Overview

overview

10

Static

static

3

db0e21080d...18.dll

windows7-x64

10

db0e21080d...18.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    153s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
  • submitted
    11-09-2024 19:20

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    db0e21080d696dcefd706893e48915d6_JaffaCakes118.dll

  • Size

    5.0MB

  • MD5

    db0e21080d696dcefd706893e48915d6

  • SHA1

    e058a928e9105fdc7d7db2c2417218092e97fbef

  • SHA256

    3e332594fc7832af004031aa1fb8b8fd939e4c976cd98a782e38f95a41dce4f4

  • SHA512

    dd2de5172f1a0a38f784d5304a3a48d4c30afedd83d1e7bf692bb60839cb34feb661984e9ebf8d7af288ed0c640c067038e0e84481fdffc755763083f506bebc

  • SSDEEP

    49152:znAQqMSPbcBVQej/1INRx+TSqTdX1HkQo6SAARdhnvxJM0H9PAMEcaEa:TDqPoBhz1aRxcSUDk36SAEdhvxWa9P5

Score
10/10
wannacrydiscoveryransomwareworm

Malware Config

Signatures

  • Wannacry

    WannaCry is a ransomware cryptoworm.

    ransomwarewormwannacry
  • Contacts a large (3329) amount of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

    discovery
  • Executes dropped EXE 3 IoCs
  • Creates a large amount of network flows 1 TTPs

    This may indicate a network scan to discover remotely running services.

    discovery
  • Drops file in System32 directory 1 IoCs
  • Drops file in Windows directory 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies data under HKEY_USERS 24 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\db0e21080d696dcefd706893e48915d6_JaffaCakes118.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2720
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\db0e21080d696dcefd706893e48915d6_JaffaCakes118.dll,#1
      2⤵
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2888
      • C:\WINDOWS\mssecsvc.exe
        C:\WINDOWS\mssecsvc.exe
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        PID:2900
        • C:\WINDOWS\tasksche.exe
          C:\WINDOWS\tasksche.exe /i
          4⤵
          • Executes dropped EXE
          PID:2892
  • C:\WINDOWS\mssecsvc.exe
    C:\WINDOWS\mssecsvc.exe -m security
    1⤵
    • Executes dropped EXE
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Modifies data under HKEY_USERS
    PID:2952

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\mssecsvc.exe
    Filesize

    3.6MB

    MD5

    8773102e5c3dc6a0d101f45ccea7a6fe

    SHA1

    9b0e563aa83f000ffe1260bb25ab506bad9dc9da

    SHA256

    2869ad817d13f8434e7ca284bc6e1a0ca2024483bf732085e33c31bb881f8dbe

    SHA512

    ed6d2fc8eb000c525ebc86af491728ae7152c2aac347163391f35ac67dd6e6af167bbca9c184d1bce0fa032a9fcfd1bb1b375afe24e6c6dd19a990150ceee531

    Download Submit

  • C:\Windows\tasksche.exe
    Filesize

    3.4MB

    MD5

    3f958022a754e5fb9494a51ebcf96c52

    SHA1

    7d5b179a2deda11444765068f669a9d0022098de

    SHA256

    2e8c6a4aaf0d9a1c559b1a8b93a6e4f72e4b5d336431f40fe7e61c5d63b4a714

    SHA512

    036ef8c8c8bf106a6bcecf2a8771c01df41c5ab0060e3f09129fdb0f2cc774c14022a3cee6efe21fc4c2dafd33703618da15a0320b44b3be5db2d2af1f51f151

    Download Submit