Analysis
- max time kernel: 150s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20240419-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240419-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 05-05-2024 03:39
Static task
- static1
Behavioral task
- behavioral1
  Sample: 15d0052e957db640db952d6c54490080_JaffaCakes118.dll
  Resource: win7-20240220-en
Behavioral task
- behavioral2
  Sample: 15d0052e957db640db952d6c54490080_JaffaCakes118.dll
  Resource: win10v2004-20240419-en
General
- Target: 15d0052e957db640db952d6c54490080_JaffaCakes118.dll
- Size: 5.0MB
- MD5: 15d0052e957db640db952d6c54490080
- SHA1: a87133dcf3d701ec0e693cab9d47666cd9333d87
- SHA256: e9cff5f99299ef3d6815db4e2f3d58a55be0b66ac0ab7a1fb6fcad31541351a8
- SHA512: 11b08d73581b9403e506ec0804b4afef527bb100668c9c6a190f5bceedb9ba8ef14d4a4c41b86ea8482f2a82f025d456308c28c6a58748346286ae61ed37f637
- SSDEEP: 24576:SbLgddQhfdmMSirYbcMNgef0QeQjG/D8kIqRYoAdNLKz662Ydq/:SnAQqMSPbcBVQej/1INR
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.
- Contacts a large (3304) amount of remote hosts (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Executes dropped EXE (3 IoCs)
  Processes:
    PID 2932  mssecsvc.exe
    PID 4448  mssecsvc.exe
    PID 372   tasksche.exe
- Creates a large amount of network flows (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Drops file in Windows directory (2 IoCs)
  Processes: rundll32.exe, mssecsvc.exe
    File created  C:\WINDOWS\mssecsvc.exe  (by rundll32.exe)
    File created  C:\WINDOWS\tasksche.exe  (by mssecsvc.exe)
- Modifies data under HKEY_USERS (5 IoCs)
  Process: mssecsvc.exe
    Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\
    Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"
    Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"
    Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"
    Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes: rundll32.exe, rundll32.exe
    PID 3380 (rundll32.exe) wrote to memory of PID 1616 (rundll32.exe)
    PID 3380 (rundll32.exe) wrote to memory of PID 1616 (rundll32.exe)
    PID 3380 (rundll32.exe) wrote to memory of PID 1616 (rundll32.exe)
    PID 1616 (rundll32.exe) wrote to memory of PID 2932 (mssecsvc.exe)
    PID 1616 (rundll32.exe) wrote to memory of PID 2932 (mssecsvc.exe)
    PID 1616 (rundll32.exe) wrote to memory of PID 2932 (mssecsvc.exe)
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\15d0052e957db640db952d6c54490080_JaffaCakes118.dll,#1
  PID: 3380
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\15d0052e957db640db952d6c54490080_JaffaCakes118.dll,#1
    PID: 1616
    Signatures: Drops file in Windows directory; Suspicious use of WriteProcessMemory
    - C:\WINDOWS\mssecsvc.exe
      Command line: C:\WINDOWS\mssecsvc.exe
      PID: 2932
      Signatures: Executes dropped EXE; Drops file in Windows directory
      - C:\WINDOWS\tasksche.exe
        Command line: C:\WINDOWS\tasksche.exe /i
        PID: 372
        Signatures: Executes dropped EXE
- C:\WINDOWS\mssecsvc.exe
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  PID: 4448
  Signatures: Executes dropped EXE; Modifies data under HKEY_USERS
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Windows\mssecsvc.exe
  Filesize: 3.6MB
  MD5: 49ad63f2ce10ba785865ad8ee0ba515f
  SHA1: 5701c87ac35aef938dbb4e2546a8a59818eb3929
  SHA256: f36e63e66ae9ff5d46b22006ddaba809adc8ac7c8137177b84973397a714dd5c
  SHA512: 01f9ba4061f968a91fb0713977fadae41e85c369f1fa7bbb4dd4458bdc58c41a62f3fd628d94d386c4986fb91d10204e6816250ddc280ae612d10d0e4eb227bf
- C:\Windows\tasksche.exe
  Filesize: 3.4MB
  MD5: 6055c9a8d5adac5317ead81707b2f68a
  SHA1: 486ab8a40bcecb4340f12c9d7c4ed0e37121dd61
  SHA256: 182d74b62eb92e1b126572511abe2c0509543ea7392709bd701e0f5762ed1480
  SHA512: ad1eb7da6c0f550e873dc5d00bf1c94c398475052e03e1bbcee7a983d82862539d69be40eab952bd173f1fc43e41e76b49d23b78ef77223b16002d770a3e250a