Analysis
max time kernel: 150s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240419-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240419-en, locale:en-us, os:windows10-2004-x64, system
submitted: 30-04-2024 04:08
Static task: static1
Behavioral task: behavioral1
  Sample: 08fcc691d7754903c5416a297dd1dbc8_JaffaCakes118.dll
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 08fcc691d7754903c5416a297dd1dbc8_JaffaCakes118.dll
  Resource: win10v2004-20240419-en
General
Target: 08fcc691d7754903c5416a297dd1dbc8_JaffaCakes118.dll
Size: 5.0MB
MD5: 08fcc691d7754903c5416a297dd1dbc8
SHA1: de7e6b86cb14a6e505b0a5a76647807b9ec7f2dd
SHA256: 42fceb80ac61e4bbe6df61a648ea17971bfb8ef4a7e62937cf1ede95165eb937
SHA512: 7209a5803a4bf03aa4b436f16815a0d1696b9636de6fae24869731be76caeb125c652b0fd2f33d67cd70a4bd555987ab61fa54e9c47597fbdb17882a7b07488b
SSDEEP: 98304:TDqPoBhz1aRLSUDk36SAEdhvxWa9P593R8yAVp2H:TDqPe1CLxk3ZAEUadzR8yc4H
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.
- Contacts a large (3360) amount of remote hosts (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Executes dropped EXE (3 IoCs)
  Processes: mssecsvc.exe, mssecsvc.exe, tasksche.exe
    pid   process
    4276  mssecsvc.exe
    4512  mssecsvc.exe
    4020  tasksche.exe
- Creates a large amount of network flows (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Drops file in Windows directory (2 IoCs)
  Processes: rundll32.exe, mssecsvc.exe
    description   ioc                       process
    File created  C:\WINDOWS\mssecsvc.exe   rundll32.exe
    File created  C:\WINDOWS\tasksche.exe   mssecsvc.exe
- Modifies data under HKEY_USERS (5 IoCs)
  Processes: mssecsvc.exe
    description      ioc                                                                                                   process
    Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\           mssecsvc.exe
    Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"    mssecsvc.exe
    Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"   mssecsvc.exe
    Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"  mssecsvc.exe
    Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"     mssecsvc.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes: rundll32.exe, rundll32.exe
    description                        pid   process       target process
    PID 4756 wrote to memory of 1932   4756  rundll32.exe  rundll32.exe
    PID 4756 wrote to memory of 1932   4756  rundll32.exe  rundll32.exe
    PID 4756 wrote to memory of 1932   4756  rundll32.exe  rundll32.exe
    PID 1932 wrote to memory of 4276   1932  rundll32.exe  mssecsvc.exe
    PID 1932 wrote to memory of 4276   1932  rundll32.exe  mssecsvc.exe
    PID 1932 wrote to memory of 4276   1932  rundll32.exe  mssecsvc.exe
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\08fcc691d7754903c5416a297dd1dbc8_JaffaCakes118.dll,#1
  PID: 4756
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\08fcc691d7754903c5416a297dd1dbc8_JaffaCakes118.dll,#1
    PID: 1932
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    - C:\WINDOWS\mssecsvc.exe
      Command line: C:\WINDOWS\mssecsvc.exe
      PID: 4276
      - Executes dropped EXE
      - Drops file in Windows directory
      - C:\WINDOWS\tasksche.exe
        Command line: C:\WINDOWS\tasksche.exe /i
        PID: 4020
        - Executes dropped EXE
- C:\WINDOWS\mssecsvc.exe
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  PID: 4512
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Windows\mssecsvc.exe
  Filesize: 3.6MB
  MD5: 480ce0c2338d788424e8e61ad8301d04
  SHA1: 956b6609c9e6a8544b42dd877566cfebb5123391
  SHA256: d66c922d659d7c37e968d061a4b0227884b1fd34dc17c23798fe50e08d7c8ba6
  SHA512: 3d55c09aa60b18861ea92eb555d8c04bf8d9d4a836395bc83bde19886fb57ea7852d2431570fbb971816aba7d60a1ad2f1209c0dc8324ac83065ee0aff8f174a
- C:\Windows\tasksche.exe
  Filesize: 3.4MB
  MD5: efa6ff40e62a14e1a14a2ca271e59c6f
  SHA1: 8c07fcbecfa9e0847fcfa28ff35c7912c7c10b90
  SHA256: 16a193003d91e8532d21050de329fa733d6b52a1274a6a7039b11deccacf9908
  SHA512: 1212c650c2e03edc60e1ab917cde8fc310baf81a9ab7e9def2e3ad9ba18df04a838900167e4fc4bbfce7b157619dcee2537edd092a6e3320d42376c2e56384d4