Analysis
- max time kernel: 150s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 15-09-2024 07:20
Static task: static1
Behavioral task: behavioral1
- Sample: e1f7deeef4b6178d3c34fb841b604a2b_JaffaCakes118.dll
- Resource: win7-20240903-en
Behavioral task: behavioral2
- Sample: e1f7deeef4b6178d3c34fb841b604a2b_JaffaCakes118.dll
- Resource: win10v2004-20240802-en
General
- Target: e1f7deeef4b6178d3c34fb841b604a2b_JaffaCakes118.dll
- Size: 5.0MB
- MD5: e1f7deeef4b6178d3c34fb841b604a2b
- SHA1: f911e4bacce9e350ac9b54262120e220371e2d4e
- SHA256: b3042f515063612a4511006e385d3815ca67fd549f82344f64aae99d2859d4d0
- SHA512: 216ac5306715c433d296c2f7c0e617160f134680772a0fb5d9a73533856ed58b67aaacb3da5fefc8c35a5946712906f5a4792cc0a63fb98e8c5d130608aa4cb0
- SSDEEP: 98304:TDqPoBhz1aRxcSUDk36SAEdhvxWa9P5SAVp2H:TDqPe1Cxcxk3ZAEUad0c4H
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.
- Contacts a large (3350) amount of remote hosts (1 TTP)
  This may indicate a network scan to discover remotely running services.
- Executes dropped EXE (3 IoCs)
  pid   Process
  2300  mssecsvc.exe
  1684  mssecsvc.exe
  3996  tasksche.exe
- Creates a large amount of network flows (1 TTP)
  This may indicate a network scan to discover remotely running services.
- Drops file in Windows directory (2 IoCs)
  description   ioc                      Process
  File created  C:\WINDOWS\tasksche.exe  mssecsvc.exe
  File created  C:\WINDOWS\mssecsvc.exe  rundll32.exe
- System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                          Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  rundll32.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  mssecsvc.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  mssecsvc.exe
- Modifies data under HKEY_USERS (5 IoCs)
  description      ioc                                                                                                  Process
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"    mssecsvc.exe
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"   mssecsvc.exe
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"  mssecsvc.exe
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"     mssecsvc.exe
  Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\                     mssecsvc.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  description                       pid   Process       procid_target
  PID 1056 wrote to memory of 2596  1056  rundll32.exe  86
  PID 1056 wrote to memory of 2596  1056  rundll32.exe  86
  PID 1056 wrote to memory of 2596  1056  rundll32.exe  86
  PID 2596 wrote to memory of 2300  2596  rundll32.exe  87
  PID 2596 wrote to memory of 2300  2596  rundll32.exe  87
  PID 2596 wrote to memory of 2300  2596  rundll32.exe  87
Processes
- C:\Windows\system32\rundll32.exe (PID 1056)
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\e1f7deeef4b6178d3c34fb841b604a2b_JaffaCakes118.dll,#1
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (PID 2596)
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\e1f7deeef4b6178d3c34fb841b604a2b_JaffaCakes118.dll,#1
    Signatures: Drops file in Windows directory; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
    - C:\WINDOWS\mssecsvc.exe (PID 2300)
      Command line: C:\WINDOWS\mssecsvc.exe
      Signatures: Executes dropped EXE; Drops file in Windows directory; System Location Discovery: System Language Discovery
      - C:\WINDOWS\tasksche.exe (PID 3996)
        Command line: C:\WINDOWS\tasksche.exe /i
        Signatures: Executes dropped EXE
- C:\WINDOWS\mssecsvc.exe (PID 1684)
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Modifies data under HKEY_USERS
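The detection logic below is an added example and is not part of the sandbox report. It encodes the behaviour chain the Signatures and Processes sections show: the 64-bit rundll32.exe re-launching the 32-bit one from SysWOW64 (consistent with the arch:x86 tag), which drops and starts C:\WINDOWS\mssecsvc.exe, which in turn drops and starts C:\WINDOWS\tasksche.exe /i, plus the ZoneMap values written under HKU\.DEFAULT and the three SHA256 values the report lists (the submitted DLL and the two captured files under Downloads). The event schema, the SAMPLE_EVENTS list and the placeholder parent PID 0 for the "-m security" instance are constructed for this example; the PIDs, paths and hashes are the report's.

```python
import ntpath

# SHA256 values the report lists: the submitted DLL (General section) and the
# two files captured under Downloads. The page does not say which captured
# file is mssecsvc.exe and which is tasksche.exe, so they stay an unnamed set.
REPORTED_SHA256 = {
    "b3042f515063612a4511006e385d3815ca67fd549f82344f64aae99d2859d4d0",
    "844516d09db5757468505cce881fb9e86ff7e1c7d482d73c1eb9bb4b464b0a33",
    "9ab74eaa64bdd2e982671ea666e805bff98eae3d8fdc3cd9b9c90e6cbc51ae6a",
}

# Files the report shows being created in the Windows directory (lower-cased
# for comparison; NTFS paths are case-insensitive).
DROPPED_PATHS = {r"c:\windows\mssecsvc.exe", r"c:\windows\tasksche.exe"}

# Values mssecsvc.exe sets under HKU\.DEFAULT\...\Internet Settings\ZoneMap.
ZONEMAP_KEY_SUFFIX = (r"\.default\software\microsoft\windows\currentversion"
                      r"\internet settings\zonemap")
ZONEMAP_VALUES = {"proxybypass": "1", "intranetname": "1",
                  "uncasintranet": "1", "autodetect": "0"}


def find_wannacry_chain(events):
    """Scan Sysmon-style events (constructed schema, see SAMPLE_EVENTS) and
    return findings keyed by detection name. Events must be in time order so
    that a child's parent process has already been seen."""
    findings = {"hash_match": [], "dropped_exe": [], "chain": [], "zonemap": []}
    procs = {}  # pid -> its process-creation event
    for ev in events:
        kind = ev["type"]
        if kind == "process":
            procs[ev["pid"]] = ev
            image = ev["image"].lower()
            parent = procs.get(ev["ppid"])
            if image in DROPPED_PATHS and parent is not None:
                pimg = ntpath.basename(parent["image"].lower())
                child = ntpath.basename(image)
                # The two parent/child edges the Processes tree shows:
                # rundll32.exe -> mssecsvc.exe, mssecsvc.exe -> tasksche.exe /i
                if (pimg == "rundll32.exe" and child == "mssecsvc.exe") or (
                    pimg == "mssecsvc.exe" and child == "tasksche.exe"
                    and ev["cmdline"].lower().rstrip().endswith(" /i")
                ):
                    findings["chain"].append((ev["ppid"], ev["pid"]))
        elif kind == "imageload":
            # Sysmon image-load events carry hashes of the loaded module; this
            # is where the DLL's reported SHA256 can be matched.
            if ev["sha256"].lower() in REPORTED_SHA256:
                findings["hash_match"].append((ev["pid"], ev["loaded"]))
        elif kind == "file":
            if ev["path"].lower() in DROPPED_PATHS:
                findings["dropped_exe"].append((ev["pid"], ev["path"]))
        elif kind == "registry":
            # Accepts both the native \REGISTRY\USER\.DEFAULT\... form the
            # report prints and the HKU\.DEFAULT\... form Sysmon logs.
            key, _, name = ev["target"].lower().rpartition("\\")
            if (key.endswith(ZONEMAP_KEY_SUFFIX) and name in ZONEMAP_VALUES
                    and ZONEMAP_VALUES[name] == ev["data"]):
                findings["zonemap"].append(name)
    return findings


def is_wannacry_hit(findings):
    """A reported hash, or both edges of the dropper chain, is a confirmed hit;
    dropped files and ZoneMap writes alone are left as supporting evidence."""
    return bool(findings["hash_match"]) or len(findings["chain"]) >= 2


DLL = (r"C:\Users\Admin\AppData\Local\Temp"
       r"\e1f7deeef4b6178d3c34fb841b604a2b_JaffaCakes118.dll")
MSSECSVC = r"C:\WINDOWS\mssecsvc.exe"
TASKSCHE = r"C:\WINDOWS\tasksche.exe"
ZONEMAP = (r"\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion"
           r"\Internet Settings\ZoneMap")

# Constructed events mirroring the report's Processes and Signatures sections.
# PIDs and paths are the report's; the parent of the "-m security" instance is
# not shown on the page, so ppid 0 is a placeholder.
SAMPLE_EVENTS = [
    {"type": "process", "pid": 1056, "ppid": 0,
     "image": r"C:\Windows\system32\rundll32.exe", "cmdline": f"rundll32.exe {DLL},#1"},
    {"type": "process", "pid": 2596, "ppid": 1056,
     "image": r"C:\Windows\SysWOW64\rundll32.exe", "cmdline": f"rundll32.exe {DLL},#1"},
    {"type": "imageload", "pid": 2596, "loaded": DLL,
     "sha256": "b3042f515063612a4511006e385d3815ca67fd549f82344f64aae99d2859d4d0"},
    {"type": "file", "pid": 2596, "path": MSSECSVC},
    {"type": "process", "pid": 2300, "ppid": 2596, "image": MSSECSVC, "cmdline": MSSECSVC},
    {"type": "file", "pid": 2300, "path": TASKSCHE},
    {"type": "process", "pid": 3996, "ppid": 2300, "image": TASKSCHE,
     "cmdline": f"{TASKSCHE} /i"},
    {"type": "process", "pid": 1684, "ppid": 0, "image": MSSECSVC,
     "cmdline": f"{MSSECSVC} -m security"},
    {"type": "registry", "pid": 1684, "target": ZONEMAP + "\\", "data": None},
    {"type": "registry", "pid": 1684, "target": ZONEMAP + r"\ProxyBypass", "data": "1"},
    {"type": "registry", "pid": 1684, "target": ZONEMAP + r"\IntranetName", "data": "1"},
    {"type": "registry", "pid": 1684, "target": ZONEMAP + r"\UNCAsIntranet", "data": "1"},
    {"type": "registry", "pid": 1684, "target": ZONEMAP + r"\AutoDetect", "data": "0"},
]

if __name__ == "__main__":
    result = find_wannacry_chain(SAMPLE_EVENTS)
    for name, hits in result.items():
        print(f"{name}: {hits}")
    print("WannaCry hit:", is_wannacry_hit(result))
```

The event kinds map loosely onto Sysmon process creation, image load, file creation and registry value-set events. The ZoneMap check is deliberately anchored on the .DEFAULT hive, as in the report's IoCs: the same four values written under an interactive user's SID are an ordinary Internet Settings change and are not flagged.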
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 3.6MB
  MD5: e288dffc8045e3f9a6813f2b694465af
  SHA1: 01df650effcaa05d02c5d1c4f507f8d696c51644
  SHA256: 844516d09db5757468505cce881fb9e86ff7e1c7d482d73c1eb9bb4b464b0a33
  SHA512: 02d6f2e1fd24431f58ac76783b958b4c2b7aa20f85b4ec25a0c84f403e821ae41294bad5c78dc116c927496f87004495de34e26a278c811180ad4ba9049ad9f9
- Filesize: 3.4MB
  MD5: 9030734896766d8809ecb2c65bc8305b
  SHA1: 4de9913027b9407e6b0392c2e60283beaa6bab9f
  SHA256: 9ab74eaa64bdd2e982671ea666e805bff98eae3d8fdc3cd9b9c90e6cbc51ae6a
  SHA512: 681a0b83b0e081ee1789c777185b08ca48fd1eec7f28c8853735e31aceacfc00ee93b222565472742284e0adfa0233b111603b4c9ca5ce51f20fa7538b0b32af