Analysis
-
max time kernel
150s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240419-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20240419-en, locale:en-us, os:windows10-2004-x64, system -
submitted
05-05-2024 07:59
Static task
static1
Behavioral task
behavioral1
Sample
16b81e7be5881e4d21e3330bfb951a81_JaffaCakes118.dll
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
16b81e7be5881e4d21e3330bfb951a81_JaffaCakes118.dll
Resource
win10v2004-20240419-en
General
-
Target
16b81e7be5881e4d21e3330bfb951a81_JaffaCakes118.dll
-
Size
5.0MB
-
MD5
16b81e7be5881e4d21e3330bfb951a81
-
SHA1
18686a14f40b7349eaf6ddc1bdad8737840b9186
-
SHA256
82a0d5ac32187da31b69923155997abab150b43d5cd215aebba73893c35679e1
-
SHA512
13460fd5eff2e0c19531c2f822e7a17180a37c0fd503852b0cfab91baabaf7687a37681468d57efa33819cff5e84f1daa3b6d593d308ded2609c94af219bf042
-
SSDEEP
49152:SnAQqMSPbcBVQej/1INRx+TSqTdX1HkQo6SAA:+DqPoBhz1aRxcSUDk36SA
Malware Config
Signatures
-
WannaCry
WannaCry is a ransomware cryptoworm: a ransomware payload bundled with a self-propagating network worm.
-
Contacts a large (3306) number of remote hosts (1 TTP)
This may indicate a network scan to discover remotely running services. The Network section of this report carries no flow detail, so the ports scanned are not recorded on this page.
-
Executes dropped EXE (3 IoCs)
Processes: mssecsvc.exe, mssecsvc.exe, tasksche.exe
pid   process
4584  mssecsvc.exe
4988  mssecsvc.exe
1520  tasksche.exe -
Creates a large amount of network flows (1 TTP)
This may indicate a network scan to discover remotely running services.
-
Drops file in Windows directory (2 IoCs)
Processes: rundll32.exe, mssecsvc.exe
description   ioc                        process
File created  C:\WINDOWS\mssecsvc.exe    rundll32.exe
File created  C:\WINDOWS\tasksche.exe    mssecsvc.exe -
Modifies data under HKEY_USERS (5 IoCs)
Processes: mssecsvc.exe
description      ioc                                                                                               process
Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\                    mssecsvc.exe
Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"   mssecsvc.exe
Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"  mssecsvc.exe
Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" mssecsvc.exe
Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"    mssecsvc.exe
These writes land under HKU\.DEFAULT, the profile used by processes running as SYSTEM, which is consistent with the "-m security" instance (PID 4988) running as a service. ZoneMap defaults of this kind are also written by legitimate WinINet initialisation, so on their own they are a weak indicator; the dropped-file and process-chain IoCs above are the ones to hunt on. -
Suspicious use of WriteProcessMemory (6 IoCs)
Processes: rundll32.exe, rundll32.exe
description  pid   process       target process
PID 3228 wrote to memory of 1228   rundll32.exe  rundll32.exe
PID 3228 wrote to memory of 1228   rundll32.exe  rundll32.exe
PID 3228 wrote to memory of 1228   rundll32.exe  rundll32.exe
PID 1228 wrote to memory of 4584   rundll32.exe  mssecsvc.exe
PID 1228 wrote to memory of 4584   rundll32.exe  mssecsvc.exe
PID 1228 wrote to memory of 4584   rundll32.exe  mssecsvc.exe
Processes
-
C:\Windows\system32\rundll32.exe (PID 3228, depth 1)
Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\16b81e7be5881e4d21e3330bfb951a81_JaffaCakes118.dll,#1
- Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\rundll32.exe (PID 1228, depth 2)
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\16b81e7be5881e4d21e3330bfb951a81_JaffaCakes118.dll,#1
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
    C:\WINDOWS\mssecsvc.exe (PID 4584, depth 3)
    Command line: C:\WINDOWS\mssecsvc.exe
    - Executes dropped EXE
    - Drops file in Windows directory
      C:\WINDOWS\tasksche.exe (PID 1520, depth 4)
      Command line: C:\WINDOWS\tasksche.exe /i
      - Executes dropped EXE
-
C:\WINDOWS\mssecsvc.exe (PID 4988, depth 1)
Command line: C:\WINDOWS\mssecsvc.exe -m security
- Executes dropped EXE
- Modifies data under HKEY_USERS
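The process tree above is the part of this report that translates most directly into a detection: the 64-bit rundll32.exe re-launches the sample through the SysWOW64 rundll32.exe with export ordinal #1, that instance drops and starts C:\WINDOWS\mssecsvc.exe, which in turn drops and starts C:\WINDOWS\tasksche.exe /i, while a second mssecsvc.exe runs with -m security. The following is an added example, not part of the Triage report and not WannaCry code, that encodes those observations as process-creation rules and runs them over event records constructed from the PIDs, image paths and command lines listed in the tree. The field names (pid, ppid, image, cmdline) are a Sysmon-like schema assumed for the example, the rule names are arbitrary, and the extra benign rundll32 event is constructed to show the rules not firing on ordinary use.

```python
"""Detection rules for the WannaCry dropper chain shown in this sandbox report.

Added example (not from the report). Events are CONSTRUCTED from the report's
process tree; the pid/ppid/image/cmdline schema is an assumption, not a vendor format.
"""
import re
from typing import Dict, Iterator, List

# Constructed process-creation events modelled on the report's process tree.
EVENTS: List[Dict[str, object]] = [
    {"pid": 3228, "ppid": 1, "image": r"C:\Windows\system32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\16b81e7be5881e4d21e3330bfb951a81_JaffaCakes118.dll,#1"},
    {"pid": 1228, "ppid": 3228, "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\16b81e7be5881e4d21e3330bfb951a81_JaffaCakes118.dll,#1"},
    {"pid": 4584, "ppid": 1228, "image": r"C:\WINDOWS\mssecsvc.exe",
     "cmdline": r"C:\WINDOWS\mssecsvc.exe"},
    {"pid": 1520, "ppid": 4584, "image": r"C:\WINDOWS\tasksche.exe",
     "cmdline": r"C:\WINDOWS\tasksche.exe /i"},
    {"pid": 4988, "ppid": 1, "image": r"C:\WINDOWS\mssecsvc.exe",
     "cmdline": r"C:\WINDOWS\mssecsvc.exe -m security"},
]

# Constructed benign control: a normal rundll32 invocation that must not alert.
BENIGN: Dict[str, object] = {
    "pid": 777, "ppid": 1, "image": r"C:\Windows\system32\rundll32.exe",
    "cmdline": r"rundll32.exe shell32.dll,Control_RunDLL",
}

# rundll32 loading a DLL from the user's Temp directory by export ordinal (",#N").
RUNDLL_TEMP_ORDINAL = re.compile(
    r"rundll32\.exe\s+.*\\AppData\\Local\\Temp\\[^\s,]+\.dll,#\d+", re.IGNORECASE)
# The two binaries this sample drops straight into C:\WINDOWS.
DROPPED_IN_WINDIR = re.compile(r"^C:\\WINDOWS\\(mssecsvc|tasksche)\.exe$", re.IGNORECASE)


def basename(path: str) -> str:
    """Last path component, lower-cased, so rule matching is case-insensitive."""
    return path.rsplit("\\", 1)[-1].lower()


def ancestors(ev: Dict[str, object], by_pid: Dict[int, Dict[str, object]]) -> Iterator[Dict[str, object]]:
    """Walk the ppid chain upward; stop at unknown parents or a cycle."""
    seen = set()
    cur = by_pid.get(ev["ppid"])
    while cur is not None and cur["pid"] not in seen:
        seen.add(cur["pid"])
        yield cur
        cur = by_pid.get(cur["ppid"])


def rules_for(ev: Dict[str, object], by_pid: Dict[int, Dict[str, object]]) -> List[str]:
    """Return the names of every rule this single event triggers."""
    hits: List[str] = []
    name = basename(ev["image"])
    cmd = ev["cmdline"]
    if RUNDLL_TEMP_ORDINAL.search(cmd):
        hits.append("rundll32_temp_dll_ordinal")
    if DROPPED_IN_WINDIR.match(ev["image"]):
        hits.append("wannacry_dropper_in_windir")
    # Service-mode launch of the dropper, as seen for PID 4988 in the report.
    if name == "mssecsvc.exe" and re.search(r"\s-m\s+security\b", cmd, re.IGNORECASE):
        hits.append("mssecsvc_service_mode")
    # tasksche.exe started with its install flag, as seen for PID 1520.
    if name == "tasksche.exe" and re.search(r"\s/i\s*$", cmd, re.IGNORECASE):
        hits.append("tasksche_install_flag")
    # Chain rule: a dropped binary whose ancestry includes rundll32.exe.
    if name in ("mssecsvc.exe", "tasksche.exe") and any(
            basename(a["image"]) == "rundll32.exe" for a in ancestors(ev, by_pid)):
        hits.append("spawned_under_rundll32")
    return hits


def detect(events: List[Dict[str, object]]) -> Dict[int, List[str]]:
    """Map each alerting PID to the rules it triggered; PIDs with no hits are omitted."""
    by_pid = {e["pid"]: e for e in events}
    result: Dict[int, List[str]] = {}
    for e in events:
        hits = rules_for(e, by_pid)
        if hits:
            result[e["pid"]] = hits
    return result


if __name__ == "__main__":
    for pid, hits in detect(EVENTS + [BENIGN]).items():
        print(pid, hits)
```

Running the block prints a hit list for each of the five PIDs from the report and nothing for the benign control. The chain rule is the one worth keeping in production: the path and command-line rules are trivially evaded by a renamed build, whereas rundll32.exe launching a freshly written executable from C:\WINDOWS is unusual regardless of the file name.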
Network
MITRE ATT&CK Enterprise v15
Downloads
-
C:\Windows\mssecsvc.exe
Filesize 3.6MB
MD5     f4b7cb06e9c9796fa0c416dedf928b15
SHA1    5936e3ab9b36e5a435bae852f9e1714bab820224
SHA256  2d8fe1c77c3f60b0196ca1d39706bfb88d587e11df2c6bddcfa8bfde5015b029
SHA512  c714ebcc7e5f10f4f5e0a39cff45a82d4d04b3a621c6027227e405a5b87558c77ec03095218ac9b4d0f34858ff0388e46fcce2c70bd330e304f63c536d11cc26
-
C:\Windows\tasksche.exe
Filesize 3.4MB
MD5     9c49e94d5e4d8204aa66093b625339fc
SHA1    de172a9dd2026c19273e4fc4d0977510e8333ddc
SHA256  fa8b4e1d3cb30b9f47202c1f4fc5ca6ab14a2cc5da0b37dd2cce487b04171a9b
SHA512  f5749b5a072a7f81a49fd8dfc47a0f98af8b7e117227c278619145e556d3624115a86a4b51e1ef038ee7d9eb28cd6ad367b4ff4adff0e8bd92d602e1a7ba12e8
Both dropped files hash differently from the submitted DLL, so hunting on the parent sample's hashes alone will miss them; add these values to the IoC set alongside the MD5/SHA1/SHA256 listed under General.