Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20240419-en -
resource tags
arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system -
submitted
27-04-2024 02:54
Static task
static1
Behavioral task
behavioral1
Sample
02420505830101d5633fd68ba3a62685_JaffaCakes118.dll
Resource
win7-20231129-en
Behavioral task
behavioral2
Sample
02420505830101d5633fd68ba3a62685_JaffaCakes118.dll
Resource
win10v2004-20240419-en
General
-
Target
02420505830101d5633fd68ba3a62685_JaffaCakes118.dll
-
Size
5.0MB
-
MD5
02420505830101d5633fd68ba3a62685
-
SHA1
2166f4b0c0eb29fe283fbae7116c518b235bb7e3
-
SHA256
ea099596630fe3ae3bd5ee95f34160126e3bc347bf91251011b0767a1c591f94
-
SHA512
542692c40ba7ffbdac02807d058bd5fa70d1058936913414d440cb8e7734a4ee5aee22acc270d96bd09e5631feaf1c72b32732c23c17d7e8d96fbde998644c04
-
SSDEEP
49152:SnAQqMSPbcBVQej/1INRx+TSqTd31HkQo6uAMEcpZ:+DqPoBhz1aRxcSU3k36u5
Malware Config
Signatures
-
Wannacry
WannaCry is a ransomware cryptoworm.
-
Contacts a large (2660) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Executes dropped EXE 3 IoCs
Processes:
mssecsvc.exemssecsvc.exetasksche.exepid process 1244 mssecsvc.exe 1952 mssecsvc.exe 824 tasksche.exe -
Drops file in Windows directory 2 IoCs
Processes:
rundll32.exemssecsvc.exedescription ioc process File created C:\WINDOWS\mssecsvc.exe rundll32.exe File created C:\WINDOWS\tasksche.exe mssecsvc.exe -
Modifies data under HKEY_USERS 5 IoCs
Processes:
mssecsvc.exedescription ioc process Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" mssecsvc.exe -
Suspicious use of WriteProcessMemory 6 IoCs
Processes:
rundll32.exerundll32.exedescription pid process target process PID 880 wrote to memory of 2540 880 rundll32.exe rundll32.exe PID 880 wrote to memory of 2540 880 rundll32.exe rundll32.exe PID 880 wrote to memory of 2540 880 rundll32.exe rundll32.exe PID 2540 wrote to memory of 1244 2540 rundll32.exe mssecsvc.exe PID 2540 wrote to memory of 1244 2540 rundll32.exe mssecsvc.exe PID 2540 wrote to memory of 1244 2540 rundll32.exe mssecsvc.exe
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\02420505830101d5633fd68ba3a62685_JaffaCakes118.dll,#11⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\02420505830101d5633fd68ba3a62685_JaffaCakes118.dll,#12⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
-
C:\WINDOWS\mssecsvc.exeC:\WINDOWS\mssecsvc.exe3⤵
- Executes dropped EXE
- Drops file in Windows directory
-
C:\WINDOWS\tasksche.exeC:\WINDOWS\tasksche.exe /i4⤵
- Executes dropped EXE
-
C:\WINDOWS\mssecsvc.exeC:\WINDOWS\mssecsvc.exe -m security1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Windows\mssecsvc.exeFilesize
3.6MB
MD5a29483df1364dc32e6b25ebe75972208
SHA1ce72c64eb4b8a2c9156ff23261f0dddc6a9326bd
SHA256b5f4f785368bb394d75a296e39505e81065927bcda6630962d6d8c3a6838e71a
SHA5125d16eebfad1e2fc0c8cdba9d89bb905b7732d2ac5d3b6e60c05e8a9e4e160c6b4e306c2665a6dc8cfaff6282d95e3c1bcc0345079efd6baaf63e7ac1ab518841
-
C:\Windows\tasksche.exeFilesize
3.4MB
MD53d4c3be36f39bd91bfdb5f61ff265f3a
SHA1ea2c72af7cbd60462d42d3362c86403fd0a454bb
SHA25631ed7aaa7c2c55baf8045b42f4eef4a6d076e67853bf1f33660924c24afbf04e
SHA512879414492ee70a0b82de9d4aad635640464bf2bf5cba4bd8c4091a3ce755084faa019a363cf753721e41109de1d38d606b9d618fb225162979808587c83bb661