Analysis
max time kernel: 150s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 16-09-2024 21:09
Static task: static1
Behavioral task: behavioral1
Sample: e592dd2cae721ac8aa51f347606ada8a_JaffaCakes118.dll
Resource: win7-20240903-en
Behavioral task: behavioral2
Sample: e592dd2cae721ac8aa51f347606ada8a_JaffaCakes118.dll
Resource: win10v2004-20240802-en
General
Target: e592dd2cae721ac8aa51f347606ada8a_JaffaCakes118.dll
Size: 5.0MB
MD5: e592dd2cae721ac8aa51f347606ada8a
SHA1: b383467235c9f59fe3bf02ef1072e5dcb6673d15
SHA256: 67cab1567aff6376cad332526db12abf5843182bd625d96be7751ce3a2885b4c
SHA512: 91d1334c3734ae0f71d5347054787337548bfc7835506098647bcfee3d2f0231daa7700c23a2d87f09e43c36a544d4ee07755e63572eeba73a817d50d2b1defe
SSDEEP: 98304:+DqPoBhz1aRxcSUDk36SAEdhvxWa9P593R8yAVp2jeOT1:+DqPe1Cxcxk3ZAEUadzR8yc4jeOT
Malware Config
Signatures
Wannacry
WannaCry is a ransomware cryptoworm.

Contacts a large (3251) amount of remote hosts (1 TTPs)
This may indicate a network scan to discover remotely running services.

Executes dropped EXE (3 IoCs)
pid   Process
2656  mssecsvc.exe
3096  mssecsvc.exe
2176  tasksche.exe

Creates a large amount of network flows (1 TTPs)
This may indicate a network scan to discover remotely running services.

Drops file in Windows directory (2 IoCs)
description   ioc                       Process
File created  C:\WINDOWS\tasksche.exe   mssecsvc.exe
File created  C:\WINDOWS\mssecsvc.exe   rundll32.exe

System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description  ioc                                                          Process
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  rundll32.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  mssecsvc.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  mssecsvc.exe

Modifies data under HKEY_USERS (5 IoCs)
description      ioc                                                                                                        Process
Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"   mssecsvc.exe
Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"  mssecsvc.exe
Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"     mssecsvc.exe
Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\                    mssecsvc.exe
Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"    mssecsvc.exe

Suspicious use of WriteProcessMemory (6 IoCs)
description                       pid   Process       procid_target
PID 4896 wrote to memory of 4964  4896  rundll32.exe  82
PID 4896 wrote to memory of 4964  4896  rundll32.exe  82
PID 4896 wrote to memory of 4964  4896  rundll32.exe  82
PID 4964 wrote to memory of 2656  4964  rundll32.exe  83
PID 4964 wrote to memory of 2656  4964  rundll32.exe  83
PID 4964 wrote to memory of 2656  4964  rundll32.exe  83
Processes
C:\Windows\system32\rundll32.exe (PID: 4896)
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\e592dd2cae721ac8aa51f347606ada8a_JaffaCakes118.dll,#1
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\rundll32.exe (PID: 4964)
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\e592dd2cae721ac8aa51f347606ada8a_JaffaCakes118.dll,#1
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    C:\WINDOWS\mssecsvc.exe (PID: 2656)
      command line: C:\WINDOWS\mssecsvc.exe
      - Executes dropped EXE
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      C:\WINDOWS\tasksche.exe (PID: 2176)
        command line: C:\WINDOWS\tasksche.exe /i
        - Executes dropped EXE

C:\WINDOWS\mssecsvc.exe (PID: 3096)
  command line: C:\WINDOWS\mssecsvc.exe -m security
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 3.6MB
MD5: 254a847075c5a76c84051f065af16af4
SHA1: b8011e7f6c60c6a10aee0bf6dc89e400a8977597
SHA256: 30a020af1b4e6b5b913609b99a65d4cb4038bb96118b07803058745f593c6062
SHA512: 3369f1e309106e89f4fc9d2a13222ebd0f06e905e9bf2e2ea7e17ae8634ae0eee314a55cc6e1e5f5a9621a880197ba0de7810fd80193f52993ba3cbe6a785801

Filesize: 3.4MB
MD5: e65b8d548d35f90e5d39f974914d4f13
SHA1: 8efe91191f549f6923b31bfbe515807b8acf9154
SHA256: 79b3701623167a48ebf8a9e93026315605e67f469cf629a1ee24e8cbfbc52ba6
SHA512: 0d701b481e16a151028cb19212124a9a5ec39703ffc69a51b794f400fa33f30ad4d4b4f5b022e1b81f873306bdcc434c9b36f3d44d2edf77758f0262cea25bf8