Analysis
max time kernel: 150s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 24-09-2024 10:40
Static task: static1
Behavioral task: behavioral1
  Sample: f375b7c1c976f31b3240c66813994ae6_JaffaCakes118.dll
  Resource: win7-20240708-en
Behavioral task: behavioral2
  Sample: f375b7c1c976f31b3240c66813994ae6_JaffaCakes118.dll
  Resource: win10v2004-20240802-en
General
Target: f375b7c1c976f31b3240c66813994ae6_JaffaCakes118.dll
Size: 5.0MB
MD5: f375b7c1c976f31b3240c66813994ae6
SHA1: d0f2c40644d44614c4e8491ab20ae658f554690f
SHA256: 0fad304d3f2651eb3978f2ee99cb9d2de3b34696780b0d5f0991eca03ef81725
SHA512: 4b245cb9fdbc0e4fab885aaf5715d090eef805b5dd8d5daca48f9eb4e9262527d76c82af2289f9a680be477f2dbacefac3e55c33a3337839e86768918664cc3f
SSDEEP: 24576:zbLgddQhfdmMSirYbcMNgef0QeQjG/D8kI1LJMfcH9PO6Lvp9d:znAQqMSPbcBVQej/yxJM0H9nF
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.
- Contacts a large (3363) amount of remote hosts (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Executes dropped EXE (3 IoCs)
  pid 4588: mssecsvc.exe
  pid 2100: mssecsvc.exe
  pid 404: tasksche.exe
- Creates a large amount of network flows (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Drops file in Windows directory (2 IoCs)
  File created: C:\WINDOWS\mssecsvc.exe (process: rundll32.exe)
  File created: C:\WINDOWS\tasksche.exe (process: mssecsvc.exe)
- System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: rundll32.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: mssecsvc.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: mssecsvc.exe)
- Modifies data under HKEY_USERS (5 IoCs)
  Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ (process: mssecsvc.exe)
  Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" (process: mssecsvc.exe)
  Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" (process: mssecsvc.exe)
  Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" (process: mssecsvc.exe)
  Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" (process: mssecsvc.exe)
- Suspicious use of WriteProcessMemory (6 IoCs)
  PID 3432 wrote to memory of 3104 (process: rundll32.exe, procid_target: 82)
  PID 3432 wrote to memory of 3104 (process: rundll32.exe, procid_target: 82)
  PID 3432 wrote to memory of 3104 (process: rundll32.exe, procid_target: 82)
  PID 3104 wrote to memory of 4588 (process: rundll32.exe, procid_target: 83)
  PID 3104 wrote to memory of 4588 (process: rundll32.exe, procid_target: 83)
  PID 3104 wrote to memory of 4588 (process: rundll32.exe, procid_target: 83)
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\f375b7c1c976f31b3240c66813994ae6_JaffaCakes118.dll,#1
  - Suspicious use of WriteProcessMemory
  PID: 3432
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\f375b7c1c976f31b3240c66813994ae6_JaffaCakes118.dll,#1
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 3104
    - C:\WINDOWS\mssecsvc.exe
      Command line: C:\WINDOWS\mssecsvc.exe
      - Executes dropped EXE
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      PID: 4588
      - C:\WINDOWS\tasksche.exe
        Command line: C:\WINDOWS\tasksche.exe /i
        - Executes dropped EXE
        PID: 404
- C:\WINDOWS\mssecsvc.exe
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
  PID: 2100
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 3.6MB
  MD5: f9b167ef2037b103fc8fbc2aaf49c500
  SHA1: 2981d9b3d2bf53e7503a103c7d61c5dce32a0194
  SHA256: 580bc13cb46b11268b6b2f7f6ab7c002e6a69d6ae0ffce76434d512f1f27ca6a
  SHA512: 851484dd2fb92d593869960750e6f3767253dc63d9f13fdf0df6c18de528072b0d990af5913d8f5f5d3b36223c488578d168b6bf432d71422c01bd9205fa0bbb
- Filesize: 3.4MB
  MD5: fcc4371e7acec0a9b3e6ac7b9debeade
  SHA1: 05a9fb71fd5fd6144c697ca7a6e523d9330b3b4c
  SHA256: 6cc40596d53333325fe7ce2bb415718035a1cf4eb819e762d79ed3297d51cd53
  SHA512: deb3fd026cb0ec187c517382d341c3cf1dae4cbefb7d8766053ad64a140dadc0149bf87ba751f6e4b5d23ee308ebaeb2ec0e29c8071b252d70076c6fa69d7224