Analysis
max time kernel: 150s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 24-09-2024 09:57
Static task: static1
Behavioral task: behavioral1
  Sample: f361db5dbee5112457fad8e3ea057f87_JaffaCakes118.dll
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: f361db5dbee5112457fad8e3ea057f87_JaffaCakes118.dll
  Resource: win10v2004-20240802-en
General
Target: f361db5dbee5112457fad8e3ea057f87_JaffaCakes118.dll
Size: 5.0MB
MD5: f361db5dbee5112457fad8e3ea057f87
SHA1: 772d7031158ab467528dd857949db3675de9a1fc
SHA256: 34e22edd2350543f4b621924eb1bff7bffdd2ab7f7ddd30f57b01e7afb78b69c
SHA512: f7ff6809aa8e099754144a26795662410f028b7f88f3684002b7d37c5f7d862ae17dcd13883a2b69d1cfe0c2913bb5a3c9beee4ac70d5210199bbe8b42ef47e6
SSDEEP: 49152:znAQqMSPbcBVQej/1INRx+TSqTdX1HkQo6SAA:TDqPoBhz1aRxcSUDk36SA
Malware Config
Signatures

Wannacry
  WannaCry is a ransomware cryptoworm.

Contacts a large (3263) amount of remote hosts (1 TTPs)
  This may indicate a network scan to discover remotely running services.

Executes dropped EXE (3 IoCs)
  pid   Process
  3308  mssecsvc.exe
  3612  mssecsvc.exe
  4816  tasksche.exe

Creates a large amount of network flows (1 TTPs)
  This may indicate a network scan to discover remotely running services.

Drops file in Windows directory (2 IoCs)
  description   ioc                       Process
  File created  C:\WINDOWS\mssecsvc.exe   rundll32.exe
  File created  C:\WINDOWS\tasksche.exe   mssecsvc.exe

System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                          Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  mssecsvc.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  rundll32.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  mssecsvc.exe

Modifies data under HKEY_USERS (5 IoCs)
  description      ioc                                                                                                         Process
  Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\                 mssecsvc.exe
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"    mssecsvc.exe
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"   mssecsvc.exe
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"  mssecsvc.exe
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"     mssecsvc.exe

Suspicious use of WriteProcessMemory (6 IoCs)
  description                        pid   Process       procid_target
  PID 3524 wrote to memory of 224    3524  rundll32.exe  82
  PID 3524 wrote to memory of 224    3524  rundll32.exe  82
  PID 3524 wrote to memory of 224    3524  rundll32.exe  82
  PID 224 wrote to memory of 3308    224   rundll32.exe  83
  PID 224 wrote to memory of 3308    224   rundll32.exe  83
  PID 224 wrote to memory of 3308    224   rundll32.exe  83
Processes

C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\f361db5dbee5112457fad8e3ea057f87_JaffaCakes118.dll,#1
  - Suspicious use of WriteProcessMemory
  PID: 3524
  C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\f361db5dbee5112457fad8e3ea057f87_JaffaCakes118.dll,#1
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 224
    C:\WINDOWS\mssecsvc.exe
      Command line: C:\WINDOWS\mssecsvc.exe
      - Executes dropped EXE
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      PID: 3308
      C:\WINDOWS\tasksche.exe
        Command line: C:\WINDOWS\tasksche.exe /i
        - Executes dropped EXE
        PID: 4816

C:\WINDOWS\mssecsvc.exe
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
  PID: 3612
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 3.6MB
MD5: 3bfa81f76135fde00d60ec79f0388abe
SHA1: 114f076d8fd91244dd9e20e142289b00dc941121
SHA256: 8d8db2b2ab82b5e27600a699a27afa4001b3694d42447f5bd2fbd7adc6440880
SHA512: 461140a6298057438e090477bdeaae80fd445cf62cac48af3e61eec5b5462952abc309321b37ae4f2f03f78e09519d148128fe1f4606756016cc6bf78a1ec283

Filesize: 3.4MB
MD5: 3233aced9279ef54267c479bba665b90
SHA1: 0b2cc142386641901511269503cdf6f641fad305
SHA256: f60f8a6bcaf1384a0d6a76d3e88007a8604560b263d2b8aeee06fd74c9ee5b3b
SHA512: 55f25c51ffb89d46f2a7d2ed9b67701e178bd68e74b71d757d5fa14bd9530a427104fc36116633033ead762ecf7960ab96429f5b0a085a701001c6832ba4555e