Overview

overview

10

Static

static

3

c8f70ac7e9...18.dll

windows7-x64

10

c8f70ac7e9...18.dll

windows10-2004-x64

10

Resubmissions

29-08-2024 14:14

240829-rj9j6sxgjq 10

29-08-2024 14:14

240829-rj1bhaxfrn 10

29-08-2024 14:02

240829-rb9j7svgkg 10

Analysis

  • max time kernel
    150s
  • max time network
    153s
  • platform
    windows7_x64
  • resource
    win7-20240729-en
  • resource tags

    arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
  • submitted
    29-08-2024 14:02

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    c8f70ac7e9954b061f38978bac453fdc_JaffaCakes118.dll

  • Size

    5.0MB

  • MD5

    c8f70ac7e9954b061f38978bac453fdc

  • SHA1

    608a4b167b7a4f5812decb0330959b2e4a825afb

  • SHA256

    7dff4036c0f6b9c18d53d8d64a42a9bbee68cf8d2a88a79005759ea5b0b9f2d7

  • SHA512

    e3fd00eb7db991eec1bcf6364520a34dd480059d9103bb7af78ab881b3adefb7ab1fc8f305a65e9ecc79df5a74ba31b46cc204d3f05df3e31160f0fbaec4587e

  • SSDEEP

    98304:TDqPoBhz1aRxcSUDk36SAEdhvxWa9P593eAVp2H:TDqPe1Cxcxk3ZAEUadzec4H

Score
10/10
wannacrydiscoveryransomwareworm

Malware Config

Signatures

  • Wannacry

    WannaCry is a ransomware cryptoworm.

    ransomwarewormwannacry
  • Contacts a large (3204) amount of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

    discovery
  • Executes dropped EXE 3 IoCs
  • Creates a large amount of network flows 1 TTPs

    This may indicate a network scan to discover remotely running services.

    discovery
  • Drops file in System32 directory 1 IoCs
  • Drops file in Windows directory 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies data under HKEY_USERS 24 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\c8f70ac7e9954b061f38978bac453fdc_JaffaCakes118.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2140
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\c8f70ac7e9954b061f38978bac453fdc_JaffaCakes118.dll,#1
      2⤵
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2596
      • C:\WINDOWS\mssecsvc.exe
        C:\WINDOWS\mssecsvc.exe
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        PID:2584
        • C:\WINDOWS\tasksche.exe
          C:\WINDOWS\tasksche.exe /i
          4⤵
          • Executes dropped EXE
          PID:2668
  • C:\WINDOWS\mssecsvc.exe
    C:\WINDOWS\mssecsvc.exe -m security
    1⤵
    • Executes dropped EXE
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Modifies data under HKEY_USERS
    PID:2876

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\mssecsvc.exe
    Filesize

    3.6MB

    MD5

    873db523cf1a5c46201f70fa8d06477c

    SHA1

    27275b9858ecf9dcf7237a5f759b6c063d84d8c0

    SHA256

    46a7188e237cc7e06842567b30a21336f88140c8f6259d8b9bb0482644335932

    SHA512

    a17026a78f8d3390fa3b4dac2280ed27c3e504f9260da263c63aeaee8e60a9ed9f0b917e62a17ace38df828bd981c1f0f71582f0e85a2fef73bc7285505544fe

    Download Submit

  • C:\Windows\tasksche.exe
    Filesize

    3.4MB

    MD5

    d7a781aa1f9da5d30708526320eba21b

    SHA1

    951a80a582b3a13286643bc8228dc3e2506a9b92

    SHA256

    d8cdfa66dfe433268ce31463dc1736ea21bbae75f21c0daf07febe16618d304a

    SHA512

    afa75828bcdf96b6530ee6ae391b5900851d8d9e3929add2e252363bf923b39d127fb71ffa27f13f4ebece4aeff027a46b3777dae805caf94e73b02c73b9e711

    Download Submit