Analysis
max time kernel: 150s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
submitted: 27-04-2024 10:22
Static task
static1
Behavioral task
behavioral1
Sample
03096422415d2c4c983d39eb6b290145_JaffaCakes118.dll
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
03096422415d2c4c983d39eb6b290145_JaffaCakes118.dll
Resource
win10v2004-20240426-en
General
Target: 03096422415d2c4c983d39eb6b290145_JaffaCakes118.dll
Size: 5.0MB
MD5: 03096422415d2c4c983d39eb6b290145
SHA1: 97f3e8e2eee42c0016e4483ed291cac4aab1fce7
SHA256: 4d29758ba37b2e04b17ced84f9662b2afe2ea2a0253c344fa2ae2cc519812abf
SHA512: 77ae845aa662d8f9ecdee86fda1002ebbf5c851580a1365e01d385f87a25f5e2dff471645a426779ffe0002a1196165bffcb1a6b0a38e1a463993a6188a95c96
SSDEEP: 49152:SnAQqMSPbcBVQej/1INRx+TSqTdX1HkQo6SAARdhnvxJM0H9:+DqPoBhz1aRxcSUDk36SAEdhvxWa9
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.
- Contacts a large (3185) amount of remote hosts (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Executes dropped EXE (3 IoCs)
  Processes:
    pid   process
    4344  mssecsvc.exe
    4104  mssecsvc.exe
    364   tasksche.exe
- Creates a large amount of network flows (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Drops file in Windows directory (2 IoCs)
  Processes:
    description   ioc                      process
    File created  C:\WINDOWS\tasksche.exe  mssecsvc.exe
    File created  C:\WINDOWS\mssecsvc.exe  rundll32.exe
- Modifies data under HKEY_USERS (5 IoCs)
  Processes:
    description      ioc                                                                                                          process
    Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\                 mssecsvc.exe
    Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"    mssecsvc.exe
    Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"   mssecsvc.exe
    Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"  mssecsvc.exe
    Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"     mssecsvc.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes:
    description                       pid   process       target process
    PID 2764 wrote to memory of 2712  2764  rundll32.exe  rundll32.exe
    PID 2764 wrote to memory of 2712  2764  rundll32.exe  rundll32.exe
    PID 2764 wrote to memory of 2712  2764  rundll32.exe  rundll32.exe
    PID 2712 wrote to memory of 4344  2712  rundll32.exe  mssecsvc.exe
    PID 2712 wrote to memory of 4344  2712  rundll32.exe  mssecsvc.exe
    PID 2712 wrote to memory of 4344  2712  rundll32.exe  mssecsvc.exe
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\03096422415d2c4c983d39eb6b290145_JaffaCakes118.dll,#1
  - Suspicious use of WriteProcessMemory
  PID: 2764
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\03096422415d2c4c983d39eb6b290145_JaffaCakes118.dll,#1
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    PID: 2712
    - C:\WINDOWS\mssecsvc.exe
      Command line: C:\WINDOWS\mssecsvc.exe
      - Executes dropped EXE
      - Drops file in Windows directory
      PID: 4344
      - C:\WINDOWS\tasksche.exe
        Command line: C:\WINDOWS\tasksche.exe /i
        - Executes dropped EXE
        PID: 364
- C:\WINDOWS\mssecsvc.exe
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  PID: 4104
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Windows\mssecsvc.exe
  Filesize: 3.6MB
  MD5: 963c866614ab00596a3a335e0ea85f53
  SHA1: 9a3e2f950acb6b8cc1b44d4c254d4c4f0668a944
  SHA256: 16ebb03232914b826b48b00c8231ed80fa83fbe6e76afc864c55e33d47b94181
  SHA512: 942976c5c6ffee5d0cb80a2f10d531a3daebf9e51fc8f8e8c7886aef8012ceed9d6cd9cd92a1920c81555b87e970d122734bb09558a5e7259c2f983c3771f06d
- C:\Windows\tasksche.exe
  Filesize: 3.4MB
  MD5: 49ebfd1f74d61f1addfd4a03ae277198
  SHA1: 64981e9feef4244c7d5b583cf8caa0043327e1c4
  SHA256: 7428842afbd1d547e28a861d9c00704ea0d9e891140666ae1867766d96f63559
  SHA512: 8679a4ad2ef64b32bf13c57a9957e069acd44a95c09f755a0d25281b0dfdd89eb18ba8fb53efa49f9035c0a5eecde4c2ffcfd7093186d23b0fb07dca25394222