Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20240419-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20240419-en, locale:en-us, os:windows10-2004-x64, system -
submitted
05-05-2024 09:45
Static task
static1
Behavioral task
behavioral1
Sample
17170c1f1663bdacaca24eaed2281aa9_JaffaCakes118.dll
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
17170c1f1663bdacaca24eaed2281aa9_JaffaCakes118.dll
Resource
win10v2004-20240419-en
General
-
Target
17170c1f1663bdacaca24eaed2281aa9_JaffaCakes118.dll
-
Size
5.0MB
-
MD5
17170c1f1663bdacaca24eaed2281aa9
-
SHA1
f1ed4fc5b1510cd1316b70e4983c206ac8880491
-
SHA256
e83bd29e930711a59ecc689134009dca11e954f4032b0e873af291d75b4bab9b
-
SHA512
abbe062a8de67f75ae2bbcb7476ccd7e6a1e55479b88dc6ad08f0f427eebe6481546c5d3d43784d94b1f68ce125f50b406d8f314e2850a6e8265395d659fd111
-
SSDEEP
98304:TDqPoBhQRxcSUDk36SAEdhvxWa9P593R8yAVp2H:TDqPZxcxk3ZAEUadzR8yc4H
Malware Config
Signatures
-
Wannacry
WannaCry is a ransomware cryptoworm.
-
Contacts a large (3233) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Executes dropped EXE 3 IoCs
Processes:
pid   process
4408  mssecsvc.exe
2900  mssecsvc.exe
3388  tasksche.exe
-
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Drops file in Windows directory 2 IoCs
Processes:
description   ioc                       process
File created  C:\WINDOWS\mssecsvc.exe   rundll32.exe
File created  C:\WINDOWS\tasksche.exe   mssecsvc.exe
-
Modifies data under HKEY_USERS 5 IoCs
Processes:
description      ioc                                                                                                           process
Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\                  mssecsvc.exe
Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"   mssecsvc.exe
Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"  mssecsvc.exe
Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" mssecsvc.exe
Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"    mssecsvc.exe
-
Suspicious use of WriteProcessMemory 6 IoCs
Processes:
description                       pid   process       target process
PID 2936 wrote to memory of 4744  2936  rundll32.exe  rundll32.exe
PID 2936 wrote to memory of 4744  2936  rundll32.exe  rundll32.exe
PID 2936 wrote to memory of 4744  2936  rundll32.exe  rundll32.exe
PID 4744 wrote to memory of 4408  4744  rundll32.exe  mssecsvc.exe
PID 4744 wrote to memory of 4408  4744  rundll32.exe  mssecsvc.exe
PID 4744 wrote to memory of 4408  4744  rundll32.exe  mssecsvc.exe
Processes
-
C:\Windows\system32\rundll32.exe (depth 1)
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\17170c1f1663bdacaca24eaed2281aa9_JaffaCakes118.dll,#1
  - Suspicious use of WriteProcessMemory
  PID:2936
  -
  C:\Windows\SysWOW64\rundll32.exe (depth 2)
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\17170c1f1663bdacaca24eaed2281aa9_JaffaCakes118.dll,#1
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    PID:4744
    -
    C:\WINDOWS\mssecsvc.exe (depth 3)
      C:\WINDOWS\mssecsvc.exe
      - Executes dropped EXE
      - Drops file in Windows directory
      PID:4408
      -
      C:\WINDOWS\tasksche.exe (depth 4)
        C:\WINDOWS\tasksche.exe /i
        - Executes dropped EXE
        PID:3388
-
C:\WINDOWS\mssecsvc.exe (depth 1)
  C:\WINDOWS\mssecsvc.exe -m security
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  PID:2900
Network
MITRE ATT&CK Enterprise v15
Downloads
-
C:\Windows\mssecsvc.exe
Filesize
3.6MB
MD5
5880cf6009b2b3cd51893b0c2c931b40
SHA1
16236d72b808efd99ffc40122438795a7217b657
SHA256
74fac56bc2a8cf61050e5665f8c8d027b2d08b19d07ec653528f6937192b3f7c
SHA512
17cc77a5b817484bdc5f2e14523009998dd366954f13a517eaedb7b76dc21a329b92d7f125ce72b6803982f58ccd4ca19945679016adcaaab7c8bc608e0ede9b
-
C:\Windows\tasksche.exe
Filesize
3.4MB
MD5
bf04d24e103bd90df3955cbd0a9ab0fa
SHA1
f62a37ffe2e1961aee9fa0ec9e7aaebdd9318a46
SHA256
5442f2caec423c11be2a9d023e91047097e0f0075b605ddc7fb722fe812ffddc
SHA512
e1826b17a7d297c08e9bc334176b00112c25525f42904ead1e3571dbbddf99fb53d34981015418af9f7dc57129d0509d3a3dc523bdcbf10021afc1fc1ced8c09