Analysis
max time kernel: 150s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240910-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240910-en, locale:en-us, os:windows10-2004-x64, system
submitted: 26-09-2024 22:29
Static task: static1
Behavioral task: behavioral1
  Sample: f944d90ab5a048bc14ebab034d23dc7f_JaffaCakes118.dll
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: f944d90ab5a048bc14ebab034d23dc7f_JaffaCakes118.dll
  Resource: win10v2004-20240910-en
General
Target: f944d90ab5a048bc14ebab034d23dc7f_JaffaCakes118.dll
Size: 5.0MB
MD5: f944d90ab5a048bc14ebab034d23dc7f
SHA1: e75b1c7d1893e77214067c934ca1b11bde6ccd02
SHA256: 091cf8784c8152b9401e26d4d02418fb84626fc1a4a6542c0f954e0af8595586
SHA512: 05e8a23bd97c74ac6e7563b2e2dd2f367ba9fd686070c641a3e1ffe18e3b49c6ca7d0dd283348c26833ed5c93e62c439b8c18a8b7e3c13094872b8e94e55beec
SSDEEP: 49152:SnAQqMSPbcBVQej/1INRx+TSqTdX1HkQo6SAA4rHV7YoG/QCkc/balAH:+DqPoBhz1aRxcSUDk36SANYod3c/22H
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.
- Contacts a large (3284) amount of remote hosts (1 TTP)
  This may indicate a network scan to discover remotely running services.
- Executes dropped EXE (3 IoCs)
  pid   Process
  4616  mssecsvc.exe
  4516  mssecsvc.exe
  400   tasksche.exe
- Creates a large amount of network flows (1 TTP)
  This may indicate a network scan to discover remotely running services.
- Drops file in Windows directory (2 IoCs)
  description   ioc                       Process
  File created  C:\WINDOWS\mssecsvc.exe   rundll32.exe
  File created  C:\WINDOWS\tasksche.exe   mssecsvc.exe
- System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                          Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  rundll32.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  mssecsvc.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  mssecsvc.exe
- Modifies data under HKEY_USERS (5 IoCs)
  description      ioc                                                                                                     Process
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"   mssecsvc.exe
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"  mssecsvc.exe
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"     mssecsvc.exe
  Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\                     mssecsvc.exe
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"    mssecsvc.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  description                       pid   Process       procid_target
  PID 1188 wrote to memory of 908   1188  rundll32.exe  84
  PID 1188 wrote to memory of 908   1188  rundll32.exe  84
  PID 1188 wrote to memory of 908   1188  rundll32.exe  84
  PID 908 wrote to memory of 4616   908   rundll32.exe  86
  PID 908 wrote to memory of 4616   908   rundll32.exe  86
  PID 908 wrote to memory of 4616   908   rundll32.exe  86
Processes
C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\f944d90ab5a048bc14ebab034d23dc7f_JaffaCakes118.dll,#1
  PID: 1188
  - Suspicious use of WriteProcessMemory
  Child: C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\f944d90ab5a048bc14ebab034d23dc7f_JaffaCakes118.dll,#1
    PID: 908
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    Child: C:\WINDOWS\mssecsvc.exe
      Command line: C:\WINDOWS\mssecsvc.exe
      PID: 4616
      - Executes dropped EXE
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      Child: C:\WINDOWS\tasksche.exe
        Command line: C:\WINDOWS\tasksche.exe /i
        PID: 400
        - Executes dropped EXE

C:\WINDOWS\mssecsvc.exe
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  PID: 4516
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 3.6MB
MD5: 33b563d53ec86880abbbd10bbdc59108
SHA1: 473ab4a7f01de0c8803de76f7aa9a0268c324ab2
SHA256: 9ecd5c2255db9c62ec729b9637f9a9ad76f759b65c2f4f237ea02222a4b3c562
SHA512: ace31e626ee27bdd64ce3bdaa74812f5ba88feea9d52e05b429cbf152cd8d23ad258e62b23e24f6f3f48dac114cf9a15c77514456453be876ce8e33ea864050b

Filesize: 3.4MB
MD5: e75e8b988235fb617c957ee8ce2cb3ef
SHA1: d20d2bfa9177287ec025e6972b3597c98cdc7b74
SHA256: 7e2e8a0b85e7cdd73ce2a73f5480b11f37793085505f12913aef72b6c825de99
SHA512: 1b924a62f25ce06f170c158dad80db4ea692a791be8d3c7167e7e4b9e7137455c7a912684f4282e80786e4244f940b6c420c3f75c6a508d734946a395dc79159