Overview

overview

10

Static

static

3

c699a6766b...18.dll

windows7-x64

10

c699a6766b...18.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    154s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
  • submitted
    28-08-2024 09:39

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    c699a6766bc5a0c79b2af6c029b89618_JaffaCakes118.dll

  • Size

    5.0MB

  • MD5

    c699a6766bc5a0c79b2af6c029b89618

  • SHA1

    e670824bf9a744f58688bdc91fd5578d91a5f370

  • SHA256

    e79e8c14c51dc0251e22d9976e3e3bde818b6c97d7147a50ad14d305056ac8b8

  • SHA512

    ff8d3e06602345d21684b07927b09a17f5f1b6573aa42e67bc05bdccc62bf73c63f1a6d9d38da0e7fd252960228cfe223d9f0a4eaaf0ace3cd0c71406136bda9

  • SSDEEP

    49152:znAQqMSPbcBVC/1INRx+TSqTdX1HkQo6SAARdhnvxJM0H9PAMEc:TDqPoBA1aRxcSUDk36SAEdhvxWa9P5

Score
10/10
wannacrydiscoveryransomwareworm

Malware Config

Signatures

  • Wannacry

    WannaCry is a ransomware cryptoworm.

    ransomwarewormwannacry
  • Contacts a large (3142) amount of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

    discovery
  • Executes dropped EXE 3 IoCs
  • Creates a large amount of network flows 1 TTPs

    This may indicate a network scan to discover remotely running services.

    discovery
  • Drops file in System32 directory 1 IoCs
  • Drops file in Windows directory 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies data under HKEY_USERS 24 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\c699a6766bc5a0c79b2af6c029b89618_JaffaCakes118.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1624
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\c699a6766bc5a0c79b2af6c029b89618_JaffaCakes118.dll,#1
      2⤵
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1496
      • C:\WINDOWS\mssecsvc.exe
        C:\WINDOWS\mssecsvc.exe
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        PID:1368
        • C:\WINDOWS\tasksche.exe
          C:\WINDOWS\tasksche.exe /i
          4⤵
          • Executes dropped EXE
          PID:2636
  • C:\WINDOWS\mssecsvc.exe
    C:\WINDOWS\mssecsvc.exe -m security
    1⤵
    • Executes dropped EXE
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Modifies data under HKEY_USERS
    PID:2068

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\mssecsvc.exe
    Filesize

    3.6MB

    MD5

    5cede39f2793397cf5727430afa8d8c7

    SHA1

    ae2166d3840809535f88bdd726c35263fbef20ff

    SHA256

    4c60a6581ed311c5b965ef4308f3eaa258bed6b343800b5b58eb7adedb911c2f

    SHA512

    174cd78a05cf4b00783bb1b1b3f56517a5eaa973a7fc5b7dfbb5e0f620acfe65c13ee1046ebcddf54cc6d57e7131d11d5708b03e6b8b34dc40dd008ae560b465

    Download Submit

  • C:\Windows\tasksche.exe
    Filesize

    3.4MB

    MD5

    cf655d8557b03b1ae567295ad924659b

    SHA1

    92b6b8a4cdf59303b56120fbc2ec5aa1eaac34a5

    SHA256

    ba463bb27d46d0a3f688ce471814cb7af99350771ed90e38668d5eb9c2db2b33

    SHA512

    dafde0ad7597ebe3e082407a73bceb2f873821027e7bd880a632c28d1d472a1b4f872563be3d7a26393af235b381946b9f7b5b324fff8e7c51c7d2ff9ebf2a5b

    Download Submit