Analysis
max time kernel: 150s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240419-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240419-en, locale:en-us, os:windows10-2004-x64, system
submitted: 05-05-2024 11:59
Static task: static1
Behavioral task: behavioral1
  Sample: 1791e7c46df7497e07fd0f678beaa31c_JaffaCakes118.dll
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 1791e7c46df7497e07fd0f678beaa31c_JaffaCakes118.dll
  Resource: win10v2004-20240419-en
General
Target: 1791e7c46df7497e07fd0f678beaa31c_JaffaCakes118.dll
Size: 5.0MB
MD5: 1791e7c46df7497e07fd0f678beaa31c
SHA1: 7f6616a77325c892ec4c63ae1ca5f0d245722fd6
SHA256: 368b1de4a66ae6549b5eadcfcee496ced9774011a890695fe12b355be546b6dd
SHA512: 8b2b43cb2231f7a2dc612cf02b96d0437443a65df3407f3030d5a9a1692ee24f384d88ede82d8180348f9577387dc9fad92bae6fe7dfdfe25e0690ed034db855
SSDEEP: 98304:TDqPoBhz1aRxcSUDk36SAEdhvxWa9P593jJ:TDqPe1Cxcxk3ZAEUadzj
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.
- Contacts a large (3214) amount of remote hosts (1 TTP)
  This may indicate a network scan to discover remotely running services.
- Executes dropped EXE (3 IoCs)
  Processes:
    PID   Process
    3676  mssecsvc.exe
    4760  mssecsvc.exe
    4800  tasksche.exe
- Creates a large amount of network flows (1 TTP)
  This may indicate a network scan to discover remotely running services.
- Drops file in Windows directory (2 IoCs)
  Processes:
    Description   IoC                       Process
    File created  C:\WINDOWS\mssecsvc.exe   rundll32.exe
    File created  C:\WINDOWS\tasksche.exe   mssecsvc.exe
- Modifies data under HKEY_USERS (5 IoCs)
  Processes:
    Description      IoC                                                                                                           Process
    Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\                   mssecsvc.exe
    Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"  mssecsvc.exe
    Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"  mssecsvc.exe
    Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"  mssecsvc.exe
    Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"  mssecsvc.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes:
    Description                         PID   Process       Target process
    PID 2616 wrote to memory of 3544    2616  rundll32.exe  rundll32.exe
    PID 2616 wrote to memory of 3544    2616  rundll32.exe  rundll32.exe
    PID 2616 wrote to memory of 3544    2616  rundll32.exe  rundll32.exe
    PID 3544 wrote to memory of 3676    3544  rundll32.exe  mssecsvc.exe
    PID 3544 wrote to memory of 3676    3544  rundll32.exe  mssecsvc.exe
    PID 3544 wrote to memory of 3676    3544  rundll32.exe  mssecsvc.exe
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\1791e7c46df7497e07fd0f678beaa31c_JaffaCakes118.dll,#1
  PID: 2616
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\1791e7c46df7497e07fd0f678beaa31c_JaffaCakes118.dll,#1
    PID: 3544
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    - C:\WINDOWS\mssecsvc.exe
      Command line: C:\WINDOWS\mssecsvc.exe
      PID: 3676
      - Executes dropped EXE
      - Drops file in Windows directory
      - C:\WINDOWS\tasksche.exe
        Command line: C:\WINDOWS\tasksche.exe /i
        PID: 4800
        - Executes dropped EXE
- C:\WINDOWS\mssecsvc.exe
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  PID: 4760
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\WINDOWS\mssecsvc.exe
  Filesize: 3.6MB
  MD5: dafd24f0332020c02cae120daab8d23f
  SHA1: 2298edc78f1f1272edc6ebe7025b1c7d6b8de149
  SHA256: 8c7064e5ed8b066fca9d4f664b867a3fdfa9fc082d2b0881b5fad1d1e6f1cf93
  SHA512: 068c00fbdcdf12480a1e97c14eea4d71ec40cea85fdb269d8b4a8d991afbd3123e486d5232423a57b98a3d30394567cb9478c2bb9e902120f33133efe4ce2d25
- C:\Windows\tasksche.exe
  Filesize: 3.4MB
  MD5: 284f10c58b66585774132d225d98cef8
  SHA1: 60a48bf489753d74e31526cd8de8a92a65d9e34f
  SHA256: b46a1e8230fa494e873c631e7ecfbce736dfad6167479cd039dcd44769574f95
  SHA512: 3c465527a711eee7d55bddaaf41036418c9dab214d099f145409a4f10a6e4ffeadd33a3f0c62830124df2bbe56de3e41647836651e7df6458510d661614f702a