Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    10-09-2024 12:44

General

  • Target

    d84b4ffd93cd5a2b5581a7d06965db3c_JaffaCakes118.dll

  • Size

    5.0MB

  • MD5

    d84b4ffd93cd5a2b5581a7d06965db3c

  • SHA1

    4864f857649abea6352752d9ffd2e966e41cae2e

  • SHA256

    11b03cfbbd729b24efca4977e03cc469079265ebdfd2811cc8626fd85c6a7ec5

  • SHA512

    fa8c6da6315b4b0d3a20fabc34d992afb9babc9ffc73ca53871fcbff856347f8ec25203936e13d4acac76d8489d2e3b5bf6f894cca4a4c07cd338cca9b74bc40

  • SSDEEP

    49152:SnAQqMSPbcBVWRdhnvxJM0H9aEau3R8yAH1plAH:+DqPoBUdhvxWa9n3R8yAVp2H

Malware Config

Signatures

  • Wannacry

    WannaCry is a ransomware cryptoworm.

  • Contacts a large (3317) number of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Executes dropped EXE 3 IoCs
  • Creates a large amount of network flows 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Drops file in Windows directory 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies data under HKEY_USERS 5 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\d84b4ffd93cd5a2b5581a7d06965db3c_JaffaCakes118.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2104
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\d84b4ffd93cd5a2b5581a7d06965db3c_JaffaCakes118.dll,#1
      2⤵
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:5064
      • C:\WINDOWS\mssecsvc.exe
        C:\WINDOWS\mssecsvc.exe
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        PID:4156
        • C:\WINDOWS\tasksche.exe
          C:\WINDOWS\tasksche.exe /i
          4⤵
          • Executes dropped EXE
          PID:1600
  • C:\WINDOWS\mssecsvc.exe
    C:\WINDOWS\mssecsvc.exe -m security
    1⤵
    • Executes dropped EXE
    • System Location Discovery: System Language Discovery
    • Modifies data under HKEY_USERS
    PID:4088

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\mssecsvc.exe

    Filesize

    3.6MB

    MD5

    73066cb0b124925b94d56cad03e8d924

    SHA1

    e3dc4b59bb59ea7f112c2915f8ad08a08b98471a

    SHA256

    36523446dfe614180f546f07be678e5ca1fcdb1af603b6367b2f7063c9389c30

    SHA512

    760055d5f169d2973f769672a57eb303b20e1ebb242e8d24df10b76df636612399a65c9ab9667c7e374179506c0578423c2eb11d0f2943498d57c47cc2cb2024

  • C:\Windows\tasksche.exe

    Filesize

    3.4MB

    MD5

    1baa65378f18f5fa8af049362c856994

    SHA1

    737d21e1623acb763e66177b13e8c5cacb03f2fc

    SHA256

    606476618eaec9bc7850d7c37e91bd7bbd2314931d76dd0e75e3e69d3355ff3d

    SHA512

    b246eb364f951422fc88529997efd3875a09fdec701e088b700dbe526581fccba830f5b4e95f83757bad50660bef7dd30f9b628ec20a94ad066ff8442a95047a