Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
  • submitted
    29-08-2024 19:14

General

  • Target

    c974b00c7df1cd75b4112d79ac9fa6a0_JaffaCakes118.dll

  • Size

    5.0MB

  • MD5

    c974b00c7df1cd75b4112d79ac9fa6a0

  • SHA1

    32a2087ef990a97dd9a411928e3aacb67292f7d6

  • SHA256

    51f8d763eb146e8c5c4d8732bee44a11474905b3f8fdc91cdd6008a6ac0f9c34

  • SHA512

    44d2da65c1eebeab7f22bf2fcab2268de3486be1bda1ff9786dd20f2ada87e261934a2e5ee96aab50a9cec880f430374b5cbf65a83cf827eac049e4444adc7f2

  • SSDEEP

    24576:SbLgddQhfdmMSirYbcMNgef0QeQjG/D8kIUt/8uME71NZtA0p+9XEk:SnAQqMSPbcBVQej/F3RhlAH

Malware Config

Signatures

  • Wannacry

    WannaCry is a ransomware cryptoworm.

  • Contacts a large (3283) amount of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Executes dropped EXE 3 IoCs
  • Creates a large amount of network flows 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Drops file in System32 directory 1 IoCs
  • Drops file in Windows directory 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies data under HKEY_USERS 24 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\c974b00c7df1cd75b4112d79ac9fa6a0_JaffaCakes118.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2220
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\c974b00c7df1cd75b4112d79ac9fa6a0_JaffaCakes118.dll,#1
      2⤵
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2364
      • C:\WINDOWS\mssecsvc.exe
        C:\WINDOWS\mssecsvc.exe
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        PID:2688
        • C:\WINDOWS\tasksche.exe
          C:\WINDOWS\tasksche.exe /i
          4⤵
          • Executes dropped EXE
          PID:2760
  • C:\WINDOWS\mssecsvc.exe
    C:\WINDOWS\mssecsvc.exe -m security
    1⤵
    • Executes dropped EXE
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Modifies data under HKEY_USERS
    PID:2664

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\mssecsvc.exe

    Filesize

    3.6MB

    MD5

    4b56b21d520882c85c0eb89a6515f717

    SHA1

    0a57508469b6ec29359df0a913c45af010ac5840

    SHA256

    866ea036cd3a77603eb7f6c4c0ab832a3c08de38c84b1e9e9add1f2d34e49282

    SHA512

    7a7192a60e12b370251e79c4c1358c90534ccb960fc0e5d8cb509f796014c38756d336f058e1c8585ea01fdc40046ddb877e142ad904fcae7d9474a2c5300be7

  • C:\Windows\tasksche.exe

    Filesize

    3.4MB

    MD5

    75c19ae4d1f8344b309ddf2cde681e8d

    SHA1

    1f33905ecd95d08ea5803d941841ba2783828f7d

    SHA256

    127a2f2068a0c99425b4297e11aa07f267f86b89b424f7647d10727521120d58

    SHA512

    c45679c55a41d0f9b6bbe15d719c706789147e848c3005104a078b839cff71f715d2dd8e7ce093148a7ab90ec08d8116e7d02d0984852c6236b3885418528b72