Analysis

  • max time kernel
    126s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20240729-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
  • submitted
    17-09-2024 09:31

General

  • Target

    e6855434ad2a02e8bc34813775695668_JaffaCakes118.dll

  • Size

    5.0MB

  • MD5

    e6855434ad2a02e8bc34813775695668

  • SHA1

    ff68c8f1f3b9d8954f77d6884bcd29d4c7d48af1

  • SHA256

    1c2cb3a8cbcfd685562e382651218cc0f0b18589482402ae4d3c4a5ab266c39d

  • SHA512

    6057946841388660d82708aaac0fab22547d631b1a2c0dfd0aebf56ac07116ee583fe8dda31e45fa1e1069791cf3f42cc699639a47556b778bf546b8847545af

  • SSDEEP

    98304:+DqPoBhz1aRxcSUDk36SAEdhvxWa9P593R8yAVp2H:+DqPe1Cxcxk3ZAEUadzR8yc4H

Malware Config

Signatures

  • Wannacry

    WannaCry is a ransomware cryptoworm.

  • Contacts a large (3281) amount of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Executes dropped EXE 5 IoCs
  • Loads dropped DLL 4 IoCs
  • Creates a large amount of network flows 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Drops file in System32 directory 1 IoCs
  • Drops file in Windows directory 3 IoCs
  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies data under HKEY_USERS 24 IoCs
  • Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs
  • Suspicious use of WriteProcessMemory 27 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\e6855434ad2a02e8bc34813775695668_JaffaCakes118.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2100
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\e6855434ad2a02e8bc34813775695668_JaffaCakes118.dll,#1
      2⤵
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2316
      • C:\WINDOWS\mssecsvc.exe
        C:\WINDOWS\mssecsvc.exe
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:3000
        • C:\WINDOWS\tasksche.exe
          C:\WINDOWS\tasksche.exe /i
          4⤵
          • Executes dropped EXE
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2580
          • C:\ProgramData\xzylnmtyo879\tasksche.exe
            C:\ProgramData\xzylnmtyo879\tasksche.exe
            5⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            PID:1928
  • C:\WINDOWS\mssecsvc.exe
    C:\WINDOWS\mssecsvc.exe -m security
    1⤵
    • Executes dropped EXE
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Modifies data under HKEY_USERS
    PID:2668
  • C:\Windows\system32\cmd.exe
    cmd.exe /c "C:\ProgramData\xzylnmtyo879\tasksche.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2480
    • C:\ProgramData\xzylnmtyo879\tasksche.exe
      C:\ProgramData\xzylnmtyo879\tasksche.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: CmdExeWriteProcessMemorySpam
      • Suspicious use of WriteProcessMemory
      PID:2808
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 2808 -s 92
        3⤵
        • Loads dropped DLL
        • Program crash
        PID:2472

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\mssecsvc.exe

    Filesize

    3.6MB

    MD5

    c223a0feb037ab17cc273a40856395b0

    SHA1

    d4f498435c23027ee324bc93494f871dfe8ad7a9

    SHA256

    47a0caff0fa7159652f377ab3ac01b70771aa45cbd3b1567f752194c38f4ee6c

    SHA512

    69ea8339e33c5c7706411da7e2d0c8d2b8cdd4516f72a05aa62ba9093014e3d7542345af9c00e9f36c53f674b1cc2a6546bdad2c303c1cb3aae795bbdba01be9

  • C:\Windows\tasksche.exe

    Filesize

    3.4MB

    MD5

    e56fca813e300a87483824b2924a9b45

    SHA1

    e2055d48fc7999dd8cc9f5b3e94ba12948d5a8e2

    SHA256

    bf9b9e4b3b71a9cc47af24acbd525dd76a7c956049029e714c3e31b21507c70b

    SHA512

    246a0868b687a0ed8c22b5cfcdf8a8b36d3e40100c8ddad65a491418192889ba9a77ed238ed3c921812a1654287b7de437f89a014070dbf3f5378c547cb45e10