Analysis
max time kernel: 150s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 16-09-2024 16:27
Static task: static1
Behavioral task: behavioral1
  Sample: e5283d7cad73eeb1085e3759669f7133_JaffaCakes118.dll
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: e5283d7cad73eeb1085e3759669f7133_JaffaCakes118.dll
  Resource: win10v2004-20240802-en
General
Target: e5283d7cad73eeb1085e3759669f7133_JaffaCakes118.dll
Size: 5.0MB
MD5: e5283d7cad73eeb1085e3759669f7133
SHA1: e66ac36a28e118fcd4a317df4960e4c21c573f42
SHA256: 222300534ae7c6e8390677ed8f46a5fdf0623e9cd1cec973ef36d3a33d618f6e
SHA512: c7f36a4379c78cf57ddc324422f121bd5e7164ce1e296368c09b07bfabcadca8bea4eb43e35d931c94b61ac128c6cdd1617b9c79ec363df1dbca64b6d8f84ebd
SSDEEP: 98304:TDqPoBhz1aRxcSUDk36SAEdhvxWa9E93R8yAVp2H:TDqPe1Cxcxk3ZAEUaIR8yc4H
Malware Config
Signatures
-
Wannacry
WannaCry is a ransomware cryptoworm.
-
Contacts a large (3263) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.

Executes dropped EXE 3 IoCs
pid   Process
1652  mssecsvc.exe
4512  mssecsvc.exe
4656  tasksche.exe

Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.

Drops file in Windows directory 2 IoCs
description   ioc                       Process
File created  C:\WINDOWS\mssecsvc.exe   rundll32.exe
File created  C:\WINDOWS\tasksche.exe   mssecsvc.exe
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description  ioc                                                              Process
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language     rundll32.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language     mssecsvc.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language     mssecsvc.exe
Modifies data under HKEY_USERS 5 IoCs
description      ioc                                                                                                        Process
Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\               mssecsvc.exe
Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"    mssecsvc.exe
Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"   mssecsvc.exe
Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"  mssecsvc.exe
Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"     mssecsvc.exe
Suspicious use of WriteProcessMemory 6 IoCs
description                        pid   Process       procid_target
PID 2088 wrote to memory of 816    2088  rundll32.exe  91
PID 2088 wrote to memory of 816    2088  rundll32.exe  91
PID 2088 wrote to memory of 816    2088  rundll32.exe  91
PID 816 wrote to memory of 1652    816   rundll32.exe  92
PID 816 wrote to memory of 1652    816   rundll32.exe  92
PID 816 wrote to memory of 1652    816   rundll32.exe  92
Processes
C:\Windows\system32\rundll32.exe (PID: 2088)
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\e5283d7cad73eeb1085e3759669f7133_JaffaCakes118.dll,#1
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\rundll32.exe (PID: 816)
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\e5283d7cad73eeb1085e3759669f7133_JaffaCakes118.dll,#1
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    C:\WINDOWS\mssecsvc.exe (PID: 1652)
      Command line: C:\WINDOWS\mssecsvc.exe
      - Executes dropped EXE
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      C:\WINDOWS\tasksche.exe (PID: 4656)
        Command line: C:\WINDOWS\tasksche.exe /i
        - Executes dropped EXE

C:\WINDOWS\mssecsvc.exe (PID: 4512)
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID: 3532)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4248,i,15436195446242760253,4000484513008731869,262144 --variations-seed-version --mojo-platform-channel-handle=1308 /prefetch:8
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 3.6MB
MD5: 2af2d969f584d38d43629d0b79f84091
SHA1: 7e85ebd4b4eb232c4a308ff42df95dd1d95166bc
SHA256: e29626b985d6149f9ff0f1d4ac12c0313deeb91d313f0b5b576782da7ebc83d7
SHA512: bdc304abfabcbe21462b7be02e36e95eb79051a70261951baf2917f6d19d19f9f59680f6dc5f9b6a97b93643e2c361cd41d97255362a07372f719c25139eef59

Filesize: 3.4MB
MD5: f78a86fa8c5e78e6840fc0751a284d2e
SHA1: 06140394d139c2db05e3e9f9fd5a67cc706c467a
SHA256: 3fac4ebb902c5af67b6a6a67732b9c4fd9c6cd8f9fb6860c023da1a68a28ac02
SHA512: a63817d889c3ab74d0ef55018d22bfee9ef0365ff9f852becbda8dfb24320d45d68fd1733365a52ee031ad2b0de550bd68a8e3843ef1496de40ee36407601ae4