Analysis
max time kernel: 150s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 20-09-2024 03:31
Static task: static1
Behavioral task: behavioral1
Sample: ecc23cb522f9026997a28c38f5c80d41_JaffaCakes118.dll
Resource: win7-20240708-en
Behavioral task: behavioral2
Sample: ecc23cb522f9026997a28c38f5c80d41_JaffaCakes118.dll
Resource: win10v2004-20240802-en
General
Target: ecc23cb522f9026997a28c38f5c80d41_JaffaCakes118.dll
Size: 5.0MB
MD5: ecc23cb522f9026997a28c38f5c80d41
SHA1: 8db667c16f8309062c91bbf753485bd92c13bf9f
SHA256: 7b3e9d0edb86278d2fd623f6e531ace6bef63d6fe89784b058968fe630846d62
SHA512: 176ac23a8402c686ca48da5e19c6e53d6ff37b394a8c7cea0b7d8c0a04220989d7d70c080c875aa8bec6606c7933af84025e9c2b3ad3e85a48216d33b7eb8eb0
SSDEEP: 49152:znAQqMSPbcBVQej/1INRx+TSqTdX1HkQo6SAARdhnvxJM0H9PAMEcaEa:TDqPoBhz1aRxcSUDk36SAEdhvxWa9P5
Malware Config
Signatures

Wannacry
WannaCry is a ransomware cryptoworm.

Contacts a large (3293) number of remote hosts (1 TTPs)
This may indicate a network scan to discover remotely running services.

Executes dropped EXE (3 IoCs)
pid    Process
4716   mssecsvc.exe
1460   mssecsvc.exe
2812   tasksche.exe

Creates a large number of network flows (1 TTPs)
This may indicate a network scan to discover remotely running services.

Drops file in Windows directory (2 IoCs)
description    ioc                        Process
File created   C:\WINDOWS\mssecsvc.exe    rundll32.exe
File created   C:\WINDOWS\tasksche.exe    mssecsvc.exe

System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description   ioc                                                            Process
Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language    rundll32.exe
Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language    mssecsvc.exe
Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language    mssecsvc.exe

Modifies data under HKEY_USERS (5 IoCs)
description       ioc                                                                                                          Process
Set value (int)   \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"   mssecsvc.exe
Set value (int)   \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"      mssecsvc.exe
Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\                      mssecsvc.exe
Set value (int)   \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"     mssecsvc.exe
Set value (int)   \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"    mssecsvc.exe

Suspicious use of WriteProcessMemory (6 IoCs)
description                        pid    Process        procid_target
PID 948 wrote to memory of 2068    948    rundll32.exe   89
PID 948 wrote to memory of 2068    948    rundll32.exe   89
PID 948 wrote to memory of 2068    948    rundll32.exe   89
PID 2068 wrote to memory of 4716   2068   rundll32.exe   90
PID 2068 wrote to memory of 4716   2068   rundll32.exe   90
PID 2068 wrote to memory of 4716   2068   rundll32.exe   90
Processes

C:\Windows\system32\rundll32.exe
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\ecc23cb522f9026997a28c38f5c80d41_JaffaCakes118.dll,#1
  - Suspicious use of WriteProcessMemory
  PID:948
    C:\Windows\SysWOW64\rundll32.exe
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\ecc23cb522f9026997a28c38f5c80d41_JaffaCakes118.dll,#1
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2068
      C:\WINDOWS\mssecsvc.exe
      command line: C:\WINDOWS\mssecsvc.exe
      - Executes dropped EXE
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      PID:4716
        C:\WINDOWS\tasksche.exe
        command line: C:\WINDOWS\tasksche.exe /i
        - Executes dropped EXE
        PID:2812

C:\WINDOWS\mssecsvc.exe
  command line: C:\WINDOWS\mssecsvc.exe -m security
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
  PID:1460

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4108,i,9445584274764997943,12714240264001792460,262144 --variations-seed-version --mojo-platform-channel-handle=4020 /prefetch:8
  PID:4416
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 3.6MB
MD5: c41c7f9d97033d5612ce664b86575aa3
SHA1: c9d9ccb26bec57c1dfff351b11cde35f2bda36d0
SHA256: d097205785d6c4265ce7c4ddaeac8848fb38f7cd4405a78607b5b5bb2d539977
SHA512: aa04a632e25f9750a642539298cfdc9fbc94213d8f42b03ac8721c0591933dd86df70de4b64ddaa2d75fbbe2766883928c0682b33d17742a7d0ed395a7aff60a

Filesize: 3.4MB
MD5: 0d53824fa26efe3041766fdff84317e4
SHA1: d297b1dcb7cbb758f04677e8bb524b0d82b58887
SHA256: af6a1b83122f7299a303583cebadbd223e9474833496a0d37818f4049116a3de
SHA512: 1bd665a1d36dc69af7b1628a397a405574bb3d9b3671173168cabca253d6370e6774a5262a3cab0e663e8bda753bd8a00c20b66ace79017a1ff39dd0e9fb2a2a