Overview

overview

10

Static

static

3

ca4e12b68d...18.dll

windows7-x64

10

ca4e12b68d...18.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    154s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
  • submitted
    30-08-2024 05:57

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ca4e12b68dcf1742b830a14c6efb064e_JaffaCakes118.dll

  • Size

    5.0MB

  • MD5

    ca4e12b68dcf1742b830a14c6efb064e

  • SHA1

    f2f6e4aa658fd0636911f3f9c1e5a08b80db2c02

  • SHA256

    d9396dd0ff51e3c0ffd34e98623a9057941ff7c0eaf9cb883127cabaa23222d8

  • SHA512

    20c405022a1bcabdff6a18be5f942bcbe17b051b6755bf0e45b9969c5ac5b372d6504c9299e38e84b7787f8aa3f7df175604e422559300f7176d3d4bd879de29

  • SSDEEP

    98304:TDqPoBhz1aRxcSUDk36SAF593R8yAVp2H:TDqPe1Cxcxk3ZAFzR8yc4H

Score
10/10
wannacrydiscoveryransomwareworm

Malware Config

Signatures

  • Wannacry

    WannaCry is a ransomware cryptoworm.

    ransomwarewormwannacry
  • Contacts a large (3206) amount of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

    discovery
  • Executes dropped EXE 3 IoCs
  • Creates a large amount of network flows 1 TTPs

    This may indicate a network scan to discover remotely running services.

    discovery
  • Drops file in System32 directory 1 IoCs
  • Drops file in Windows directory 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies data under HKEY_USERS 24 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\ca4e12b68dcf1742b830a14c6efb064e_JaffaCakes118.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1944
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\ca4e12b68dcf1742b830a14c6efb064e_JaffaCakes118.dll,#1
      2⤵
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2036
      • C:\WINDOWS\mssecsvc.exe
        C:\WINDOWS\mssecsvc.exe
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        PID:2408
        • C:\WINDOWS\tasksche.exe
          C:\WINDOWS\tasksche.exe /i
          4⤵
          • Executes dropped EXE
          PID:3040
  • C:\WINDOWS\mssecsvc.exe
    C:\WINDOWS\mssecsvc.exe -m security
    1⤵
    • Executes dropped EXE
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Modifies data under HKEY_USERS
    PID:2840

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\mssecsvc.exe
    Filesize

    3.6MB

    MD5

    ed009d019bc92dbe9d148907dda195bd

    SHA1

    7a5bc7ed6b9b0cce6b46635cbab86ba582746d85

    SHA256

    b1aa44f219b327805b4cd3f9695f92812e78334393aa544cfb45b36bc2b337ea

    SHA512

    adbfc2a8055aaa63ed6a29f9427127ed8e434e2a5978943c2546424c9dc47985ac886ae95cdbd42a01e2f7a47098a55ba3cf3e2fda9561d37ef5855fa69e47fc

    Download Submit

  • C:\Windows\tasksche.exe
    Filesize

    3.4MB

    MD5

    a7b39294f1ef85fb55996c355fcdc622

    SHA1

    aaf9eca8d73e64acae99b43397656762e7ef87b5

    SHA256

    74d84e873dcf8f3ce83ab24fd2622881e7f2c0d8ac988c4d804c36554aa54c0c

    SHA512

    2ddbc8504787c4069693a3ce3470dd4a14d246da4f98e0f1e4522fa02529b18b77c6fc46e618d10cb6cdfeaf211f966e694ca09c86459dcbfbf7b065e7a892ae

    Download Submit