Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
26-09-2024 05:43
Static task
static1
Behavioral task
behavioral1
Sample
f7b1bd2aa9ce09a273243560db7bad8a_JaffaCakes118.dll
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
f7b1bd2aa9ce09a273243560db7bad8a_JaffaCakes118.dll
Resource
win10v2004-20240802-en
General
-
Target
f7b1bd2aa9ce09a273243560db7bad8a_JaffaCakes118.dll
-
Size
5.0MB
-
MD5
f7b1bd2aa9ce09a273243560db7bad8a
-
SHA1
2d682b3a9bf4d09d8d2fa3986cae4a194764a273
-
SHA256
67e6c96d995da1cf7052d9c27ac740c5b42fc5982b79f53ceb201b0a8f894663
-
SHA512
ab4127003fddd41abb8b50f1737b3a1552f7932724bab6d9d1c30ac1aec500b801a72873f4160c421abe7da60e60d4275dffdcf68aa583ec73abb57df082bee1
-
SSDEEP
49152:RnpEKUvxcBVQej/1INRx+TSqTdX1HkQo6SAARdhnv:1pyvOBhz1aRxcSUDk36SAEdhv
Malware Config
Signatures
-
Wannacry
WannaCry is a ransomware cryptoworm.
-
Contacts a large (3293) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Executes dropped EXE 3 IoCs
pid Process 4348 mssecsvr.exe 4932 mssecsvr.exe 4472 tasksche.exe -
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Drops file in System32 directory 4 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5 mssecsvr.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 mssecsvr.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE mssecsvr.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies mssecsvr.exe -
Drops file in Windows directory 4 IoCs
description ioc Process File created C:\WINDOWS\mssecsvr.exe rundll32.exe File created C:\WINDOWS\tasksche.exe mssecsvr.exe File created C:\Windows\__tmp_rar_sfx_access_check_240618031 tasksche.exe File created C:\Windows\eee.exe tasksche.exe -
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mssecsvr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mssecsvr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tasksche.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe -
Modifies data under HKEY_USERS 15 IoCs
description ioc Process Key created \REGISTRY\USER\.DEFAULT\Software mssecsvr.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" mssecsvr.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows mssecsvr.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings mssecsvr.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix mssecsvr.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" mssecsvr.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" mssecsvr.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" mssecsvr.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" mssecsvr.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ mssecsvr.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" mssecsvr.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History mssecsvr.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft mssecsvr.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion mssecsvr.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\P3P mssecsvr.exe -
Suspicious use of WriteProcessMemory 9 IoCs
description pid Process procid_target PID 1556 wrote to memory of 1408 1556 rundll32.exe 82 PID 1556 wrote to memory of 1408 1556 rundll32.exe 82 PID 1556 wrote to memory of 1408 1556 rundll32.exe 82 PID 1408 wrote to memory of 4348 1408 rundll32.exe 83 PID 1408 wrote to memory of 4348 1408 rundll32.exe 83 PID 1408 wrote to memory of 4348 1408 rundll32.exe 83 PID 4348 wrote to memory of 4472 4348 mssecsvr.exe 85 PID 4348 wrote to memory of 4472 4348 mssecsvr.exe 85 PID 4348 wrote to memory of 4472 4348 mssecsvr.exe 85
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\f7b1bd2aa9ce09a273243560db7bad8a_JaffaCakes118.dll,#11⤵
- Suspicious use of WriteProcessMemory
PID:1556 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\f7b1bd2aa9ce09a273243560db7bad8a_JaffaCakes118.dll,#12⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1408 -
C:\WINDOWS\mssecsvr.exeC:\WINDOWS\mssecsvr.exe3⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4348 -
C:\WINDOWS\tasksche.exeC:\WINDOWS\tasksche.exe /i4⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:4472
-
-
-
-
C:\WINDOWS\mssecsvr.exeC:\WINDOWS\mssecsvr.exe -m security1⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
PID:4932
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2.2MB
MD5d61fdd87eaac262a8a77080ee54edb46
SHA1121b1edae817d516515080d8c06225f34b1fce04
SHA2562777e4e00f60f7fc101c3181c782a83ec306425ce7d9e72c6e42fde2a4247168
SHA5126c520701fb7eb28e9417507f9426f2dabbd624009df8dcfab8b624b13b8041a5b88ed62fb99321ebeb2fe8c35746e541d1b88f10597d384e58f4f1811dbb05ba
-
Filesize
2.0MB
MD5c4640e5a8a68c8aa313e8127a1d797ed
SHA13fa7396d3bf4a070f426a5ac2d3928cff2dc3eaf
SHA2563d5891d7cd3c675aa40d8671866375750385ad58bf75bfc386954c3aab4ea241
SHA5120a1b1057ff7dcdfee7f86142617b2ef230f53c964c9423c48e347dcf21c8a4186ed10d1dfe1a90cbde321adf4da51865205e47800d9e59d0c1dc8db76bd3ef1c