Analysis

Max time kernel: 150s
Max time network: 150s
Platform: windows10-2004_x64
Resource: win10v2004-20240419-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20240419-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 06-05-2024 03:51

Static task: static1
Behavioral task: behavioral1
  Sample: 1aa0acd4d6a9ec78e752ec026eaa9a45_JaffaCakes118.dll
  Resource: win7-20231129-en
Behavioral task: behavioral2
  Sample: 1aa0acd4d6a9ec78e752ec026eaa9a45_JaffaCakes118.dll
  Resource: win10v2004-20240419-en

General

Target: 1aa0acd4d6a9ec78e752ec026eaa9a45_JaffaCakes118.dll
Size: 5.0MB
MD5: 1aa0acd4d6a9ec78e752ec026eaa9a45
SHA1: 393eefffd603b15df1a80b3cffd935ad9ccdaf58
SHA256: 7d2392eab4acd2e9e85e64f2493b96384d2ff976c504adfc5a763492ac76dfd5
SHA512: f1ddc68600b5d8aa1bc184cfa8a92c0d73196d97114df57e36e37655542c10a26fa9cc57c7ec76423bd99e8946aacd5005908c02d210f103633878095db9d4f1
SSDEEP: 12288:yvbLgPlu+QhMbaIMu7L5NVErCA4z2g6rTcbckPU82900Ve7S:SbLgddQhfdmMSirYbcMNge
Signatures

Wannacry
  WannaCry is a ransomware cryptoworm.

Contacts a large number (3334) of remote hosts (1 TTP)
  This may indicate a network scan to discover remotely running services.

Executes dropped EXE (3 IoCs)
  Processes:
    PID 1256  mssecsvc.exe
    PID 1624  mssecsvc.exe
    PID 2952  tasksche.exe

Creates a large number of network flows (1 TTP)
  This may indicate a network scan to discover remotely running services.

Drops file in Windows directory (2 IoCs)
  description   ioc                       process
  File created  C:\WINDOWS\tasksche.exe   mssecsvc.exe
  File created  C:\WINDOWS\mssecsvc.exe   rundll32.exe

Modifies data under HKEY_USERS (5 IoCs)
  description      ioc                                                                                                   process
  Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\           mssecsvc.exe
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"   mssecsvc.exe
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"  mssecsvc.exe
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"     mssecsvc.exe
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"    mssecsvc.exe

Suspicious use of WriteProcessMemory (6 IoCs)
  description                                   process       target process
  PID 1016 wrote to memory of 3144 (3 events)   rundll32.exe  rundll32.exe
  PID 3144 wrote to memory of 1256 (3 events)   rundll32.exe  mssecsvc.exe
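The signatures above are a list of observations; what a detection engineer needs is the logic that turns them into rules. The following is an added example, not part of the sandbox report and not code from any vendor tool. It encodes four of the behaviours as checks over process-creation, file-creation and flow records constructed to resemble Sysmon-style telemetry: rundll32.exe writing an executable directly into the Windows directory, a dropped file later being executed, processes under C:\WINDOWS whose ancestry leads back to rundll32.exe (the mssecsvc.exe to tasksche.exe /i chain), and per-process fan-out to thousands of distinct remote hosts. The field names, the parent PIDs of the root processes, the benign svchost.exe control records and the use of TCP/445 in the flows are assumptions; the report names only the host count, not the port. PIDs, paths and command lines are taken from the report.

```python
"""Detection checks for the behaviours attributed to the sample in this report.

Added example. Event records are constructed to resemble process-creation,
file-creation and network-connection telemetry (Sysmon-style); the field
names are an assumption, not any real schema.
"""
from collections import defaultdict
from ntpath import basename

WINDOWS_DIR = r"c:\windows"

# Constructed process-creation events (ppid 4 / 672 for the roots is assumed).
PROC_EVENTS = [
    {"pid": 1016, "ppid": 4,    "image": r"C:\Windows\system32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\1aa0acd4d6a9ec78e752ec026eaa9a45_JaffaCakes118.dll,#1"},
    {"pid": 3144, "ppid": 1016, "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\1aa0acd4d6a9ec78e752ec026eaa9a45_JaffaCakes118.dll,#1"},
    {"pid": 1256, "ppid": 3144, "image": r"C:\WINDOWS\mssecsvc.exe",
     "cmdline": r"C:\WINDOWS\mssecsvc.exe"},
    {"pid": 2952, "ppid": 1256, "image": r"C:\WINDOWS\tasksche.exe",
     "cmdline": r"C:\WINDOWS\tasksche.exe /i"},
    {"pid": 1624, "ppid": 672,  "image": r"C:\WINDOWS\mssecsvc.exe",
     "cmdline": r"C:\WINDOWS\mssecsvc.exe -m security"},
    {"pid": 5000, "ppid": 672,  "image": r"C:\Windows\System32\svchost.exe",
     "cmdline": r"svchost.exe -k netsvcs"},  # constructed benign control
]

# Constructed file-creation events matching "Drops file in Windows directory".
FILE_EVENTS = [
    {"pid": 3144, "image": r"C:\Windows\SysWOW64\rundll32.exe", "target": r"C:\WINDOWS\mssecsvc.exe"},
    {"pid": 1256, "image": r"C:\WINDOWS\mssecsvc.exe",          "target": r"C:\WINDOWS\tasksche.exe"},
]

# Constructed flows: the report counts 3334 remote hosts but does not name the
# port, so TCP/445 is an assumption. The svchost.exe flows are a benign control.
FLOWS = [{"pid": 1256, "dst_ip": f"10.0.{i // 256}.{i % 256}", "dst_port": 445}
         for i in range(3334)]
FLOWS += [{"pid": 5000, "dst_ip": f"192.0.2.{i}", "dst_port": 443} for i in range(1, 4)]


def in_windows_dir(path):
    """True for a file directly under the Windows directory (not in a subfolder)."""
    p = path.lower()
    return p.startswith(WINDOWS_DIR + "\\") and "\\" not in p[len(WINDOWS_DIR) + 1:]


def rundll32_writes_to_windows_dir(file_events):
    """rundll32.exe, a signed host for arbitrary DLL code, creating an .exe
    directly under the Windows directory."""
    return [ev for ev in file_events
            if basename(ev["image"]).lower() == "rundll32.exe"
            and in_windows_dir(ev["target"]) and ev["target"].lower().endswith(".exe")]


def executed_dropped_files(file_events, proc_events):
    """'Executes dropped EXE': PIDs whose image was created by an observed process."""
    dropped = {ev["target"].lower() for ev in file_events}
    return [p["pid"] for p in proc_events if p["image"].lower() in dropped]


def ancestry(pid, proc_events):
    """Image basenames from pid up to the root, following ppid links."""
    by_pid = {p["pid"]: p for p in proc_events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:  # seen guards against ppid cycles
        seen.add(pid)
        chain.append(basename(by_pid[pid]["image"]).lower())
        pid = by_pid[pid]["ppid"]
    return chain


def rundll32_descendants_in_windows_dir(proc_events):
    """Processes running from the Windows directory whose ancestry includes
    rundll32.exe: the mssecsvc.exe -> tasksche.exe /i chain in the report.
    The service-style 'mssecsvc.exe -m security' instance has no such parent
    and is caught by executed_dropped_files() instead."""
    return [p["pid"] for p in proc_events
            if in_windows_dir(p["image"]) and "rundll32.exe" in ancestry(p["ppid"], proc_events)]


def fanout_by_process(flows, threshold):
    """Distinct destination hosts per (pid, dst_port); values at or above the
    threshold suggest a scan ('Contacts a large number of remote hosts')."""
    hosts = defaultdict(set)
    for f in flows:
        hosts[(f["pid"], f["dst_port"])].add(f["dst_ip"])
    return {k: len(v) for k, v in hosts.items() if len(v) >= threshold}


if __name__ == "__main__":
    print("rundll32 drops:", [e["target"] for e in rundll32_writes_to_windows_dir(FILE_EVENTS)])
    print("dropped EXEs executed by PIDs:", executed_dropped_files(FILE_EVENTS, PROC_EVENTS))
    print("rundll32-descended processes in Windows dir:", rundll32_descendants_in_windows_dir(PROC_EVENTS))
    print("scan-like fan-out:", fanout_by_process(FLOWS, threshold=100))
```

Run it directly to print the four findings. Against the constructed records the dropped-EXE rule returns the same three PIDs the report lists (1256, 2952, 1624), and the fan-out rule flags only the mssecsvc.exe instance at 3334 hosts; the hard-coded threshold of 100 is a starting point that needs tuning per environment, since backup agents and vulnerability scanners legitimately produce similar fan-out.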
Processes

C:\Windows\system32\rundll32.exe  (PID 1016)
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\1aa0acd4d6a9ec78e752ec026eaa9a45_JaffaCakes118.dll,#1
  - Suspicious use of WriteProcessMemory
  └ C:\Windows\SysWOW64\rundll32.exe  (PID 3144)
      Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\1aa0acd4d6a9ec78e752ec026eaa9a45_JaffaCakes118.dll,#1
      - Drops file in Windows directory
      - Suspicious use of WriteProcessMemory
      └ C:\WINDOWS\mssecsvc.exe  (PID 1256)
          Command line: C:\WINDOWS\mssecsvc.exe
          - Executes dropped EXE
          - Drops file in Windows directory
          └ C:\WINDOWS\tasksche.exe  (PID 2952)
              Command line: C:\WINDOWS\tasksche.exe /i
              - Executes dropped EXE

C:\WINDOWS\mssecsvc.exe  (PID 1624)
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
Downloads

C:\Windows\mssecsvc.exe
  Filesize: 3.6MB
  MD5: 0e375340a1873e9877593e683ded92e5
  SHA1: 616a7f85ec7b9a52d8c3f0aebd0bd4a766e4a738
  SHA256: 5270971d4fd45a6b8e83e21e765284f6539dd6cc84743cd7f6b21f508956a080
  SHA512: 5390a47231aa8fd25b55226c11fe97864354fa630910e7228a5a79550119d28875f026bf1cebbb391d9118c19d494205542cbc9a81207ee5f6144ca6bd049cc7

C:\Windows\tasksche.exe
  Filesize: 3.4MB
  MD5: 12459a4c5dd9e02004a7e06c41058f99
  SHA1: d34272ab1a4f6ee3747d71ce123193d8af0139d6
  SHA256: c54e916b40e6db86310eda6dab10582dddce2738a318147ce5d898f06c66a819
  SHA512: 4bb61a4627c6b7135cba19c8575772d52cfe6f04c204805347bcd07b37df77b96927aaff9ea185af1443417999caa462acd3c4ed18a63a3fc3dee01daa619bcc