Analysis
- max time kernel: 150s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 15-09-2024 11:07
Static task
- static1
Behavioral task
- behavioral1
  Sample: e257c4df597850a5f8ae0d6958058073_JaffaCakes118.dll
  Resource: win7-20240903-en
Behavioral task
- behavioral2
  Sample: e257c4df597850a5f8ae0d6958058073_JaffaCakes118.dll
  Resource: win10v2004-20240802-en
General
- Target: e257c4df597850a5f8ae0d6958058073_JaffaCakes118.dll
- Size: 5.0MB
- MD5: e257c4df597850a5f8ae0d6958058073
- SHA1: b882682ae8172635ec290a0b52b6a00e7dab3fdf
- SHA256: 31dc3260893218b8f2c0b0dc8005dc19d0ea2445828146398502a7a3ecd13335
- SHA512: 118f9ff9dcf564cee406d0b57d14758765050056cb745fec5a19c79924442c4dbed79dba63b35ae823e06dee9c7f71554616ad39fdf2f740cec10f53c7956662
- SSDEEP: 98304:+DqPoBQRxcSUDk36SAEdhvxWa9P593R8yAVp2:+DqP7xcxk3ZAEUadzR8yc4
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.
- Contacts a large (3364) amount of remote hosts (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Executes dropped EXE (3 IoCs)
  pid | Process
  3940 | mssecsvc.exe
  2912 | mssecsvc.exe
  3448 | tasksche.exe
- Creates a large amount of network flows (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Drops file in Windows directory (2 IoCs)
  description | ioc | Process
  File created | C:\WINDOWS\mssecsvc.exe | rundll32.exe
  File created | C:\WINDOWS\tasksche.exe | mssecsvc.exe
- System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | mssecsvc.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rundll32.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | mssecsvc.exe
- Modifies data under HKEY_USERS (5 IoCs)
  description | ioc | Process
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | mssecsvc.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | mssecsvc.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | mssecsvc.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | mssecsvc.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | mssecsvc.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  description | pid | Process | procid_target
  PID 4852 wrote to memory of 4412 | 4852 | rundll32.exe | 83
  PID 4852 wrote to memory of 4412 | 4852 | rundll32.exe | 83
  PID 4852 wrote to memory of 4412 | 4852 | rundll32.exe | 83
  PID 4412 wrote to memory of 3940 | 4412 | rundll32.exe | 85
  PID 4412 wrote to memory of 3940 | 4412 | rundll32.exe | 85
  PID 4412 wrote to memory of 3940 | 4412 | rundll32.exe | 85
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\e257c4df597850a5f8ae0d6958058073_JaffaCakes118.dll,#1
  PID: 4852
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\e257c4df597850a5f8ae0d6958058073_JaffaCakes118.dll,#1
    PID: 4412
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    - C:\WINDOWS\mssecsvc.exe
      Command line: C:\WINDOWS\mssecsvc.exe
      PID: 3940
      - Executes dropped EXE
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - C:\WINDOWS\tasksche.exe
        Command line: C:\WINDOWS\tasksche.exe /i
        PID: 3448
        - Executes dropped EXE
- C:\WINDOWS\mssecsvc.exe
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  PID: 2912
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 3.6MB
  MD5: 0c8d6696eb10e1b05fbc19778770a231
  SHA1: b0f909a35883753ff75a53802cdd85bb3d25e8c1
  SHA256: a091a04020d3663536d37152a1a8610c9cb720a90f481c2e02d913a57ef24c92
  SHA512: b38186f7e5adfb674a8b0a024a26f57aa399239ce851d397e354223035e4cb7fe7c519eef36ed75d1e42e12b82203a935a42f5d08da0ffaacb1e630216344c3a
- Filesize: 3.4MB
  MD5: 05d88bb878550c22e3aaf330e7e07724
  SHA1: f826bbe8a19ad1688e56d2ef6debca1eaca8dd4a
  SHA256: 733da0e6b0c8287759b967437156b8b5693ba581373f031a076df5e97daf60aa
  SHA512: 567fb9010cb53dc7d0174888b91d0cb651d8ce56b794e006b719d2089961db211a43de41f06205a82da3d1913244d710201fb6a0f1678058c96b6683238221ed