Overview

overview

10

Static

static

3

ed7cd9ddd0...18.dll

windows7-x64

10

ed7cd9ddd0...18.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    20-09-2024 11:30

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ed7cd9ddd0c1e1cf38f59e9e664d080f_JaffaCakes118.dll

  • Size

    5.0MB

  • MD5

    ed7cd9ddd0c1e1cf38f59e9e664d080f

  • SHA1

    6b09a1cb5f9f43bd961176c90ace84a3030aff04

  • SHA256

    d0535ad814de0ff7c164c849978445568d67ecc93e9d56b92a972d2103925050

  • SHA512

    5e86173fe6354ba764b2e2281074d3afd679fdc451de22a10b47a130945cfb22df3dece5c195016eb4f62240b093ba104b118bf40f52535fd5e84ec21ca67099

  • SSDEEP

    49152:SnjQxMSPbcBVQej/1INRx+TSqTdX1HkQo6SAARxEau3R8yAH1p:+8xPoBhz1aRxcSUDk36SAE43R8yAVp

Score
10/10
wannacrydiscoveryransomwareworm

Malware Config

Signatures

  • Wannacry

    WannaCry is a ransomware cryptoworm.

    ransomwarewormwannacry
  • Contacts a large (3258) amount of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

    discovery
  • Executes dropped EXE 3 IoCs
  • Creates a large amount of network flows 1 TTPs

    This may indicate a network scan to discover remotely running services.

    discovery
  • Drops file in Windows directory 2 IoCs
  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\ed7cd9ddd0c1e1cf38f59e9e664d080f_JaffaCakes118.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4284
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\ed7cd9ddd0c1e1cf38f59e9e664d080f_JaffaCakes118.dll,#1
      2⤵
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2824
      • C:\WINDOWS\mssecsvc.exe
        C:\WINDOWS\mssecsvc.exe
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:3960
        • C:\WINDOWS\tasksche.exe
          C:\WINDOWS\tasksche.exe /i
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:3016
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 3016 -s 220
            5⤵
            • Program crash
            PID:2132
  • C:\WINDOWS\mssecsvc.exe
    C:\WINDOWS\mssecsvc.exe -m security
    1⤵
    • Executes dropped EXE
    • System Location Discovery: System Language Discovery
    PID:3588
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3016 -ip 3016
    1⤵
      PID:3704
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=3864,i,13995403245988825027,7033610968827661507,262144 --variations-seed-version --mojo-platform-channel-handle=4276 /prefetch:8
      1⤵
        PID:4332

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Windows\mssecsvc.exe
        Filesize

        3.6MB

        MD5

        5dbf1c7a182f3a1467d7a64bbfe3f72d

        SHA1

        ce587e332b205c39936c60671c32490270a7a829

        SHA256

        786ac51de4a52f74c69e239b2a65caf8036da31e6e785cf4c11519de1d978894

        SHA512

        e3ac0a9d0a667d5571358e2014c6a9b3db5c0c276d5cf8e7fcb849b146416b019487541147c0d33b9c4a6b495163e06347fbf920e0c0ee2c094235e873b145fa

        Download Submit

      • C:\Windows\tasksche.exe
        Filesize

        3.4MB

        MD5

        c18443dcca8165ec96d671495ae9675e

        SHA1

        dfbf4ee502933dc96aef9d29dc3c2e35f053921f

        SHA256

        9e89a638ce8d9c47eed2df8aa7540a7a20e176302be41735a3985306758f0653

        SHA512

        240a8bbc3da3d4324a8d9cebe58bd2a76809470bb49e8297a704bef406d3f441c59df2b39eacb6a4a1401679ae1460dbe6c8313758524753ad4d51c41e587833

        Download Submit