Analysis
max time kernel: 150s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 22-09-2024 01:05
Static task: static1
Behavioral task: behavioral1
  Sample: f0fa71254202486a4d3fbf5085a93be8_JaffaCakes118.dll
  Resource: win7-20240704-en
Behavioral task: behavioral2
  Sample: f0fa71254202486a4d3fbf5085a93be8_JaffaCakes118.dll
  Resource: win10v2004-20240802-en
General
Target: f0fa71254202486a4d3fbf5085a93be8_JaffaCakes118.dll
Size: 5.0MB
MD5: f0fa71254202486a4d3fbf5085a93be8
SHA1: 66607b832d867c09c86e001ccc99c560d3a2e817
SHA256: 69f8b23f36c5fa8f8f67d17af01709292e0c29bd49c3c018b2410d869aa7fd5e
SHA512: fc42144a4b847225e9fb8559f325c49fbf92607c485a148163f8b1612dd2c16e8a1ad92c062d2d31861e3a9b953755d6cb45140203b102b79bdc3f404b244f37
SSDEEP: 24576:SbLgddQhfdmMSirYbcMNgef0QeQjG/D8kIqRYoAdNLKz6626M+vbOSSqTPV:SnAQqMSPbcBVQej/1INRx+TSqTd
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.
- Contacts a large (3190) amount of remote hosts (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Executes dropped EXE (3 IoCs)
  pid   Process
  4744  mssecsvc.exe
  4604  mssecsvc.exe
  1388  tasksche.exe
- Creates a large amount of network flows (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Drops file in Windows directory (2 IoCs)
  description   ioc                      Process
  File created  C:\WINDOWS\mssecsvc.exe  rundll32.exe
  File created  C:\WINDOWS\tasksche.exe  mssecsvc.exe
- System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                          Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  rundll32.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  mssecsvc.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  mssecsvc.exe
- Modifies data under HKEY_USERS (5 IoCs)
  description      ioc                                                                                                     Process
  Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\            mssecsvc.exe
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"    mssecsvc.exe
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"   mssecsvc.exe
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"  mssecsvc.exe
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"     mssecsvc.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  description                       pid   Process       procid_target
  PID 3968 wrote to memory of 3064  3968  rundll32.exe  89
  PID 3968 wrote to memory of 3064  3968  rundll32.exe  89
  PID 3968 wrote to memory of 3064  3968  rundll32.exe  89
  PID 3064 wrote to memory of 4744  3064  rundll32.exe  90
  PID 3064 wrote to memory of 4744  3064  rundll32.exe  90
  PID 3064 wrote to memory of 4744  3064  rundll32.exe  90
Processes
C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\f0fa71254202486a4d3fbf5085a93be8_JaffaCakes118.dll,#1
  PID: 3968
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\f0fa71254202486a4d3fbf5085a93be8_JaffaCakes118.dll,#1
    PID: 3064
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    C:\WINDOWS\mssecsvc.exe
      Command line: C:\WINDOWS\mssecsvc.exe
      PID: 4744
      - Executes dropped EXE
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      C:\WINDOWS\tasksche.exe
        Command line: C:\WINDOWS\tasksche.exe /i
        PID: 1388
        - Executes dropped EXE
C:\WINDOWS\mssecsvc.exe
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  PID: 4604
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=3768,i,15336851255456239337,16379811035920490645,262144 --variations-seed-version --mojo-platform-channel-handle=4012 /prefetch:8
  PID: 2880
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 3.6MB
  MD5: 227456eb9bea44c4c3db307bf8dd4b0d
  SHA1: 02a2db460828ffc5677ec6b1b9634b4601852cdb
  SHA256: b583df88836c30588583d167fd72da896706ff725c07a1ee7243b33a04474e55
  SHA512: 038ae686871ddb835fb34afa49853dfb092b3845f7a47fe3f58b532118cab65bc38ad4f73595e119c7fa75bfa5d3bdcb4a59ebb13a06a66fdbdd7c1e9e1d97da
- Filesize: 3.4MB
  MD5: 98cd60a861aec71fd3207002df70ca53
  SHA1: b2b4b10a286cc7b482dbb39fad72dd7a8422a45a
  SHA256: 9e99c7816bdd4af43590c251536825d1aba3f2dfe165484fa65440364db0d8b7
  SHA512: 95b97f7f72502127583b86a14508a9968cf4d41e7a89473928ee5c1847ea8efd74cff261ef2ef06ae84293d36e2644eb579fa8f960a8fe3cfedf105268684e3e