Analysis
Max time kernel: 150s
Max time network: 151s
Platform: windows10-2004_x64
Resource: win10v2004-20240802-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 22-09-2024 09:17
Static task: static1
Behavioral task: behavioral1
  Sample: f1b8e2c637bf140bc2e3ea4197f37a57_JaffaCakes118.dll
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: f1b8e2c637bf140bc2e3ea4197f37a57_JaffaCakes118.dll
  Resource: win10v2004-20240802-en
General
Target: f1b8e2c637bf140bc2e3ea4197f37a57_JaffaCakes118.dll
Size: 5.0MB
MD5: f1b8e2c637bf140bc2e3ea4197f37a57
SHA1: f4f5227520d3744002abc6f91123dba1d4086074
SHA256: 7ebf8807ab9516bdab7a68ce3fb619ea35d3d3286568003e606aeb8193b87137
SHA512: 78ca472fda2a4a253f67357177a9fc6b2679131f9d8716f440878bfc799c753fdfeb658089eb4d8627ab4e8d78349cde21c248c2eecc19b1a853fd554a57c851
SSDEEP: 98304:TDqPoBORxcSUg6SAEdhvxWa9P593R8yAVp2H:TDqPlxcuZAEUadzR8yc4H
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.
- Contacts a large (3310) number of remote hosts (1 TTP)
  This may indicate a network scan to discover remotely running services.
- Executes dropped EXE (3 IoCs)
  PID   Process
  3160  mssecsvc.exe
  3360  mssecsvc.exe
  2060  tasksche.exe
- Creates a large number of network flows (1 TTP)
  This may indicate a network scan to discover remotely running services.
- Drops file in Windows directory (2 IoCs)
  Description   IoC                       Process
  File created  C:\WINDOWS\mssecsvc.exe   rundll32.exe
  File created  C:\WINDOWS\tasksche.exe   mssecsvc.exe
- System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Description  IoC                                                          Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  rundll32.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  mssecsvc.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  mssecsvc.exe
- Modifies data under HKEY_USERS (5 IoCs)
  Description      IoC                                                                                                            Process
  Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\                    mssecsvc.exe
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"    mssecsvc.exe
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"   mssecsvc.exe
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"  mssecsvc.exe
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"     mssecsvc.exe
  These values land under .DEFAULT because mssecsvc.exe runs as a service. Benign software that initialises WinINet from a service context writes the same ZoneMap values, so this signature corroborates the other indicators rather than identifying the infection on its own.
- Suspicious use of WriteProcessMemory (6 IoCs)
  Description                       PID   Process       procid_target
  PID 4680 wrote to memory of 3808  4680  rundll32.exe  82
  PID 4680 wrote to memory of 3808  4680  rundll32.exe  82
  PID 4680 wrote to memory of 3808  4680  rundll32.exe  82
  PID 3808 wrote to memory of 3160  3808  rundll32.exe  83
  PID 3808 wrote to memory of 3160  3808  rundll32.exe  83
  PID 3808 wrote to memory of 3160  3808  rundll32.exe  83
Processes
1: C:\Windows\system32\rundll32.exe
   Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\f1b8e2c637bf140bc2e3ea4197f37a57_JaffaCakes118.dll,#1
   PID: 4680
   - Suspicious use of WriteProcessMemory
  2: C:\Windows\SysWOW64\rundll32.exe
     Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\f1b8e2c637bf140bc2e3ea4197f37a57_JaffaCakes118.dll,#1
     PID: 3808
     - Drops file in Windows directory
     - System Location Discovery: System Language Discovery
     - Suspicious use of WriteProcessMemory
    3: C:\WINDOWS\mssecsvc.exe
       Command line: C:\WINDOWS\mssecsvc.exe
       PID: 3160
       - Executes dropped EXE
       - Drops file in Windows directory
       - System Location Discovery: System Language Discovery
      4: C:\WINDOWS\tasksche.exe
         Command line: C:\WINDOWS\tasksche.exe /i
         PID: 2060
         - Executes dropped EXE
1: C:\WINDOWS\mssecsvc.exe
   Command line: C:\WINDOWS\mssecsvc.exe -m security
   PID: 3360
   - Executes dropped EXE
   - System Location Discovery: System Language Discovery
   - Modifies data under HKEY_USERS
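The signatures and process tree above can be turned into a hunt over endpoint telemetry. The following Python is an added example, not part of the Triage report: it checks constructed event records for the two dropped executables, the ZoneMap writes under .DEFAULT, the rundll32.exe -> mssecsvc.exe -> tasksche.exe ancestry, and a single PID contacting an unusually large number of distinct remote hosts. The record layout (type, pid, ppid, image, cmdline, path, key, value, data, dst) is a hypothetical Sysmon-like schema, the parent PIDs 1000 and 600 and the 10.0.0.0/16 targets are made up, and the 100-host scan threshold is an assumption to tune per environment.

```python
"""Hunt for the behaviours the report above attributes to this sample.
Added example: EVENTS is constructed to mirror the report's IoCs using a
hypothetical Sysmon-like record layout; it is not the report's own capture."""
from collections import defaultdict

# Indicators taken from the report's signatures section.
DROPPED_PATHS = {r"c:\windows\mssecsvc.exe", r"c:\windows\tasksche.exe"}
ZONEMAP_KEY = r"HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap"
ZONEMAP_VALUES = {"ProxyBypass": "1", "IntranetName": "1", "UNCAsIntranet": "1", "AutoDetect": "0"}
SCAN_HOST_THRESHOLD = 100  # assumption; the sandbox run observed 3310 distinct hosts
SAMPLE_DLL = r"C:\Users\Admin\AppData\Local\Temp\f1b8e2c637bf140bc2e3ea4197f37a57_JaffaCakes118.dll"


def _proc(pid, ppid, image, cmdline):
    return {"type": "process", "pid": pid, "ppid": ppid, "image": image, "cmdline": cmdline}


# Constructed telemetry: PIDs, images and command lines follow the report's
# process tree; parent PIDs 1000/600 and the scan targets are invented.
EVENTS = [
    _proc(4680, 1000, r"C:\Windows\system32\rundll32.exe", f"rundll32.exe {SAMPLE_DLL},#1"),
    _proc(3808, 4680, r"C:\Windows\SysWOW64\rundll32.exe", f"rundll32.exe {SAMPLE_DLL},#1"),
    {"type": "file", "pid": 3808, "image": r"C:\Windows\SysWOW64\rundll32.exe", "path": r"C:\WINDOWS\mssecsvc.exe"},
    _proc(3160, 3808, r"C:\WINDOWS\mssecsvc.exe", r"C:\WINDOWS\mssecsvc.exe"),
    {"type": "file", "pid": 3160, "image": r"C:\WINDOWS\mssecsvc.exe", "path": r"C:\WINDOWS\tasksche.exe"},
    _proc(2060, 3160, r"C:\WINDOWS\tasksche.exe", r"C:\WINDOWS\tasksche.exe /i"),
    _proc(3360, 600, r"C:\WINDOWS\mssecsvc.exe", r"C:\WINDOWS\mssecsvc.exe -m security"),
    *[{"type": "registry", "pid": 3360, "image": r"C:\WINDOWS\mssecsvc.exe",
       "key": ZONEMAP_KEY, "value": name, "data": data} for name, data in ZONEMAP_VALUES.items()],
    *[{"type": "network", "pid": 3360, "image": r"C:\WINDOWS\mssecsvc.exe",
       "dst": f"10.0.{i // 256}.{i % 256}", "dport": 445} for i in range(3310)],
]


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def find_dropped_executables(events):
    """File-create events for the report's two drop locations, with the writing image."""
    return [(e["path"], basename(e["image"])) for e in events
            if e["type"] == "file" and e["path"].lower() in DROPPED_PATHS]


def find_zonemap_writes(events):
    """ZoneMap values set under the .DEFAULT hive that match the report's data.
    Weak on its own: WinINet initialisation from a service writes the same values."""
    hits = {}
    for e in events:
        if (e["type"] == "registry" and e["key"].lower() == ZONEMAP_KEY.lower()
                and ZONEMAP_VALUES.get(e["value"]) == e["data"]):
            hits[e["value"]] = e["data"]
    return hits


def find_process_chain(events, chain=("rundll32.exe", "mssecsvc.exe", "tasksche.exe")):
    """Return PID tuples (root first) whose ancestry matches `chain` by image name.
    The report's tree is rundll32.exe -> mssecsvc.exe -> tasksche.exe."""
    procs = {e["pid"]: e for e in events if e["type"] == "process"}
    matches = []
    for leaf in procs.values():
        lineage, cur = [], leaf
        for name in reversed(chain):  # walk child -> parent
            if cur is None or basename(cur["image"]) != name:
                lineage = None
                break
            lineage.append(cur["pid"])
            cur = procs.get(cur["ppid"])
        if lineage:
            matches.append(tuple(reversed(lineage)))
    return matches


def find_scanners(events, threshold=SCAN_HOST_THRESHOLD):
    """PIDs that contacted more than `threshold` distinct remote hosts, the
    report's 'contacts a large number of remote hosts' signature."""
    hosts = defaultdict(set)
    for e in events:
        if e["type"] == "network":
            hosts[e["pid"]].add(e["dst"])
    return {pid: len(h) for pid, h in hosts.items() if len(h) > threshold}


if __name__ == "__main__":
    print("dropped:", find_dropped_executables(EVENTS))
    print("zonemap:", find_zonemap_writes(EVENTS))
    print("chain:", find_process_chain(EVENTS))
    print("scanners:", find_scanners(EVENTS))
```

The process-chain check is the strongest of the four: each signature on its own (a file written to C:\WINDOWS, a ZoneMap write, a host sweep) has benign look-alikes, but a tasksche.exe whose parent is mssecsvc.exe whose parent is rundll32.exe reproduces the exact tree the sandbox recorded. The hash values in the General and Downloads sections are better suited to a file-hash lookup than to this behavioural logic, since any rebuild of the dropper changes them.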
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 3.6MB
  MD5: 01e80fa6fb4c35b92c6a17e6e39908b6
  SHA1: d5815951b9f7c96140bf4a7e05d6d68aef47a3a0
  SHA256: 1a56af0858c11269bd6c2e7813ab8547711ee695967c80c828de73f33c79627d
  SHA512: 5d8881a000ec007dcad303eba65e03eaee1605c32dab250fc693101bd83b10011cd41a7f5805ed49c6c2caf817dfd2832c998ab38866db615a449bd3f523cf70
- Filesize: 3.4MB
  MD5: c67370bff1116518ae392fac1e453d62
  SHA1: 74fd8921bef3675520e2d27f22e9c6eeda79c1c1
  SHA256: 24c6141afaf83d86f78a0fb859e61f27f896dc1c527f59ec10252c735ca2cd90
  SHA512: a046fabad30d7cc1b57214c82770fc100c26847eb53ce33e94dcac908191a74c31a0e166d28aba6f1d635a6e615cc7976dc7e4cda0e583f668598cb7e2dc4c56