Analysis
- max time kernel: 150s
- max time network: 152s
- platform: windows10-2004_x64
- resource: win10v2004-20240426-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 06-05-2024 10:04
Static task: static1
Behavioral task: behavioral1
  Sample: 1bf8b8b561014a3ad69ace91474f1646_JaffaCakes118.dll
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 1bf8b8b561014a3ad69ace91474f1646_JaffaCakes118.dll
  Resource: win10v2004-20240426-en
General
- Target: 1bf8b8b561014a3ad69ace91474f1646_JaffaCakes118.dll
- Size: 5.0MB
- MD5: 1bf8b8b561014a3ad69ace91474f1646
- SHA1: 22f69b3a4e89651a4e99e5a896acfb91eaa73e11
- SHA256: 546ced084270416e021ce724e69a6ebcb663a4aa84374032febdb6179a8f58d7
- SHA512: beb8fc131b215198c30e9fea409ef8a8f20d5d40ee5bd4618159d9633dfdd852d8dec0cd5aac6ebf513047f3c4733d2612c45a26a840e40da558d2eee920d1a1
- SSDEEP: 49152:SnAQqMSPbcBVarHV7Yo9AMEcaEau3R8yAH1plA:+DqPoB2Yo9593R8yAVp2
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.
- Contacts a large (3181) amount of remote hosts (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Executes dropped EXE (3 IoCs)
  Processes: mssecsvc.exe, mssecsvc.exe, tasksche.exe
  pid   process
  4784  mssecsvc.exe
  956   mssecsvc.exe
  3868  tasksche.exe
- Creates a large amount of network flows (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Drops file in Windows directory (2 IoCs)
  Processes: rundll32.exe, mssecsvc.exe
  description   ioc                       process
  File created  C:\WINDOWS\mssecsvc.exe   rundll32.exe
  File created  C:\WINDOWS\tasksche.exe   mssecsvc.exe
- Modifies data under HKEY_USERS (5 IoCs)
  Processes: mssecsvc.exe
  description      ioc                                                                                                    process
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"   mssecsvc.exe
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"  mssecsvc.exe
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"     mssecsvc.exe
  Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\                     mssecsvc.exe
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"    mssecsvc.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes: rundll32.exe, rundll32.exe
  description                        pid   process       target process
  PID 4020 wrote to memory of 4556   4020  rundll32.exe  rundll32.exe
  PID 4020 wrote to memory of 4556   4020  rundll32.exe  rundll32.exe
  PID 4020 wrote to memory of 4556   4020  rundll32.exe  rundll32.exe
  PID 4556 wrote to memory of 4784   4556  rundll32.exe  mssecsvc.exe
  PID 4556 wrote to memory of 4784   4556  rundll32.exe  mssecsvc.exe
  PID 4556 wrote to memory of 4784   4556  rundll32.exe  mssecsvc.exe
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\1bf8b8b561014a3ad69ace91474f1646_JaffaCakes118.dll,#1
  - Suspicious use of WriteProcessMemory
  PID: 4020
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\1bf8b8b561014a3ad69ace91474f1646_JaffaCakes118.dll,#1
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    PID: 4556
    - C:\WINDOWS\mssecsvc.exe
      Command line: C:\WINDOWS\mssecsvc.exe
      - Executes dropped EXE
      - Drops file in Windows directory
      PID: 4784
      - C:\WINDOWS\tasksche.exe
        Command line: C:\WINDOWS\tasksche.exe /i
        - Executes dropped EXE
        PID: 3868
- C:\WINDOWS\mssecsvc.exe
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  PID: 956
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Windows\mssecsvc.exe
  Filesize: 3.6MB
  MD5: 21bc29f9f7e1b024bd83c747f64f2202
  SHA1: 3b8b1629598c44a985e0cc37e2ef215ac132d530
  SHA256: 5d0371696e32ccf413c4330139b169d933318f3ac46a5798f84ac71ff95a4737
  SHA512: 56469048aa56b47b40cb7d24d7023edc9ac5effd1ccd4c392cbc4a807fb6a87e34e33a15712144b5266a7640ac4ab4237a352a04476a7a04ffc15a9c64edc32e
- C:\Windows\tasksche.exe
  Filesize: 3.4MB
  MD5: c5eb2b63bd2453b9acb1040a1af2b2e6
  SHA1: c3ee70b9caa0cf4c9813c87b2c7e4f288a90dbdf
  SHA256: f55d644951b2bacb530dd48a7bd74f2e33afc8a870b1dd1f01cb4d0fd30d6fe1
  SHA512: 4cd8ba3fa4e81434c1d2ea5422befbddc2d98f6750f020490aaed9bcdda827f68de0d2f9abc17e43f1e00826c6d35c04558e8ed60d04536b0400199da120c48f