Analysis
- max time kernel: 127s
- max time network: 152s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 18-09-2024 07:29
Static task: static1
Behavioral task: behavioral1
- Sample: e89d0aece1d61e784b90ec3a6ded092d_JaffaCakes118.dll
- Resource: win7-20240708-en
Behavioral task: behavioral2
- Sample: e89d0aece1d61e784b90ec3a6ded092d_JaffaCakes118.dll
- Resource: win10v2004-20240802-en
General
- Target: e89d0aece1d61e784b90ec3a6ded092d_JaffaCakes118.dll
- Size: 5.0MB
- MD5: e89d0aece1d61e784b90ec3a6ded092d
- SHA1: eccf19cf2e72fe3a9ba8986412f99475d6e9463a
- SHA256: b79dc6bf0ed1c80ea5de36cb3356d43d8b6418602f0dc2524288876f569cf5ec
- SHA512: bdd6e635d62f9c9f89f209ee5b4543ddab0b82aa15769ab629ee06631862f664c6824dc2464e4dff6f186b75ec422abea2f700deef8f747df87d6e18d48f3aff
- SSDEEP: 98304:+DqPoBhz1aRxcSUDk36SAEdhvxWa9B5p3R8yAVp2H:+DqPe1Cxcxk3ZAEUaPPR8yc4H
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.
- Contacts a large (3320) amount of remote hosts (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Executes dropped EXE (3 IoCs)
  pid   Process
  4432  mssecsvc.exe
  4976  mssecsvc.exe
  4856  tasksche.exe
- Creates a large amount of network flows (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Drops file in Windows directory (2 IoCs)
  description   ioc                       Process
  File created  C:\WINDOWS\mssecsvc.exe   rundll32.exe
  File created  C:\WINDOWS\tasksche.exe   mssecsvc.exe
- System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                          Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  rundll32.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  mssecsvc.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  mssecsvc.exe
- Modifies data under HKEY_USERS (5 IoCs)
  description      ioc                                                                                                        Process
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"  mssecsvc.exe
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"     mssecsvc.exe
  Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\                    mssecsvc.exe
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"    mssecsvc.exe
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"   mssecsvc.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  description                        pid   Process       procid_target
  PID 3668 wrote to memory of 3432   3668  rundll32.exe  82
  PID 3668 wrote to memory of 3432   3668  rundll32.exe  82
  PID 3668 wrote to memory of 3432   3668  rundll32.exe  82
  PID 3432 wrote to memory of 4432   3432  rundll32.exe  83
  PID 3432 wrote to memory of 4432   3432  rundll32.exe  83
  PID 3432 wrote to memory of 4432   3432  rundll32.exe  83
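The two network signatures above ("Contacts a large amount of remote hosts" and "Creates a large amount of network flows") are threshold rules over per-process connection records. The following is an added example, not part of this report and not the sandbox's own detection code, of how such a fan-out rule can be implemented on endpoint telemetry. The flow records are constructed inline in the shape of per-process connection events (Sysmon Event ID 3 style); the 10.20.30.0/24 range, the benign msedge.exe process, and the window and threshold values are assumptions for illustration. The report itself counted 3320 remote hosts over the whole run.

```python
"""Fan-out detector for the 'contacts a large amount of remote hosts' behaviour.

Added example, not part of the sandbox report. Input events are constructed
here to resemble per-process network connection records (Sysmon Event ID 3
shape); the window and threshold values are assumptions, not report values.
"""
from collections import defaultdict
from ipaddress import ip_network

# Assumed tuning values for illustration; the sandbox counted 3320 hosts
# over the whole run, so a real rule would sit well below that.
WINDOW_SECONDS = 60
HOST_THRESHOLD = 100


def build_sample_flows():
    """Constructed sample: mssecsvc.exe sweeping a /24 on tcp/445, plus a
    benign browser process making a handful of tcp/443 connections."""
    flows = []
    t = 0.0
    # Scanner: one connection attempt per host, 0.1 s apart -> 254 hosts in ~25 s.
    for host in ip_network("10.20.30.0/24").hosts():
        flows.append({"ts": t, "pid": 4432, "image": "mssecsvc.exe",
                      "dst_ip": str(host), "dst_port": 445})
        t += 0.1
    # Benign: a browser talking to three hosts on 443 (addresses are arbitrary).
    for i, ip in enumerate(["93.184.216.34", "142.250.74.46", "151.101.1.69"]):
        flows.append({"ts": 5.0 + i, "pid": 1200, "image": "msedge.exe",
                      "dst_ip": ip, "dst_port": 443})
    return sorted(flows, key=lambda f: f["ts"])


def fanout_alerts(flows, window=WINDOW_SECONDS, threshold=HOST_THRESHOLD):
    """Return {(pid, image): (peak_distinct_hosts, top_port)} for every process
    whose distinct destination hosts inside some `window`-second sliding window
    reached `threshold`. top_port is the most common destination port, which
    separates a single-port sweep (445 only) from ordinary broad fan-out."""
    by_proc = defaultdict(list)
    for f in flows:
        by_proc[(f["pid"], f["image"])].append(f)

    alerts = {}
    for key, evts in by_proc.items():
        evts.sort(key=lambda f: f["ts"])
        left = 0
        seen = defaultdict(int)   # dst_ip -> occurrences inside the window
        peak = 0
        for f in evts:
            seen[f["dst_ip"]] += 1
            # Slide the left edge forward until the window is at most `window` wide.
            while f["ts"] - evts[left]["ts"] > window:
                old = evts[left]["dst_ip"]
                seen[old] -= 1
                if seen[old] == 0:
                    del seen[old]
                left += 1
            peak = max(peak, len(seen))
        if peak >= threshold:
            ports = defaultdict(int)
            for f in evts:
                ports[f["dst_port"]] += 1
            alerts[key] = (peak, max(ports, key=ports.get))
    return alerts


if __name__ == "__main__":
    for (pid, image), (hosts, port) in fanout_alerts(build_sample_flows()).items():
        print(f"ALERT {image} pid={pid}: {hosts} distinct hosts, mostly tcp/{port}")
```

The sliding window matters: a sweep like this one finishes in under half a minute, so a rule that counts distinct hosts per hour would also fire on ordinary chatty processes, while a short window with a few hundred hosts catches the burst and little else.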
Processes
- Image: C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\e89d0aece1d61e784b90ec3a6ded092d_JaffaCakes118.dll,#1
  - Suspicious use of WriteProcessMemory
  PID:3668
  - Image: C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\e89d0aece1d61e784b90ec3a6ded092d_JaffaCakes118.dll,#1
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3432
    - Image: C:\WINDOWS\mssecsvc.exe
      Command line: C:\WINDOWS\mssecsvc.exe
      - Executes dropped EXE
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      PID:4432
      - Image: C:\WINDOWS\tasksche.exe
        Command line: C:\WINDOWS\tasksche.exe /i
        - Executes dropped EXE
        PID:4856
- Image: C:\WINDOWS\mssecsvc.exe
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
  PID:4976
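The process tree above is a drop-and-execute chain: the 32-bit rundll32.exe writes C:\WINDOWS\mssecsvc.exe and launches it, mssecsvc.exe writes C:\WINDOWS\tasksche.exe and launches it with /i, and a second mssecsvc.exe instance runs with -m security. The following added example, not part of this report and not any vendor's detection code, correlates file-create and process-create events to flag that pattern generically (any process whose image was written earlier in the stream) rather than matching the WannaCry file names. The events are constructed inline in a Sysmon-like shape using the PIDs and paths the report lists; the parent PIDs 1000 (for the first rundll32.exe) and 700 (for the service instance) and the benign notepad.exe event are assumptions.

```python
"""Drop-and-execute detector modelled on the process tree in this report.

Added example, not from the report or from any vendor's detection code. Events
are constructed below in a Sysmon-like shape (ProcessCreate = Event ID 1,
FileCreate = Event ID 11) using the PIDs and paths the report lists; the parent
PIDs 1000 and 700 and the benign notepad.exe event are assumptions.
"""
from dataclasses import dataclass


@dataclass
class ProcessCreate:
    pid: int
    ppid: int
    image: str
    cmdline: str


@dataclass
class FileCreate:
    pid: int
    image: str      # writing process
    target: str     # file written


DLL = r"C:\Users\Admin\AppData\Local\Temp\e89d0aece1d61e784b90ec3a6ded092d_JaffaCakes118.dll"

# Constructed sample event stream, in the order the sandbox tree implies.
SAMPLE_EVENTS = [
    ProcessCreate(3668, 1000, r"C:\Windows\system32\rundll32.exe", f"rundll32.exe {DLL},#1"),
    ProcessCreate(3432, 3668, r"C:\Windows\SysWOW64\rundll32.exe", f"rundll32.exe {DLL},#1"),
    FileCreate(3432, r"C:\Windows\SysWOW64\rundll32.exe", r"C:\WINDOWS\mssecsvc.exe"),
    ProcessCreate(4432, 3432, r"C:\WINDOWS\mssecsvc.exe", r"C:\WINDOWS\mssecsvc.exe"),
    FileCreate(4432, r"C:\WINDOWS\mssecsvc.exe", r"C:\WINDOWS\tasksche.exe"),
    ProcessCreate(4856, 4432, r"C:\WINDOWS\tasksche.exe", r"C:\WINDOWS\tasksche.exe /i"),
    # Service instance: parent 700 (services.exe) is an assumption, not from the report.
    ProcessCreate(4976, 700, r"C:\WINDOWS\mssecsvc.exe", r"C:\WINDOWS\mssecsvc.exe -m security"),
    # Benign noise (assumed): explorer starting notepad, no prior file write of its image.
    ProcessCreate(5100, 1000, r"C:\Windows\system32\notepad.exe", "notepad.exe"),
]


def basename(path):
    return path.rsplit("\\", 1)[-1]


def ancestry(procs, pid):
    """Image basenames from the oldest known ancestor down to `pid`."""
    chain, seen = [], set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        chain.append(basename(procs[pid].image))
        pid = procs[pid].ppid
    return chain[::-1]


def dropped_and_executed(events):
    """One finding per process whose image path was written earlier in the
    stream by some process (the 'Executes dropped EXE' pattern), carrying the
    dropper's pid and the executed process's ancestry."""
    drops, procs, findings = {}, {}, []
    for ev in events:
        if isinstance(ev, FileCreate):
            drops[ev.target.lower()] = ev.pid   # case-insensitive, like NTFS
            continue
        procs[ev.pid] = ev
        dropper = drops.get(ev.image.lower())
        if dropper is not None:
            findings.append({"pid": ev.pid, "image": ev.image, "cmdline": ev.cmdline,
                             "dropper_pid": dropper, "chain": ancestry(procs, ev.pid)})
    return findings


def windows_dir_drops(events):
    """(writer basename, target) for every file written directly under the
    Windows directory, the 'Drops file in Windows directory' pattern."""
    return [(basename(ev.image), ev.target) for ev in events
            if isinstance(ev, FileCreate) and ev.target.lower().startswith("c:\\windows\\")]


if __name__ == "__main__":
    for f in dropped_and_executed(SAMPLE_EVENTS):
        print(f"dropped-and-executed pid={f['pid']} (written by pid {f['dropper_pid']}): "
              + " -> ".join(f["chain"]) + f"  [{f['cmdline']}]")
    for writer, target in windows_dir_drops(SAMPLE_EVENTS):
        print(f"windows-dir drop: {writer} wrote {target}")
```

Keying the drop table on the file path rather than on the parent PID is what catches the -m security instance: its parent is not in the tree the sandbox shows, but its image is still a file that rundll32.exe wrote moments earlier, so it is reported with a one-element chain instead of being missed.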
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 3.6MB
  MD5: 2140b744839746d60e9f5c7b98246255
  SHA1: f9a37764cf5d5847e7d78f5c0c311b96415ac357
  SHA256: e33e1ab04be3c988dde3e3809d9fac57c6535cac36684d012871f0268e8e05f3
  SHA512: 03b718dea787636428c0278014154f8b7a202c5a7d3968f89c7450ff76c28028627efbeb2471412ca79a1f8abdbb6fc050b744d6171a11e28c6515b3fa7c9d20
- Filesize: 3.4MB
  MD5: 1f1e4a7d5483167dd0d1607c2dcd7b1c
  SHA1: 5b87ccb9ca336f1351d5bf689cc913e486d98be7
  SHA256: 4c44352c8a74536b2349f09e6b03b8dced39a4cdb3ea5d16ea3b80af106b3b02
  SHA512: 471443eb4f9c7e29eef4051ce3d73b6b83c9fcb4ea96c67658b251a03bef8e2eeebe55e288825104a0b18198a68b05b30fdefeccba8b5b9ee8a37ffe7c5f1047