Analysis
- max time kernel: 150s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 14-09-2024 01:03
Static task: static1
Behavioral task: behavioral1
- Sample: df36dea50835289e2bfaa623724a5c23_JaffaCakes118.dll
- Resource: win7-20240903-en
Behavioral task: behavioral2
- Sample: df36dea50835289e2bfaa623724a5c23_JaffaCakes118.dll
- Resource: win10v2004-20240802-en
General
- Target: df36dea50835289e2bfaa623724a5c23_JaffaCakes118.dll
- Size: 5.0MB
- MD5: df36dea50835289e2bfaa623724a5c23
- SHA1: d78fab0eeeca60fe2a4269ddc1e81b4b35472d01
- SHA256: f1e276efe42dcb89b2c061bb14c68c9db8d15bc1647f849475e1796992eacbf5
- SHA512: 7281cd01b9a3efa41fd107abb55dbd3b0bdff92b7d42e51addd14998752a958dac3621f050a173adb5e753f53992861a3170577faddaf4fba8675bbb2a3d7ade
- SSDEEP: 98304:TDqPoBhz1aRxcSUDk36SAEdhvnUxuxZwLFGjaOgdN:TDqPe1Cxcxk3ZAETKOS02Oy
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.
- Contacts a large (3276) number of remote hosts (1 TTP)
  This may indicate a network scan to discover remotely running services.
- Executes dropped EXE (3 IoCs)
  pid   Process
  2576  mssecsvc.exe
  3708  mssecsvc.exe
  1096  tasksche.exe
- Creates a large number of network flows (1 TTP)
  This may indicate a network scan to discover remotely running services.
- Drops file in Windows directory (2 IoCs)
  description   ioc                       Process
  File created  C:\WINDOWS\mssecsvc.exe   rundll32.exe
  File created  C:\WINDOWS\tasksche.exe   mssecsvc.exe
- System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                          Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  rundll32.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  mssecsvc.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  mssecsvc.exe
- Modifies data under HKEY_USERS (5 IoCs)
  description      ioc                                                                                                     Process
  Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\             mssecsvc.exe
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"    mssecsvc.exe
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"   mssecsvc.exe
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"  mssecsvc.exe
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"     mssecsvc.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  description                       pid   Process       procid_target
  PID 2916 wrote to memory of 4840  2916  rundll32.exe  83
  PID 2916 wrote to memory of 4840  2916  rundll32.exe  83
  PID 2916 wrote to memory of 4840  2916  rundll32.exe  83
  PID 4840 wrote to memory of 2576  4840  rundll32.exe  84
  PID 4840 wrote to memory of 2576  4840  rundll32.exe  84
  PID 4840 wrote to memory of 2576  4840  rundll32.exe  84
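The host-side signatures above ("Executes dropped EXE", "Drops file in Windows directory", "Modifies data under HKEY_USERS") are each a simple join over the trace: a file-create event followed by a process-create with the same image, and a registry write under the ZoneMap key with the values that widen the Intranet zone. The following is an added example, not code from the sandbox or the report: it rebuilds the report's own file, process and registry IoCs as a constructed event list in a Sysmon-like shape and runs that logic over it. The field names, the helper names and the parent pid 0 for the two processes whose parent the page does not record are this example's assumptions. It reports the four ZoneMap value writes; the page's fifth IoC is the key creation, which it does not match.

```python
"""Host-side detection for the report's "Executes dropped EXE", "Drops file in
Windows directory" and "Modifies data under HKEY_USERS" signatures.

Added example, not part of the sandbox report. EVENTS is constructed from the
report's own IoCs in a Sysmon-like shape; field names, helper names and the
parent pids marked 0 (not recorded on the page) are this example's assumptions.
"""
import re

SAMPLE_DLL = r"C:\Users\Admin\AppData\Local\Temp\df36dea50835289e2bfaa623724a5c23_JaffaCakes118.dll"
WINDOWS_DIR = re.compile(r"^c:\\windows\\", re.IGNORECASE)
ZONEMAP_VALUE = re.compile(r"\\Internet Settings\\ZoneMap\\(\w+)$", re.IGNORECASE)
ZONEMAP_PATH = r"\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap"
# Data that widens the Intranet zone and disables proxy auto-detection: the
# exact values mssecsvc.exe writes under HKU\.DEFAULT in the report.
ZONEMAP_SUSPECT = {"proxybypass": "1", "intranetname": "1",
                   "uncasintranet": "1", "autodetect": "0"}


def proc(pid, ppid, image, cmdline):
    return {"type": "ProcessCreate", "pid": pid, "ppid": ppid, "image": image, "cmdline": cmdline}


def drop(pid, image, target):
    return {"type": "FileCreate", "pid": pid, "image": image, "target": target}


def regset(pid, image, name, data):
    return {"type": "RegistrySetValue", "pid": pid, "image": image,
            "target": ZONEMAP_PATH + "\\" + name, "data": data}


# Constructed trace mirroring the report's process tree and IoCs.
EVENTS = [
    proc(2916, 0, r"C:\Windows\system32\rundll32.exe", f"rundll32.exe {SAMPLE_DLL},#1"),
    proc(4840, 2916, r"C:\Windows\SysWOW64\rundll32.exe", f"rundll32.exe {SAMPLE_DLL},#1"),
    drop(4840, r"C:\Windows\SysWOW64\rundll32.exe", r"C:\WINDOWS\mssecsvc.exe"),
    proc(2576, 4840, r"C:\WINDOWS\mssecsvc.exe", r"C:\WINDOWS\mssecsvc.exe"),
    drop(2576, r"C:\WINDOWS\mssecsvc.exe", r"C:\WINDOWS\tasksche.exe"),
    proc(1096, 2576, r"C:\WINDOWS\tasksche.exe", r"C:\WINDOWS\tasksche.exe /i"),
    proc(3708, 0, r"C:\WINDOWS\mssecsvc.exe", r"C:\WINDOWS\mssecsvc.exe -m security"),
    regset(3708, r"C:\WINDOWS\mssecsvc.exe", "ProxyBypass", "1"),
    regset(3708, r"C:\WINDOWS\mssecsvc.exe", "IntranetName", "1"),
    regset(3708, r"C:\WINDOWS\mssecsvc.exe", "UNCAsIntranet", "1"),
    regset(3708, r"C:\WINDOWS\mssecsvc.exe", "AutoDetect", "0"),
    # Constructed benign noise: a dropped file that is never executed, and a
    # process whose image nothing in the trace wrote.
    drop(1200, r"C:\Windows\System32\svchost.exe", r"C:\Windows\Temp\setup.log"),
    proc(1300, 700, r"C:\Windows\System32\notepad.exe", "notepad.exe"),
]


def dropped_exe_executions(events):
    """Executes dropped EXE: a ProcessCreate whose image an earlier FileCreate
    in the same trace wrote. One record per execution, so a dropped binary
    that runs twice (mssecsvc.exe above) is reported twice, as on the page."""
    dropped, hits = {}, []
    for ev in events:
        if ev["type"] == "FileCreate":
            dropped[ev["target"].lower()] = ev["image"]
        elif ev["type"] == "ProcessCreate" and ev["image"].lower() in dropped:
            hits.append({"pid": ev["pid"], "image": ev["image"],
                         "dropped_by": dropped[ev["image"].lower()],
                         "in_windows_dir": bool(WINDOWS_DIR.match(ev["image"]))})
    return hits


def zonemap_tampering(events):
    """Modifies data under HKEY_USERS: ZoneMap values set to data that widens
    the Intranet zone. Returns (image, value name, data) triples."""
    hits = []
    for ev in events:
        if ev["type"] != "RegistrySetValue":
            continue
        m = ZONEMAP_VALUE.search(ev["target"])
        if m and ZONEMAP_SUSPECT.get(m.group(1).lower()) == ev["data"]:
            hits.append((ev["image"], m.group(1), ev["data"]))
    return hits


def ancestry(events, pid):
    """Walk ProcessCreate parent links upward from pid, so an analyst can ask
    whether a dropped EXE descends from rundll32 loading a DLL out of %TEMP%."""
    procs = {ev["pid"]: ev for ev in events if ev["type"] == "ProcessCreate"}
    chain = []
    while pid in procs:
        chain.append(procs[pid]["image"])
        pid = procs[pid]["ppid"]
    return chain


if __name__ == "__main__":
    for h in dropped_exe_executions(EVENTS):
        print(f"dropped EXE executed: pid {h['pid']} {h['image']} (written by {h['dropped_by']})")
    for image, name, data in zonemap_tampering(EVENTS):
        print(f"ZoneMap tampering: {image} set {name} = {data}")
    print("ancestry of tasksche.exe:", " <- ".join(ancestry(EVENTS, 1096)))
```

The join keys on the lowercased image path because the report itself mixes `C:\WINDOWS` and `C:\Windows`; a case-sensitive match would miss the second `mssecsvc.exe` start. On a real endpoint the same logic runs over Sysmon event IDs 11 (FileCreate), 1 (ProcessCreate) and 13 (RegistryEvent SetValue), with the field names mapped accordingly.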
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\df36dea50835289e2bfaa623724a5c23_JaffaCakes118.dll,#1
  PID: 2916
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\df36dea50835289e2bfaa623724a5c23_JaffaCakes118.dll,#1
    PID: 4840
    Signatures: Drops file in Windows directory; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
    - C:\WINDOWS\mssecsvc.exe
      Command line: C:\WINDOWS\mssecsvc.exe
      PID: 2576
      Signatures: Executes dropped EXE; Drops file in Windows directory; System Location Discovery: System Language Discovery
      - C:\WINDOWS\tasksche.exe
        Command line: C:\WINDOWS\tasksche.exe /i
        PID: 1096
        Signatures: Executes dropped EXE
- C:\WINDOWS\mssecsvc.exe
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  PID: 3708
  Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Modifies data under HKEY_USERS
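The two network signatures above ("Contacts a large (3276) number of remote hosts" and "Creates a large number of network flows") are fan-out checks: one source reaching an unusual number of distinct destinations in a short window, which is how a worm's propagation scan looks from a flow collector. The following is an added example, not code from the sandbox or the report. Its flow records are constructed: one host reproduces the report's 3276 distinct destinations, a second host generates ordinary repeat traffic to five servers. The destination port 445, the threshold and the window length are this example's assumptions; the report gives only the host count.

```python
"""Fan-out detection for the report's "Contacts a large amount of remote
hosts" and "Creates a large amount of network flows" signatures.

Added example, not part of the sandbox report. FLOWS is constructed: the
scanning host reproduces the report's 3276 distinct destinations; port 445,
the threshold and the window are assumptions, not values from the page.
"""
from collections import defaultdict, deque
import ipaddress


def _build_flows():
    """Constructed flow records as (unix_time, src_ip, dst_ip, dst_port)."""
    flows = []
    base = ipaddress.ip_address("10.1.0.1")
    for i in range(3276):                       # one flow per distinct target, 10 ms apart
        flows.append((1000.0 + i * 0.01, "10.0.0.5", str(base + i), 445))
    for i in range(300):                        # benign: 300 flows to only 5 servers
        flows.append((1000.0 + i * 0.1, "10.0.0.9", f"10.9.0.{i % 5 + 1}", 443))
    return sorted(flows)


FLOWS = _build_flows()


def fanout_alerts(flows, threshold=100, window=60.0):
    """Alert once per source when it reaches `threshold` distinct destination
    IPs inside any `window`-second sliding window. Counting distinct hosts
    rather than raw flows is what separates a scan from a chatty client."""
    per_src = defaultdict(list)
    for ts, src, dst, _port in sorted(flows):
        per_src[src].append((ts, dst))
    alerts = []
    for src, recs in per_src.items():
        in_window = deque()               # (ts, dst) pairs still inside the window
        seen = defaultdict(int)           # dst -> number of flows inside the window
        for ts, dst in recs:
            in_window.append((ts, dst))
            seen[dst] += 1
            while in_window and ts - in_window[0][0] > window:
                old_ts, old_dst = in_window.popleft()
                seen[old_dst] -= 1
                if seen[old_dst] == 0:
                    del seen[old_dst]
            if len(seen) >= threshold:
                alerts.append({"src": src, "first_seen": recs[0][0],
                               "trigger_time": ts, "distinct_hosts": len(seen)})
                break                     # one alert per source is enough
    return alerts


def distinct_destinations(flows, src):
    """Total distinct destinations for one source over the whole capture."""
    return len({dst for _ts, s, dst, _p in flows if s == src})


if __name__ == "__main__":
    for a in fanout_alerts(FLOWS):
        print(f"{a['src']} reached {a['distinct_hosts']} distinct hosts by t={a['trigger_time']:.2f} "
              f"(total {distinct_destinations(FLOWS, a['src'])} in capture)")
```

The alert fires after the hundredth distinct destination rather than after the full sweep, which is the point of the sliding window: on a live collector the detection should trip while the scan is still running, not after 3276 hosts have already been probed.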
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 3.6MB
  MD5: d97fa7effec66c70c1a804e56ee2d6f9
  SHA1: 66b2e23045a3528ef5a97112da44233462bbbf2b
  SHA256: e69f1c60f66b43b8536f267af27456b9022ebfda4e5a694b42d0d07fe9c67ee1
  SHA512: 76965a2a0ba4974988efdc1344d6639ec71be178f59f79b9bf9fbcf5cee2810d0016207e11c4679c4c3ee18e14afc75397c2ec4033ea72973bbe014a90b79f16
- Filesize: 3.4MB
  MD5: a545c54887b60c7ae0468d102ff79221
  SHA1: 1db8fac4a5931060c88c077f575fbbe0e421c90a
  SHA256: 3e190b7c5993fa42c58ca7233b5f46be6fd1621a2ab1256c93ec0398bf322424
  SHA512: 877e2787fb798786c94d2fe7ef7860c88c4e1980f00a91d788e5c70643181a7a8deeecb529f81419971ae02957b2ad1699a808c5214d3acf75d47acc356fc3df