Analysis
max time kernel: 150s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64 arch:x86 image:win10v2004-20240802-en locale:en-us os:windows10-2004-x64 system
submitted: 17-09-2024 09:31
Static task
static1
Behavioral task
behavioral1
Sample
e6855434ad2a02e8bc34813775695668_JaffaCakes118.dll
Resource
win7-20240729-en
Behavioral task
behavioral2
Sample
e6855434ad2a02e8bc34813775695668_JaffaCakes118.dll
Resource
win10v2004-20240802-en
General
Target: e6855434ad2a02e8bc34813775695668_JaffaCakes118.dll
Size: 5.0MB
MD5: e6855434ad2a02e8bc34813775695668
SHA1: ff68c8f1f3b9d8954f77d6884bcd29d4c7d48af1
SHA256: 1c2cb3a8cbcfd685562e382651218cc0f0b18589482402ae4d3c4a5ab266c39d
SHA512: 6057946841388660d82708aaac0fab22547d631b1a2c0dfd0aebf56ac07116ee583fe8dda31e45fa1e1069791cf3f42cc699639a47556b778bf546b8847545af
SSDEEP: 98304:+DqPoBhz1aRxcSUDk36SAEdhvxWa9P593R8yAVp2H:+DqPe1Cxcxk3ZAEUadzR8yc4H
Malware Config
Signatures
Wannacry
WannaCry is a ransomware cryptoworm.

Contacts a large (3292) amount of remote hosts (1 TTPs)
This may indicate a network scan to discover remotely running services.

Executes dropped EXE (5 IoCs)
  pid   Process
  1388  mssecsvc.exe
  1408  mssecsvc.exe
  4324  tasksche.exe
  3840  tasksche.exe
  4408  tasksche.exe

Creates a large amount of network flows (1 TTPs)
This may indicate a network scan to discover remotely running services.

Drops file in Windows directory (2 IoCs)
  description   ioc                       Process
  File created  C:\WINDOWS\tasksche.exe   mssecsvc.exe
  File created  C:\WINDOWS\mssecsvc.exe   rundll32.exe

Program crash (3 IoCs)
  pid   pid_target  Process       procid_target
  1348  3840        WerFault.exe  94
  2960  4408        WerFault.exe  108
  4168  4324        WerFault.exe  92
System Location Discovery: System Language Discovery (1 TTPs, 6 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                            Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   tasksche.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   tasksche.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   rundll32.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   mssecsvc.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   mssecsvc.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   tasksche.exe
Modifies data under HKEY_USERS (5 IoCs)
  description      ioc                                                                                                          Process
  Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\                  mssecsvc.exe
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"   mssecsvc.exe
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"  mssecsvc.exe
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" mssecsvc.exe
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"    mssecsvc.exe

Suspicious use of WriteProcessMemory (15 IoCs)
  description                       pid   Process        procid_target
  PID 752 wrote to memory of 3308   752   rundll32.exe   89
  PID 752 wrote to memory of 3308   752   rundll32.exe   89
  PID 752 wrote to memory of 3308   752   rundll32.exe   89
  PID 3308 wrote to memory of 1388  3308  rundll32.exe   90
  PID 3308 wrote to memory of 1388  3308  rundll32.exe   90
  PID 3308 wrote to memory of 1388  3308  rundll32.exe   90
  PID 1388 wrote to memory of 4324  1388  mssecsvc.exe   92
  PID 1388 wrote to memory of 4324  1388  mssecsvc.exe   92
  PID 1388 wrote to memory of 4324  1388  mssecsvc.exe   92
  PID 2036 wrote to memory of 3840  2036  cmd.exe        94
  PID 2036 wrote to memory of 3840  2036  cmd.exe        94
  PID 2036 wrote to memory of 3840  2036  cmd.exe        94
  PID 4324 wrote to memory of 4408  4324  tasksche.exe   108
  PID 4324 wrote to memory of 4408  4324  tasksche.exe   108
  PID 4324 wrote to memory of 4408  4324  tasksche.exe   108
Processes
(indentation shows parent/child depth in the process tree)

C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\e6855434ad2a02e8bc34813775695668_JaffaCakes118.dll,#1
  PID: 752
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\e6855434ad2a02e8bc34813775695668_JaffaCakes118.dll,#1
    PID: 3308
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    C:\WINDOWS\mssecsvc.exe
      Command line: C:\WINDOWS\mssecsvc.exe
      PID: 1388
      - Executes dropped EXE
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      C:\WINDOWS\tasksche.exe
        Command line: C:\WINDOWS\tasksche.exe /i
        PID: 4324
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
        C:\ProgramData\rbeoqsjruepbaol925\tasksche.exe
          Command line: C:\ProgramData\rbeoqsjruepbaol925\tasksche.exe
          PID: 4408
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery
          C:\Windows\SysWOW64\WerFault.exe
            Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4408 -s 252
            PID: 2960
            - Program crash
        C:\Windows\SysWOW64\WerFault.exe
          Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4324 -s 324
          PID: 4168
          - Program crash

C:\WINDOWS\mssecsvc.exe
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  PID: 1408
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS

C:\Windows\system32\cmd.exe
  Command line: cmd.exe /c "C:\ProgramData\rbeoqsjruepbaol925\tasksche.exe"
  PID: 2036
  - Suspicious use of WriteProcessMemory
  C:\ProgramData\rbeoqsjruepbaol925\tasksche.exe
    Command line: C:\ProgramData\rbeoqsjruepbaol925\tasksche.exe
    PID: 3840
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3840 -s 252
      PID: 1348
      - Program crash

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3840 -ip 3840
  PID: 2872

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4228,i,10369132178352108590,11047993562598554317,262144 --variations-seed-version --mojo-platform-channel-handle=3740 /prefetch:8
  PID: 4368

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 372 -p 4408 -ip 4408
  PID: 2064

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 4324 -ip 4324
  PID: 628
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 3.6MB
MD5: c223a0feb037ab17cc273a40856395b0
SHA1: d4f498435c23027ee324bc93494f871dfe8ad7a9
SHA256: 47a0caff0fa7159652f377ab3ac01b70771aa45cbd3b1567f752194c38f4ee6c
SHA512: 69ea8339e33c5c7706411da7e2d0c8d2b8cdd4516f72a05aa62ba9093014e3d7542345af9c00e9f36c53f674b1cc2a6546bdad2c303c1cb3aae795bbdba01be9

Filesize: 3.4MB
MD5: e56fca813e300a87483824b2924a9b45
SHA1: e2055d48fc7999dd8cc9f5b3e94ba12948d5a8e2
SHA256: bf9b9e4b3b71a9cc47af24acbd525dd76a7c956049029e714c3e31b21507c70b
SHA512: 246a0868b687a0ed8c22b5cfcdf8a8b36d3e40100c8ddad65a491418192889ba9a77ed238ed3c921812a1654287b7de437f89a014070dbf3f5378c547cb45e10