Analysis
max time kernel: 150s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 27-09-2024 10:25
Static task: static1
Behavioral task: behavioral1
  Sample: fa3b6e257e61791990eb3c99a597ac37_JaffaCakes118.dll
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: fa3b6e257e61791990eb3c99a597ac37_JaffaCakes118.dll
  Resource: win10v2004-20240802-en
General
Target: fa3b6e257e61791990eb3c99a597ac37_JaffaCakes118.dll
Size: 5.0MB
MD5: fa3b6e257e61791990eb3c99a597ac37
SHA1: c1c1fc66810fa18f44c56af4c581b1b6d4b5e1f1
SHA256: 1ab0b6dd095a065d8433ca65eef7af9402a442bc432ce4b7d167343e935beb82
SHA512: 82c12a7633d51cc7f1b3e6dbbdb3e7496103daa69f4ddcbf2325996943f509513102f18a81b197285cf811c181c48f0158cd5127d2aa0ec36d8dffc8622de1f9
SSDEEP: 49152:SnAQqMSPbcBVQej/1INRx+TSqTdX1HkQo6SAARdhC:+DqPoBhz1aRxcSUDk36SAEdhC
Malware Config
Signatures
Wannacry
  WannaCry is a ransomware cryptoworm.
Contacts a large (3172) amount of remote hosts (1 TTPs)
  This may indicate a network scan to discover remotely running services.
Executes dropped EXE (3 IoCs)
  pid   Process
  4656  mssecsvc.exe
  2916  mssecsvc.exe
  1780  tasksche.exe
Creates a large amount of network flows (1 TTPs)
  This may indicate a network scan to discover remotely running services.
Drops file in Windows directory (2 IoCs)
  description   ioc                      Process
  File created  C:\WINDOWS\mssecsvc.exe  rundll32.exe
  File created  C:\WINDOWS\tasksche.exe  mssecsvc.exe
System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                          Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  mssecsvc.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  rundll32.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  mssecsvc.exe
Modifies data under HKEY_USERS (5 IoCs)
  description      ioc                                                                                                    Process
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"  mssecsvc.exe
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"     mssecsvc.exe
  Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\                     mssecsvc.exe
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"    mssecsvc.exe
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"   mssecsvc.exe
Suspicious use of WriteProcessMemory (6 IoCs)
  description                       pid   Process       procid_target
  PID 1880 wrote to memory of 3068  1880  rundll32.exe  82
  PID 1880 wrote to memory of 3068  1880  rundll32.exe  82
  PID 1880 wrote to memory of 3068  1880  rundll32.exe  82
  PID 3068 wrote to memory of 4656  3068  rundll32.exe  83
  PID 3068 wrote to memory of 4656  3068  rundll32.exe  83
  PID 3068 wrote to memory of 4656  3068  rundll32.exe  83
Processes
C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\fa3b6e257e61791990eb3c99a597ac37_JaffaCakes118.dll,#1
  PID: 1880
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\fa3b6e257e61791990eb3c99a597ac37_JaffaCakes118.dll,#1
    PID: 3068
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    C:\WINDOWS\mssecsvc.exe
      Command line: C:\WINDOWS\mssecsvc.exe
      PID: 4656
      - Executes dropped EXE
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      C:\WINDOWS\tasksche.exe
        Command line: C:\WINDOWS\tasksche.exe /i
        PID: 1780
        - Executes dropped EXE

C:\WINDOWS\mssecsvc.exe
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  PID: 2916
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 3.6MB
MD5: 2d23c49a0329ff5605c095f8a6200b75
SHA1: e38ee66e5a30e0784aa1e15c29e1e109e7245fa4
SHA256: 413f3d39554758acc607bc7e3b4c561697a89fb10deec4a8bd5434b275128d14
SHA512: d5355b0b96cbcc347aadcb61a0b907d1729a3d57648ac453e337552b301f5ee564bdcdd8d7a8cff7d7a64c1c0b4252a44f597815151d2f45fbf2eeff391d8e97

Filesize: 3.4MB
MD5: e917420a1bb05be8eae636b717137449
SHA1: 63b58da2db7450760933ebc1c28b1722b5a9f8f2
SHA256: 90c1cc5cf1317e1b04a3fee6a1a9c14a3cb77317e63d661bc4f0b27d4943d1a9
SHA512: dadb131829bb663b8e516ea0b78cbc6026a6500165e2908a7d7265e964b206ac864f9704c40c388fa365cfa453987e57ba0c2c99ed5c992602ffe6d324be9aa5