Analysis
- max time kernel: 150s
- max time network: 153s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 15-09-2024 06:17
Static task: static1

Behavioral task: behavioral1
- Sample: e1deb818ce0ec6b71634d1c46d41d7b4_JaffaCakes118.dll
- Resource: win7-20240729-en

Behavioral task: behavioral2
- Sample: e1deb818ce0ec6b71634d1c46d41d7b4_JaffaCakes118.dll
- Resource: win10v2004-20240802-en
General
- Target: e1deb818ce0ec6b71634d1c46d41d7b4_JaffaCakes118.dll
- Size: 5.0MB
- MD5: e1deb818ce0ec6b71634d1c46d41d7b4
- SHA1: 064c8156b32115de90de97015d5ac61c3ac65045
- SHA256: c57649669ee9311d3e52ee536a38bb9731279f9e657718cd22110be01267a432
- SHA512: 75b0b55e62ba42e03eb5a200febcef0fc218dd84887526e62bbde0d15ad1422d37036214a9f23978112e57fc779c209ecaff3a87a29abe56afa1dbf16c91df78
- SSDEEP: 49152:SnAQqMSPbcBVQej/1INRx+TSqTdX1HkQo6SAARdhnvxJM0H9PAMEc:+DqPoBhz1aRxcSUDk36SAEdhvxWa9P5
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.
- Contacts a large (3307) amount of remote hosts (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Executes dropped EXE (3 IoCs)
  pid   Process
  684   mssecsvc.exe
  4316  mssecsvc.exe
  908   tasksche.exe
- Creates a large amount of network flows (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Drops file in Windows directory (2 IoCs)
  description   ioc                       Process
  File created  C:\WINDOWS\tasksche.exe   mssecsvc.exe
  File created  C:\WINDOWS\mssecsvc.exe   rundll32.exe
- System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                          Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  rundll32.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  mssecsvc.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  mssecsvc.exe
- Modifies data under HKEY_USERS (5 IoCs)
  description      ioc                                                                                                      Process
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"   mssecsvc.exe
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"  mssecsvc.exe
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"     mssecsvc.exe
  Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\                     mssecsvc.exe
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"    mssecsvc.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  description                       pid   Process       procid_target
  PID 2464 wrote to memory of 3840  2464  rundll32.exe  84
  PID 2464 wrote to memory of 3840  2464  rundll32.exe  84
  PID 2464 wrote to memory of 3840  2464  rundll32.exe  84
  PID 3840 wrote to memory of 684   3840  rundll32.exe  85
  PID 3840 wrote to memory of 684   3840  rundll32.exe  85
  PID 3840 wrote to memory of 684   3840  rundll32.exe  85
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\e1deb818ce0ec6b71634d1c46d41d7b4_JaffaCakes118.dll,#1
  PID: 2464
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\e1deb818ce0ec6b71634d1c46d41d7b4_JaffaCakes118.dll,#1
    PID: 3840
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    - C:\WINDOWS\mssecsvc.exe
      Command line: C:\WINDOWS\mssecsvc.exe
      PID: 684
      - Executes dropped EXE
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - C:\WINDOWS\tasksche.exe
        Command line: C:\WINDOWS\tasksche.exe /i
        PID: 908
        - Executes dropped EXE
- C:\WINDOWS\mssecsvc.exe
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  PID: 4316
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 3.6MB
  MD5: c6c5d82b78b441d3ea620ad93f82387b
  SHA1: 01d183659885faa8fe1adbcec810b80b679e5800
  SHA256: c3bbf2ebdffac24fda24289d47ba01b50d85f5fdd0e7d7d9d389427256fda14f
  SHA512: fd0115f47aa373c74c1f727fbaac3c2fa2ae877ae69d587668297e174a1f47e5a20f5b0f5ddd4e6c7e6fd5a74a3793ae1287de4695a0f860841bfbe76236007f
- Filesize: 3.4MB
  MD5: df3b3b0fec9986f94729d695c0def7d8
  SHA1: e8f57b3ed28c6079988319d037ee26c6f435251d
  SHA256: d67beea4e4b3fdac097709114a9b4a6a1218d0d5f65cc10b45ca0a24dd41f38b
  SHA512: d0fe55b1df92105a2f1df446bf3d87d82c93d145631b5480c76b6d1a900f7aaa63d17bcff6c9fc0f77282172dc531834870f08f850010f3757b1fc4f265b87b9