Analysis
max time kernel: 150s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 26-09-2024 23:25
Static task: static1
Behavioral task: behavioral1
  Sample: f954b974b717c77f377f9efe747fbac1_JaffaCakes118.dll
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: f954b974b717c77f377f9efe747fbac1_JaffaCakes118.dll
  Resource: win10v2004-20240802-en
General
Target: f954b974b717c77f377f9efe747fbac1_JaffaCakes118.dll
Size: 5.0MB
MD5: f954b974b717c77f377f9efe747fbac1
SHA1: 16db73d8089233d16c0454f7833d6345d15da871
SHA256: be82a36ff7a1f80fdd04123552815fc4e4cd61b7791f42240c08976b525fa546
SHA512: f715d51082c61fcc0749886cbb9afb3d635b5cb314f99b56eec1663d279c403f0d655cd985eb5799472dd2ab7276e9252751733464032a96313e9fa3f566ef61
SSDEEP: 98304:+DqPoBhz1ScSUDk36SAEdhvxWa9P593R8yAVp2H:+DqPe1Scxk3ZAEUadzR8yc4H
Malware Config
Signatures
Wannacry
  WannaCry is a ransomware cryptoworm.

Contacts a large (3323) amount of remote hosts (1 TTPs)
  This may indicate a network scan to discover remotely running services.

Executes dropped EXE (3 IoCs)
  pid   Process
  1880  mssecsvc.exe
  4584  mssecsvc.exe
  2864  tasksche.exe

Creates a large amount of network flows (1 TTPs)
  This may indicate a network scan to discover remotely running services.

Drops file in Windows directory (2 IoCs)
  description   ioc                       Process
  File created  C:\WINDOWS\mssecsvc.exe   rundll32.exe
  File created  C:\WINDOWS\tasksche.exe   mssecsvc.exe
System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                           Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  mssecsvc.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  rundll32.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  mssecsvc.exe
Modifies data under HKEY_USERS (5 IoCs)
  description      ioc                                                                                                      Process
  Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\                mssecsvc.exe
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"    mssecsvc.exe
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"   mssecsvc.exe
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"  mssecsvc.exe
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"     mssecsvc.exe

Suspicious use of WriteProcessMemory (6 IoCs)
  description                        pid   Process       procid_target
  PID 224 wrote to memory of 4416    224   rundll32.exe  82
  PID 224 wrote to memory of 4416    224   rundll32.exe  82
  PID 224 wrote to memory of 4416    224   rundll32.exe  82
  PID 4416 wrote to memory of 1880   4416  rundll32.exe  83
  PID 4416 wrote to memory of 1880   4416  rundll32.exe  83
  PID 4416 wrote to memory of 1880   4416  rundll32.exe  83
Processes
C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\f954b974b717c77f377f9efe747fbac1_JaffaCakes118.dll,#1
  PID: 224
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\f954b974b717c77f377f9efe747fbac1_JaffaCakes118.dll,#1
    PID: 4416
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    C:\WINDOWS\mssecsvc.exe
      Command line: C:\WINDOWS\mssecsvc.exe
      PID: 1880
      - Executes dropped EXE
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      C:\WINDOWS\tasksche.exe
        Command line: C:\WINDOWS\tasksche.exe /i
        PID: 2864
        - Executes dropped EXE
C:\WINDOWS\mssecsvc.exe
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  PID: 4584
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 3.6MB
MD5: 69762a3f6b71e9ba5afb0f7c4a162e94
SHA1: 004a5ea2cefe96c4a4d7cb461bb225b93d82a8f3
SHA256: 6656d1b3958a6a5b2a30abc7f43908e291e081dfa557152e0c06a04a90890eca
SHA512: a7a080f4aeb56d72df5d5ee81387b61133de3b9f0d1b430fd6b7e35c4f0e8c9d34138a93e1c1d665e979c6200bfef81665257855b5cb08a5164a85906d391b6b

Filesize: 3.4MB
MD5: 4b6bc9ea17de240e52381814b492d436
SHA1: e625b78de22525b4913b384e6271a40342b6f394
SHA256: f2eaeca5d307d4265ce81a652f3c2777e49d61af9902614476b471b87c7e0f60
SHA512: d38c6df79a1a81a45de83e2a772fbabc06cd43ad45cc81730e888d6fa20acf959d4ac0ef8fdba4cb1fcb958ded4f9a77df76f208f2d8118b75ee00556889e2b2