Analysis
max time kernel: 150s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240419-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240419-en, locale:en-us, os:windows10-2004-x64, system
submitted: 30-04-2024 02:52
Static task: static1
Behavioral task: behavioral1
  Sample: 08dc108f0734ca16b6d0b460cfa4d0c0_JaffaCakes118.dll
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 08dc108f0734ca16b6d0b460cfa4d0c0_JaffaCakes118.dll
  Resource: win10v2004-20240419-en
General
Target: 08dc108f0734ca16b6d0b460cfa4d0c0_JaffaCakes118.dll
Size: 5.0MB
MD5: 08dc108f0734ca16b6d0b460cfa4d0c0
SHA1: 124ad52c06bbdbbf8c24870dc934c95f72c6c05d
SHA256: 278e4c2c8aac93dc902d29f7b28f631635615c9e2e8bf7211b476b36a763c8a4
SHA512: ef0858975a37c826c8203d37899f649542a8df27993a163817f7cc4c6c6c06c7a4527d00c224472e4403261c74f4dc4f31aa6164747ea2e597f1a5a81480b0cc
SSDEEP: 49152:SnAQqMSPbcBVQej/1INRx+TSqTdX1HkQo6XEauR:+DqPoBhz1aRxcSUDk36+R
Malware Config
Signatures
Wannacry
WannaCry is a ransomware cryptoworm.

Contacts a large (2672) amount of remote hosts (1 TTPs)
This may indicate a network scan to discover remotely running services.
Executes dropped EXE (3 IoCs)
Processes (pid | process):
  1724 | mssecsvc.exe
  3696 | mssecsvc.exe
  1868 | tasksche.exe
Drops file in Windows directory (2 IoCs)
Processes (description | ioc | process):
  File created | C:\WINDOWS\mssecsvc.exe | rundll32.exe
  File created | C:\WINDOWS\tasksche.exe | mssecsvc.exe
Modifies data under HKEY_USERS (5 IoCs)
Processes (description | ioc | process):
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | mssecsvc.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | mssecsvc.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | mssecsvc.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | mssecsvc.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | mssecsvc.exe
Suspicious use of WriteProcessMemory (6 IoCs)
Processes (description | pid | process | target process):
  PID 4800 wrote to memory of 392 | 4800 | rundll32.exe | rundll32.exe
  PID 4800 wrote to memory of 392 | 4800 | rundll32.exe | rundll32.exe
  PID 4800 wrote to memory of 392 | 4800 | rundll32.exe | rundll32.exe
  PID 392 wrote to memory of 1724 | 392 | rundll32.exe | mssecsvc.exe
  PID 392 wrote to memory of 1724 | 392 | rundll32.exe | mssecsvc.exe
  PID 392 wrote to memory of 1724 | 392 | rundll32.exe | mssecsvc.exe
Processes (process tree; depth in brackets)
[1] C:\Windows\system32\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\08dc108f0734ca16b6d0b460cfa4d0c0_JaffaCakes118.dll,#1
    - Suspicious use of WriteProcessMemory
    PID: 4800
  [2] C:\Windows\SysWOW64\rundll32.exe
      Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\08dc108f0734ca16b6d0b460cfa4d0c0_JaffaCakes118.dll,#1
      - Drops file in Windows directory
      - Suspicious use of WriteProcessMemory
      PID: 392
    [3] C:\WINDOWS\mssecsvc.exe
        Command line: C:\WINDOWS\mssecsvc.exe
        - Executes dropped EXE
        - Drops file in Windows directory
        PID: 1724
      [4] C:\WINDOWS\tasksche.exe
          Command line: C:\WINDOWS\tasksche.exe /i
          - Executes dropped EXE
          PID: 1868
[1] C:\WINDOWS\mssecsvc.exe
    Command line: C:\WINDOWS\mssecsvc.exe -m security
    - Executes dropped EXE
    - Modifies data under HKEY_USERS
    PID: 3696
Network
MITRE ATT&CK Enterprise v15
Downloads
C:\Windows\mssecsvc.exe
  Filesize: 3.6MB
  MD5: 14d4a723552be20b4693a0e745fe28cc
  SHA1: b6166ab202dfaa2846d6d0032d5b06d480b8029c
  SHA256: 4c44aa0340082e2355e34c3c0c8bff4acb82a9c6e13d0648c49c7a1ad31cd5f1
  SHA512: 7b338244fab55524a574424bd273f2baefe2939f6b64f90ed2ce8806a5437a54acd034eb1fb1c4dbd365612d89b03662bafccb7ddafb8d1b5e501ffab7e796a3

C:\Windows\tasksche.exe
  Filesize: 3.4MB
  MD5: 977d14687ac48449af995433ec634112
  SHA1: 7696e47f7277f883ed5279253d8d44983cd39642
  SHA256: 14ad323ba4a71502781d82377c795d42e2f3ebf76c8a5a54c20ecaf7a5782afd
  SHA512: 23de95bb9a49e2e876d818f79873deb48ea55e99ff2d3df61fab7e540a8d1b04ed4d03b2eb565aa14ddb7a1fe0abd1a2e911eb24948840e9a20fc4b026294ade