Analysis
- max time kernel: 25s
- max time network: 31s
- platform: windows10-1703_x64
- resource: win10-20240404-en
- resource tags: arch:x64, arch:x86, image:win10-20240404-en, locale:en-us, os:windows10-1703-x64, system
- submitted: 26-04-2024 15:00
Static task: static1
Behavioral task: behavioral1
  Sample: 01028b2b86548e8c91fc9db5aca4cad2_JaffaCakes118.dll
  Resource: win10-20240404-en
Behavioral task: behavioral2
  Sample: 01028b2b86548e8c91fc9db5aca4cad2_JaffaCakes118.dll
  Resource: win7-20240221-en
General
- Target: 01028b2b86548e8c91fc9db5aca4cad2_JaffaCakes118.dll
- Size: 5.0MB
- MD5: 01028b2b86548e8c91fc9db5aca4cad2
- SHA1: bb55d2c339fc64ae823e9025bae6579e23fd895a
- SHA256: 9e7ccdb8b108976057d14f9c2074bf8366d9533ebc58c607ff8976693455df65
- SHA512: 77da67ea8c0265af3ff5f3323f0a0fab02feb275e4578f1e09a50f4bdc1623313d3e9850e5933c6e4d0b7adb343b1969a82d16e2d7597f3eb28263a1f4707fea
- SSDEEP: 24576:SbLgddQhfdmMSirYbcMNgef0QeQjG/D8kIqRYoAdNLTkRiwDnz9cEA5yYSZxN0:SnAQqMSPbcBVQej/1INnkRiwt/Zx+
Malware Config
Signatures
- Wannacry: WannaCry is a ransomware cryptoworm.
- Executes dropped EXE (3 IoCs)
  Processes: mssecsvc.exe, mssecsvc.exe, tasksche.exe
  pid   process
  4724  mssecsvc.exe
  4408  mssecsvc.exe
  5032  tasksche.exe
- Drops file in System32 directory (5 IoCs)
  Processes: mssecsvc.exe
  description                  ioc                                                                                                       process
  File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat         mssecsvc.exe
  File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5           mssecsvc.exe
  File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE                    mssecsvc.exe
  File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies                     mssecsvc.exe
  File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5             mssecsvc.exe
- Drops file in Windows directory (2 IoCs)
  Processes: rundll32.exe, mssecsvc.exe
  description   ioc                       process
  File created  C:\WINDOWS\mssecsvc.exe   rundll32.exe
  File created  C:\WINDOWS\tasksche.exe   mssecsvc.exe
- Modifies data under HKEY_USERS (8 IoCs)
  Processes: mssecsvc.exe
  description        ioc                                                                                                              process
  Set value (int)    \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"   mssecsvc.exe
  Set value (int)    \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"      mssecsvc.exe
  Set value (str)    \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix mssecsvc.exe
  Set value (str)    \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"   mssecsvc.exe
  Set value (str)    \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"  mssecsvc.exe
  Key created        \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\                     mssecsvc.exe
  Set value (int)    \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"     mssecsvc.exe
  Set value (int)    \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"    mssecsvc.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes: rundll32.exe, rundll32.exe
  description                        pid   process       target process
  PID 4624 wrote to memory of 1144   4624  rundll32.exe  rundll32.exe
  PID 4624 wrote to memory of 1144   4624  rundll32.exe  rundll32.exe
  PID 4624 wrote to memory of 1144   4624  rundll32.exe  rundll32.exe
  PID 1144 wrote to memory of 4724   1144  rundll32.exe  mssecsvc.exe
  PID 1144 wrote to memory of 4724   1144  rundll32.exe  mssecsvc.exe
  PID 1144 wrote to memory of 4724   1144  rundll32.exe  mssecsvc.exe
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\01028b2b86548e8c91fc9db5aca4cad2_JaffaCakes118.dll,#1
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\01028b2b86548e8c91fc9db5aca4cad2_JaffaCakes118.dll,#1
    Signatures: Drops file in Windows directory; Suspicious use of WriteProcessMemory
    - C:\WINDOWS\mssecsvc.exe
      Command line: C:\WINDOWS\mssecsvc.exe
      Signatures: Executes dropped EXE; Drops file in Windows directory
      - C:\WINDOWS\tasksche.exe
        Command line: C:\WINDOWS\tasksche.exe /i
        Signatures: Executes dropped EXE
- C:\WINDOWS\mssecsvc.exe
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  Signatures: Executes dropped EXE; Drops file in System32 directory; Modifies data under HKEY_USERS
Network
MITRE ATT&CK Matrix
Downloads
- C:\Windows\mssecsvc.exe
  Filesize: 3.6MB
  MD5: 35ead6ca4022338cded8ce1a82b249af
  SHA1: 3fe41cabc566b24fdcfb096d93a4fce82eb0cdb1
  SHA256: fab3613a72427bb1c0a34860849ea8da53ae19564c1715ceeeb0e12ecb407d5c
  SHA512: 850f13ed713551d1ff1a4cda7d2101476c5490a4d68c931974813409090290eaee244b829f8d3a05345ace871fe285f66505d52d5f6787de1f09f9fec04b9d47
- C:\Windows\tasksche.exe
  Filesize: 3.4MB
  MD5: 6d6ff7e1d9ec40890b49efeb78d35f88
  SHA1: aaec19fb5d7546204455506b4c8eca66f1409794
  SHA256: 82efe3dccc13aa9259c043aae7ec695391828ca65f80f742e4fab22fc8d186a5
  SHA512: 0574dcd16ea835d2530486778dbdcaa217047fa3ea21da4c83c8bddc7c43529d1b204a9eceb3fee34d58e1b56052791ae8742924a9ceba9b525c1576efbaf434