Analysis
max time kernel: 150s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 22-09-2024 00:39

Static task: static1

Behavioral task: behavioral1
  Sample: f0ef77078d8bc749aa1ad95bcb39809e_JaffaCakes118.dll
  Resource: win7-20240903-en

Behavioral task: behavioral2
  Sample: f0ef77078d8bc749aa1ad95bcb39809e_JaffaCakes118.dll
  Resource: win10v2004-20240802-en
General
Target: f0ef77078d8bc749aa1ad95bcb39809e_JaffaCakes118.dll
Size: 5.0MB
MD5: f0ef77078d8bc749aa1ad95bcb39809e
SHA1: 393352ed47f06ce2f5541dbb3f4cc2be947df68d
SHA256: 52012d343d88ac4aea4f23a56c3e88dc5d49fbb93b09d4122f3669765f83aa81
SHA512: 4c4a55696642f966f7f9cac63840ade7f69b216efdfa5e8111b06d00387cd54bf5e886a3dc08f73d9b0817cf01c69182f79eb276d7e1966e225437821ad1baf0
SSDEEP: 98304:dDqPoBhz1aRxcSUZk36SAEdhvxWa9P59Uc/J:dDqPe1Cxc7k3ZAEUadv
Malware Config

Signatures

Wannacry
  WannaCry is a ransomware cryptoworm.

Contacts a large (3305) amount of remote hosts (1 TTP)
  This may indicate a network scan to discover remotely running services.

Executes dropped EXE (3 IoCs)
  pid   Process
  4588  mssecsvc.exe
  3260  mssecsvc.exe
  2248  tasksche.exe

Creates a large amount of network flows (1 TTP)
  This may indicate a network scan to discover remotely running services.

Drops file in Windows directory (2 IoCs)
  description   ioc                      Process
  File created  C:\WINDOWS\mssecsvc.exe  rundll32.exe
  File created  C:\WINDOWS\tasksche.exe  mssecsvc.exe
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                          Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  rundll32.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  mssecsvc.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  mssecsvc.exe
Modifies data under HKEY_USERS (5 IoCs)
  description      ioc                                                                                                            Process
  Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\                   mssecsvc.exe
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"   mssecsvc.exe
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"  mssecsvc.exe
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" mssecsvc.exe
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"    mssecsvc.exe

Suspicious use of WriteProcessMemory (6 IoCs)
  description                       pid   Process       procid_target
  PID 960 wrote to memory of 3228   960   rundll32.exe  83
  PID 960 wrote to memory of 3228   960   rundll32.exe  83
  PID 960 wrote to memory of 3228   960   rundll32.exe  83
  PID 3228 wrote to memory of 4588  3228  rundll32.exe  84
  PID 3228 wrote to memory of 4588  3228  rundll32.exe  84
  PID 3228 wrote to memory of 4588  3228  rundll32.exe  84
Processes

1. C:\Windows\system32\rundll32.exe
   rundll32.exe C:\Users\Admin\AppData\Local\Temp\f0ef77078d8bc749aa1ad95bcb39809e_JaffaCakes118.dll,#1
   - Suspicious use of WriteProcessMemory
   PID: 960

   2. C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\f0ef77078d8bc749aa1ad95bcb39809e_JaffaCakes118.dll,#1
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID: 3228

      3. C:\WINDOWS\mssecsvc.exe
         C:\WINDOWS\mssecsvc.exe
         - Executes dropped EXE
         - Drops file in Windows directory
         - System Location Discovery: System Language Discovery
         PID: 4588

         4. C:\WINDOWS\tasksche.exe
            C:\WINDOWS\tasksche.exe /i
            - Executes dropped EXE
            PID: 2248

1. C:\WINDOWS\mssecsvc.exe
   C:\WINDOWS\mssecsvc.exe -m security
   - Executes dropped EXE
   - System Location Discovery: System Language Discovery
   - Modifies data under HKEY_USERS
   PID: 3260
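The signatures and process tree above can be turned into host-side checks. The following is an added example, not code from the sandbox or from this report: it replays the reported behaviours (dropped EXE executed, writes into C:\WINDOWS, the ZoneMap values under HKEY_USERS\.DEFAULT, the rundll32 -> mssecsvc.exe -> tasksche.exe /i chain, and a large remote-host fan-out) over constructed event records. The record schema (type, pid, ppid, image, cmd, path, key, value, dst) is an assumed Sysmon-like layout rather than the sandbox's export format, the network events are synthetic because the report gives only the host count (3305) and no flows, and the fan-out threshold is an assumption.

```python
"""Replay the report's behavioural signatures over host telemetry.

Added example, not the sandbox's code. Events are constructed from the
report's process tree, file drops and registry writes; the field names
are an assumed Sysmon-like schema; "net" events are synthetic.
"""
from collections import defaultdict

DLL = r"C:\Users\Admin\AppData\Local\Temp\f0ef77078d8bc749aa1ad95bcb39809e_JaffaCakes118.dll"
ZONEMAP = r"\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap"
WINDIR = "c:\\windows\\"

EVENTS = [
    # Process tree as reported (ppid None where the report shows no parent).
    {"type": "process", "pid": 960, "ppid": None,
     "image": r"C:\Windows\system32\rundll32.exe", "cmd": f"rundll32.exe {DLL},#1"},
    {"type": "process", "pid": 3228, "ppid": 960,
     "image": r"C:\Windows\SysWOW64\rundll32.exe", "cmd": f"rundll32.exe {DLL},#1"},
    {"type": "file", "pid": 3228, "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "path": r"C:\WINDOWS\mssecsvc.exe"},
    {"type": "process", "pid": 4588, "ppid": 3228,
     "image": r"C:\WINDOWS\mssecsvc.exe", "cmd": r"C:\WINDOWS\mssecsvc.exe"},
    {"type": "file", "pid": 4588, "image": r"C:\WINDOWS\mssecsvc.exe",
     "path": r"C:\WINDOWS\tasksche.exe"},
    {"type": "process", "pid": 2248, "ppid": 4588,
     "image": r"C:\WINDOWS\tasksche.exe", "cmd": r"C:\WINDOWS\tasksche.exe /i"},
    {"type": "process", "pid": 3260, "ppid": None,
     "image": r"C:\WINDOWS\mssecsvc.exe", "cmd": r"C:\WINDOWS\mssecsvc.exe -m security"},
] + [
    # The four ZoneMap values the report lists under HKEY_USERS\.DEFAULT.
    {"type": "registry", "pid": 3260, "image": r"C:\WINDOWS\mssecsvc.exe",
     "key": ZONEMAP + "\\" + name, "value": value}
    for name, value in [("ProxyBypass", "1"), ("IntranetName", "1"),
                        ("UNCAsIntranet", "1"), ("AutoDetect", "0")]
] + [
    # Synthetic fan-out: 3305 distinct destinations from one process (constructed).
    {"type": "net", "pid": 4588, "dst": f"10.{i >> 8}.{i & 255}.1"} for i in range(3305)
]


def _by_type(events, kind):
    return [e for e in events if e["type"] == kind]


def dropped_exes_executed(events):
    """'Executes dropped EXE': an image that some process wrote to disk earlier."""
    created = {e["path"].lower() for e in _by_type(events, "file")}
    return sorted({e["image"] for e in _by_type(events, "process")
                   if e["image"].lower() in created})


def drops_in_windows_dir(events):
    """'Drops file in Windows directory': (writer image, path) for files under C:\\WINDOWS."""
    return [(e["image"], e["path"]) for e in _by_type(events, "file")
            if e["path"].lower().startswith(WINDIR)]


def zonemap_tampering(events):
    """'Modifies data under HKEY_USERS': ZoneMap value name -> value written."""
    return {e["key"].rsplit("\\", 1)[1]: e["value"] for e in _by_type(events, "registry")
            if e["key"].lower().startswith(ZONEMAP.lower() + "\\")}


def wannacry_chain(events):
    """Match the tree rundll32 <dll>,#1 -> mssecsvc.exe -> tasksche.exe /i.
    Returns (rundll32 pid, mssecsvc pid, tasksche pid) or None."""
    procs = {e["pid"]: e for e in _by_type(events, "process")}
    for p in procs.values():
        if not p["image"].lower().endswith("tasksche.exe") or "/i" not in p["cmd"].split():
            continue
        parent = procs.get(p["ppid"])
        if not parent or not parent["image"].lower().endswith("mssecsvc.exe"):
            continue
        grand = procs.get(parent["ppid"])
        if grand and grand["image"].lower().endswith("rundll32.exe") \
                and grand["cmd"].rstrip().endswith(",#1"):
            return (grand["pid"], parent["pid"], p["pid"])
    return None


def remote_host_fanout(events, threshold=100):
    """'Contacts a large amount of remote hosts': pid -> distinct destinations.
    The threshold is an assumption for this example; the report counted 3305."""
    hosts = defaultdict(set)
    for e in _by_type(events, "net"):
        hosts[e["pid"]].add(e["dst"])
    return {pid: len(h) for pid, h in hosts.items() if len(h) >= threshold}


def triage(events):
    return {"executes_dropped_exe": dropped_exes_executed(events),
            "drops_in_windows_dir": drops_in_windows_dir(events),
            "zonemap": zonemap_tampering(events),
            "chain": wannacry_chain(events),
            "fanout": remote_host_fanout(events)}


if __name__ == "__main__":
    for name, hit in triage(EVENTS).items():
        print(f"{name}: {hit}")
```

The chain matcher keys on the parent relationships rather than on process names alone, so a lone mssecsvc.exe (such as the second instance started with -m security, whose parent the report does not show) does not by itself satisfy it; the dropped-EXE and ZoneMap checks catch that instance instead. Feed real process-create, file-create, registry-set and network-connect records in the same shape to run the same checks on a host.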
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 3.6MB
MD5: bd63334b0cf37d9960cdaf9d9b906e6e
SHA1: 94d7e008c2c80de47618ff9da673853224367b54
SHA256: 1c2e7c899edffa9b5e49ae17e8bc791210d180811762d27e7fd4fb85b814f650
SHA512: 359acd9acfa62d8081dc06e8d98aded8ab361594a4c74527867e086337de90b00c70e86f36c247988cc673eb8fbbe5d5bf03ce1126f693ec153839f5bb1d5b49

Filesize: 3.4MB
MD5: 25b3f59c1057b7ec22a2df41aa0a22e2
SHA1: c18f662803403c51d6a008c409da62c65a890c77
SHA256: 7d32e4ad2e665920a3aed4e5adca29f40e1ace3c18096533bb4d445bead8d323
SHA512: 09f38478fb77515ffa9d14e98601e2cc9a73bcd110a230690e4e5c094ad6d05319b2a5c52b3cea08805763069f4929d4f0dfd323369164460bd22ade906ba55d