Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    20-09-2024 13:58

General

  • Target

    edbd2dfd6334fb23e5bf3faa24556a4a_JaffaCakes118.dll

  • Size

    5.0MB

  • MD5

    edbd2dfd6334fb23e5bf3faa24556a4a

  • SHA1

    d98673cd23f664b32ced72a47e94c9dfe2fbc41e

  • SHA256

    d20278b518a4592122279ad93c96fae5ad9fdca4dc038352c794f5030dc6d54c

  • SHA512

    793008c5e90e7cdaf986f8d489320ea39bba074797583593345fd344b11e7643862c2849bde9b732cff00144780eeada91f7d51cd235fc5ca30ac014ac98ab8a

  • SSDEEP

    98304:+DqPoBhz1avBiGkEJMkEBaXTddktRzVJr0O+jM1BU8C4q6ohRMkP/:+DqPe16BiKqkEWcZJAdG68A

Malware Config

Signatures

  • Wannacry

    WannaCry is a ransomware cryptoworm that self-propagates over SMB.

  • Contacts a large number (3216) of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Executes dropped EXE 3 IoCs
  • Creates a large number of network flows 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Drops file in System32 directory 1 IoCs
  • Drops file in Windows directory 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.

  • Modifies data under HKEY_USERS 24 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs
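The two network signatures above (many remote hosts, many network flows) and the process tree in the next section are both detectable from ordinary endpoint telemetry. The following is an added example, not part of the report and not code from any sandbox: it parses a constructed process/connection log (PIDs and images mirror the process tree below; all IP addresses, the parent PIDs 1000 and 600, the log format, which process is given the scanning connections, and the threshold of 100 distinct hosts are assumptions) and flags a process that contacted more than the threshold of distinct hosts on TCP 445, the rundll32.exe to mssecsvc.exe to tasksche.exe /i chain, and the service-mode mssecsvc.exe -m security launch.

```python
"""Detection logic for two behaviours in the Signatures list (added example):
a process contacting many distinct remote hosts, and the process chain that
the report shows for this sample."""
import ntpath
from collections import defaultdict

# Constructed telemetry, not taken from the report: "proc|pid|ppid|image|cmdline"
# and "conn|pid|dst_ip|dst_port" lines. PIDs and images mirror the process tree
# in the report; parent PIDs 1000 and 600 are placeholders and every IP is made up.
SAMPLE_LOG = """\
proc|2544|1000|C:\\Windows\\system32\\rundll32.exe|rundll32.exe C:\\Users\\Admin\\AppData\\Local\\Temp\\edbd2dfd6334fb23e5bf3faa24556a4a_JaffaCakes118.dll,#1
proc|1256|2544|C:\\Windows\\SysWOW64\\rundll32.exe|rundll32.exe C:\\Users\\Admin\\AppData\\Local\\Temp\\edbd2dfd6334fb23e5bf3faa24556a4a_JaffaCakes118.dll,#1
proc|1652|1256|C:\\WINDOWS\\mssecsvc.exe|C:\\WINDOWS\\mssecsvc.exe
proc|2832|1652|C:\\WINDOWS\\tasksche.exe|C:\\WINDOWS\\tasksche.exe /i
proc|2072|600|C:\\WINDOWS\\mssecsvc.exe|C:\\WINDOWS\\mssecsvc.exe -m security
proc|3000|1000|C:\\Windows\\explorer.exe|explorer.exe
conn|3000|10.0.0.5|445
conn|3000|10.0.0.6|445
conn|2072|10.0.0.5|80
"""
# 300 distinct TCP 445 targets stand in for the 3216 hosts in the report. Attributing
# them to PID 2072 is an assumption; the report does not say which PID scanned.
SAMPLE_LOG += "".join(f"conn|2072|10.1.{i // 256}.{i % 256}|445\n" for i in range(300))


def parse_log(text):
    """Split the log into process-creation and connection records."""
    procs, conns = [], []
    for line in text.splitlines():
        if not line.strip():
            continue
        kind, *fields = line.split("|")
        if kind == "proc":
            pid, ppid, image, cmdline = fields
            procs.append({"pid": int(pid), "ppid": int(ppid), "image": image, "cmdline": cmdline})
        elif kind == "conn":
            pid, dst, port = fields
            conns.append({"pid": int(pid), "dst": dst, "port": int(port)})
    return procs, conns


def distinct_hosts_per_pid(conns, port=None):
    """Number of distinct destination hosts each PID talked to (optionally on one port)."""
    hosts = defaultdict(set)
    for c in conns:
        if port is None or c["port"] == port:
            hosts[c["pid"]].add(c["dst"])
    return {pid: len(h) for pid, h in hosts.items()}


def flag_scanners(conns, threshold=100, port=445):
    """PIDs that contacted more than `threshold` distinct hosts on `port`.
    The default threshold is an assumption; tune it to the host's normal SMB fan-out."""
    return sorted(pid for pid, n in distinct_hosts_per_pid(conns, port).items() if n > threshold)


def _base(image):
    # ntpath so Windows paths are handled correctly when this runs on Linux.
    return ntpath.basename(image).lower()


def find_dropper_chain(procs):
    """(rundll32 pid, mssecsvc pid, tasksche pid) triples matching the report's tree:
    rundll32.exe -> mssecsvc.exe -> tasksche.exe /i."""
    by_pid = {p["pid"]: p for p in procs}
    hits = []
    for p in procs:
        if _base(p["image"]) != "tasksche.exe" or "/i" not in p["cmdline"].lower().split():
            continue
        parent = by_pid.get(p["ppid"])
        if parent is None or _base(parent["image"]) != "mssecsvc.exe":
            continue
        grand = by_pid.get(parent["ppid"])
        if grand is None or _base(grand["image"]) != "rundll32.exe":
            continue
        hits.append((grand["pid"], parent["pid"], p["pid"]))
    return hits


def find_service_launches(procs):
    """PIDs of mssecsvc.exe started with '-m security', the second root in the tree."""
    return sorted(p["pid"] for p in procs
                  if _base(p["image"]) == "mssecsvc.exe"
                  and p["cmdline"].lower().endswith("-m security"))


if __name__ == "__main__":
    procs, conns = parse_log(SAMPLE_LOG)
    print("dropper chains:", find_dropper_chain(procs))
    print("service launches:", find_service_launches(procs))
    print("scanning PIDs:", flag_scanners(conns))
```

The chain check keys on image basenames and the `/i` argument rather than on full paths, since the report itself shows the same binary under both `C:\Windows` and `C:\WINDOWS`; the host-count check counts distinct destinations per PID on one port, so a single busy file server connection is not mistaken for a sweep.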

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\edbd2dfd6334fb23e5bf3faa24556a4a_JaffaCakes118.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2544
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\edbd2dfd6334fb23e5bf3faa24556a4a_JaffaCakes118.dll,#1
      2⤵
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1256
      • C:\WINDOWS\mssecsvc.exe
        C:\WINDOWS\mssecsvc.exe
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        PID:1652
        • C:\WINDOWS\tasksche.exe
          C:\WINDOWS\tasksche.exe /i
          4⤵
          • Executes dropped EXE
          PID:2832
  • C:\WINDOWS\mssecsvc.exe
    C:\WINDOWS\mssecsvc.exe -m security
    1⤵
    • Executes dropped EXE
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Modifies data under HKEY_USERS
    PID:2072

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Windows\mssecsvc.exe

    Filesize

    3.6MB

    MD5

    432b9974f5d2d125836aa256c0561c35

    SHA1

    47c9d035c8f3f597f1edf1b30fcefc503663a004

    SHA256

    657d88e66980b8fd5e59288ff183fba1263e2c07eb743a9e2b2db9b1696fd34b

    SHA512

    057e64217ef94b2a727928558e89305c8dc830679d2f2511d505b2e670aad9fb40d91df0b561aa9c578a8ac5bc8ecf6ffccc034db58ad707bf424e387c82b2fb

  • C:\Windows\tasksche.exe

    Filesize

    3.4MB

    MD5

    a544fceb57911ff07042edc3f297b00c

    SHA1

    c7ab030800401d9ac174475d4429a41731930bef

    SHA256

    5edc477c1b65657cc143ce3abad4d764c45ce4e35de859313208a3eca9202a80

    SHA512

    192dd15dde13a8e866536db96e4d68d1e67903f305fe2f770cb052cc178b0504674c4d98d3d9068e34b2fd74733693cb420320d2a8a817fcea9805f1a5e8b13f
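The hashes above are the indicators a responder would check for on other hosts. The following is an added example, not from the report or any vendor tool: it hashes files with MD5, SHA-1 and SHA-256 and matches them against the two dropped-file entries above, reporting a partial match (some algorithms agree, others do not) separately so that a mistyped or truncated indicator, or a collision, is visible rather than silently treated as a miss. The file-walk entry point, chunk size and default scan root are assumptions.

```python
"""Match files against the dropped-file hashes from this report (added example)."""
import hashlib
import os

# Digests copied from the report's Downloads section.
DROPPED_FILE_IOCS = {
    "mssecsvc.exe": {
        "md5": "432b9974f5d2d125836aa256c0561c35",
        "sha1": "47c9d035c8f3f597f1edf1b30fcefc503663a004",
        "sha256": "657d88e66980b8fd5e59288ff183fba1263e2c07eb743a9e2b2db9b1696fd34b",
    },
    "tasksche.exe": {
        "md5": "a544fceb57911ff07042edc3f297b00c",
        "sha1": "c7ab030800401d9ac174475d4429a41731930bef",
        "sha256": "5edc477c1b65657cc143ce3abad4d764c45ce4e35de859313208a3eca9202a80",
    },
}
ALGORITHMS = ("md5", "sha1", "sha256")
HEX_LENGTHS = {"md5": 32, "sha1": 40, "sha256": 64}


def verify_ioc_table(table=DROPPED_FILE_IOCS):
    """Return (name, algorithm) pairs whose digest is not lowercase hex of the right length.
    Run this before deploying an indicator list; a truncated digest never matches anything."""
    bad = []
    for name, digests in table.items():
        for alg in ALGORITHMS:
            value = digests.get(alg, "")
            if len(value) != HEX_LENGTHS[alg] or any(c not in "0123456789abcdef" for c in value):
                bad.append((name, alg))
    return bad


def hash_bytes(data):
    """All three digests of an in-memory buffer."""
    return {alg: hashlib.new(alg, data).hexdigest() for alg in ALGORITHMS}


def hash_file(path, chunk=1 << 20):
    """All three digests of a file, read in chunks so large samples do not need to fit in memory."""
    hashers = {alg: hashlib.new(alg) for alg in ALGORITHMS}
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            for h in hashers.values():
                h.update(block)
    return {alg: h.hexdigest() for alg, h in hashers.items()}


def match_ioc(digests, table=DROPPED_FILE_IOCS):
    """Return (name, matched_algorithms) for the entry with the most agreeing
    algorithms, or None. Fewer than all three agreeing is a partial match."""
    best = None
    for name, known in table.items():
        matched = tuple(alg for alg in ALGORITHMS if digests.get(alg, "").lower() == known[alg])
        if matched and (best is None or len(matched) > len(best[1])):
            best = (name, matched)
    return best


def scan_tree(root, table=DROPPED_FILE_IOCS):
    """Walk `root` and return {path: (name, matched_algorithms)} for every hit."""
    hits = {}
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            path = os.path.join(dirpath, fn)
            try:
                result = match_ioc(hash_file(path), table)
            except OSError:  # locked, unreadable or vanished file: skip, do not abort the scan
                continue
            if result:
                hits[path] = result
    return hits


if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else r"C:\Windows"
    for path, (name, algs) in scan_tree(root).items():
        status = "FULL" if len(algs) == len(ALGORITHMS) else "PARTIAL"
        print(f"{status} match for {name} at {path} ({', '.join(algs)})")
```

Matching on all three algorithms at once costs nothing extra over a single pass of the file, and the partial-match path is where indicator hygiene problems show up: an MD5-only hit against a file whose SHA-256 differs is worth a second look rather than an automatic block.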