Analysis
-
max time kernel
150s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
17-09-2024 22:58
Static task
static1
Behavioral task
behavioral1
Sample
e7dc469ddece531137ede07b94bfff3d_JaffaCakes118.dll
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
e7dc469ddece531137ede07b94bfff3d_JaffaCakes118.dll
Resource
win10v2004-20240802-en
General
-
Target
e7dc469ddece531137ede07b94bfff3d_JaffaCakes118.dll
-
Size
5.0MB
-
MD5
e7dc469ddece531137ede07b94bfff3d
-
SHA1
eea0ed7f4c11185fd0c5aaaca6b00d0ded3a27da
-
SHA256
90e1c09b917ba911cdab1b1051cc5ca2a9dd13238764188d6742ecc8e822b378
-
SHA512
77144aa6ea5a98345d49a97f0ca0be7bd36bddfa70deb36afd8dcfc02f6bbae0746c856630e0c798a57886c69817d54882278a5a3fe6f42c753a6a78917e9fee
-
SSDEEP
49152:XnAQqMSPbcBVQej/1INRx+TSqTdX1HkQo6SAA:XDqPoBhz1aRxcSUDk36SA
Malware Config
Signatures
-
Wannacry
WannaCry is a ransomware cryptoworm.
-
Contacts a large (3230) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Executes dropped EXE 3 IoCs
pid Process 2836 mssecsvc.exe 864 mssecsvc.exe 4668 tasksche.exe -
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Drops file in Windows directory 2 IoCs
description ioc Process File created C:\WINDOWS\tasksche.exe mssecsvc.exe File created C:\WINDOWS\mssecsvc.exe rundll32.exe -
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mssecsvc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mssecsvc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe -
Modifies data under HKEY_USERS 5 IoCs
description ioc Process Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" mssecsvc.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" mssecsvc.exe -
Suspicious use of WriteProcessMemory 6 IoCs
description pid Process procid_target PID 3620 wrote to memory of 3000 3620 rundll32.exe 82 PID 3620 wrote to memory of 3000 3620 rundll32.exe 82 PID 3620 wrote to memory of 3000 3620 rundll32.exe 82 PID 3000 wrote to memory of 2836 3000 rundll32.exe 83 PID 3000 wrote to memory of 2836 3000 rundll32.exe 83 PID 3000 wrote to memory of 2836 3000 rundll32.exe 83
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\e7dc469ddece531137ede07b94bfff3d_JaffaCakes118.dll,#11⤵
- Suspicious use of WriteProcessMemory
PID:3620 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\e7dc469ddece531137ede07b94bfff3d_JaffaCakes118.dll,#12⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3000 -
C:\WINDOWS\mssecsvc.exeC:\WINDOWS\mssecsvc.exe3⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:2836 -
C:\WINDOWS\tasksche.exeC:\WINDOWS\tasksche.exe /i4⤵
- Executes dropped EXE
PID:4668
-
-
-
-
C:\WINDOWS\mssecsvc.exeC:\WINDOWS\mssecsvc.exe -m security1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
PID:864
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3.6MB
MD55c0bb3e625a472e8219a0cdc25ceff0e
SHA12d0ee877bed090e4879d9c921d716d97fad28a8f
SHA2562c5f953e6ba448a06f44c266d82155fc947c2a07bca6d0581dbc84f919a02335
SHA51298af64e5b506a06daaffc9756fd8b116d24105d29c6cfd35eb4d64adb14df4a478fbde81b4cf082f2d6b60e29f4032c9005de65488998a37883188a94c97d694
-
Filesize
3.4MB
MD53233aced9279ef54267c479bba665b90
SHA10b2cc142386641901511269503cdf6f641fad305
SHA256f60f8a6bcaf1384a0d6a76d3e88007a8604560b263d2b8aeee06fd74c9ee5b3b
SHA51255f25c51ffb89d46f2a7d2ed9b67701e178bd68e74b71d757d5fa14bd9530a427104fc36116633033ead762ecf7960ab96429f5b0a085a701001c6832ba4555e