Analysis
- max time kernel: 150s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20240426-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 01-05-2024 14:52

Static task: static1

Behavioral task: behavioral1
- Sample: 0c166c3b9e6f879ab7f33115d5a252a1_JaffaCakes118.dll
- Resource: win7-20240221-en

Behavioral task: behavioral2
- Sample: 0c166c3b9e6f879ab7f33115d5a252a1_JaffaCakes118.dll
- Resource: win10v2004-20240426-en
General
- Target: 0c166c3b9e6f879ab7f33115d5a252a1_JaffaCakes118.dll
- Size: 5.0MB
- MD5: 0c166c3b9e6f879ab7f33115d5a252a1
- SHA1: fba4b04f54ca357eb1dc3733a95fb6fe5a9c514e
- SHA256: 92d633e2d8c94ffebb60507abc1e7cb893c4131661e1b41fa7032a6dda6b76aa
- SHA512: ad5bfaec08933783500af6867110ea0329071da68012f33fa31feecea72c4a19e3c027d9065f18c2a4e35fd32787172bae57d9b5b94d1f45ad4022f9e439b9c7
- SSDEEP: 49152:SnAQqMSPbcBVQej/1INRx+TSqTdX1HkQo6SAARdhnvxJM0H9:+DqPoBhz1aRxcSUDk36SAEdhvxWa9
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.
- Contacts a large (3272) amount of remote hosts (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Executes dropped EXE (3 IoCs)
  Processes: mssecsvc.exe, mssecsvc.exe, tasksche.exe
    pid   process
    2892  mssecsvc.exe
    3128  mssecsvc.exe
    1948  tasksche.exe
- Creates a large amount of network flows (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Drops file in Windows directory (2 IoCs)
  Processes: rundll32.exe, mssecsvc.exe
    description   ioc                       process
    File created  C:\WINDOWS\mssecsvc.exe   rundll32.exe
    File created  C:\WINDOWS\tasksche.exe   mssecsvc.exe
- Modifies data under HKEY_USERS (5 IoCs)
  Processes: mssecsvc.exe
    description      ioc                                                                                                      process
    Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\             mssecsvc.exe
    Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"     mssecsvc.exe
    Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"    mssecsvc.exe
    Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"   mssecsvc.exe
    Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"      mssecsvc.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes: rundll32.exe, rundll32.exe
    description                       pid   process       target process
    PID 4120 wrote to memory of 320   4120  rundll32.exe  rundll32.exe
    PID 4120 wrote to memory of 320   4120  rundll32.exe  rundll32.exe
    PID 4120 wrote to memory of 320   4120  rundll32.exe  rundll32.exe
    PID 320 wrote to memory of 2892   320   rundll32.exe  mssecsvc.exe
    PID 320 wrote to memory of 2892   320   rundll32.exe  mssecsvc.exe
    PID 320 wrote to memory of 2892   320   rundll32.exe  mssecsvc.exe
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\0c166c3b9e6f879ab7f33115d5a252a1_JaffaCakes118.dll,#1
  - Suspicious use of WriteProcessMemory
  PID:4120
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\0c166c3b9e6f879ab7f33115d5a252a1_JaffaCakes118.dll,#1
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    PID:320
    - C:\WINDOWS\mssecsvc.exe
      Command line: C:\WINDOWS\mssecsvc.exe
      - Executes dropped EXE
      - Drops file in Windows directory
      PID:2892
      - C:\WINDOWS\tasksche.exe
        Command line: C:\WINDOWS\tasksche.exe /i
        - Executes dropped EXE
        PID:1948
- C:\WINDOWS\mssecsvc.exe
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  PID:3128
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Windows\mssecsvc.exe
  Filesize: 3.6MB
  MD5: 1746e65adf2fe07b737bb5764cabc2e4
  SHA1: dd36351521b6584791d5b6fb939142536b71e604
  SHA256: 1a3341416f9f7b3bfac2648e4d00148bef03d4608a8dd17c2363a8e0cf0dbc0b
  SHA512: 2e24058fd5497663e0f82b9039cc6eb7586c6c1674cb10b881f7dec463b6f9df1beee3327b889a6664fd76e68ff0b758c201ffb7c8dc00932f5996b380505a1d
- C:\Windows\tasksche.exe
  Filesize: 3.4MB
  MD5: bdcd1b50b28cdd7e1bb29004ac43edd7
  SHA1: c892dfb02d544d7a4b58b47b25d4717cecc49786
  SHA256: 46777ac11360c778db1f288990885a5a144f0b82e9e3632c3d64218bfe4cd1d7
  SHA512: d03ed482cd25c2c797c04a024733dff0a450119c59f1c1a03999187503b3672cf05fcdb093baf69015a5e16cacdc120fa807e5e2d497814101d2c009afc7ae2b