Analysis
-
max time kernel
150s
-
max time network
153s
-
platform
windows10-2004_x64
-
resource
win10v2004-20240802-en
-
resource tags
arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
-
submitted
20-09-2024 05:57
Static task
static1
Behavioral task
behavioral1
Sample
ecf874f3dec4b878c266f1f79c6b782f_JaffaCakes118.dll
Resource
win7-20240729-en
Behavioral task
behavioral2
Sample
ecf874f3dec4b878c266f1f79c6b782f_JaffaCakes118.dll
Resource
win10v2004-20240802-en
General
-
Target
ecf874f3dec4b878c266f1f79c6b782f_JaffaCakes118.dll
-
Size
5.0MB
-
MD5
ecf874f3dec4b878c266f1f79c6b782f
-
SHA1
83e08e4e744a3021701498829a6a6d16cdecaf91
-
SHA256
336122b459686f4dbb10d860c4224d7aea6161d4de9b94cad5a43793f44a5774
-
SHA512
99c1ac60af920f89b12a6d72e03b2bb688ebe2cfbb1f838103e4951afef58dc433cdc0f34d8e349c0e91e0e4fc066cac20cbe4bcd9ee5dc4610b0ef69cc043eb
-
SSDEEP
98304:+DqPoBhz1aRxcSUDkEQv9Snm1tnr7I593R8yAVp2H:+DqPe1CxcxkEQv9Snm1tnr7IzR8yc4H
Malware Config
Signatures
-
Wannacry
WannaCry is a ransomware cryptoworm.
-
Contacts a large (3150) amount of remote hosts (1 TTPs)
This may indicate a network scan to discover remotely running services.
-
Executes dropped EXE (3 IoCs)
pid   Process
4568  mssecsvc.exe
2728  mssecsvc.exe
4536  tasksche.exe
-
Creates a large amount of network flows (1 TTPs)
This may indicate a network scan to discover remotely running services.
-
Drops file in Windows directory (2 IoCs)
description   ioc                      Process
File created  C:\WINDOWS\tasksche.exe  mssecsvc.exe
File created  C:\WINDOWS\mssecsvc.exe  rundll32.exe
-
System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description  ioc                                                           Process
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  rundll32.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  mssecsvc.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  mssecsvc.exe
-
Modifies data under HKEY_USERS (5 IoCs)
description      ioc                                                                                                    Process
Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\           mssecsvc.exe
Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"    mssecsvc.exe
Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"   mssecsvc.exe
Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"  mssecsvc.exe
Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"     mssecsvc.exe
-
Suspicious use of WriteProcessMemory (6 IoCs)
description                      pid   Process       procid_target
PID 4676 wrote to memory of 2136  4676  rundll32.exe  82
PID 4676 wrote to memory of 2136  4676  rundll32.exe  82
PID 4676 wrote to memory of 2136  4676  rundll32.exe  82
PID 2136 wrote to memory of 4568  2136  rundll32.exe  83
PID 2136 wrote to memory of 4568  2136  rundll32.exe  83
PID 2136 wrote to memory of 4568  2136  rundll32.exe  83
Processes
-
C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\ecf874f3dec4b878c266f1f79c6b782f_JaffaCakes118.dll,#1
  - Suspicious use of WriteProcessMemory
  PID:4676
    C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\ecf874f3dec4b878c266f1f79c6b782f_JaffaCakes118.dll,#1
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID:2136
        C:\WINDOWS\mssecsvc.exe
          C:\WINDOWS\mssecsvc.exe
          - Executes dropped EXE
          - Drops file in Windows directory
          - System Location Discovery: System Language Discovery
          PID:4568
            C:\WINDOWS\tasksche.exe
              C:\WINDOWS\tasksche.exe /i
              - Executes dropped EXE
              PID:4536
-
C:\WINDOWS\mssecsvc.exe
  C:\WINDOWS\mssecsvc.exe -m security
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
  PID:2728
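The process tree and IoC tables above describe a behaviour chain (rundll32 loading the DLL, mssecsvc.exe written to C:\WINDOWS and executed, tasksche.exe /i dropped by it, a second mssecsvc.exe instance launched with -m security, and ZoneMap values rewritten under HKU\.DEFAULT) that is more robust to hunt for than the file hashes. The following Python detector is an added example, not part of the sandbox report or its vendor's code. It runs over endpoint telemetry in a constructed, simplified dictionary format; the pids, image paths, command lines and registry values are copied from the report, while the parent pids of the two tree roots (1000 and 700) and the two benign contrast events are assumptions added for illustration.

```python
"""Added example (not from the sandbox report or its vendor): flag the WannaCry
dropper chain recorded in the report from endpoint process/file/registry events.

Event dictionaries are a constructed, simplified telemetry shape. Pids, image
paths, command lines and registry values come from the report; the parent pids
of the two tree roots and the benign contrast events are assumptions.
"""
import ntpath

DLL = r"C:\Users\Admin\AppData\Local\Temp\ecf874f3dec4b878c266f1f79c6b782f_JaffaCakes118.dll"
ZONEMAP = r"\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap"

SAMPLE_EVENTS = [  # constructed sample telemetry
    {"type": "process", "pid": 4676, "ppid": 1000,              # ppid assumed
     "image": r"C:\Windows\system32\rundll32.exe", "cmdline": "rundll32.exe " + DLL + ",#1"},
    {"type": "process", "pid": 2136, "ppid": 4676,
     "image": r"C:\Windows\SysWOW64\rundll32.exe", "cmdline": "rundll32.exe " + DLL + ",#1"},
    {"type": "file", "pid": 2136, "path": r"C:\WINDOWS\mssecsvc.exe"},
    {"type": "process", "pid": 4568, "ppid": 2136,
     "image": r"C:\WINDOWS\mssecsvc.exe", "cmdline": r"C:\WINDOWS\mssecsvc.exe"},
    {"type": "file", "pid": 4568, "path": r"C:\WINDOWS\tasksche.exe"},
    {"type": "process", "pid": 4536, "ppid": 4568,
     "image": r"C:\WINDOWS\tasksche.exe", "cmdline": r"C:\WINDOWS\tasksche.exe /i"},
    {"type": "process", "pid": 2728, "ppid": 700,               # ppid assumed
     "image": r"C:\WINDOWS\mssecsvc.exe", "cmdline": r"C:\WINDOWS\mssecsvc.exe -m security"},
    {"type": "registry", "pid": 2728, "key": ZONEMAP + r"\ProxyBypass", "value": 1},
    {"type": "registry", "pid": 2728, "key": ZONEMAP + r"\AutoDetect", "value": 0},
    # Benign contrast events (assumed): an ordinary rundll32 launch and services.exe.
    {"type": "process", "pid": 900, "ppid": 1000,
     "image": r"C:\Windows\system32\rundll32.exe", "cmdline": "rundll32.exe shell32.dll,Control_RunDLL"},
    {"type": "process", "pid": 700, "ppid": 4,
     "image": r"C:\Windows\system32\services.exe", "cmdline": "services.exe"},
]

WINDOWS_ROOT = r"c:\windows"                   # the report drops into C:\WINDOWS itself
DROPPED_NAMES = {"mssecsvc.exe", "tasksche.exe"}


def _basename(path):
    return ntpath.basename(path).lower()


def _in_windows_root(path):
    """True only for files directly under C:\\WINDOWS, not in System32/SysWOW64."""
    return ntpath.dirname(path).lower() == WINDOWS_ROOT


def detect_wannacry_chain(events):
    """Return the sorted list of finding names matched by the telemetry."""
    procs = {e["pid"]: e for e in events if e["type"] == "process"}
    # Files written during the trace, keyed by lowercased path; a name match
    # alone is not enough, the binary must have been dropped in this trace.
    dropped = {e["path"].lower() for e in events if e["type"] == "file"}
    findings = set()
    for e in procs.values():
        name = _basename(e["image"])
        argv = e["cmdline"].split()
        parent = procs.get(e["ppid"])
        # 1. Known dropper name, executed from C:\WINDOWS, written earlier in the trace.
        if name in DROPPED_NAMES and _in_windows_root(e["image"]) and e["image"].lower() in dropped:
            findings.add("dropped_exe_executed:" + name)
        # 2. rundll32.exe -> mssecsvc.exe -> tasksche.exe /i ancestry.
        if name == "tasksche.exe" and "/i" in argv[1:] and parent \
                and _basename(parent["image"]) == "mssecsvc.exe":
            grandparent = procs.get(parent["ppid"])
            if grandparent and _basename(grandparent["image"]) == "rundll32.exe":
                findings.add("rundll32_mssecsvc_tasksche_chain")
        # 3. Second mssecsvc.exe instance started with "-m security".
        if name == "mssecsvc.exe" and argv[1:3] == ["-m", "security"]:
            findings.add("mssecsvc_m_security_relaunch")
    # 4. ZoneMap values under HKU\.DEFAULT changed by one of the dropped binaries.
    for e in events:
        if e["type"] == "registry" and e["key"].lower().startswith(ZONEMAP.lower()):
            writer = procs.get(e["pid"])
            if writer and _basename(writer["image"]) in DROPPED_NAMES:
                findings.add("zonemap_modified_by_dropped_exe")
    return sorted(findings)


if __name__ == "__main__":
    for finding in detect_wannacry_chain(SAMPLE_EVENTS):
        print(finding)
```

Rules 1 and 4 require the binary to have been written during the trace, so a same-named file that was already present in C:\WINDOWS does not match on name alone. The NLS\Language registry read and the 3150-host contact count from the report are deliberately left out: a single read of that key is far too common to alert on, and the host count needs flow telemetry, which these constructed events do not carry.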
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
3.6MB
MD5
a39bbd5df277ccaa4c4b3313ab521ae3
SHA1
a7216aa454b203cd0cf6ce7c9da276db19a12583
SHA256
d451244d05dd302813b76f0296242280f4afc241e6dfa511a86ee63ad834585b
SHA512
b074b4a46caa7cdcd67dfbe7d92daa201f562fa48f2de13716c3412be180301986a539573487fdae55f9b6143e907fbe5f701dc48aa4dd7aaa72493c947aa1df
-
Filesize
3.4MB
MD5
e365fbb7d6c0fa05bdf10470e1c50aca
SHA1
3f983ab41dc8631112ffe0e7e4532c301372d6d3
SHA256
64c098ded3d1dd72a78541f7b7228f2f051b4be9a5bb6d4a8fbce37a2ed37e1c
SHA512
8554a6373d1d3fcc16999370e6352478cf6fd1138726985c5fc24b9bf7a3be621353ded90f8e369bf44c241a7fba7bfdc8c7fe3ddaff3de98865f62cab84d6f1