Analysis
-
max time kernel
150s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system -
submitted
07-05-2024 23:04
Static task
static1
Behavioral task
behavioral1
Sample
221da742042dcc298ae036cb8980377c_JaffaCakes118.dll
Resource
win7-20231129-en
Behavioral task
behavioral2
Sample
221da742042dcc298ae036cb8980377c_JaffaCakes118.dll
Resource
win10v2004-20240426-en
General
-
Target
221da742042dcc298ae036cb8980377c_JaffaCakes118.dll
-
Size
5.0MB
-
MD5
221da742042dcc298ae036cb8980377c
-
SHA1
f1efdd52ef577eb524f3d3e8b6a491f47556384b
-
SHA256
43eb8b457d85e28d41061644f6559627605cb22be446c1e5629d2bdaa75cd9ac
-
SHA512
f9500f0246cbb53272ff1c41f25e7f3910040068e6abd01083ec8050033ef46bd359de1d9b38dfaf76cbfa6cc330d017cc9fadf913d9a24235e307f5d8449839
-
SSDEEP
98304:+DqPoBhz1aRxcSUDk36SADYoP3R8yAVp2H:+DqPe1Cxcxk3ZAXR8yc4H
Malware Config
Signatures
-
Wannacry
WannaCry is a ransomware cryptoworm.
-
Contacts a large (3293) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Executes dropped EXE 3 IoCs
Processes:
mssecsvc.exemssecsvc.exetasksche.exepid process 4036 mssecsvc.exe 2660 mssecsvc.exe 3168 tasksche.exe -
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Drops file in Windows directory 2 IoCs
Processes:
rundll32.exemssecsvc.exedescription ioc process File created C:\WINDOWS\mssecsvc.exe rundll32.exe File created C:\WINDOWS\tasksche.exe mssecsvc.exe -
Modifies data under HKEY_USERS 5 IoCs
Processes:
mssecsvc.exedescription ioc process Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" mssecsvc.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" mssecsvc.exe -
Suspicious use of WriteProcessMemory 6 IoCs
Processes:
rundll32.exerundll32.exedescription pid process target process PID 1088 wrote to memory of 4600 1088 rundll32.exe rundll32.exe PID 1088 wrote to memory of 4600 1088 rundll32.exe rundll32.exe PID 1088 wrote to memory of 4600 1088 rundll32.exe rundll32.exe PID 4600 wrote to memory of 4036 4600 rundll32.exe mssecsvc.exe PID 4600 wrote to memory of 4036 4600 rundll32.exe mssecsvc.exe PID 4600 wrote to memory of 4036 4600 rundll32.exe mssecsvc.exe
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\221da742042dcc298ae036cb8980377c_JaffaCakes118.dll,#11⤵
- Suspicious use of WriteProcessMemory
PID:1088 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\221da742042dcc298ae036cb8980377c_JaffaCakes118.dll,#12⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:4600 -
C:\WINDOWS\mssecsvc.exeC:\WINDOWS\mssecsvc.exe3⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:4036 -
C:\WINDOWS\tasksche.exeC:\WINDOWS\tasksche.exe /i4⤵
- Executes dropped EXE
PID:3168
-
C:\WINDOWS\mssecsvc.exeC:\WINDOWS\mssecsvc.exe -m security1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:2660
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Windows\mssecsvc.exeFilesize
3.6MB
MD5a13f75aa6f4911570841a9d5aa7e2499
SHA1b25916ee75a62376c9c50976d9fdc29a537f3366
SHA2569d52cc156a518a35542d1780a1eaf04939a917ddec039a96f2846fc09ddc139c
SHA512f0b4c7da006535909ff247f5d80f5f8e9a261b6090125155bea5e327b9f0a1a4ed604c9acbb02c8abfaf4d39ad9ef028ae65ca7733ec6bb79f744a3b0db7f162
-
C:\Windows\tasksche.exeFilesize
3.4MB
MD5e6b7a6e8edb9536703747f47be11526e
SHA13d50e0508cab4b9fbfe89e7a3162de10dc36c38a
SHA25687306aaf0d65f9144bf6f84236bc604f59993b891a59906cec340b66edc128ff
SHA51286b5f8cba5d15bf00a709192c287befd96900e8124864a54d50f860ad32304f3afc77a7a56e6b9c175c7b58cf4e4d2d77ed239ba7b60717414d89438d6eb322e