in the process tree below.

  • Contacts a large number (3160) of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Executes dropped EXE 3 IoCs
  • Creates a large amount of network flows 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Drops file in System32 directory 1 IoCs
  • Drops file in Windows directory 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.

  • Modifies data under HKEY_USERS 24 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\c4f5fee47a0ff63037387e69e0d9db92_JaffaCakes118.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2524
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\c4f5fee47a0ff63037387e69e0d9db92_JaffaCakes118.dll,#1
      2⤵
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2512
      • C:\WINDOWS\mssecsvc.exe
        C:\WINDOWS\mssecsvc.exe
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        PID:2392
        • C:\WINDOWS\tasksche.exe
          C:\WINDOWS\tasksche.exe /i
          4⤵
          • Executes dropped EXE
          PID:2240
  • C:\WINDOWS\mssecsvc.exe
    C:\WINDOWS\mssecsvc.exe -m security
    1⤵
    • Executes dropped EXE
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Modifies data under HKEY_USERS
    PID:1884
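
The process tree above and the "contacts a large number of remote hosts" signature translate directly into two host-based detections. The following is an added example, not part of the sandbox report or its tooling: it runs a rundll32 -> Windows-root EXE chain rule and a per-process destination fan-out rule over constructed event records that mirror the Processes section and the report's 3160-host count. Field names (pid, ppid, image, cmdline, dst, dport) are assumptions modelled on Sysmon process-creation and network-connection events; the allowlist of legitimate %WINDIR% executables, the fan-out threshold, and the use of port 445 in the constructed flows are likewise assumptions, since the report lists only the host count.

```python
"""Detection logic mirroring the Signatures and Processes sections of the report.

Added example; not part of the sandbox report. Event fields (pid, ppid, image,
cmdline, dst, dport) are assumptions modelled on Sysmon process-creation and
network-connection events, and the records below are constructed to mirror
the report's process tree and its 3160-host contact count.
"""
import ntpath
from collections import defaultdict

WINDIR = r"C:\Windows"

# Illustrative allowlist (assumption): legitimate executables that live directly
# in %WINDIR%, so "EXE in the Windows root" alone is not a conviction.
KNOWN_WINDIR_ROOT_EXES = {"explorer.exe", "notepad.exe", "regedit.exe", "write.exe", "hh.exe"}

# Constructed process-creation events mirroring the report's Processes section.
PROCESS_EVENTS = [
    {"pid": 2524, "ppid": 1000, "image": r"C:\Windows\system32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\c4f5fee47a0ff63037387e69e0d9db92_JaffaCakes118.dll,#1"},
    {"pid": 2512, "ppid": 2524, "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\c4f5fee47a0ff63037387e69e0d9db92_JaffaCakes118.dll,#1"},
    {"pid": 2392, "ppid": 2512, "image": r"C:\WINDOWS\mssecsvc.exe",
     "cmdline": r"C:\WINDOWS\mssecsvc.exe"},
    {"pid": 2240, "ppid": 2392, "image": r"C:\WINDOWS\tasksche.exe",
     "cmdline": r"C:\WINDOWS\tasksche.exe /i"},
    {"pid": 1884, "ppid": 464, "image": r"C:\WINDOWS\mssecsvc.exe",
     "cmdline": r"C:\WINDOWS\mssecsvc.exe -m security"},
    # Benign control: rundll32 loading a system DLL, no dropped EXE involved.
    {"pid": 3000, "ppid": 1000, "image": r"C:\Windows\system32\rundll32.exe",
     "cmdline": r"rundll32.exe shell32.dll,Control_RunDLL"},
]


def _base(path):
    return ntpath.basename(path).lower()


def is_dropped_exe(image):
    """True when IMAGE is an unexpected .exe directly in %WINDIR% (not a subfolder)."""
    in_root = ntpath.dirname(image).lower() == WINDIR.lower()
    name = _base(image)
    return in_root and name.endswith(".exe") and name not in KNOWN_WINDIR_ROOT_EXES


def detect_process_chain(events):
    """Return (pid, reason) alerts for the rundll32 -> Windows-root EXE chain and
    the '-m security' service start seen in the report."""
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    for e in events:
        parent = by_pid.get(e["ppid"])
        if not is_dropped_exe(e["image"]):
            continue
        if parent and _base(parent["image"]) == "rundll32.exe":
            alerts.append((e["pid"], "rundll32.exe launched an EXE dropped in the Windows root"))
        elif parent and is_dropped_exe(parent["image"]):
            alerts.append((e["pid"], "Windows-root EXE spawned another Windows-root EXE"))
        if _base(e["image"]) == "mssecsvc.exe" and e["cmdline"].lower().endswith(" -m security"):
            alerts.append((e["pid"], "mssecsvc.exe started with '-m security' (WannaCry service entry point)"))
    return alerts


def detect_fanout(flows, threshold=100):
    """Map pid -> number of distinct destination hosts for processes at or above
    THRESHOLD; this is the 'contacts a large number of remote hosts' heuristic.
    THRESHOLD is an assumption to be tuned per environment."""
    dsts = defaultdict(set)
    for f in flows:
        dsts[f["pid"]].add(f["dst"])
    return {pid: len(hosts) for pid, hosts in dsts.items() if len(hosts) >= threshold}


def _constructed_flows():
    # 3160 distinct hosts from the service instance of mssecsvc.exe, matching the
    # report's count; TCP 445 is the SMB port WannaCry's worm probes (the report
    # itself lists only the host count). Plus a benign process with 3 destinations.
    flows = [{"pid": 1884, "dst": "10.%d.%d.%d" % ((i >> 16) & 255, (i >> 8) & 255, i & 255), "dport": 445}
             for i in range(3160)]
    flows += [{"pid": 3000, "dst": "192.0.2.%d" % i, "dport": 443} for i in range(3)]
    return flows


FLOWS = _constructed_flows()

if __name__ == "__main__":
    for pid, reason in detect_process_chain(PROCESS_EVENTS):
        print("ALERT pid=%d: %s" % (pid, reason))
    for pid, n in detect_fanout(FLOWS).items():
        print("ALERT pid=%d: %d distinct remote hosts" % (pid, n))
```

On the constructed records this fires on PIDs 2392 (mssecsvc.exe spawned by rundll32.exe), 2240 (tasksche.exe spawned by mssecsvc.exe) and 1884 (the "-m security" service instance), and the fan-out rule flags PID 1884 with 3160 distinct hosts while the benign rundll32 instance stays quiet. The chain rule is deliberately not keyed only on the file names, since those are trivially changed; the Windows-root placement plus the rundll32 parent is the more durable signal, and the allowlist is what keeps explorer.exe and friends out of the alert stream.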

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Windows\mssecsvc.exe

    Filesize

    3.6MB

    MD5

    e3af0286c15d6955b3f556ed2d06b330

    SHA1

    85ea5e6a5577b7383d5bb36a09c84e5bbda8ca33

    SHA256

    ddee54d15dfdac399d397383ad2ceb1a8bab70f32785c5fb55e1c8920a608e4d

    SHA512

    e219bc7425da54c0b900fa780ec4d223154578615efb00947bea76855549cabe830bb86b9124f7a13b301e3a5fd7a0d98c04f5cac9cf151d3860b8d72f0c4608

  • C:\Windows\tasksche.exe

    Filesize

    3.4MB

    MD5

    4a6aca6d918ea96a19bb39f874527d8e

    SHA1

    427f809d17c4cf3f1539872b2de9a06425abf3d7

    SHA256

    5d66245a7ea7b82e9d7c1743e2668e24be02208e5dcd3eb3a77338d83516b0e3

    SHA512

    3b582e04ca04900ef3cd0df5ba4ff8049ec38b3e6719aa6bfa8ad0adfc7c0d7d5785a7a72df4d9ae8ce9846c81e8b6d3ac9595f5cd822aea2b642f133b33e651