Analysis
max time kernel: 150s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240419-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240419-en, locale:en-us, os:windows10-2004-x64, system
submitted: 06-05-2024 19:22
Static task: static1
Behavioral task: behavioral1
  Sample: 1e007b414085a1219d9cce4421396985_JaffaCakes118.dll
  Resource: win7-20240419-en
Behavioral task: behavioral2
  Sample: 1e007b414085a1219d9cce4421396985_JaffaCakes118.dll
  Resource: win10v2004-20240419-en
General
Target: 1e007b414085a1219d9cce4421396985_JaffaCakes118.dll
Size: 5.0MB
MD5: 1e007b414085a1219d9cce4421396985
SHA1: 9cbe2960476907fc1d000edb950a50e672b6d2c7
SHA256: 11c19920ef168df4545e9e3984e99921c5010d00c3464747708bb1eff0c805a1
SHA512: fbe4608bb23fdb05f0bb1cb63ca65a50a9a36e75cce59fa66086ac58b18a1bf771cc24ef39ce994fdfdb56c1b1600b41048d41af23b06faa4ba6f772c6e20064
SSDEEP: 98304:TDqPoBhz1aRxcSUDk36SAEdhvxWa9P593R8h:TDqPe1Cxcxk3ZAEUadzR8h
Malware Config
Signatures
Wannacry
WannaCry is a ransomware cryptoworm.

Contacts a large number (3357) of remote hosts (1 TTP)
This may indicate a network scan to discover remotely running services.

Executes dropped EXE (3 IoCs)
Processes:
  PID 3120  mssecsvc.exe
  PID 4880  mssecsvc.exe
  PID 2140  tasksche.exe

Creates a large amount of network flows (1 TTP)
This may indicate a network scan to discover remotely running services.

Drops file in Windows directory (2 IoCs)
Processes:
  C:\WINDOWS\mssecsvc.exe  created by rundll32.exe
  C:\WINDOWS\tasksche.exe  created by mssecsvc.exe

Modifies data under HKEY_USERS (5 IoCs)
Processes (all by mssecsvc.exe):
  Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"
Two caveats when reading this signature. The writes land under HKU\.DEFAULT rather than a user's own hive, which is what a process running as LocalSystem sees as HKCU; that fits the separate "mssecsvc.exe -m security" instance in the process tree, which is the one this behaviour is attributed to. Also, these four ZoneMap values are commonly written by WinINet/urlmon initialisation in benign software too, so on their own they are a weak indicator; the dropped executables and the host fan-out above are the strong ones.

Suspicious use of WriteProcessMemory (6 IoCs)
Processes:
  PID 1240 rundll32.exe wrote to memory of PID 3416 rundll32.exe  (3 events)
  PID 3416 rundll32.exe wrote to memory of PID 3120 mssecsvc.exe  (3 events)
Every write here is from a parent into the child it has just created, which is the ordinary CreateProcess pattern as well as the injection pattern, so this signature by itself does not demonstrate injection.
Processes
C:\Windows\system32\rundll32.exe (PID 1240)
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\1e007b414085a1219d9cce4421396985_JaffaCakes118.dll,#1
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\rundll32.exe (PID 3416)
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\1e007b414085a1219d9cce4421396985_JaffaCakes118.dll,#1
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    C:\WINDOWS\mssecsvc.exe (PID 3120)
      command line: C:\WINDOWS\mssecsvc.exe
      - Executes dropped EXE
      - Drops file in Windows directory
      C:\WINDOWS\tasksche.exe (PID 2140)
        command line: C:\WINDOWS\tasksche.exe /i
        - Executes dropped EXE
C:\WINDOWS\mssecsvc.exe (PID 4880)
  command line: C:\WINDOWS\mssecsvc.exe -m security
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
The 64-bit rundll32.exe from system32 re-launches the 32-bit rundll32.exe from SysWOW64, which is what happens when a 32-bit DLL (the resource tags list arch:x86) is handed to the 64-bit host; the 32-bit instance is the one that drops and starts mssecsvc.exe. The second mssecsvc.exe instance with "-m security" has no parent in the tree, so it was not started by the rundll32 chain directly.
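The signatures above can be re-derived from ordinary endpoint telemetry rather than read off a sandbox. The following is an added example and not Triage's own detection code: it runs four checks that mirror the report's headings (dropped file in the Windows directory, execution of a dropped EXE, ZoneMap writes under HKU\.DEFAULT, and fan-out to many remote hosts) over a constructed list of Sysmon-style events. The events are made up for the example; PIDs, paths and ZoneMap values copy the tables above, but the DLL file name, the parent PIDs 900 and 700, and the choice of PID 4880 as the process that produced the 3357 connections are assumptions (the report does not attribute the flows to a process).

```python
"""Added example, not Triage's own code: re-derive the report's behavioural
signatures from constructed Sysmon-style events.

Field names follow Sysmon (EventID 1 process create, 3 network connect,
11 file create, 12 key create, 13 value set); nothing here was captured
from a real host. The DLL name, parent PIDs 900/700 and the attribution of
the 3357 connections to PID 4880 are placeholders/assumptions.
"""
from collections import defaultdict

DLL = r"C:\Users\Admin\AppData\Local\Temp\sample.dll"          # placeholder name
MSSECSVC = r"C:\WINDOWS\mssecsvc.exe"
TASKSCHE = r"C:\WINDOWS\tasksche.exe"
ZONEMAP = r"HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap"


def _proc(pid, ppid, image, cmd):
    return {"id": 1, "pid": pid, "ppid": ppid, "image": image, "cmd": cmd}


def _file(pid, image, target):
    return {"id": 11, "pid": pid, "image": image, "target": target}


def _reg(pid, image, target, value, event_id=13):
    return {"id": event_id, "pid": pid, "image": image, "target": target, "value": value}


# Constructed trace mirroring the report's process tree and IoC tables.
EVENTS = [
    _proc(1240, 900, r"C:\Windows\system32\rundll32.exe", f"rundll32.exe {DLL},#1"),
    _proc(3416, 1240, r"C:\Windows\SysWOW64\rundll32.exe", f"rundll32.exe {DLL},#1"),
    _file(3416, r"C:\Windows\SysWOW64\rundll32.exe", MSSECSVC),
    _proc(3120, 3416, MSSECSVC, MSSECSVC),
    _file(3120, MSSECSVC, TASKSCHE),
    _proc(2140, 3120, TASKSCHE, TASKSCHE + " /i"),
    _proc(4880, 700, MSSECSVC, MSSECSVC + " -m security"),   # parent PID is a placeholder
    _reg(4880, MSSECSVC, ZONEMAP, "", event_id=12),           # key created
    _reg(4880, MSSECSVC, ZONEMAP + r"\ProxyBypass", "1"),
    _reg(4880, MSSECSVC, ZONEMAP + r"\IntranetName", "1"),
    _reg(4880, MSSECSVC, ZONEMAP + r"\UNCAsIntranet", "1"),
    _reg(4880, MSSECSVC, ZONEMAP + r"\AutoDetect", "0"),
]
# 3357 connections to distinct destinations, the count the report gives;
# attributing them to PID 4880 is an assumption.
EVENTS += [
    {"id": 3, "pid": 4880, "image": MSSECSVC,
     "dst": f"10.{(i >> 16) & 255}.{(i >> 8) & 255}.{i & 255}"}
    for i in range(3357)
]


def drops_file_in_windows_dir(events):
    """File creates whose path is directly under the Windows directory."""
    return [e["target"] for e in events
            if e["id"] == 11 and e["target"].lower().startswith("c:\\windows\\")]


def executes_dropped_exe(events):
    """Process creates whose image was written earlier in the same trace.
    Order matters: a drop seen only after the execution does not count."""
    dropped, hits = set(), []
    for e in events:
        if e["id"] == 11:
            dropped.add(e["target"].lower())
        elif e["id"] == 1 and e["image"].lower() in dropped:
            hits.append((e["pid"], e["image"]))
    return hits


def modifies_hku_default_zonemap(events):
    """Key creates and value sets under the HKU\\.DEFAULT ZoneMap key."""
    prefix = ZONEMAP.lower()
    return sorted((e["pid"], e["target"], e["value"]) for e in events
                  if e["id"] in (12, 13) and e["target"].lower().startswith(prefix))


def remote_host_fanout(events, threshold=100):
    """Distinct destinations per PID; returns PIDs at or above the threshold.
    The threshold is a tuning knob for the example, not a value from the report."""
    hosts = defaultdict(set)
    for e in events:
        if e["id"] == 3:
            hosts[e["pid"]].add(e["dst"])
    return {pid: len(h) for pid, h in hosts.items() if len(h) >= threshold}


def triage(events):
    """Run every signature; keys mirror the headings in the report."""
    return {
        "Drops file in Windows directory": drops_file_in_windows_dir(events),
        "Executes dropped EXE": executes_dropped_exe(events),
        "Modifies data under HKEY_USERS": modifies_hku_default_zonemap(events),
        "Contacts a large amount of remote hosts": remote_host_fanout(events),
    }


if __name__ == "__main__":
    for name, hits in triage(EVENTS).items():
        print(f"{name}: {len(hits)} IoC(s)")
```

Run against the constructed trace this reports 2, 3, 5 and 1 hits respectively, matching the counts in the Signatures block. The "executes dropped EXE" check is deliberately order-sensitive: it only fires for an image that was written before it was started, which is the property that separates a dropper chain from a pre-existing binary being run.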
Network
MITRE ATT&CK Enterprise v15
Downloads
C:\Windows\mssecsvc.exe
  Filesize: 3.6MB
  MD5: 4273e84188d97b57df0fb5c56b7c9f88
  SHA1: c18add2e7dfcbec8101cb63e716fdfb3f7548d09
  SHA256: 9ba491aa2bcd81fe15f28b15d0a9776ab93a3b824500850278af6feb1b89ad24
  SHA512: 3ecc9cefa43ffd7354d90576e3643cc24f77688027fae924f59b73af59d690a286352ed54616ba6536d3f20a2fad28ae78e047c276e31709d538b8fb8117a2d8
C:\Windows\tasksche.exe
  Filesize: 3.4MB
  MD5: e566f5f3d412da087df1ef0b1469c332
  SHA1: 7e9a5087f581be60552960b16b3220128d2047b5
  SHA256: cbb5272b1bc3a4bbb2380f4801cc3f1ea84ba07d03b3bb6b2f32b7716cd50d08
  SHA512: 8e1d0e58d8e09d11f6c93679549c9ae836f2c73192fee9e2db6a7b6032ff6fede11533e227881017213c83fb5ae928cf5c642f5da0f5a1f69149a0637d8dc5d3