Analysis
- max time kernel: 150s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20240426-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 04-05-2024 03:59
Static task: static1
Behavioral task: behavioral1
- Sample: 116da80da197df9be520b7645bbc690d_JaffaCakes118.dll
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: 116da80da197df9be520b7645bbc690d_JaffaCakes118.dll
- Resource: win10v2004-20240426-en
General
- Target: 116da80da197df9be520b7645bbc690d_JaffaCakes118.dll
- Size: 5.0MB
- MD5: 116da80da197df9be520b7645bbc690d
- SHA1: d44af8a3934ea9c96cdc20fb4ac464da103b9a2b
- SHA256: ff30fed5d92ff55998b4660934a9c08a207d7836e31ac376611ab12e4ca368ae
- SHA512: ef83fd021fb27e9393f207ba2bf2b4001cf60da450ed0b51e8571e76601abf6e8da3e401170934d66090c322babd04ad0d49fce1fd7ae0865b6a9036ab4fb472
- SSDEEP: 24576:SbLgddQhfdmMSirYbcMNgef0QeQjG/D8kIqz4Xhyls6Es47gz2:SnAQqMSPbcBVQej/X4xy66ZWg
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.
- Contacts a large (3276) amount of remote hosts (1 TTP)
  This may indicate a network scan to discover remotely running services.
- Executes dropped EXE (3 IoCs)
  Processes: mssecsvc.exe, mssecsvc.exe, tasksche.exe
  pid | process
  2688 | mssecsvc.exe
  948 | mssecsvc.exe
  376 | tasksche.exe
- Creates a large amount of network flows (1 TTP)
  This may indicate a network scan to discover remotely running services.
- Drops file in Windows directory (2 IoCs)
  Processes: rundll32.exe, mssecsvc.exe
  description | ioc | process
  File created | C:\WINDOWS\mssecsvc.exe | rundll32.exe
  File created | C:\WINDOWS\tasksche.exe | mssecsvc.exe
- Modifies data under HKEY_USERS (5 IoCs)
  Processes: mssecsvc.exe
  description | ioc | process
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | mssecsvc.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | mssecsvc.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | mssecsvc.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | mssecsvc.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | mssecsvc.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes: rundll32.exe, rundll32.exe
  description | pid | process | target process
  PID 4780 wrote to memory of 4328 | 4780 | rundll32.exe | rundll32.exe
  PID 4780 wrote to memory of 4328 | 4780 | rundll32.exe | rundll32.exe
  PID 4780 wrote to memory of 4328 | 4780 | rundll32.exe | rundll32.exe
  PID 4328 wrote to memory of 2688 | 4328 | rundll32.exe | mssecsvc.exe
  PID 4328 wrote to memory of 2688 | 4328 | rundll32.exe | mssecsvc.exe
  PID 4328 wrote to memory of 2688 | 4328 | rundll32.exe | mssecsvc.exe
Processes
- C:\Windows\system32\rundll32.exe (depth 1)
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\116da80da197df9be520b7645bbc690d_JaffaCakes118.dll,#1
  PID: 4780
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (depth 2)
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\116da80da197df9be520b7645bbc690d_JaffaCakes118.dll,#1
    PID: 4328
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    - C:\WINDOWS\mssecsvc.exe (depth 3)
      Command line: C:\WINDOWS\mssecsvc.exe
      PID: 2688
      - Executes dropped EXE
      - Drops file in Windows directory
      - C:\WINDOWS\tasksche.exe (depth 4)
        Command line: C:\WINDOWS\tasksche.exe /i
        PID: 376
        - Executes dropped EXE
- C:\WINDOWS\mssecsvc.exe (depth 1)
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  PID: 948
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Windows\mssecsvc.exe
  Filesize: 3.6MB
  MD5: 7787e47e84763340fbfa014b468aaba6
  SHA1: 11a3438586a3ba1a2e2ef5268cbe9b096629332b
  SHA256: 10f59b2878cf42e6b34568c0b58babc57aa271fdd716051e05176a9aa60bb471
  SHA512: aaa96a959288663065822a6b1e7dccf53519137da0f1c4a3cb156c62518ea19634fc4f7c02b890929638c7bb33e9534087149083c6f1840abe2d163f93834762
- C:\Windows\tasksche.exe
  Filesize: 3.4MB
  MD5: 917d18da323a85f96ecdf23df2132392
  SHA1: f8951b4ade4051cbd61c60ed8ca1575dc2fc436e
  SHA256: a436eadb06e7ab6e9dd2875865b9c9ca9f8fa70b010e155282c11b4ed110dcab
  SHA512: d63326d792e64f529591dd4b413b7b4c4713513ce81500b6cb7b1f99337697a9575a9471ed7dc8c5968dab5d312e652625db33d920f1ca4dcada68127d0745e6