Analysis
-
max time kernel
150s -
max time network
158s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
17-09-2024 19:11
Static task
static1
Behavioral task
behavioral1
Sample
e784d58fef062a471c059c9a07a2e29c_JaffaCakes118.dll
Resource
win7-20240708-en
Behavioral task
behavioral2
Sample
e784d58fef062a471c059c9a07a2e29c_JaffaCakes118.dll
Resource
win10v2004-20240802-en
General
-
Target
e784d58fef062a471c059c9a07a2e29c_JaffaCakes118.dll
-
Size
5.0MB
-
MD5
e784d58fef062a471c059c9a07a2e29c
-
SHA1
21b57ff4886df68dd401aea1bdce2b423021613c
-
SHA256
7cd6d125eea23cbc42e1a242ad2c91db2e4e79a26266f00f3d7ef88720763ae5
-
SHA512
a727d2156ea9c5237e60c91dcd0574e231617c8b4625b492b95cd582bf12a57f93a1f4a66ec75332c022804edf4e37774476c218ed93f6569a360d1f076151ee
-
SSDEEP
98304:+DqPoBhz1aRxcSUDk36SAEdhvxWa9P593R8yAVp2:+DqPe1Cxcxk3ZAEUadzR8yc4
Malware Config
Signatures
-
Wannacry
WannaCry is a ransomware cryptoworm.
-
Contacts a large (3218) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Executes dropped EXE 3 IoCs
pid Process 4396 mssecsvc.exe 4380 mssecsvc.exe 4572 tasksche.exe -
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Drops file in Windows directory 2 IoCs
description ioc Process File created C:\WINDOWS\tasksche.exe mssecsvc.exe File created C:\WINDOWS\mssecsvc.exe rundll32.exe -
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mssecsvc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mssecsvc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe -
Modifies data under HKEY_USERS 5 IoCs
description ioc Process Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" mssecsvc.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" mssecsvc.exe -
Suspicious use of WriteProcessMemory 6 IoCs
description pid Process procid_target PID 4648 wrote to memory of 4120 4648 rundll32.exe 82 PID 4648 wrote to memory of 4120 4648 rundll32.exe 82 PID 4648 wrote to memory of 4120 4648 rundll32.exe 82 PID 4120 wrote to memory of 4396 4120 rundll32.exe 83 PID 4120 wrote to memory of 4396 4120 rundll32.exe 83 PID 4120 wrote to memory of 4396 4120 rundll32.exe 83
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\e784d58fef062a471c059c9a07a2e29c_JaffaCakes118.dll,#11⤵
- Suspicious use of WriteProcessMemory
PID:4648 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\e784d58fef062a471c059c9a07a2e29c_JaffaCakes118.dll,#12⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4120 -
C:\WINDOWS\mssecsvc.exeC:\WINDOWS\mssecsvc.exe3⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:4396 -
C:\WINDOWS\tasksche.exeC:\WINDOWS\tasksche.exe /i4⤵
- Executes dropped EXE
PID:4572
-
-
-
-
C:\WINDOWS\mssecsvc.exeC:\WINDOWS\mssecsvc.exe -m security1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
PID:4380
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3.6MB
MD537a61307a8714c3005bf1a3da3980b02
SHA195fc105534f605e1249feb92bdcbf276629756a2
SHA256531fa5a1b26836d491992a48dcbd7a98963578ab19e5af1f3269fbd309052a7f
SHA51231d0782943bcb96b0b56f508c60ccb24fe086f804ca751b68b2d1124b57b009e23bf3871cf4546c90cda7de941456b696f298e4e221b2bbd777fce40918f500f
-
Filesize
3.4MB
MD550f0d6961f4433eaea5fb1df87cb5cff
SHA153d176a5f23edfd5ecb70a4a3a22d5c01b019e15
SHA256a9ea9416d59b36c4648dabbf723e076315a2ea8f0ff7da9f203ad9a4ca91d296
SHA51233ce76e2d0c84c10410561ddee39e7cd3becae81f2d8d0f1d9b20f2f3b22a8881e994284160320e6ec2e273605375e0794951c2e1712c104f2bb7b5dc94e17e5