Analysis
Max time kernel: 150s
Max time network: 150s
Platform: windows10-2004_x64
Resource: win10v2004-20240419-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20240419-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 26-04-2024 16:52
Static task: static1
Behavioral task: behavioral1
  Sample: 0138fdefbd033db002dd80f58d5c4746_JaffaCakes118.dll
  Resource: win7-20240215-en
Behavioral task: behavioral2 (the results below are from this run)
  Sample: 0138fdefbd033db002dd80f58d5c4746_JaffaCakes118.dll
  Resource: win10v2004-20240419-en
General
Target: 0138fdefbd033db002dd80f58d5c4746_JaffaCakes118.dll
Size: 5.0MB
MD5: 0138fdefbd033db002dd80f58d5c4746
SHA1: 95437a1c99f6e6869961195530309851ad476d70
SHA256: dcbc1a2b1401cbe81037a3230c9eaffeaaf5d98d6fdb4913ef724b88b3fbfecb
SHA512: 8b5d4c4ef5fa9cdd096188ab2fd97ba1e72d963ed974823ab82188d753fe15545d2dbce3b43c951317f62469e4b80ca914c7e2488b01f8a3d26a8c2a8bda5004
SSDEEP: 98304:+DqPoBhz1aRxcSUDk36SAEdhvxWa9P593W:+DqPe1Cxcxk3ZAEUadzW
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.
- Contacts a large (2653) amount of remote hosts (1 TTP)
  This may indicate a network scan to discover remotely running services.
- Executes dropped EXE (3 IoCs)
  PID   Process
  2396  mssecsvc.exe
  3936  mssecsvc.exe
  628   tasksche.exe
- Drops file in Windows directory (2 IoCs)
  Description   IoC                       Process
  File created  C:\WINDOWS\tasksche.exe   mssecsvc.exe
  File created  C:\WINDOWS\mssecsvc.exe   rundll32.exe
- Modifies data under HKEY_USERS (5 IoCs)
  All five operations are performed by mssecsvc.exe. Writes under HKEY_USERS\.DEFAULT indicate the process ran with the default profile hive loaded, as a service-context process would; this matches the separate "mssecsvc.exe -m security" instance in the process tree below.
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"
  Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"
- Suspicious use of WriteProcessMemory (6 IoCs)
  Source PID / process   Target PID / process   Events
  1936  rundll32.exe     3148  rundll32.exe     3
  3148  rundll32.exe     2396  mssecsvc.exe     3
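The "contacts a large amount of remote hosts" signature above is a counting heuristic: many distinct destinations from one process in a short window, with the traffic concentrated on one port, looks like a service sweep rather than ordinary fan-out. The following is an added illustration written for this page, not the sandbox's own scoring code. The record layout (ts, pid, image, dst_ip, dst_port), the sample traffic and the thresholds are constructed here; the scanning process name and PID mirror mssecsvc.exe (PID 2396) from the report, while the single target port (445) is an assumption for the demo, since the report does not list the ports contacted.

```python
"""Flag processes that contact an unusually large number of distinct remote hosts.

Added example for this page; not the sandbox's code. Sample data and thresholds are
constructed. Port 445 as the sweep target is an assumption, not taken from the report.
"""
from __future__ import annotations
from collections import Counter, defaultdict
from dataclasses import dataclass
import ipaddress
import random


@dataclass(frozen=True)
class Conn:
    ts: float       # seconds since capture start
    pid: int
    image: str
    dst_ip: str
    dst_port: int


def build_sample_log() -> list[Conn]:
    """Constructed capture: a chatty but benign process plus one process sweeping a /16."""
    rng = random.Random(1)
    log: list[Conn] = []
    # Benign: svchost.exe repeatedly talks to the same five hosts on 443.
    for i in range(200):
        log.append(Conn(i * 0.5, 1024, "svchost.exe", f"10.0.0.{rng.randint(1, 5)}", 443))
    # Worm-like: thousands of distinct hosts, one port, about a hundred per second.
    base = int(ipaddress.IPv4Address("192.168.0.0"))
    for i in range(3000):
        addr = str(ipaddress.IPv4Address(base + rng.randrange(65536)))
        log.append(Conn(i * 0.01, 2396, "mssecsvc.exe", addr, 445))
    return log


def find_scanners(log: list[Conn], min_hosts: int = 100, window_s: float = 150.0) -> dict:
    """Count distinct destination hosts per (pid, image) within window_s of the process's
    first connection (150 s matches the report's "max time network"). Processes at or
    above min_hosts are returned with the port that dominates their traffic, which is
    what separates a service sweep from legitimate fan-out such as CDN or DNS traffic."""
    first_seen: dict[tuple[int, str], float] = {}
    last_seen: dict[tuple[int, str], float] = {}
    hosts: dict[tuple[int, str], set[str]] = defaultdict(set)
    ports: dict[tuple[int, str], Counter] = defaultdict(Counter)
    for c in sorted(log, key=lambda c: c.ts):
        key = (c.pid, c.image)
        first_seen.setdefault(key, c.ts)
        if c.ts - first_seen[key] > window_s:
            continue
        last_seen[key] = c.ts
        hosts[key].add(c.dst_ip)
        ports[key][c.dst_port] += 1
    findings = {}
    for key, seen in hosts.items():
        if len(seen) < min_hosts:
            continue
        port, hits = ports[key].most_common(1)[0]
        span = max(last_seen[key] - first_seen[key], 1e-3)
        findings[key] = {
            "distinct_hosts": len(seen),
            "dominant_port": port,
            "port_share": hits / sum(ports[key].values()),
            "hosts_per_second": len(seen) / span,
        }
    return findings


def describe(findings: dict) -> list[str]:
    """One line per finding, phrased like the sandbox signature."""
    return [
        f"{image} (PID {pid}) contacted a large ({f['distinct_hosts']}) amount of remote hosts, "
        f"{f['port_share']:.0%} on port {f['dominant_port']}, {f['hosts_per_second']:.0f} hosts/s"
        for (pid, image), f in findings.items()
    ]


if __name__ == "__main__":
    for line in describe(find_scanners(build_sample_log())):
        print(line)
```

The distinct-host count alone produces false positives on proxies, DNS resolvers and browsers; the port concentration and hosts-per-second figures are what make the finding actionable, so tune min_hosts against a baseline of your own hosts before alerting on it.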
Processes
Depth is shown by indentation. PIDs are taken from the report's own WriteProcessMemory and "Executes dropped EXE" events above. The 64-bit rundll32.exe in system32 hands a 32-bit DLL off to the SysWOW64 copy of rundll32.exe, which is why the DLL is loaded twice before mssecsvc.exe appears.

C:\Windows\system32\rundll32.exe (PID 1936)
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\0138fdefbd033db002dd80f58d5c4746_JaffaCakes118.dll,#1
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\rundll32.exe (PID 3148)
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\0138fdefbd033db002dd80f58d5c4746_JaffaCakes118.dll,#1
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    C:\WINDOWS\mssecsvc.exe (PID 2396)
      C:\WINDOWS\mssecsvc.exe
      - Executes dropped EXE
      - Drops file in Windows directory
      C:\WINDOWS\tasksche.exe (PID 628)
        C:\WINDOWS\tasksche.exe /i
        - Executes dropped EXE

C:\WINDOWS\mssecsvc.exe (PID 3936)
  C:\WINDOWS\mssecsvc.exe -m security
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
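The process tree and the file-drop IoCs together give a detection chain that does not depend on file hashes: rundll32.exe writing mssecsvc.exe into the Windows directory, rundll32.exe spawning it, mssecsvc.exe spawning tasksche.exe with /i, and a second mssecsvc.exe started with "-m security". The following is an added example written for this page, not the sandbox's code: it matches those four behaviours over a constructed, Sysmon-like event stream (ProcessCreate with pid/ppid/image/cmdline, FileCreate with pid/image/target). PIDs, image paths and command lines are copied from the report; the parent PIDs of the two roots (700 and 4) and the rule names are this example's own assumptions.

```python
"""Match the execution chain from this report against process/file-creation events.

Added example for this page; not the sandbox's code. The event stream is constructed.
Root parent PIDs (700, 4) are assumed, everything else comes from the report.
"""
from __future__ import annotations
import ntpath

DROPPED_DROPPER = r"C:\WINDOWS\mssecsvc.exe"   # path from the "Drops file" IoC


def build_sample_events() -> list[dict]:
    """Constructed event stream reproducing the report's process tree, plus one benign
    rundll32.exe launch so the rules have something to ignore."""
    dll = r"C:\Users\Admin\AppData\Local\Temp\0138fdefbd033db002dd80f58d5c4746_JaffaCakes118.dll"
    return [
        {"type": "ProcessCreate", "pid": 1936, "ppid": 700,   # ppid assumed
         "image": r"C:\Windows\system32\rundll32.exe", "cmdline": f"rundll32.exe {dll},#1"},
        {"type": "ProcessCreate", "pid": 3148, "ppid": 1936,
         "image": r"C:\Windows\SysWOW64\rundll32.exe", "cmdline": f"rundll32.exe {dll},#1"},
        {"type": "FileCreate", "pid": 3148,
         "image": r"C:\Windows\SysWOW64\rundll32.exe", "target": r"C:\WINDOWS\mssecsvc.exe"},
        {"type": "ProcessCreate", "pid": 2396, "ppid": 3148,
         "image": r"C:\WINDOWS\mssecsvc.exe", "cmdline": r"C:\WINDOWS\mssecsvc.exe"},
        {"type": "FileCreate", "pid": 2396,
         "image": r"C:\WINDOWS\mssecsvc.exe", "target": r"C:\WINDOWS\tasksche.exe"},
        {"type": "ProcessCreate", "pid": 628, "ppid": 2396,
         "image": r"C:\WINDOWS\tasksche.exe", "cmdline": r"C:\WINDOWS\tasksche.exe /i"},
        {"type": "ProcessCreate", "pid": 3936, "ppid": 4,     # ppid assumed
         "image": r"C:\WINDOWS\mssecsvc.exe", "cmdline": r"C:\WINDOWS\mssecsvc.exe -m security"},
        {"type": "ProcessCreate", "pid": 5000, "ppid": 700,   # benign noise
         "image": r"C:\Windows\system32\rundll32.exe", "cmdline": "rundll32.exe shell32.dll,Control_RunDLL"},
    ]


def _base(image: str) -> str:
    """Case-folded file name of an image path (ntpath works on any OS)."""
    return ntpath.basename(image).lower()


def _args(cmdline: str) -> list[str]:
    """Arguments after the image, case-folded, so '/I' and '-M' still match."""
    return [a.lower() for a in cmdline.split()[1:]]


def detect(events: list[dict]) -> dict[str, list[int]]:
    """Return, per rule, the PIDs whose event matched. Parent/child relations are
    resolved through the ProcessCreate events seen in the same stream."""
    by_pid = {e["pid"]: e for e in events if e["type"] == "ProcessCreate"}
    hits: dict[str, list[int]] = {
        "rundll32_drops_mssecsvc": [],
        "rundll32_spawns_mssecsvc": [],
        "mssecsvc_spawns_tasksche_i": [],
        "mssecsvc_started_with_m_security": [],
    }
    for e in events:
        if e["type"] == "FileCreate":
            if _base(e["image"]) == "rundll32.exe" and \
                    ntpath.normcase(e["target"]) == ntpath.normcase(DROPPED_DROPPER):
                hits["rundll32_drops_mssecsvc"].append(e["pid"])
            continue
        img, args = _base(e["image"]), _args(e["cmdline"])
        parent = by_pid.get(e["ppid"])
        pimg = _base(parent["image"]) if parent else ""
        if img == "mssecsvc.exe" and pimg == "rundll32.exe":
            hits["rundll32_spawns_mssecsvc"].append(e["pid"])
        if img == "tasksche.exe" and pimg == "mssecsvc.exe" and "/i" in args:
            hits["mssecsvc_spawns_tasksche_i"].append(e["pid"])
        if img == "mssecsvc.exe" and args == ["-m", "security"]:
            hits["mssecsvc_started_with_m_security"].append(e["pid"])
    return hits


def ancestry(events: list[dict], pid: int) -> list[str]:
    """Image paths from pid up to the last parent present in the stream."""
    by_pid = {e["pid"]: e for e in events if e["type"] == "ProcessCreate"}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(by_pid[pid]["image"])
        pid = by_pid[pid]["ppid"]
    return chain


if __name__ == "__main__":
    ev = build_sample_events()
    for rule, pids in detect(ev).items():
        print(f"{rule}: {pids}")
    print(" <- ".join(ancestry(ev, 628)))
```

Each rule fires on its own, which matters in practice: the "-m security" instance has no rundll32.exe ancestor in the stream, and on a real host the file-drop event and the process-creation events may come from different log sources, so correlate on the rule hits rather than requiring the full chain from one event.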
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- C:\Windows\mssecsvc.exe
  Filesize: 3.6MB
  MD5: 6cd7035ad95b883cec70dd0bb8c7be57
  SHA1: a391321b8d1c9c4c52474c17b2fb2e3a8429f9dd
  SHA256: 60d743593e035097c9f630bf8321b77f841d9b96262ce04f96489508f52be1f1
  SHA512: 19c83b8a766d2487d0c7a494678125d090f4246f4cee7a475d092f164421e937cef99414845f9cc48ecb9aebc13f2b8defdddf83283e75eacc4a0a95b59c5583
- C:\Windows\tasksche.exe
  Filesize: 3.4MB
  MD5: 3324f5c69e80820e2ff666b6d363c456
  SHA1: 87b8cc74cd315e146de6486cbbbef213fdea930a
  SHA256: e73c6b8ae883749cf482c1651c4fdc1442ab0c5f885ba6180dc35cdcebe0a86a
  SHA512: ca16ce718e7cf7f08be01a2d40d26b83b703c4c27bec1e8aac9d5c51f88355b16b1a32e9f52ab3e32bf1e8160c4f9f8691abb9b76aad10cf862ebb93d8244b3d