Analysis

max time kernel: 150s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 18-09-2024 19:14
Static task: static1

Behavioral task: behavioral1
  Sample: e9ce08afa289a2c8af4a638a753c6507_JaffaCakes118.dll
  Resource: win7-20240903-en

Behavioral task: behavioral2
  Sample: e9ce08afa289a2c8af4a638a753c6507_JaffaCakes118.dll
  Resource: win10v2004-20240802-en
General

Target: e9ce08afa289a2c8af4a638a753c6507_JaffaCakes118.dll
Size: 5.0MB
MD5: e9ce08afa289a2c8af4a638a753c6507
SHA1: 90bc012dfa05a751a6889d62f6ade512583bcfda
SHA256: 4e8eb80f86bae675ffb9249bf51adb34560917eb176558f365ed6bf178a07da1
SHA512: 83dff55ce1b77db6b51559a2cca8ac43126d6275dfa1b6ad69aeebc458842b633249ab1734c49e2d2ea6d7be550ddc7bc39c5b3f08f698b9c088f40aa6111a19
SSDEEP: 24576:SbLgddQhfdmMSirYbcMNgef0QeQjG/D8kIqRYSR+7H:SnAQqMSPbcBVQej/1/R+
Malware Config
Signatures
Wannacry
WannaCry is a ransomware cryptoworm.

Contacts a large number (3225) of remote hosts (1 TTP)
This may indicate a network scan to discover remotely running services; for a cryptoworm such as WannaCry it is consistent with the sample probing for further hosts to spread to.

Executes dropped EXE (3 IoCs)

  pid   Process
  1164  mssecsvc.exe
  3328  mssecsvc.exe
  1440  tasksche.exe
Creates a large number of network flows (1 TTP)
This may indicate a network scan to discover remotely running services.

Drops file in Windows directory (2 IoCs)

  description   ioc                       Process
  File created  C:\WINDOWS\mssecsvc.exe   rundll32.exe
  File created  C:\WINDOWS\tasksche.exe   mssecsvc.exe

System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  description  ioc                                                           Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   rundll32.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   mssecsvc.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   mssecsvc.exe

Modifies data under HKEY_USERS (5 IoCs)

  description      ioc                                                                                                                   Process
  Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\                         mssecsvc.exe
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"        mssecsvc.exe
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"       mssecsvc.exe
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"      mssecsvc.exe
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"         mssecsvc.exe

Caveat: these ZoneMap values under the .DEFAULT hive are commonly written when a process running as the system account initialises WinINet, so on their own they are a low-confidence indicator; the dropped executables and the rundll32.exe spawn chain below are the stronger evidence in this report.

Suspicious use of WriteProcessMemory (6 IoCs)

  description                        pid   Process       procid_target
  PID 1188 wrote to memory of 2552   1188  rundll32.exe  82
  PID 1188 wrote to memory of 2552   1188  rundll32.exe  82
  PID 1188 wrote to memory of 2552   1188  rundll32.exe  82
  PID 2552 wrote to memory of 1164   2552  rundll32.exe  83
  PID 2552 wrote to memory of 1164   2552  rundll32.exe  83
  PID 2552 wrote to memory of 1164   2552  rundll32.exe  83

Caveat: parent-to-child memory writes at process creation trigger this signature on most samples. Here it documents the spawn chain rundll32.exe (1188) -> rundll32.exe (2552) -> mssecsvc.exe (1164) rather than injection into an unrelated process.
Processes

C:\Windows\system32\rundll32.exe
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\e9ce08afa289a2c8af4a638a753c6507_JaffaCakes118.dll,#1
  PID: 1188
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\rundll32.exe
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\e9ce08afa289a2c8af4a638a753c6507_JaffaCakes118.dll,#1
    PID: 2552
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    C:\WINDOWS\mssecsvc.exe
      command line: C:\WINDOWS\mssecsvc.exe
      PID: 1164
      - Executes dropped EXE
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery

      C:\WINDOWS\tasksche.exe
        command line: C:\WINDOWS\tasksche.exe /i
        PID: 1440
        - Executes dropped EXE

C:\WINDOWS\mssecsvc.exe
  command line: C:\WINDOWS\mssecsvc.exe -m security
  PID: 3328
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS

Reading the tree: the trailing ,#1 on the rundll32.exe command line asks rundll32 to call the DLL export at ordinal 1. The 64-bit C:\Windows\system32\rundll32.exe (PID 1188) re-launches the DLL through the 32-bit C:\Windows\SysWOW64\rundll32.exe (PID 2552), which is the normal behaviour when a 32-bit DLL is passed to rundll32 on x64 Windows (the resource tags list both arch:x64 and arch:x86); the payload therefore runs in PID 2552 and its descendants. The second mssecsvc.exe instance (PID 3328, started with -m security) has no parent in this tree, which is consistent with it being started as a service rather than by the rundll32 chain.
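As an added example (not part of the sandbox report and not the sandbox's own signature engine), the Python below replays the behavioural signatures listed above over a constructed event stream modelled on the report's process tree, file drops and registry activity. The event schema (type/pid/ppid/image/cmdline/path/key/value), the parent PIDs of the first rundll32.exe and of the service-started mssecsvc.exe, and all function names are this example's assumptions; PIDs, paths and registry keys are taken from the report.

```python
"""Replay the report's behavioural signatures over constructed Sysmon-style
events (added example; not the sandbox's code or raw output)."""
import ntpath
from collections import defaultdict

DLL = r"C:\Users\Admin\AppData\Local\Temp\e9ce08afa289a2c8af4a638a753c6507_JaffaCakes118.dll"
ZONEMAP = r"\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap"
NLS_LANG = r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language"

# Constructed events modelled on the report. Field names are this example's own,
# not the sandbox's schema; ppid 900 and 700 are assumed (the report does not give them).
EVENTS = [
    {"type": "process", "pid": 1188, "ppid": 900, "image": r"C:\Windows\system32\rundll32.exe", "cmdline": f"rundll32.exe {DLL},#1"},
    {"type": "process", "pid": 2552, "ppid": 1188, "image": r"C:\Windows\SysWOW64\rundll32.exe", "cmdline": f"rundll32.exe {DLL},#1"},
    {"type": "regopen", "pid": 2552, "key": NLS_LANG},
    {"type": "file", "pid": 2552, "path": r"C:\WINDOWS\mssecsvc.exe"},
    {"type": "process", "pid": 1164, "ppid": 2552, "image": r"C:\WINDOWS\mssecsvc.exe", "cmdline": r"C:\WINDOWS\mssecsvc.exe"},
    {"type": "regopen", "pid": 1164, "key": NLS_LANG},
    {"type": "file", "pid": 1164, "path": r"C:\WINDOWS\tasksche.exe"},
    {"type": "process", "pid": 1440, "ppid": 1164, "image": r"C:\WINDOWS\tasksche.exe", "cmdline": r"C:\WINDOWS\tasksche.exe /i"},
    # Second mssecsvc.exe instance, started as a service with "-m security".
    {"type": "process", "pid": 3328, "ppid": 700, "image": r"C:\WINDOWS\mssecsvc.exe", "cmdline": r"C:\WINDOWS\mssecsvc.exe -m security"},
    {"type": "regopen", "pid": 3328, "key": NLS_LANG},
    {"type": "regset", "pid": 3328, "key": ZONEMAP + r"\ProxyBypass", "value": 1},
    {"type": "regset", "pid": 3328, "key": ZONEMAP + r"\IntranetName", "value": 1},
    {"type": "regset", "pid": 3328, "key": ZONEMAP + r"\UNCAsIntranet", "value": 1},
    {"type": "regset", "pid": 3328, "key": ZONEMAP + r"\AutoDetect", "value": 0},
]


def norm(p):
    """Windows paths and registry keys are case-insensitive; compare lower-cased."""
    return p.lower()


def executes_dropped_exe(events):
    """'Executes dropped EXE': a file created earlier in the stream later becomes
    the image of a new process. Returns (dropper_pid, image, new_pid) triples."""
    dropped = {}  # normalised path -> pid that first created it
    hits = []
    for ev in events:  # stream order matters: the drop must precede the execution
        if ev["type"] == "file":
            dropped.setdefault(norm(ev["path"]), ev["pid"])
        elif ev["type"] == "process" and norm(ev["image"]) in dropped:
            hits.append((dropped[norm(ev["image"])], ev["image"], ev["pid"]))
    return hits


def drops_in_windows_dir(events, windir=r"c:\windows"):
    """'Drops file in Windows directory': files created directly under %WINDIR%."""
    return [(ev["pid"], ev["path"]) for ev in events
            if ev["type"] == "file" and norm(ntpath.dirname(ev["path"])) == windir]


def language_discovery(events):
    """'System Language Discovery': pids that opened the NLS\\Language key."""
    return sorted({ev["pid"] for ev in events
                   if ev["type"] == "regopen" and norm(ev["key"]) == norm(NLS_LANG)})


def zonemap_tampering(events):
    """'Modifies data under HKEY_USERS': one pid writes all four ZoneMap values
    the report shows (ProxyBypass=1, IntranetName=1, UNCAsIntranet=1, AutoDetect=0)."""
    wanted = {"proxybypass": 1, "intranetname": 1, "uncasintranet": 1, "autodetect": 0}
    seen = defaultdict(dict)
    for ev in events:
        if ev["type"] == "regset" and norm(ev["key"]).startswith(norm(ZONEMAP) + "\\"):
            seen[ev["pid"]][ntpath.basename(norm(ev["key"]))] = ev["value"]
    return sorted(pid for pid, vals in seen.items()
                  if all(vals.get(k) == v for k, v in wanted.items()))


def ancestry(events, pid):
    """Walk ppid links back to the root; returns image basenames, root first."""
    procs = {ev["pid"]: ev for ev in events if ev["type"] == "process"}
    chain = []
    while pid in procs:
        chain.append(ntpath.basename(procs[pid]["image"]))
        pid = procs[pid]["ppid"]
    return list(reversed(chain))


def run_signatures(events):
    return {
        "Executes dropped EXE": executes_dropped_exe(events),
        "Drops file in Windows directory": drops_in_windows_dir(events),
        "System Location Discovery": language_discovery(events),
        "Modifies data under HKEY_USERS": zonemap_tampering(events),
    }


if __name__ == "__main__":
    for name, hits in run_signatures(EVENTS).items():
        print(f"{name}: {hits}")
    print("tasksche.exe ancestry:", " -> ".join(ancestry(EVENTS, 1440)))
```

Run stand-alone it reproduces the report's counts (3 dropped-EXE executions, 2 Windows-directory drops, 3 language-key opens, 1 ZoneMap writer) and prints the rundll32.exe -> rundll32.exe -> mssecsvc.exe -> tasksche.exe chain. The drop-then-execute rule keys on stream order and on a case-insensitive path match, which is what stops a pre-existing C:\WINDOWS binary from being reported as "dropped".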
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 3.6MB
MD5: 31c997c17202d1aeec62329cb90dd00d
SHA1: ac78f7c6f6c600f5890d7dcbf51c40b775ab4814
SHA256: 7bc947804a598b209e546c08afa29d8e82448fdacf4c6d147ce721c7b764181c
SHA512: 297351bf5f3f746d177c96582f1c856ed38410cdb4dd22d0cb5859d45ddfec7818d46885c12b41b9301a50c9a1d2532f5b3483a088050c0aafe96dad1d5df49f

Filesize: 3.4MB
MD5: 8d2b38e8eeafe269d053c8fd41bd5fb3
SHA1: 09f485dd337bc79d22c211508170f4b8fec35086
SHA256: 47515da81eea0f2f7c0c2f54f5cab028cb00c1b3e7b7ab8333fea3e16f0de904
SHA512: 3c97dacb8aa6d5180840a8820127a4b6d67ae5376404ed878c61c7dae27757100d3d55c226739a15b04402cf156d88ebe9406798c5f2a3d0f8e637de43c4dfc6