Overview

overview

10

Static

static

3

ce494e90f5...18.dll

windows7-x64

10

ce494e90f5...18.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    06-09-2024 00:57

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ce494e90f5ba942a3f1c0fe557e598bf_JaffaCakes118.dll

  • Size

    5.0MB

  • MD5

    ce494e90f5ba942a3f1c0fe557e598bf

  • SHA1

    f9b816aa2e019d192de555ed7fe0fd9aba1d4f68

  • SHA256

    9ce656f2fdeef73ccf15b8589b150d2a5e3d22b03c1947d7e2f65e69e4909488

  • SHA512

    6212b2f7e188048dd83d58db5b42b6cfad34b41f223c94d4996a6402d827bdcb2ff41b8d92992cc399b8582c3f9862e93f7a47409c7edacfb43c1556d57995e1

  • SSDEEP

    98304:+DqPoBhz1aRxcSUDk36SAEdhvxWa9P59Uc/J:+DqPe1Cxcxk3ZAEUadv

Score
10/10
wannacrydiscoveryransomwareworm

Malware Config

Signatures

  • Wannacry

    WannaCry is a ransomware cryptoworm.

    ransomwarewormwannacry
  • Contacts a large (3284) amount of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

    discovery
  • Executes dropped EXE 3 IoCs
  • Creates a large amount of network flows 1 TTPs

    This may indicate a network scan to discover remotely running services.

    discovery
  • Drops file in Windows directory 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies data under HKEY_USERS 5 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\ce494e90f5ba942a3f1c0fe557e598bf_JaffaCakes118.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1748
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\ce494e90f5ba942a3f1c0fe557e598bf_JaffaCakes118.dll,#1
      2⤵
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4748
      • C:\WINDOWS\mssecsvc.exe
        C:\WINDOWS\mssecsvc.exe
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        PID:1088
        • C:\WINDOWS\tasksche.exe
          C:\WINDOWS\tasksche.exe /i
          4⤵
          • Executes dropped EXE
          PID:2160
  • C:\WINDOWS\mssecsvc.exe
    C:\WINDOWS\mssecsvc.exe -m security
    1⤵
    • Executes dropped EXE
    • System Location Discovery: System Language Discovery
    • Modifies data under HKEY_USERS
    PID:4608

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\mssecsvc.exe
    Filesize

    3.6MB

    MD5

    3d3b7e106612cc5086ef3e8aff697829

    SHA1

    b25e174d297361d98dc6d9248c1a858346135648

    SHA256

    d26d0b5d6dd45a1c25aa5b5202f139eb90ded45216aaba4a6321f9e3ec5fd94a

    SHA512

    2df70df4cb5b9d2343f78f2bedc7fcccfd0bd2c8c95e6d27688669d9889616a12e264f2d9d963fb85d3501d571094a8f41a9f95ea54ffe621a160af8fda26f41

    Download Submit

  • C:\Windows\tasksche.exe
    Filesize

    3.4MB

    MD5

    72a0273e5bdad2089ab90020265fcbce

    SHA1

    4a64856c9b86cc9f74fc6e74524d3cb09c3668a4

    SHA256

    45dc98a814d1bfd4ba7790b607da53678df7c99e3e1747f7ad4f56899e3805e4

    SHA512

    e02a324565dee584ba64e47936c5ab6a70d0c00e69e9767bf82d8c8195771a8270699f72ad0d64a490d22b0be32b54ce04c3df973baa8e8b65434781e848eb02

    Download Submit