Analysis
- max time kernel: 150s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 18-09-2024 15:56
Static task
- static1
Behavioral task
- behavioral1
  Sample: e979124c81143e8fb75bd63e7b07df00_JaffaCakes118.dll
  Resource: win7-20240903-en
Behavioral task
- behavioral2
  Sample: e979124c81143e8fb75bd63e7b07df00_JaffaCakes118.dll
  Resource: win10v2004-20240802-en
General
- Target: e979124c81143e8fb75bd63e7b07df00_JaffaCakes118.dll
- Size: 5.0MB
- MD5: e979124c81143e8fb75bd63e7b07df00
- SHA1: 54c94581e0d1c0d082a10c3d6169ebec7155efea
- SHA256: 9e714d4d43e214c28c4ad49877d849e37ac06ed3095d32ff682cbde7c15c4e9e
- SHA512: 40342b1f80e542f490ec42f4face1ebff2c2e1c94aac55f939c2b07026e5947f343487e05ea0bbc68d1d420a3a7f0b14e767b308272fb341af4e9040d06cbf93
- SSDEEP: 24576:SbLgddQhfdmMSirYbcMNgef0Q4kqAH1pNZtA0p+9XEk:SnAQqMSPbcBVQyAH1plAH
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.
- Contacts a large (3291) amount of remote hosts (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Executes dropped EXE (3 IoCs)
  pid   Process
  3484  mssecsvc.exe
  1640  mssecsvc.exe
  932   tasksche.exe
- Creates a large amount of network flows (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Drops file in Windows directory (2 IoCs)
  description   ioc                       Process
  File created  C:\WINDOWS\mssecsvc.exe   rundll32.exe
  File created  C:\WINDOWS\tasksche.exe   mssecsvc.exe
- System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                          Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  mssecsvc.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  mssecsvc.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  rundll32.exe
- Modifies data under HKEY_USERS (5 IoCs)
  description      ioc                                                                                                    Process
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"   mssecsvc.exe
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"  mssecsvc.exe
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"     mssecsvc.exe
  Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\                     mssecsvc.exe
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"    mssecsvc.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  description                       pid   Process       procid_target
  PID 1220 wrote to memory of 3848  1220  rundll32.exe  82
  PID 1220 wrote to memory of 3848  1220  rundll32.exe  82
  PID 1220 wrote to memory of 3848  1220  rundll32.exe  82
  PID 3848 wrote to memory of 3484  3848  rundll32.exe  83
  PID 3848 wrote to memory of 3484  3848  rundll32.exe  83
  PID 3848 wrote to memory of 3484  3848  rundll32.exe  83
Processes
- C:\Windows\system32\rundll32.exe (PID 1220)
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\e979124c81143e8fb75bd63e7b07df00_JaffaCakes118.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (PID 3848)
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\e979124c81143e8fb75bd63e7b07df00_JaffaCakes118.dll,#1
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    - C:\WINDOWS\mssecsvc.exe (PID 3484)
      Command line: C:\WINDOWS\mssecsvc.exe
      - Executes dropped EXE
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - C:\WINDOWS\tasksche.exe (PID 932)
        Command line: C:\WINDOWS\tasksche.exe /i
        - Executes dropped EXE
- C:\WINDOWS\mssecsvc.exe (PID 1640)
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 3.6MB
  MD5: 6fa3a464bd9df87c164a7650619634ba
  SHA1: 0c363ba86938102fbb55f8f0f1f2ad8a1953cc5a
  SHA256: 4049d0b5d878855fabc4338cf8f6b8a5f7604d249c970df5b4552186601f1f5d
  SHA512: 379512b5ceb023b78730fd3f8245413d990e4472861d8910a08baf73e291988fbb15f5d3135ba291f81b263d41cb6c0543b14c124967d4a6fc3ce2b0365f74ec
- Filesize: 3.4MB
  MD5: a1660f6e4fe9388cbb251ca4d6b352e6
  SHA1: db0686ae7886b54983fc86f876b015c59deaa0b3
  SHA256: 7902974c078579c6e8d28694cc6026854d53fedfdc34dac83b443089529eea4c
  SHA512: 6c432cf003dd1d04897a610f38c6b20f4acf212378803becf70dc0c3ad3197424d5fd7e17f81eeb7941f35a3e3207f3daccd13371f8d715a6277e5343471854b