Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
18-09-2024 15:50
Static task
static1
Behavioral task
behavioral1
Sample
e976d16465fed8b651bbb7048627c6bb_JaffaCakes118.dll
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
e976d16465fed8b651bbb7048627c6bb_JaffaCakes118.dll
Resource
win10v2004-20240802-en
General
-
Target
e976d16465fed8b651bbb7048627c6bb_JaffaCakes118.dll
-
Size
5.0MB
-
MD5
e976d16465fed8b651bbb7048627c6bb
-
SHA1
d74537b257ba5239623c339df5a276def07dd7c2
-
SHA256
758aa3fb563516108e710069a99b5e5f7a8a2b37ba18462b9ebaebd5f791137b
-
SHA512
b3bc2350883ad13784e5838ebb02eec3b26c2577efbd2b856f5d02dfc0f4b73514f0e95a480481823af7427c5fbd4822c247b55526d4a1b7ea596260d1f051f3
-
SSDEEP
98304:+DqPoBhz1aRxcSUDk36SAEdhvxWaRYod8V:+DqPe1Cxcxk3ZAEUa
Malware Config
Signatures
-
Wannacry
WannaCry is a ransomware cryptoworm.
-
Contacts a large (3135) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Executes dropped EXE 3 IoCs
pid Process 4060 mssecsvc.exe 4396 mssecsvc.exe 1808 tasksche.exe -
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Drops file in Windows directory 2 IoCs
description ioc Process File created C:\WINDOWS\mssecsvc.exe rundll32.exe File created C:\WINDOWS\tasksche.exe mssecsvc.exe -
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mssecsvc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mssecsvc.exe -
Modifies data under HKEY_USERS 5 IoCs
description ioc Process Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" mssecsvc.exe -
Suspicious use of WriteProcessMemory 6 IoCs
description pid Process procid_target PID 2600 wrote to memory of 1916 2600 rundll32.exe 82 PID 2600 wrote to memory of 1916 2600 rundll32.exe 82 PID 2600 wrote to memory of 1916 2600 rundll32.exe 82 PID 1916 wrote to memory of 4060 1916 rundll32.exe 83 PID 1916 wrote to memory of 4060 1916 rundll32.exe 83 PID 1916 wrote to memory of 4060 1916 rundll32.exe 83
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\e976d16465fed8b651bbb7048627c6bb_JaffaCakes118.dll,#11⤵
- Suspicious use of WriteProcessMemory
PID:2600 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\e976d16465fed8b651bbb7048627c6bb_JaffaCakes118.dll,#12⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1916 -
C:\WINDOWS\mssecsvc.exeC:\WINDOWS\mssecsvc.exe3⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:4060 -
C:\WINDOWS\tasksche.exeC:\WINDOWS\tasksche.exe /i4⤵
- Executes dropped EXE
PID:1808
-
-
-
-
C:\WINDOWS\mssecsvc.exeC:\WINDOWS\mssecsvc.exe -m security1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
PID:4396
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3.6MB
MD5c462be8230e941984e90a06d38e64894
SHA1d495b0d84a79b29fe17d7a8134bd307a70b9ed3a
SHA2562b49f9263d4f977f9e56be0b6ae4468fba84e1908add67cbc077a55bd2f83c11
SHA5126fb5b4e786cc56f81fc4f3537ed553bc77d61da81447e0e1fb038332a03edadc39a36182c5f501bcb95ad822161c864c9afa83da98762ba20a572bd26ff2b07c
-
Filesize
3.4MB
MD5a839cfbbb9476e6c97d696fe6cedda30
SHA13c01d4adcfe88672685556c0e98fb5d407cb5522
SHA256eeca969e01d66a71a7ba803864f0de38a8018e7ff58f2cefad2a1a94ef9c27e9
SHA512233d92ae8341895145f400bf98bbc25b8c518a91d5e081ebd7f7d7c55d06c1a1ef641ddfb237516edf3a53b38891fbcc8cab1f8a7eaff83a4958c517fe6bc59e