Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
27-09-2024 08:50
Static task
static1
Behavioral task
behavioral1
Sample
fa17aae4f396459b7d591759d7aaf033_JaffaCakes118.dll
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
fa17aae4f396459b7d591759d7aaf033_JaffaCakes118.dll
Resource
win10v2004-20240802-en
General
-
Target
fa17aae4f396459b7d591759d7aaf033_JaffaCakes118.dll
-
Size
5.0MB
-
MD5
fa17aae4f396459b7d591759d7aaf033
-
SHA1
dffab299632a5623bb931eff5bfc23c25d4fcbea
-
SHA256
27f7b4b45546af6c1b3fc3edf05bfe824b907b8a09751ede40d364790f87dabf
-
SHA512
f888cb03d586b8521211f3210ff4b4daba54d8bebb29eb87a82c479306f9838ff1ec75e5e2f78d914c6606793d93da26feb8203c9b50b3af29d94c8253fb92d2
-
SSDEEP
49152:SnAQqMSPbcBVQej/1INRx+TSqTdX1HkQo6SAARdhnvxJM0H9PAMEc:+DqPoBhz1aRxcSUDk36SAEdhvxWa9P5
Malware Config
Signatures
-
Wannacry
WannaCry is a ransomware cryptoworm.
-
Contacts a large (3157) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Executes dropped EXE 3 IoCs
pid Process 1700 mssecsvc.exe 4752 mssecsvc.exe 4876 tasksche.exe -
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Drops file in Windows directory 2 IoCs
description ioc Process File created C:\WINDOWS\mssecsvc.exe rundll32.exe File created C:\WINDOWS\tasksche.exe mssecsvc.exe -
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mssecsvc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mssecsvc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe -
Modifies data under HKEY_USERS 5 IoCs
description ioc Process Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" mssecsvc.exe -
Suspicious use of WriteProcessMemory 6 IoCs
description pid Process procid_target PID 1640 wrote to memory of 532 1640 rundll32.exe 82 PID 1640 wrote to memory of 532 1640 rundll32.exe 82 PID 1640 wrote to memory of 532 1640 rundll32.exe 82 PID 532 wrote to memory of 1700 532 rundll32.exe 83 PID 532 wrote to memory of 1700 532 rundll32.exe 83 PID 532 wrote to memory of 1700 532 rundll32.exe 83
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\fa17aae4f396459b7d591759d7aaf033_JaffaCakes118.dll,#11⤵
- Suspicious use of WriteProcessMemory
PID:1640 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\fa17aae4f396459b7d591759d7aaf033_JaffaCakes118.dll,#12⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:532 -
C:\WINDOWS\mssecsvc.exeC:\WINDOWS\mssecsvc.exe3⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:1700 -
C:\WINDOWS\tasksche.exeC:\WINDOWS\tasksche.exe /i4⤵
- Executes dropped EXE
PID:4876
-
-
-
-
C:\WINDOWS\mssecsvc.exeC:\WINDOWS\mssecsvc.exe -m security1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
PID:4752
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3.6MB
MD58b94c01d4ed92cddd2a98dca4d3cd83b
SHA1fb2f71a3bca69a080e7d2497abed2c8285ec0f2f
SHA256699fe9cfc6657e23448ffb95e785069371d748baed406e449c4cf6d5ff710aea
SHA512af752a347c707272069391133a39a1174b768d5c9505fa5ccc4216e728f0f9da9ce8536cbfc8f5f037d35afe571dd6deaf47daf22c27d0f8f1b7a9ce8399eb9d
-
Filesize
3.4MB
MD55782c5c239f03decfc8914a49d1a8e6e
SHA1d9b7bc94d39da13d77a61faf0d51eb73e3bfafc2
SHA256eeb6e79c4331d8595a5a030631d817d7ee83b8a21e091e210fadc96df9b53734
SHA51289814c9ff80b751198a1ba1a835e08a46481a654ab2cd1fa354811a5536c7dc24db68ad1012d4f655119d345c5f92140c5d40f378232bb94e4bc3ac40ba99125