Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    28-09-2024 08:09

General

  • Target

    fbdd06d58f1bfb4b2f9949e92e2f171c_JaffaCakes118.dll

  • Size

    5.0MB

  • MD5

    fbdd06d58f1bfb4b2f9949e92e2f171c

  • SHA1

    afab7bce6cd2ec2ff55b7da57cae5a6c6386acdd

  • SHA256

    512a9e7fb06d8289859b47c6e4b47e8dcce207e7c88069e4f20fb316efd3ec69

  • SHA512

    5fb0409839c90fc3a25ffa4ed590a1e165b546b37e82029ad0c6512e31a1755fe979a1b0192c4d9823121f96dd770c6d52c77cb320bc44393854ebf26bfb3d0c

  • SSDEEP

    98304:+DqPoBhz1aRxcSUDk36SAEdhvxWa9P593R8yAVp2:+DqPe1Cxcxk3ZAEUadzR8yc4

Signatures

  • Wannacry

    WannaCry is a ransomware cryptoworm.

  • Contacts a large (3347) number of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Executes dropped EXE 3 IoCs
  • Creates a large amount of network flows 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Drops file in Windows directory 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies data under HKEY_USERS 5 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\fbdd06d58f1bfb4b2f9949e92e2f171c_JaffaCakes118.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1696
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\fbdd06d58f1bfb4b2f9949e92e2f171c_JaffaCakes118.dll,#1
      2⤵
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:216
      • C:\WINDOWS\mssecsvc.exe
        C:\WINDOWS\mssecsvc.exe
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        PID:4172
        • C:\WINDOWS\tasksche.exe
          C:\WINDOWS\tasksche.exe /i
          4⤵
          • Executes dropped EXE
          PID:2116
  • C:\WINDOWS\mssecsvc.exe
    C:\WINDOWS\mssecsvc.exe -m security
    1⤵
    • Executes dropped EXE
    • System Location Discovery: System Language Discovery
    • Modifies data under HKEY_USERS
    PID:2368

Downloads

  • C:\Windows\mssecsvc.exe

    Filesize

    3.6MB

    MD5

    5fbaf4daa1037b875630506730cb99ee

    SHA1

    cd1f493fc1e62a16675e63188504efaa01a6e78c

    SHA256

    79dc8ad2e8990190a541901d18b02e3f41197262951c5b725f890c5c8d347895

    SHA512

    2083307f789812f85d36b9a38356e3bd3eb5dacb494165d7c7ff53f6f3658dc5505d4a29892db04d7a8477bd2fb779085ae9ea67c5d24052929a672fd72b4170

  • C:\Windows\tasksche.exe

    Filesize

    3.4MB

    MD5

    51108918049744524b09e6d3ac74a41a

    SHA1

    bedee035d59584cfc541f27b19b49117742df922

    SHA256

    a7eb5417b09874d888643f3b46fc74723b211312a9149192cf120127c8ad5d7d

    SHA512

    d4d1138fd947efb61ee3c564a48ff41f6198322ff8064c75101a0fc89c669e9751c4ec68fed1ec7ab608583018d461ba771c4dda20539b6eb02e1c54bf9a8da4