Overview

overview

10

Static

static

3

cab22dbf00...18.dll

windows7-x64

10

cab22dbf00...18.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    30-08-2024 10:56

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    cab22dbf00eb5c321f9ea02ae36d80f7_JaffaCakes118.dll

  • Size

    5.0MB

  • MD5

    cab22dbf00eb5c321f9ea02ae36d80f7

  • SHA1

    bdab13db5b05f4333e98f0822061b73655ad77b7

  • SHA256

    68830676a0e62c23708f455b962f876b933393edb12b1ea75480814c2c3e94e5

  • SHA512

    e3e6ddc83d08b7a39861633586dbf8e051753eccfa07ec20fa49094fc2ac6be7c9a111f57fa37634c8a83181ab0d9b303ee60444074d9f64028090bbc42a9c3a

  • SSDEEP

    98304:+DqPoBhz1aRxcSUDkzAdhvxWa9+3R8yAVp2H:+DqPe1CxcxksUaOR8yc4H

Score
10/10
wannacrydiscoveryransomwareworm

Malware Config

Signatures

  • Wannacry

    WannaCry is a ransomware cryptoworm.

    ransomwarewormwannacry
  • Contacts a large (3329) amount of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

    discovery
  • Executes dropped EXE 3 IoCs
  • Creates a large amount of network flows 1 TTPs

    This may indicate a network scan to discover remotely running services.

    discovery
  • Drops file in Windows directory 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies data under HKEY_USERS 5 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\cab22dbf00eb5c321f9ea02ae36d80f7_JaffaCakes118.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1640
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\cab22dbf00eb5c321f9ea02ae36d80f7_JaffaCakes118.dll,#1
      2⤵
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2000
      • C:\WINDOWS\mssecsvc.exe
        C:\WINDOWS\mssecsvc.exe
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        PID:3896
        • C:\WINDOWS\tasksche.exe
          C:\WINDOWS\tasksche.exe /i
          4⤵
          • Executes dropped EXE
          PID:1252
  • C:\WINDOWS\mssecsvc.exe
    C:\WINDOWS\mssecsvc.exe -m security
    1⤵
    • Executes dropped EXE
    • System Location Discovery: System Language Discovery
    • Modifies data under HKEY_USERS
    PID:3244

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\mssecsvc.exe
    Filesize

    3.6MB

    MD5

    5ded308ea050897921f062c802a433aa

    SHA1

    f589680d165913d9d4fce691f75c866309a40e05

    SHA256

    091a3e5ca52c192aaab25d171e7781b41c3585a0f89072e7d5f4fb38d00c8971

    SHA512

    bb94e0eaa54e7ddf582149adf93b4d8b9bea87522a80c8c30fa716d84632f121d1bba18c73128331f1411262b12cb185df83e9233bdd1c5b5643bdb0b403c8f3

    Download Submit

  • C:\Windows\tasksche.exe
    Filesize

    3.4MB

    MD5

    8e0e901e8469c5e5d77139d9a4c078c9

    SHA1

    90d76c4f4027622bb71543b99346e50b7b8cb32f

    SHA256

    2659916de7c67474e22d031c44b7fa30d88e7da1bf5923a2c9b2d5c0dd523b59

    SHA512

    00f1da5b21bad27a415a17a8448ef5c45ed99a9a76682c15b0ecf1f80ddaeeaf0a26eb690b3664e21103f9132813616abf313b5694274f1efaf186973cc392d8

    Download Submit