Analysis

  • max time kernel
    150s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    30-08-2024 10:40

General

  • Target

    caac065b2034b4bcecfdfebb6280b749_JaffaCakes118.dll

  • Size

    5.0MB

  • MD5

    caac065b2034b4bcecfdfebb6280b749

  • SHA1

    f80d8648c5229a135bc4e1c6ef89c793510663f1

  • SHA256

    bdeae3c6294bd25dbc5b5f2788548634346af58e55722bb04db997e5ad056bd8

  • SHA512

    1c687bd44618f201fb18e1571695052eef806eb252a63dfd7228c672d996b99aa35b3036530f7432555c0f48a0923c78522c1fd4478d5ce21c933898e1407b2a

  • SSDEEP

    24576:SbLgddQhfdmMSirYbcMNgef0QeQjG/D8kIqRYoAdNLKz6626lX6SASk+RdhAlO6b:SnAQqMSPbcBVQej/1INRM6SAARdhc

Malware Config

Signatures

  • Wannacry

    WannaCry is a ransomware cryptoworm.

  • Contacts a large number (3332) of remote hosts 1 TTP

    This may indicate a network scan to discover remotely running services.

  • Executes dropped EXE 3 IoCs
  • Creates a large number of network flows 1 TTP

    This may indicate a network scan to discover remotely running services.

  • Drops file in Windows directory 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTP 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies data under HKEY_USERS 5 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\caac065b2034b4bcecfdfebb6280b749_JaffaCakes118.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2784
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\caac065b2034b4bcecfdfebb6280b749_JaffaCakes118.dll,#1
      2⤵
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4824
      • C:\WINDOWS\mssecsvc.exe
        C:\WINDOWS\mssecsvc.exe
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        PID:1560
        • C:\WINDOWS\tasksche.exe
          C:\WINDOWS\tasksche.exe /i
          4⤵
          • Executes dropped EXE
          PID:4948
  • C:\WINDOWS\mssecsvc.exe
    C:\WINDOWS\mssecsvc.exe -m security
    1⤵
    • Executes dropped EXE
    • System Location Discovery: System Language Discovery
    • Modifies data under HKEY_USERS
    PID:1544
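
The process tree and the network signatures above translate directly into detection logic. What follows is an added example, not part of the sandbox report and not code from the sample: it runs three checks over constructed process-creation and flow records whose PIDs, images and command lines are copied from the tree above (the parent PIDs outside the tree, the benign notepad.exe noise, the flow records and the field names are assumptions). The checks are: rundll32 loading a DLL from a user temp directory by export ordinal (",#1") anywhere in the ancestry of a file executed out of the Windows directory; the service-side relaunch "mssecsvc.exe -m security", which has no rundll32 parent and so needs its own rule; and the per-source fan-out of distinct destinations on TCP/445 that produces the "large number of remote hosts" signature.

```python
import re
from collections import defaultdict

# Constructed process-creation records (field names are an assumption, not the
# sandbox's schema). PIDs, images and command lines mirror the report's tree;
# parent PIDs 1000 and 700 and the notepad.exe entry are invented noise.
PROCESS_EVENTS = [
    {"pid": 2784, "ppid": 1000, "image": r"C:\Windows\system32\rundll32.exe",
     "cmd": r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\caac065b2034b4bcecfdfebb6280b749_JaffaCakes118.dll,#1"},
    {"pid": 4824, "ppid": 2784, "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "cmd": r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\caac065b2034b4bcecfdfebb6280b749_JaffaCakes118.dll,#1"},
    {"pid": 1560, "ppid": 4824, "image": r"C:\WINDOWS\mssecsvc.exe",
     "cmd": r"C:\WINDOWS\mssecsvc.exe"},
    {"pid": 4948, "ppid": 1560, "image": r"C:\WINDOWS\tasksche.exe",
     "cmd": r"C:\WINDOWS\tasksche.exe /i"},
    {"pid": 1544, "ppid": 700, "image": r"C:\WINDOWS\mssecsvc.exe",
     "cmd": r"C:\WINDOWS\mssecsvc.exe -m security"},
    {"pid": 3000, "ppid": 1000, "image": r"C:\Windows\System32\notepad.exe",
     "cmd": "notepad.exe"},
]

# Constructed flow records (src, dst, dport). The report counts 3332 remote
# hosts; here one source sweeps 60 neighbours on SMB and a second touches two.
NETWORK_FLOWS = [("10.0.0.5", f"10.0.0.{i}", 445) for i in range(10, 70)] + [
    ("10.0.0.5", "10.0.0.1", 53),
    ("10.0.0.9", "10.0.0.20", 445),
    ("10.0.0.9", "10.0.0.21", 445),
]

# rundll32 given a DLL under a user's AppData\Local\Temp plus an export ordinal.
ORDINAL_TEMP_DLL = re.compile(
    r"rundll32(?:\.exe)?\s+.*\\AppData\\Local\\Temp\\[^\s,]+\.dll,#\d+",
    re.IGNORECASE)
DROPPED_NAMES = {"mssecsvc.exe", "tasksche.exe"}


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def _dirname(path):
    return path.rsplit("\\", 1)[0].lower()


def _ancestors(event, by_pid):
    """Walk the parent chain until the parent is outside the record set."""
    chain, cur = [], event
    while cur["ppid"] in by_pid:
        cur = by_pid[cur["ppid"]]
        chain.append(cur)
    return chain


def detect_wannacry_chain(events):
    """PIDs of mssecsvc.exe / tasksche.exe run directly from the Windows
    directory whose ancestry contains an ordinal rundll32 load of a temp DLL."""
    by_pid = {e["pid"]: e for e in events}
    hits = set()
    for e in events:
        if _basename(e["image"]) not in DROPPED_NAMES:
            continue
        if _dirname(e["image"]) != "c:\\windows":
            continue
        lineage = [e] + _ancestors(e, by_pid)
        if any(ORDINAL_TEMP_DLL.search(p["cmd"]) for p in lineage):
            hits.add(e["pid"])
    return sorted(hits)


def detect_service_mode(events):
    """PIDs of the service-side relaunch 'mssecsvc.exe -m security'. This half
    of the tree has no rundll32 parent, so the chain rule alone misses it."""
    return sorted(e["pid"] for e in events
                  if _basename(e["image"]) == "mssecsvc.exe"
                  and re.search(r"\s-m\s+security\b", e["cmd"], re.IGNORECASE))


def detect_smb_fanout(flows, threshold=50):
    """{src: distinct TCP/445 destinations} for sources at or above threshold."""
    dsts = defaultdict(set)
    for src, dst, dport in flows:
        if dport == 445:
            dsts[src].add(dst)
    return {src: len(d) for src, d in dsts.items() if len(d) >= threshold}


if __name__ == "__main__":
    print("dropped-chain pids:", detect_wannacry_chain(PROCESS_EVENTS))
    print("service-mode pids:", detect_service_mode(PROCESS_EVENTS))
    print("smb fan-out:", detect_smb_fanout(NETWORK_FLOWS))
```

The chain rule deliberately requires both the Windows-directory drop location and the ordinal temp-DLL ancestor, so a legitimately installed binary named mssecsvc.exe or a rundll32 call on a system DLL does not fire on its own; the fan-out threshold is a tuning knob, and on a real network it should be set from a baseline of normal SMB client behaviour rather than the value used here.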

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\mssecsvc.exe

    Filesize

    3.6MB

    MD5

    eaed8d1bb2de1ce03b6b7269627285e6

    SHA1

    6d4a62ab6295c889e21b71fd94e0cc710f09b0fc

    SHA256

    13c3ae01b1170870fe615c81b7933eddb2a8b281aaee02edcce6aa65e0daf4e1

    SHA512

    f83abf4dee4f5bf26a9b39db91028426bb165ed733f4d0fd303e122c24a5c8af865310c515069becc8bcaca996ad525f402c2088109d928a859d41556e80edbc

  • C:\Windows\tasksche.exe

    Filesize

    3.4MB

    MD5

    141bb1a0ef73a2e7d1af1d8c077e4253

    SHA1

    26d34abdd79bc22f6b36d5de4638256296553e4f

    SHA256

    6ac581fa78af25515b9e1e02f0f6fc4761116e1ac19288e345be4578f2e72efd

    SHA512

    e54ef20f4027798e8f2d27f02b0bc542ab86e4fa6bbbb095e43c7743441699600bd1804d1472d01abf5d890fbbfe6ed224ec8856c003df4ccf7f4b32c232fc4b