Analysis
max time kernel: 150s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 22-09-2024 08:41
Static task: static1
Behavioral task: behavioral1
  Sample: f1ab4343d91972fc89d6a597b7972c14_JaffaCakes118.dll
  Resource: win7-20240704-en
Behavioral task: behavioral2
  Sample: f1ab4343d91972fc89d6a597b7972c14_JaffaCakes118.dll
  Resource: win10v2004-20240802-en
General
Target: f1ab4343d91972fc89d6a597b7972c14_JaffaCakes118.dll
Size: 5.0MB
MD5: f1ab4343d91972fc89d6a597b7972c14
SHA1: 0eac99c98689df0c6d697255666942847234d50b
SHA256: f738a899a5bc57660de6acbe5120242323d88927b6314b66258058e7bbc6bd37
SHA512: f66b48a39a214295aef1b0a7c49bb62f4986dfd974214623e8f410c394ba3ca36024e1b2cb370e9d8c72150b278c94d576006e3a521d881ef5794b08c2361945
SSDEEP: 98304:+DqPoBhz1aRxcSUDk36SAEdhvxWa9P5sp2H:+DqPe1Cxcxk3ZAEUadS4H
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.
- Contacts a large (3245) amount of remote hosts (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Executes dropped EXE (3 IoCs)
  pid   Process
  3032  mssecsvc.exe
  1884  mssecsvc.exe
  624   tasksche.exe
- Creates a large amount of network flows (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Drops file in Windows directory (2 IoCs)
  description   ioc                       Process
  File created  C:\WINDOWS\mssecsvc.exe   rundll32.exe
  File created  C:\WINDOWS\tasksche.exe   mssecsvc.exe
- System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                              Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language    rundll32.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language    mssecsvc.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language    mssecsvc.exe
- Modifies data under HKEY_USERS (5 IoCs)
  description      ioc                                                                                                        Process
  Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\                mssecsvc.exe
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"    mssecsvc.exe
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"   mssecsvc.exe
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"  mssecsvc.exe
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"     mssecsvc.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  description                      pid   Process       procid_target
  PID 3676 wrote to memory of 740  3676  rundll32.exe  82
  PID 3676 wrote to memory of 740  3676  rundll32.exe  82
  PID 3676 wrote to memory of 740  3676  rundll32.exe  82
  PID 740 wrote to memory of 3032  740   rundll32.exe  83
  PID 740 wrote to memory of 3032  740   rundll32.exe  83
  PID 740 wrote to memory of 3032  740   rundll32.exe  83
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\f1ab4343d91972fc89d6a597b7972c14_JaffaCakes118.dll,#1
  PID: 3676
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\f1ab4343d91972fc89d6a597b7972c14_JaffaCakes118.dll,#1
    PID: 740
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    - C:\WINDOWS\mssecsvc.exe
      Command line: C:\WINDOWS\mssecsvc.exe
      PID: 3032
      - Executes dropped EXE
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - C:\WINDOWS\tasksche.exe
        Command line: C:\WINDOWS\tasksche.exe /i
        PID: 624
        - Executes dropped EXE
- C:\WINDOWS\mssecsvc.exe
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  PID: 1884
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 3.6MB
  MD5: d2ed4595df5b1f5619f90b258eb26fb4
  SHA1: 20277158ab5e88f7dacc3e5a5cb129ed60cb2156
  SHA256: 94d1f118a3fc9638e847598c6638d07bc059bacecaf6610fbdb8326e5350b907
  SHA512: 013bec709ce6edfe5ea7c28731fa57c82cae40eea6b762f6063afa14d517f6cfcfc329350e9ba7f3492f3405a727895c14c8c822d01d7b2d3ec36e7836e91b14
- Filesize: 3.4MB
  MD5: 1bd09d8afb4d0c32bf8834a71d04d373
  SHA1: 21e8a2ac3d06ccfec2eae891671f2a31a58a82c8
  SHA256: 64ce6c1b7a5976832f49e15084041160ae270487695df5bbb0390323303e4ff0
  SHA512: 6c1509046a0660ba8c74e0ea73a9803f3787d0813c2e40140c1c9d524f6bb9822922435731f4804ba4dc7a346b8de8a1bce66b0a4879c8d4b9cd2297d8cabf01