Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20240419-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20240419-en, locale:en-us, os:windows10-2004-x64, system -
submitted
30-04-2024 00:02
Static task
static1
Behavioral task
behavioral1
Sample
088db61bc2fd814f90d823eef06d43bc_JaffaCakes118.dll
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
088db61bc2fd814f90d823eef06d43bc_JaffaCakes118.dll
Resource
win10v2004-20240419-en
General
-
Target
088db61bc2fd814f90d823eef06d43bc_JaffaCakes118.dll
-
Size
5.0MB
-
MD5
088db61bc2fd814f90d823eef06d43bc
-
SHA1
11da20f275d7c348a09a40a0e19534a88d2f8f3f
-
SHA256
1cd20b7e2c44e83f24171e30ce9ae1ca9472fe21390c5adad316c950ba5d8aad
-
SHA512
0f95adcd936246fbe8a2e8bcce435ef14cc1921d95acd418cf0379d8cf1c1b059513a08ddced96e0eac609b82ef1d55ccc15fc0dad25b8138bb308325e33f5c3
-
SSDEEP
49152:SnAQqMSPbcBVQej/1INRx+TSqTdd1HkQ2AMEc1:+DqPoBhz1aRxcSUZk157
Malware Config
Signatures
-
Wannacry
WannaCry is a ransomware cryptoworm.
-
Contacts a large (2667) number of remote hosts (1 TTP)
This may indicate a network scan to discover remotely running services.
-
Executes dropped EXE 3 IoCs
Processes: mssecsvc.exe, mssecsvc.exe, tasksche.exe
PID   Process
1348  mssecsvc.exe
2788  mssecsvc.exe
4548  tasksche.exe
-
Drops file in Windows directory 2 IoCs
Processes: rundll32.exe, mssecsvc.exe
Description   IoC                      Process
File created  C:\WINDOWS\mssecsvc.exe  rundll32.exe
File created  C:\WINDOWS\tasksche.exe  mssecsvc.exe
-
Modifies data under HKEY_USERS 5 IoCs
Processes: mssecsvc.exe
Description      IoC                                                                                                    Process
Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"     mssecsvc.exe
Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\                     mssecsvc.exe
Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"    mssecsvc.exe
Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"   mssecsvc.exe
Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"  mssecsvc.exe
-
Suspicious use of WriteProcessMemory 6 IoCs
Processes: rundll32.exe, rundll32.exe
Description                        PID   Process       Target process
PID 5104 wrote to memory of 3916   5104  rundll32.exe  rundll32.exe
PID 5104 wrote to memory of 3916   5104  rundll32.exe  rundll32.exe
PID 5104 wrote to memory of 3916   5104  rundll32.exe  rundll32.exe
PID 3916 wrote to memory of 1348   3916  rundll32.exe  mssecsvc.exe
PID 3916 wrote to memory of 1348   3916  rundll32.exe  mssecsvc.exe
PID 3916 wrote to memory of 1348   3916  rundll32.exe  mssecsvc.exe
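The "contacts a large number of remote hosts" signature above is a threshold on distinct destination hosts per process. The Python below is an added example, not part of this report or the sandbox vendor's detection code: it scores each process by its distinct remote hosts and by how densely those hosts fill /24 prefixes, so a subnet sweep is separated from a process that merely talks to many unrelated servers. The connection records, the image names other than mssecsvc.exe, and both thresholds are constructed assumptions; only the 2667 host count comes from the report, the addresses do not.

```python
"""Host fan-out heuristic for the "Contacts a large (2667) amount of remote
hosts" signature.  Added example, not sandbox code.  Connection records and
thresholds are constructed/assumed, not taken from the report."""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Conn:
    pid: int
    image: str
    dst_ip: str


def scan_score(dst_ips):
    """Return (distinct hosts, /24 prefixes touched, hosts per prefix).

    A sweep fills a few prefixes densely; ordinary client traffic touches many
    prefixes with one or two hosts each, so density separates the two."""
    ips = set(dst_ips)
    per_prefix = defaultdict(int)
    for ip in ips:
        per_prefix[ip_network(f"{ip}/24", strict=False)] += 1
    density = len(ips) / len(per_prefix) if per_prefix else 0.0
    return len(ips), len(per_prefix), density


def detect_scanners(conns, host_threshold=100, density_threshold=8.0):
    """Flag each (pid, image) whose distinct host count reaches host_threshold.

    Both thresholds are assumptions for a 150 s sandbox run (the report's
    network budget); tune them against your own baseline."""
    hosts = defaultdict(set)
    for c in conns:
        hosts[(c.pid, c.image)].add(c.dst_ip)
    findings = []
    for (pid, image), ips in sorted(hosts.items()):
        n, prefixes, density = scan_score(ips)
        if n >= host_threshold:
            kind = "subnet sweep" if density >= density_threshold else "high fan-out"
            findings.append((pid, image, n, prefixes, kind))
    return findings


def constructed_sample():
    """Constructed traffic (not from the report): PID 1348 sweeps 2667
    consecutive hosts starting at 10.0.0.1, i.e. the report's host count with
    invented addresses; a hypothetical PID 6120 'msedge.exe' reaches 40 hosts
    in 40 different /24s, which looks like normal browsing."""
    base = int(ip_address("10.0.0.1"))
    conns = [Conn(1348, "mssecsvc.exe", str(ip_address(base + i))) for i in range(2667)]
    web = int(ip_address("198.51.100.1"))
    conns += [Conn(6120, "msedge.exe", str(ip_address(web + 256 * i))) for i in range(40)]
    return conns


if __name__ == "__main__":
    for finding in detect_scanners(constructed_sample()):
        print(finding)
```

With the sample traffic the sweep is reported as 2667 hosts across 11 prefixes while the browser-like process stays under the host threshold; lowering the threshold to 10 surfaces it too, but as "high fan-out" rather than a sweep, which is the distinction worth keeping in an alert.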
Processes
-
C:\Windows\system32\rundll32.exe (depth 1)
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\088db61bc2fd814f90d823eef06d43bc_JaffaCakes118.dll,#1
    - Suspicious use of WriteProcessMemory
    PID: 5104
  C:\Windows\SysWOW64\rundll32.exe (depth 2)
      Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\088db61bc2fd814f90d823eef06d43bc_JaffaCakes118.dll,#1
      - Drops file in Windows directory
      - Suspicious use of WriteProcessMemory
      PID: 3916
    C:\WINDOWS\mssecsvc.exe (depth 3)
        Command line: C:\WINDOWS\mssecsvc.exe
        - Executes dropped EXE
        - Drops file in Windows directory
        PID: 1348
      C:\WINDOWS\tasksche.exe (depth 4)
          Command line: C:\WINDOWS\tasksche.exe /i
          - Executes dropped EXE
          PID: 4548
-
C:\WINDOWS\mssecsvc.exe (depth 1)
    Command line: C:\WINDOWS\mssecsvc.exe -m security
    - Executes dropped EXE
    - Modifies data under HKEY_USERS
    PID: 2788

The 64-bit rundll32.exe (PID 5104) hands the DLL off to the 32-bit SysWOW64 rundll32.exe (PID 3916) with the same command line, consistent with the x86 tag on this run; the second mssecsvc.exe instance (PID 2788, "-m security") has no recorded parent in this tree.
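The tree above is what the sandbox reconstructs from its own instrumentation. The script below is an added example, not vendor tooling: it takes the flattened IoC lines on this page (transcribed verbatim) together with the parent/child relationships the tree shows, rebuilds the tree, and answers two triage questions the page leaves implicit: which executed binaries were written to disk by a process in their own lineage, and whether each WriteProcessMemory pair is a parent writing into its freshly created child or a write into an unrelated process. The parsed line format and the classification rules are assumptions.

```python
"""Rebuild the process tree from the report's IoC lines and correlate it with
the 'File created' and 'Executes dropped EXE' findings.  Added example, not
sandbox code.  PIDs, paths and IoC lines are transcribed from the report;
the parsing regexes and classification rules are assumptions."""
import re
from collections import defaultdict

DLL = r"C:\Users\Admin\AppData\Local\Temp\088db61bc2fd814f90d823eef06d43bc_JaffaCakes118.dll"

# pid -> (ppid or None, image path, command line), as shown in the tree.
PROCESSES = {
    5104: (None, r"C:\Windows\system32\rundll32.exe", f"rundll32.exe {DLL},#1"),
    3916: (5104, r"C:\Windows\SysWOW64\rundll32.exe", f"rundll32.exe {DLL},#1"),
    1348: (3916, r"C:\WINDOWS\mssecsvc.exe", r"C:\WINDOWS\mssecsvc.exe"),
    4548: (1348, r"C:\WINDOWS\tasksche.exe", r"C:\WINDOWS\tasksche.exe /i"),
    2788: (None, r"C:\WINDOWS\mssecsvc.exe", r"C:\WINDOWS\mssecsvc.exe -m security"),
}

# IoC lines in the flattened form the report uses.
WPM_LINES = [
    "PID 5104 wrote to memory of 3916 5104 rundll32.exe rundll32.exe",
    "PID 5104 wrote to memory of 3916 5104 rundll32.exe rundll32.exe",
    "PID 5104 wrote to memory of 3916 5104 rundll32.exe rundll32.exe",
    "PID 3916 wrote to memory of 1348 3916 rundll32.exe mssecsvc.exe",
    "PID 3916 wrote to memory of 1348 3916 rundll32.exe mssecsvc.exe",
    "PID 3916 wrote to memory of 1348 3916 rundll32.exe mssecsvc.exe",
]
FILE_LINES = [
    r"File created C:\WINDOWS\mssecsvc.exe rundll32.exe",
    r"File created C:\WINDOWS\tasksche.exe mssecsvc.exe",
]

WPM_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \d+ (\S+) (\S+)")
FILE_RE = re.compile(r"File created (\S+) (\S+)$")


def ancestors(pid):
    """Ancestor PIDs from nearest parent up to the root."""
    out = []
    while (ppid := PROCESSES[pid][0]) is not None:
        out.append(ppid)
        pid = ppid
    return out


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def dropped_files(lines):
    """{lower-cased path: lower-cased creator image} from 'File created' IoCs."""
    return {m.group(1).lower(): m.group(2).lower()
            for line in lines if (m := FILE_RE.match(line))}


def dropped_exe_findings(lines):
    """(pid, image, creator, creator_in_lineage) for every process whose image
    was written to disk during the run.  A dropped EXE whose creator is NOT an
    ancestor was started by something the recorded tree does not show."""
    drops = dropped_files(lines)
    findings = []
    for pid, (_, image, _) in sorted(PROCESSES.items()):
        creator = drops.get(image.lower())
        if creator is None:
            continue
        in_lineage = any(basename(PROCESSES[a][1]) == creator for a in ancestors(pid))
        findings.append((pid, basename(image), creator, in_lineage))
    return findings


def wpm_findings(lines):
    """Classify each unique WriteProcessMemory (writer, target) pair.  A write
    into the writer's own child is the ordinary process-creation pattern (and
    also what hollowing looks like); a write into a process that is not the
    writer's child is the stronger injection signal."""
    pairs = {}
    for line in lines:
        if m := WPM_RE.match(line):
            pairs[(int(m.group(1)), int(m.group(2)))] = (m.group(3), m.group(4))
    out = []
    for (src, dst), (src_img, dst_img) in sorted(pairs.items()):
        kind = "parent->child" if PROCESSES.get(dst, (None,))[0] == src else "cross-tree injection"
        out.append((src, src_img, dst, dst_img, kind))
    return out


def render_tree():
    """Indented tree, one 'pid command line' entry per line, roots in report order."""
    kids = defaultdict(list)
    for pid, (ppid, _, _) in PROCESSES.items():
        kids[ppid].append(pid)
    lines = []

    def walk(pid, depth):
        lines.append("  " * depth + f"{pid} {PROCESSES[pid][2]}")
        for child in sorted(kids[pid]):
            walk(child, depth + 1)

    for root in kids[None]:
        walk(root, 0)
    return lines


if __name__ == "__main__":
    print("\n".join(render_tree()))
    for f in dropped_exe_findings(FILE_LINES):
        print("dropped EXE:", f)
    for f in wpm_findings(WPM_LINES):
        print("WriteProcessMemory:", f)
```

Run against the page's data, both WriteProcessMemory pairs classify as parent into child, and mssecsvc.exe PID 1348 and tasksche.exe PID 4548 were each written by a process in their own lineage. The one outlier is mssecsvc.exe PID 2788: its image was created by rundll32.exe, but nothing in the recorded tree launched it, which is the launcher to identify next when triaging the run.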
Network
MITRE ATT&CK Enterprise v15
Downloads
-
C:\Windows\mssecsvc.exe
Filesize 3.6MB
MD5 21dd3ebeacda1f5fd688d51b34b98ee0
SHA1 5e9f5de0952f1e8331f408b17d2f29fb79607f46
SHA256 d74531831a60990c90412b444ebddeb5490c3ea4c584955d8acfa01b0fb753e1
SHA512 ebbf97cdab383daa4d7a2aba0065eb08873fbb6df1b4fbd773ef82aeb9d67e1e2b1e69c22292b15ae5c3b1f215b8d7d69db01fc232dee405f1c6d2855c5504bf
-
C:\Windows\tasksche.exe
Filesize 3.4MB
MD5 bd68305c7fee05433b8d6149813c94b4
SHA1 f1603e1fdfd3afaa01e547a6f48a10542ddaa292
SHA256 adfe293c1be1efa39317344cc77343183552f75e9916390064964eacdc97acf2
SHA512 b23d1d106fbd26207d43051585e2f12839c11657c7bdcfe1a8acfbd65cf8015d33d7792927267c4c24061ee3c2512867d6023a518c04b6fae016d5193d3edafe