Analysis
-
max time kernel
150s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
24-09-2024 09:34
Static task
static1
Behavioral task
behavioral1
Sample
f357e23d1e4cc689fc6610f42cbc1237_JaffaCakes118.dll
Resource
win7-20240708-en
Behavioral task
behavioral2
Sample
f357e23d1e4cc689fc6610f42cbc1237_JaffaCakes118.dll
Resource
win10v2004-20240802-en
General
-
Target
f357e23d1e4cc689fc6610f42cbc1237_JaffaCakes118.dll
-
Size
5.0MB
-
MD5
f357e23d1e4cc689fc6610f42cbc1237
-
SHA1
f7b1718467ba6e14d4c31c265b6d9e0dc44aa34c
-
SHA256
a002834349dc85cda6a7d9b894ff4a98ff82ceac146ac3a2e7216a417d3600a0
-
SHA512
0de13ba8061ac0e306dc2a5bf184c70b20d6d5c9906cbcc081536851ede0a4f636b048d94b3a1bb721e389673c520ca4b6d0078c4a1e663201eb3ee7990dcb71
-
SSDEEP
49152:SnAQqMSPbcBVQej/1INRx+TSqTdX1HkQo6SAARdhnvxJM0H9:+DqPoBhz1aRxcSUDk36SAEdhvxWa9
Malware Config
Signatures
-
Wannacry
WannaCry is a ransomware cryptoworm.
-
Contacts a large (3215) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Executes dropped EXE 3 IoCs
pid Process 2032 mssecsvc.exe 4372 mssecsvc.exe 3136 tasksche.exe -
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Drops file in Windows directory 2 IoCs
description ioc Process File created C:\WINDOWS\tasksche.exe mssecsvc.exe File created C:\WINDOWS\mssecsvc.exe rundll32.exe -
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mssecsvc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mssecsvc.exe -
Modifies data under HKEY_USERS 5 IoCs
description ioc Process Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" mssecsvc.exe -
Suspicious use of WriteProcessMemory 6 IoCs
description pid Process procid_target PID 2912 wrote to memory of 2148 2912 rundll32.exe 89 PID 2912 wrote to memory of 2148 2912 rundll32.exe 89 PID 2912 wrote to memory of 2148 2912 rundll32.exe 89 PID 2148 wrote to memory of 2032 2148 rundll32.exe 90 PID 2148 wrote to memory of 2032 2148 rundll32.exe 90 PID 2148 wrote to memory of 2032 2148 rundll32.exe 90
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\f357e23d1e4cc689fc6610f42cbc1237_JaffaCakes118.dll,#11⤵
- Suspicious use of WriteProcessMemory
PID:2912 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\f357e23d1e4cc689fc6610f42cbc1237_JaffaCakes118.dll,#12⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2148 -
C:\WINDOWS\mssecsvc.exeC:\WINDOWS\mssecsvc.exe3⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:2032 -
C:\WINDOWS\tasksche.exeC:\WINDOWS\tasksche.exe /i4⤵
- Executes dropped EXE
PID:3136
-
-
-
-
C:\WINDOWS\mssecsvc.exeC:\WINDOWS\mssecsvc.exe -m security1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
PID:4372
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4324,i,12198811467968044966,17227406646827438786,262144 --variations-seed-version --mojo-platform-channel-handle=3880 /prefetch:81⤵PID:3144
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3.6MB
MD56c954e6a273ea9f18936202ac163ab74
SHA10a7d2d88e0eddbf270b04874e56bcebe6757f430
SHA2561a39f2253fac0440c00f5a330251599229ad0a72ac12b4f6d75a2890db2e494a
SHA512f87d514e119caff3230b20f8d4ffff6bb7b34fc4d6022e827bc3133cfe32cc4f77fc19e53854ab7fc6f0e54105ef0970d03ef0ee618f4d832ee5509786f68cad
-
Filesize
3.4MB
MD5472f421bd895e3a6ec0c907a2c31f0f1
SHA19f339bc67061cde25fe1b4709459f3320a597a6f
SHA25650843a6e2394c40da22b0351392021c69dd0fc1c95ed91d652b0c0a613d20e25
SHA512bcbb85464e492885049fe8b86c88ff54a4ee1fae8ef068860bca7e59bdaaa7ddceed87fb4de03527e29841dfc5cd9eede114f18190dabffa481cd5b457c3da85