Resubmissions
26-09-2024 23:42   240926-3qeh6atgpq   10
30-08-2024 18:53   240830-xjrl9azhpn   10
30-08-2024 15:42   240830-s5d6tssfmm   10
30-08-2024 15:38   240830-s27c7s1gld   10

Analysis
max time kernel: 34s
max time network: 35s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 26-09-2024 23:42
Static task: static1
Behavioral task: behavioral1
Sample: cb211e0f58c5a58b0a035936c7d86952_JaffaCakes118.dll
Resource: win10v2004-20240802-en

General
Target: cb211e0f58c5a58b0a035936c7d86952_JaffaCakes118.dll
Size: 5.0MB
MD5: cb211e0f58c5a58b0a035936c7d86952
SHA1: e256814cd2179c95a750bd2968acec788a41c8ff
SHA256: 0ddfe514fb8fc1f583db27be85c703fd17ffe5b196a448ec50da063ee51d21b3
SHA512: 9436d9d128f0234b14b853515bc2e7aadac2d921a2ac0517617d39c978bc6fc39887c76494b88475f372e98e361e3c77a5418455142dec243b77220e92c58757
SSDEEP: 98304:TDqPoBhz1aRxcSUDk36SAEdhvxWa9P5QMS1:TDqPe1Cxcxk3ZAEUad2
Malware Config
Signatures
Wannacry
WannaCry is a ransomware cryptoworm.

Executes dropped EXE (3 IoCs)
PID   Process
3472  mssecsvc.exe
3688  mssecsvc.exe
3260  tasksche.exe

Drops file in Windows directory (2 IoCs)
Description   IoC                      Process
File created  C:\WINDOWS\mssecsvc.exe  rundll32.exe
File created  C:\WINDOWS\tasksche.exe  mssecsvc.exe
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
Description  IoC                                                          Process
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  mssecsvc.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  mssecsvc.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  rundll32.exe
Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
SCSI information is often read in order to detect sandboxing environments. In this run every SCSI read is attributed to taskmgr.exe (PID 3484), which is a separate root in the process tree below and was not spawned by the sample, so these reads (and the taskmgr.exe-only entries further down) should not be attributed to the sample.
Description        IoC                                                                                                                                         Process
Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000                                         taskmgr.exe
Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A  taskmgr.exe
Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName                            taskmgr.exe
Modifies data under HKEY_USERS (5 IoCs)
Description      IoC                                                                                                       Process
Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"  mssecsvc.exe
Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"     mssecsvc.exe
Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\                     mssecsvc.exe
Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"    mssecsvc.exe
Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"   mssecsvc.exe
Suspicious behavior: EnumeratesProcesses (24 IoCs)
PID   Process
3484  taskmgr.exe  (24 occurrences)

Suspicious use of AdjustPrivilegeToken (3 IoCs)
Description                      PID   Process
Token: SeDebugPrivilege          3484  taskmgr.exe
Token: SeSystemProfilePrivilege  3484  taskmgr.exe
Token: SeCreateGlobalPrivilege   3484  taskmgr.exe

Suspicious use of FindShellTrayWindow (36 IoCs)
PID   Process
3484  taskmgr.exe  (36 occurrences)

Suspicious use of SendNotifyMessage (35 IoCs)
PID   Process
3484  taskmgr.exe  (35 occurrences)

Suspicious use of WriteProcessMemory (6 IoCs)
Description                       PID   Process       procid_target
PID 2508 wrote to memory of 3004  2508  rundll32.exe  82
PID 2508 wrote to memory of 3004  2508  rundll32.exe  82
PID 2508 wrote to memory of 3004  2508  rundll32.exe  82
PID 3004 wrote to memory of 3472  3004  rundll32.exe  83
PID 3004 wrote to memory of 3472  3004  rundll32.exe  83
PID 3004 wrote to memory of 3472  3004  rundll32.exe  83
Processes
C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\cb211e0f58c5a58b0a035936c7d86952_JaffaCakes118.dll,#1
  PID: 2508
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\cb211e0f58c5a58b0a035936c7d86952_JaffaCakes118.dll,#1
    PID: 3004
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    C:\WINDOWS\mssecsvc.exe
      Command line: C:\WINDOWS\mssecsvc.exe
      PID: 3472
      - Executes dropped EXE
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      C:\WINDOWS\tasksche.exe
        Command line: C:\WINDOWS\tasksche.exe /i
        PID: 3260
        - Executes dropped EXE

C:\WINDOWS\mssecsvc.exe
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  PID: 3688
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS

C:\Windows\system32\taskmgr.exe
  Command line: "C:\Windows\system32\taskmgr.exe" /4
  PID: 3484
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
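The process tree and the two "Drops file in Windows directory" IoCs above describe a pattern worth detecting in endpoint telemetry: rundll32.exe writes an executable into the Windows directory, that executable runs, writes a second one, and that runs too. The Python below is an added example, not part of the sandbox report or of any tool the report uses. It rebuilds the tree from Sysmon-style process-create and file-create records and flags executables written under C:\Windows that are subsequently executed, recording whether rundll32.exe sits in the writer's ancestry. The Event field names and the event records are constructed from the PIDs, paths and command lines shown above; they are assumptions, not the sandbox's export format.

```python
"""Rebuild a process tree and flag "written into the Windows directory, then
executed" chains from Sysmon-style events. Added example; the events below are
constructed from the PIDs, paths and command lines in the report, and the
field names are an assumption rather than the sandbox's own schema."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

WINDOWS_DIR = r"c:\windows"  # compared case-insensitively


@dataclass(frozen=True)
class Event:
    kind: str                   # "proc" = process create, "file" = file create
    pid: int                    # acting process
    image: str                  # full path of the acting process image
    ppid: Optional[int] = None  # parent PID; None when no parent is recorded
    cmdline: str = ""           # command line ("proc" events)
    target: str = ""            # path written ("file" events)


# Constructed, time-ordered events mirroring the report's process tree and its
# file-drop IoCs. The "-m security" instance and taskmgr.exe have no recorded
# parent in the report, so they are roots (ppid=None).
DLL = r"C:\Users\Admin\AppData\Local\Temp\cb211e0f58c5a58b0a035936c7d86952_JaffaCakes118.dll"
EVENTS = [
    Event("proc", 2508, r"C:\Windows\system32\rundll32.exe", None, f"rundll32.exe {DLL},#1"),
    Event("proc", 3004, r"C:\Windows\SysWOW64\rundll32.exe", 2508, f"rundll32.exe {DLL},#1"),
    Event("file", 3004, r"C:\Windows\SysWOW64\rundll32.exe", target=r"C:\WINDOWS\mssecsvc.exe"),
    Event("proc", 3472, r"C:\WINDOWS\mssecsvc.exe", 3004, r"C:\WINDOWS\mssecsvc.exe"),
    Event("file", 3472, r"C:\WINDOWS\mssecsvc.exe", target=r"C:\WINDOWS\tasksche.exe"),
    Event("proc", 3260, r"C:\WINDOWS\tasksche.exe", 3472, r"C:\WINDOWS\tasksche.exe /i"),
    Event("proc", 3688, r"C:\WINDOWS\mssecsvc.exe", None, r"C:\WINDOWS\mssecsvc.exe -m security"),
    Event("proc", 3484, r"C:\Windows\system32\taskmgr.exe", None, r'"C:\Windows\system32\taskmgr.exe" /4'),
]


def build_tree(events):
    """Return (pid -> process-create Event, ppid -> [child pids])."""
    procs = {e.pid: e for e in events if e.kind == "proc"}
    children = defaultdict(list)
    for e in procs.values():
        children[e.ppid].append(e.pid)  # roots collect under key None
    return procs, children


def render_tree(events):
    """Indented one-line-per-process view, like the report's Processes section."""
    procs, children = build_tree(events)
    lines = []

    def walk(pid, depth):
        lines.append("  " * depth + f"[{pid}] {procs[pid].cmdline}")
        for child in sorted(children[pid]):
            walk(child, depth + 1)

    for root in sorted(children[None]):
        walk(root, 0)
    return lines


def lineage(pid, procs):
    """pid followed by its recorded ancestors, nearest first."""
    chain = []
    while pid in procs:
        chain.append(pid)
        pid = procs[pid].ppid
    return chain


def is_windows_exe(path):
    """True for an .exe path directly or indirectly under the Windows directory."""
    p = path.lower()
    return p.startswith(WINDOWS_DIR + "\\") and p.endswith(".exe")


def find_dropped_and_executed(events):
    """Flag every process whose image was written under the Windows directory
    earlier in the stream, and note whether rundll32.exe is in the writer's
    lineage (the load-via-rundll32 pattern the report shows)."""
    procs, _ = build_tree(events)
    dropped = {}  # lower-cased path -> pid that first wrote it
    hits = []
    for e in events:
        if e.kind == "file" and is_windows_exe(e.target):
            dropped.setdefault(e.target.lower(), e.pid)
        elif e.kind == "proc" and e.image.lower() in dropped:
            writer = dropped[e.image.lower()]
            chain = lineage(writer, procs)
            hits.append({
                "exe": e.image,
                "exec_pid": e.pid,
                "writer_pid": writer,
                "writer_lineage": chain,
                "via_rundll32": any(procs[p].image.lower().endswith(r"\rundll32.exe") for p in chain),
            })
    return hits


if __name__ == "__main__":
    print("\n".join(render_tree(EVENTS)))
    for hit in find_dropped_and_executed(EVENTS):
        print(hit)
```

Running the script prints the same three-root tree the report shows (the rundll32.exe chain, the `-m security` instance and taskmgr.exe) and three hits: PIDs 3472 and 3688 for mssecsvc.exe and 3260 for tasksche.exe, each with rundll32.exe in the writer's lineage. taskmgr.exe also lives under C:\Windows but is not flagged because no file-create event precedes it; that ordering requirement is what keeps the rule from firing on every system binary.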
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 3.6MB
MD5: bd0440ee53439be9667c4fc3b1df9ca1
SHA1: 67be8d71b611740a9539da77d93855e77538d762
SHA256: 34d61c7c1e1b202d287d5c6b35a6290a187a8a63f48c27f9afca94697ccd0af8
SHA512: c314b620f434a834bf8d9a49706da570623c0db5fb40b2884088384d112ff0794792d57b20e4caf984a1ed358da1e90b86c6f4284a645e13fc787a8caec827c4

Filesize: 3.4MB
MD5: 0b41b3e89db68f65eeb362d7abda7216
SHA1: ee51190126cdca9e2a579ab12bc5ad499318a5e6
SHA256: 81be92900929c8d5b9eebcb7ddd4c7a939b6df532747d1a8399c1777c6e64dbf
SHA512: 0dd83d84397b2643b1c44a578852c7b7523fcd2c9e0bd2d91454741950a9030b9eee74861f711ab5b57382f006f45cd0e054329c90c29ec2da8b6edca53bd8d2