Analysis
- max time kernel: 150s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20240419-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240419-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 05-05-2024 04:04
Static task
- static1
Behavioral task
- behavioral1
  Sample: 15e4ec8db5c9de6f88683e7af25b00aa_JaffaCakes118.dll
  Resource: win7-20240221-en
Behavioral task
- behavioral2
  Sample: 15e4ec8db5c9de6f88683e7af25b00aa_JaffaCakes118.dll
  Resource: win10v2004-20240419-en
General
- Target: 15e4ec8db5c9de6f88683e7af25b00aa_JaffaCakes118.dll
- Size: 5.0MB
- MD5: 15e4ec8db5c9de6f88683e7af25b00aa
- SHA1: 0aec8e94906404bb96aec4b9bcb11ecf5d135f92
- SHA256: fc876af5eaef6fece93d5de99c403837eaf370558a206fb8ed37abfbe838d7c6
- SHA512: 569999ba8c96ecced0d45f93e59f0913e340a3ae97780a181067ef79e4abc20f6ea0ba008d76b37f7fc2425b9e84df2a5380f9c1d2f53a68c9aff48c32b7ab79
- SSDEEP: 98304:+DqPoBhz1aRxcSUDk36SAEdhvxWa9P593:+DqPe1Cxcxk3ZAEUadz
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.
- Contacts a large (3171) amount of remote hosts (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Executes dropped EXE (3 IoCs)
  Processes (pid | process):
  3912 | mssecsvc.exe
  1688 | mssecsvc.exe
  4500 | tasksche.exe
- Creates a large amount of network flows (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Drops file in Windows directory (2 IoCs)
  Processes (description | ioc | process):
  File created | C:\WINDOWS\mssecsvc.exe | rundll32.exe
  File created | C:\WINDOWS\tasksche.exe | mssecsvc.exe
- Modifies data under HKEY_USERS (5 IoCs)
  Processes (description | ioc | process):
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | mssecsvc.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | mssecsvc.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | mssecsvc.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | mssecsvc.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | mssecsvc.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes (description | pid | process | target process):
  PID 1240 wrote to memory of 1732 | 1240 | rundll32.exe | rundll32.exe
  PID 1240 wrote to memory of 1732 | 1240 | rundll32.exe | rundll32.exe
  PID 1240 wrote to memory of 1732 | 1240 | rundll32.exe | rundll32.exe
  PID 1732 wrote to memory of 3912 | 1732 | rundll32.exe | mssecsvc.exe
  PID 1732 wrote to memory of 3912 | 1732 | rundll32.exe | mssecsvc.exe
  PID 1732 wrote to memory of 3912 | 1732 | rundll32.exe | mssecsvc.exe
Processes
- C:\Windows\system32\rundll32.exe (PID 1240)
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\15e4ec8db5c9de6f88683e7af25b00aa_JaffaCakes118.dll,#1
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (PID 1732)
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\15e4ec8db5c9de6f88683e7af25b00aa_JaffaCakes118.dll,#1
    Signatures: Drops file in Windows directory; Suspicious use of WriteProcessMemory
    - C:\WINDOWS\mssecsvc.exe (PID 3912)
      Command line: C:\WINDOWS\mssecsvc.exe
      Signatures: Executes dropped EXE; Drops file in Windows directory
      - C:\WINDOWS\tasksche.exe (PID 4500)
        Command line: C:\WINDOWS\tasksche.exe /i
        Signatures: Executes dropped EXE
- C:\WINDOWS\mssecsvc.exe (PID 1688)
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  Signatures: Executes dropped EXE; Modifies data under HKEY_USERS
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Windows\mssecsvc.exe
  Filesize: 3.6MB
  MD5: 6f310920edff3c84a45e35bcfd0ff2c8
  SHA1: a66dc06934b5d8ef2c28dbbe27dc9db68d778d31
  SHA256: 319aaced3afbfa56cb9747b8db890eca873b524fa5f2ca14be10a942392e07d0
  SHA512: 2cdec2718f712b088c5b0b56e9be617b1af927f8f1ef0858841353b4d3b1a4c7f1b8b0a954ae7f5e250f3a456c596286dc69411433a9a776723cc386a39a59b2
- C:\Windows\tasksche.exe
  Filesize: 3.4MB
  MD5: 0df88d2736c354348cc927d3fa3e6032
  SHA1: 496bfd729b0d2043f8f585d4e6bd3384ab5410d5
  SHA256: 02a9d389c598159d11719b99c241a03fb3f7900691872ea216a0dae43b2b830f
  SHA512: d8325c77bb0adb4804346decda5fafcb69163689b7f0896ca8867969f87b8d39f749bf8f40a0a546e652bc18bc93d02bc2c6480c2180fb8d58eb45bf67bc5833