Analysis
max time kernel: 150s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240419-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240419-en, locale:en-us, os:windows10-2004-x64, system
submitted: 27-04-2024 22:18
Static task: static1
Behavioral task: behavioral1
  Sample: 03c083659265b8d8b5ba2cd0fcf53305_JaffaCakes118.dll
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 03c083659265b8d8b5ba2cd0fcf53305_JaffaCakes118.dll
  Resource: win10v2004-20240419-en
General
Target: 03c083659265b8d8b5ba2cd0fcf53305_JaffaCakes118.dll
Size: 5.0MB
MD5: 03c083659265b8d8b5ba2cd0fcf53305
SHA1: 82796e2cc166c0afc0b9a7fce3171647b61662dd
SHA256: ae0ce95c707b06a3119b12561a152c9d0da4180d0cc63fcab0fc1592a6db95a0
SHA512: f4471156f83e834e9a3da8112f7aa24def78660519e8a158c646ea091f31740c45c80ff8c8ea2df4b28588e8a100917fba8754e99e50a67a6115652dff6f2eed
SSDEEP: 49152:SnAQqMSPbcBVQej/1INRx+TSqTdX1HkQo6SAARdhnvxJM0H9PAME:+DqPoBhz1aRxcSUDk36SAEdhvxWa9P5
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.
- Contacts a large (2664) number of remote hosts (1 TTP)
  This may indicate a network scan to discover remotely running services.
- Executes dropped EXE (3 IoCs)
  Processes: mssecsvc.exe, mssecsvc.exe, tasksche.exe
  pid  | process
  4664 | mssecsvc.exe
  692  | mssecsvc.exe
  5016 | tasksche.exe
- Drops file in Windows directory (2 IoCs)
  Processes: rundll32.exe, mssecsvc.exe
  description  | ioc                     | process
  File created | C:\WINDOWS\mssecsvc.exe | rundll32.exe
  File created | C:\WINDOWS\tasksche.exe | mssecsvc.exe
- Modifies data under HKEY_USERS (5 IoCs)
  Processes: mssecsvc.exe
  description     | ioc                                                                                                        | process
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"  | mssecsvc.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | mssecsvc.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"    | mssecsvc.exe
  Key created     | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\                     | mssecsvc.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"   | mssecsvc.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes: rundll32.exe, rundll32.exe
  description                       | pid  | process      | target process
  PID 4888 wrote to memory of 2676  | 4888 | rundll32.exe | rundll32.exe
  PID 4888 wrote to memory of 2676  | 4888 | rundll32.exe | rundll32.exe
  PID 4888 wrote to memory of 2676  | 4888 | rundll32.exe | rundll32.exe
  PID 2676 wrote to memory of 4664  | 2676 | rundll32.exe | mssecsvc.exe
  PID 2676 wrote to memory of 4664  | 2676 | rundll32.exe | mssecsvc.exe
  PID 2676 wrote to memory of 4664  | 2676 | rundll32.exe | mssecsvc.exe
Processes
- C:\Windows\system32\rundll32.exe (level 1)
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\03c083659265b8d8b5ba2cd0fcf53305_JaffaCakes118.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (level 2)
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\03c083659265b8d8b5ba2cd0fcf53305_JaffaCakes118.dll,#1
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    - C:\WINDOWS\mssecsvc.exe (level 3)
      Command line: C:\WINDOWS\mssecsvc.exe
      - Executes dropped EXE
      - Drops file in Windows directory
      - C:\WINDOWS\tasksche.exe (level 4)
        Command line: C:\WINDOWS\tasksche.exe /i
        - Executes dropped EXE
- C:\WINDOWS\mssecsvc.exe (level 1)
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- C:\Windows\mssecsvc.exe
  Filesize: 3.6MB
  MD5: 74635b9cc0eaee4a49906a44c82c820d
  SHA1: 3e5c871df5dc29cffc58e613340e0903a95287e9
  SHA256: 4ce0a9ad9b1069f76e45d80f2d52b7c87c1973a7079191a6e6750db651e2e2dc
  SHA512: 5d1414063c31a7016ef2af9d17cec3fa7c9fb6ad28bcc473e951dfbea1ecff3879443fc416d0a7595109eee3f7efdb185f75b4887d06faff4acb2de2dfd1fdd7
- C:\Windows\tasksche.exe
  Filesize: 3.4MB
  MD5: 0d29bde2befdfb72c424f7217f294043
  SHA1: 35120520cebd59083648aa18d1f3a193ad7365b7
  SHA256: ad591135ff110af6cc08f807e725887c29b6d10e28ee7844cafa5133fa488199
  SHA512: 2f9f8d760acdfa64b566841b38cb7e1240f8e3b70c7a97ff9b63d4176c7fff0ce356eb48384518ed83a9f6fb407239d59ce9bcb0d910f66b9601f613087c4981