Analysis
max time kernel: 150s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 29-09-2024 03:12
Static task: static1
Behavioral task: behavioral1
  Sample: fdb0acaefe261bb6234b71718144da09_JaffaCakes118.dll
  Resource: win7-20240708-en
Behavioral task: behavioral2
  Sample: fdb0acaefe261bb6234b71718144da09_JaffaCakes118.dll
  Resource: win10v2004-20240802-en
General
Target: fdb0acaefe261bb6234b71718144da09_JaffaCakes118.dll
Size: 5.0MB
MD5: fdb0acaefe261bb6234b71718144da09
SHA1: 1836f968ff558509ca24eff208edc10d162fda9c
SHA256: 244ba63744af25ee8281f609f63d8cab5d0328a943eb0f98060eca03ef3c8377
SHA512: fbf7ea45619273a40133436c0ba0fb71ef7c83e4a2af4d51f6b6f093bc73434b8dcabfff1f7f5e07334297c0740684e9e6d839ba4c61391f5eacbb2fe6258011
SSDEEP: 49152:SnAQqMSPbcBVMAMEcaEau3R8yAH1plAH:+DqPoBS593R8yAVp2H
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.
- Contacts a large (3323) amount of remote hosts (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Executes dropped EXE (3 IoCs)
  pid    Process
  1504   mssecsvc.exe
  1432   mssecsvc.exe
  4276   tasksche.exe
- Creates a large amount of network flows (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Drops file in Windows directory (2 IoCs)
  description    ioc                        Process
  File created   C:\WINDOWS\mssecsvc.exe    rundll32.exe
  File created   C:\WINDOWS\tasksche.exe    mssecsvc.exe
- System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description   ioc                                                          Process
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   mssecsvc.exe
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   rundll32.exe
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   mssecsvc.exe
- Modifies data under HKEY_USERS (5 IoCs)
  description       ioc                                                                                                        Process
  Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\                mssecsvc.exe
  Set value (int)   \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"    mssecsvc.exe
  Set value (int)   \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"   mssecsvc.exe
  Set value (int)   \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"  mssecsvc.exe
  Set value (int)   \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"     mssecsvc.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  description                         pid    Process        procid_target
  PID 1376 wrote to memory of 4952    1376   rundll32.exe   84
  PID 1376 wrote to memory of 4952    1376   rundll32.exe   84
  PID 1376 wrote to memory of 4952    1376   rundll32.exe   84
  PID 4952 wrote to memory of 1504    4952   rundll32.exe   85
  PID 4952 wrote to memory of 1504    4952   rundll32.exe   85
  PID 4952 wrote to memory of 1504    4952   rundll32.exe   85
Processes
C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\fdb0acaefe261bb6234b71718144da09_JaffaCakes118.dll,#1
  PID: 1376
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\fdb0acaefe261bb6234b71718144da09_JaffaCakes118.dll,#1
    PID: 4952
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    C:\WINDOWS\mssecsvc.exe
      Command line: C:\WINDOWS\mssecsvc.exe
      PID: 1504
      - Executes dropped EXE
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      C:\WINDOWS\tasksche.exe
        Command line: C:\WINDOWS\tasksche.exe /i
        PID: 4276
        - Executes dropped EXE
C:\WINDOWS\mssecsvc.exe
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  PID: 1432
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 3.6MB
  MD5: f813d73319cef27050954a0b621bd6f7
  SHA1: e6a142059362b84fd48f79e29752cae1db9954b6
  SHA256: e9e74b16bff15b3be630712f9df27b3e7b4f413e19794e9d6f9fe405c939ae91
  SHA512: 75881cf9d257815b69a1029038d36ac8ba49af29f3facd552208557e384f9b9981911588549021b065e7647af9b5b96d770aaf415308f67ae28e44a6d1739ad2
- Filesize: 3.4MB
  MD5: 954c4c2b490695d3b0aff003079bb007
  SHA1: 642a773284afc3b5751c8c1cac3c957ce9c62d6a
  SHA256: e50607d077ae54c8ee627a80d0007dcfb39647ac693db8543c0505d6560ef08d
  SHA512: 36d4b5bdb915a990e201bf453b243de104e99f6bf499f32fa99ba13f6118a917f12260d9113b6c60fe7be15c02003290a5dd21b2523f8aa7437ec3f0b3f475bc