Overview

overview

10

Static

static

3

cabc41c746...18.dll

windows7-x64

10

cabc41c746...18.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    30-08-2024 11:20

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    cabc41c7460caa08b7669c74ad91fbbc_JaffaCakes118.dll

  • Size

    5.0MB

  • MD5

    cabc41c7460caa08b7669c74ad91fbbc

  • SHA1

    8f915b53f3320913297e851dd908eee077ca44d3

  • SHA256

    d66516fd8cfdcb030baf16943f3115e8b4dbdc975c7900ba37ff852b03b7879d

  • SHA512

    dc2d1810aa9616ea6edb57b08db6799397564ec3de6c4fc9fb694e574135dc6f9daaf4107d0b5296ad8c2ca244991e6927141f4368dc72074d93a57e21491461

  • SSDEEP

    24576:SbLgdeQhfdmMSirYbcMNgef077nEaut/8uME7A4kqAH1pNZtA0p:SnjQqMSPbcBVPEau3R8yAH1plA

Score
10/10
wannacrydiscoveryransomwareworm

Malware Config

Signatures

  • Wannacry

    WannaCry is a ransomware cryptoworm.

    ransomwarewormwannacry
  • Contacts a large (3288) amount of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

    discovery
  • Executes dropped EXE 3 IoCs
  • Creates a large amount of network flows 1 TTPs

    This may indicate a network scan to discover remotely running services.

    discovery
  • Drops file in Windows directory 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\cabc41c7460caa08b7669c74ad91fbbc_JaffaCakes118.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4312
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\cabc41c7460caa08b7669c74ad91fbbc_JaffaCakes118.dll,#1
      2⤵
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:208
      • C:\WINDOWS\mssecsvc.exe
        C:\WINDOWS\mssecsvc.exe
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        PID:1588
        • C:\WINDOWS\tasksche.exe
          C:\WINDOWS\tasksche.exe /i
          4⤵
          • Executes dropped EXE
          PID:3616
  • C:\WINDOWS\mssecsvc.exe
    C:\WINDOWS\mssecsvc.exe -m security
    1⤵
    • Executes dropped EXE
    • System Location Discovery: System Language Discovery
    PID:2596

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\mssecsvc.exe
    Filesize

    3.6MB

    MD5

    3efd11562e83b3e75d8a4b92c12cfcd5

    SHA1

    087a594e11056572469bdf4b7ea1e72446e89c07

    SHA256

    2272c7541063f16369ac05f0e29c2a1fb484c9faf7fedb3da80193c11cdf2d48

    SHA512

    e68188b75a4a2c9c641622cb4277eb4ebc44b8837747ccebbfd15f8ec840854a46ca258d9321eaaab8a85dc140d1f1fea8bed7d23ce5bca43b4100234a1a637b

    Download Submit

  • C:\Windows\tasksche.exe
    Filesize

    3.4MB

    MD5

    4a8a368a5305921722fb56265fe5286d

    SHA1

    96a8b92683177c59c70556d747aaf7e25ac203c3

    SHA256

    aec5e29a733e988cb57bf9947bb8fe43a84a56c52a7b3cd2e03920d05b6c5802

    SHA512

    42adeed02e64e01750e3b10bb16d1dbcc345f9480ff0c7df3b1174ce0487941786101826b8c504e795f4c0ec1d479be96ba39c799f6f3c1e43a070902554e4d3

    Download Submit