Analysis
- max time kernel: 150s
- max time network: 153s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 18-09-2024 17:06

Static task: static1

Behavioral task: behavioral1
- Sample: e9965bd5de99ff82cf91603d126fa6a5_JaffaCakes118.dll
- Resource: win7-20240903-en

Behavioral task: behavioral2
- Sample: e9965bd5de99ff82cf91603d126fa6a5_JaffaCakes118.dll
- Resource: win10v2004-20240802-en
General
- Target: e9965bd5de99ff82cf91603d126fa6a5_JaffaCakes118.dll
- Size: 5.0MB
- MD5: e9965bd5de99ff82cf91603d126fa6a5
- SHA1: 01b2224fa44cf5246a1c572c2597eee1a45a6bf0
- SHA256: 33b5630ab1d80689c8644dcefd98a037027009c336ec14dfd10a214b21110333
- SHA512: 8dcd5716762beff51a9a36fd03d1385086275d9526fe6d43112c0407f66e22b9e47080361e7ad70f619a08ec07881b915ccf3d42883da93ff192995e6e941c25
- SSDEEP: 98304:+DqPoBhzTxcSUDk36SAvxWa9P593R8yAVp2H:+DqPeTxcxk3ZAYadzR8yc4H
Malware Config
Signatures
-
Wannacry
WannaCry is a ransomware cryptoworm.
-
Contacts a large (3222) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Executes dropped EXE 3 IoCs
pid Process
4676 mssecsvc.exe
2248 mssecsvc.exe
1016 tasksche.exe
-
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Drops file in Windows directory 2 IoCs
description ioc Process
File created C:\WINDOWS\mssecsvc.exe rundll32.exe
File created C:\WINDOWS\tasksche.exe mssecsvc.exe
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mssecsvc.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mssecsvc.exe
-
Modifies data under HKEY_USERS 5 IoCs
description ioc Process
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" mssecsvc.exe
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" mssecsvc.exe
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" mssecsvc.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ mssecsvc.exe
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" mssecsvc.exe
-
Suspicious use of WriteProcessMemory 6 IoCs
description pid Process procid_target
PID 3536 wrote to memory of 4468 3536 rundll32.exe 82
PID 3536 wrote to memory of 4468 3536 rundll32.exe 82
PID 3536 wrote to memory of 4468 3536 rundll32.exe 82
PID 4468 wrote to memory of 4676 4468 rundll32.exe 83
PID 4468 wrote to memory of 4676 4468 rundll32.exe 83
PID 4468 wrote to memory of 4676 4468 rundll32.exe 83
Processes
-
C:\Windows\system32\rundll32.exe (depth 1)
Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\e9965bd5de99ff82cf91603d126fa6a5_JaffaCakes118.dll,#1
- Suspicious use of WriteProcessMemory
PID:3536 -
C:\Windows\SysWOW64\rundll32.exe (depth 2)
Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\e9965bd5de99ff82cf91603d126fa6a5_JaffaCakes118.dll,#1
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4468 -
C:\WINDOWS\mssecsvc.exe (depth 3)
Command line: C:\WINDOWS\mssecsvc.exe
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:4676 -
C:\WINDOWS\tasksche.exe (depth 4)
Command line: C:\WINDOWS\tasksche.exe /i
- Executes dropped EXE
PID:1016
C:\WINDOWS\mssecsvc.exe (depth 1)
Command line: C:\WINDOWS\mssecsvc.exe -m security
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
PID:2248
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 3.6MB
  MD5: d9202038c45f98fd99e025c07dcdff94
  SHA1: d657274387578a54ca74507ec7a6528468426419
  SHA256: 5a71f2e86b516c3ea15a1fecd56c0883f0969abd3f8867f8f7b88a9a177f5a43
  SHA512: fe17e73e39797cb277a3c421a97668b20d698788b49a07b1c87d3741f1c6a0748487c1ddbea06db39eec027b37069dc51e7ab60eb2e746ca7c36975817b65388
- Filesize: 3.4MB
  MD5: c1cac710562620c5ed1b2784518fdf1f
  SHA1: 3ef49cab7c4561f95496650f3aa24619749879cc
  SHA256: 3086a44e93c777fbf952e57884fcc00be4a043ee9aea8fdd6ddf1410e8115d1d
  SHA512: ae6ee4ed5916910a2a192f92716cddcfe1615da80691bb49608496037e3df264b14ff0daf0c6745ba41cb05d19d833811fd0357a0f46afbea2467ac62b078e36