Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
  • submitted
    29-09-2024 01:12

General

  • Target

    fd8298ebba1dc354cd09685e4545142b_JaffaCakes118.dll

  • Size

    5.0MB

  • MD5

    fd8298ebba1dc354cd09685e4545142b

  • SHA1

    f9eac2afca1cf17a5f6938a4f2d83fc6b30b5d68

  • SHA256

    3f7f0404c5ebf091c0f79f3b4351541115f7634d6f41d16b607f54cac1b69f89

  • SHA512

    d910e8a057f5c11375657b0cd48d3c4a58cfd338f71eacda1f477e0527f3025e622dece71967ff96e1ca93ad9fe4c9908caa36d6d91a5ef6875545ec91782caa

  • SSDEEP

    98304:+DqPoBhT1aRxcSUDk36SAEdhvxWa9P593R8yAVp2H:+DqPu1Cxcxk3ZAEUadzR8yc4H

Malware Config

Signatures

  • Wannacry

    WannaCry is a ransomware cryptoworm. The process tree below shows its characteristic chain: rundll32 loads the DLL's export #1, which drops mssecsvc.exe (the worm and service component) directly in the Windows directory; that process drops tasksche.exe and runs it with /i (the ransomware installer), and a second mssecsvc.exe instance runs with "-m security", the argument WannaCry uses when it relaunches itself as a service.

  • Contacts a large number (3340) of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services. For WannaCry this is the worm component (mssecsvc.exe) sweeping for SMB hosts to infect; the Network section of this page is empty, so the destination ports seen in this run cannot be confirmed from the page alone.

  • Executes dropped EXE 3 IoCs
  • Creates a large amount of network flows 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Drops file in System32 directory 1 IoCs
  • Drops file in Windows directory 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies data under HKEY_USERS 24 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\fd8298ebba1dc354cd09685e4545142b_JaffaCakes118.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2360
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\fd8298ebba1dc354cd09685e4545142b_JaffaCakes118.dll,#1
      2⤵
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1720
      • C:\WINDOWS\mssecsvc.exe
        C:\WINDOWS\mssecsvc.exe
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        PID:1448
        • C:\WINDOWS\tasksche.exe
          C:\WINDOWS\tasksche.exe /i
          4⤵
          • Executes dropped EXE
          PID:2248
  • C:\WINDOWS\mssecsvc.exe
    C:\WINDOWS\mssecsvc.exe -m security
    1⤵
    • Executes dropped EXE
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Modifies data under HKEY_USERS
    PID:2404
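Detection logic for the chain above, added here as an example and not part of the sandbox report. It replays the report's process-creation events, constructed from the tree shown (the field names pid/ppid/image/cmdline follow a generic EDR/Sysmon schema, and the parent PIDs of the two root processes are placeholders because the page does not show them), and flags each link of the chain on its own, so a run that dies before tasksche.exe still produces a hit.

```python
import ntpath
import re

# Events constructed from the report's process tree. Field names are an assumed
# generic process-creation schema; parent PIDs 1000 and 500 are placeholders.
EVENTS = [
    {"pid": 2360, "ppid": 1000, "image": r"C:\Windows\system32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\fd8298ebba1dc354cd09685e4545142b_JaffaCakes118.dll,#1"},
    {"pid": 1720, "ppid": 2360, "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\fd8298ebba1dc354cd09685e4545142b_JaffaCakes118.dll,#1"},
    {"pid": 1448, "ppid": 1720, "image": r"C:\WINDOWS\mssecsvc.exe",
     "cmdline": r"C:\WINDOWS\mssecsvc.exe"},
    {"pid": 2248, "ppid": 1448, "image": r"C:\WINDOWS\tasksche.exe",
     "cmdline": r"C:\WINDOWS\tasksche.exe /i"},
    {"pid": 2404, "ppid": 500, "image": r"C:\WINDOWS\mssecsvc.exe",
     "cmdline": r"C:\WINDOWS\mssecsvc.exe -m security"},
]

ORDINAL_DLL = re.compile(r"rundll32\.exe\s+(?P<dll>\S+\.dll),#\d+", re.IGNORECASE)
USER_TEMP = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
DROPPED = {"mssecsvc.exe", "tasksche.exe"}
WINDOWS_ROOT = r"c:\windows"  # assumes the system drive is C:


def by_pid(events):
    return {e["pid"]: e for e in events}


def basename(image):
    return ntpath.basename(image).lower()


def in_windows_root(image):
    """True only for %WINDIR%\\x.exe, not for System32 or SysWOW64 subfolders."""
    head, _ = ntpath.split(image)
    return head.lower() == WINDOWS_ROOT


def ancestry(pid, events):
    """Image basenames from the outermost known ancestor down to pid."""
    table = by_pid(events)
    chain, seen = [], set()
    while pid in table and pid not in seen:
        seen.add(pid)
        chain.append(basename(table[pid]["image"]))
        pid = table[pid]["ppid"]
    return chain[::-1]


def detect(events):
    """Return (rule, pid) pairs; every link of the chain is checked independently."""
    table = by_pid(events)
    findings = []
    for e in events:
        name = basename(e["image"])
        cmd = e["cmdline"]
        parent = table.get(e["ppid"])
        parent_name = basename(parent["image"]) if parent else ""
        m = ORDINAL_DLL.search(cmd)
        # rundll32 calling a DLL export by ordinal from the user's Temp folder
        if name == "rundll32.exe" and m and USER_TEMP.search(m.group("dll")):
            findings.append(("rundll32_ordinal_dll_from_temp", e["pid"]))
        # the two dropped binaries living directly in the Windows directory
        if name in DROPPED and in_windows_root(e["image"]):
            findings.append(("dropped_exe_in_windows_root", e["pid"]))
        # service-mode relaunch of the worm component
        if name == "mssecsvc.exe" and "-m security" in cmd.lower():
            findings.append(("mssecsvc_service_mode", e["pid"]))
        # installer started by the worm with /i
        if name == "tasksche.exe" and parent_name == "mssecsvc.exe" and cmd.lower().rstrip().endswith(" /i"):
            findings.append(("tasksche_install_from_mssecsvc", e["pid"]))
    return findings


if __name__ == "__main__":
    for rule, pid in detect(EVENTS):
        print(f"{rule:34} pid={pid} chain={' > '.join(ancestry(pid, EVENTS))}")
```

The rundll32 rule keys on the ordinal call plus the Temp path rather than the DLL name, since the hash-named file is specific to this submission; the Windows-root rule deliberately excludes System32 and SysWOW64 so legitimate binaries there do not match.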

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\mssecsvc.exe

    Filesize

    3.6MB

    MD5

    5b7ab954103cef132b1d333729ae622a

    SHA1

    a1db6c2ddcbbcd2c7a3f7bf50f3b012c6b974557

    SHA256

    48c216ef9688aaf9dc2680cb3e9eb10ae13d4ad3e663a50007cc47b226c73f9a

    SHA512

    c80bf957acbeb8a0685a1550ffaf2a3dca8d79e5a223ed92052d58f770574dd1131375eea6cfa803d38a66e897f4174a8a397317e299e13bdf8898df99ba495b

  • C:\Windows\tasksche.exe

    Filesize

    3.4MB

    MD5

    43bd6f578da5e40d92f9cb4ff6adde2b

    SHA1

    73a62b848a276eff63cafcf3261a1f0ecb83d6b2

    SHA256

    73b1b10cc67e25e21bcfb955a6a5c286e98ca1fc0c634c33874e63cd39ee9227

    SHA512

    61fb6807f5c31f51709d49a3ddd873e34d9c8bfdf49a9ba04dedfa2070ee7fb08aab42ab343d550b13b42cdcd1333d76f8d30a5ed0725b58153f45d7aceb5020
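A sweep for the two dropped files by hash, added here as an example rather than taken from the report: the IOC table holds the MD5/SHA1/SHA256 values listed above, all digests are computed in one pass so large files are read once, and a file whose name matches but whose hashes do not is reported separately, since other WannaCry builds carry the same filenames with different hashes. The demo input is a constructed byte string, not the sample.

```python
import hashlib
import io
import ntpath

# Hashes copied from the report's Downloads section for the two dropped files.
IOCS = {
    "mssecsvc.exe": {
        "md5": "5b7ab954103cef132b1d333729ae622a",
        "sha1": "a1db6c2ddcbbcd2c7a3f7bf50f3b012c6b974557",
        "sha256": "48c216ef9688aaf9dc2680cb3e9eb10ae13d4ad3e663a50007cc47b226c73f9a",
    },
    "tasksche.exe": {
        "md5": "43bd6f578da5e40d92f9cb4ff6adde2b",
        "sha1": "73a62b848a276eff63cafcf3261a1f0ecb83d6b2",
        "sha256": "73b1b10cc67e25e21bcfb955a6a5c286e98ca1fc0c634c33874e63cd39ee9227",
    },
}
ALGORITHMS = ("md5", "sha1", "sha256")


def digests(stream, chunk_size=1 << 20):
    """Compute every IOC algorithm in a single pass over a binary stream."""
    hashers = {alg: hashlib.new(alg) for alg in ALGORITHMS}
    for block in iter(lambda: stream.read(chunk_size), b""):
        for h in hashers.values():
            h.update(block)
    return {alg: h.hexdigest() for alg, h in hashers.items()}


def hash_hits(digest_map, iocs=IOCS):
    """Names of IOC entries where any listed algorithm equals the computed digest."""
    return [name for name, known in iocs.items()
            if any(digest_map.get(alg) == value.lower() for alg, value in known.items())]


def scan(stream, path, iocs=IOCS):
    """Classify one file: exact hash match, or dropped-file name only (likely another build)."""
    d = digests(stream)
    hits = hash_hits(d, iocs)
    name_only = not hits and ntpath.basename(path).lower() in iocs
    return {"path": path, "digests": d, "hash_hits": hits, "name_only": name_only}


def scan_bytes(data, path, iocs=IOCS):
    return scan(io.BytesIO(data), path, iocs)


def scan_path(path, iocs=IOCS):
    with open(path, "rb") as f:
        return scan(f, path, iocs)


if __name__ == "__main__":
    # Constructed input: not the sample, so only the filename matches.
    print(scan_bytes(b"MZ constructed placeholder", r"C:\Windows\tasksche.exe"))
```

A match on any one algorithm is enough because every value in the table comes from the same report; if only MD5 were available it would still identify this exact build, though SHA-256 is the value to carry forward into blocklists.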