Analysis
- max time kernel: 150s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20240426-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 07-05-2024 01:48
Static task: static1
Behavioral task: behavioral1
  Sample: 1f07ba6cd1e615b4db669c37e636a5e7_JaffaCakes118.dll
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 1f07ba6cd1e615b4db669c37e636a5e7_JaffaCakes118.dll
  Resource: win10v2004-20240426-en
General
- Target: 1f07ba6cd1e615b4db669c37e636a5e7_JaffaCakes118.dll
- Size: 5.0MB
- MD5: 1f07ba6cd1e615b4db669c37e636a5e7
- SHA1: 85476ac2880923def8337cf59d7c1fa7fe13f0b1
- SHA256: b9012d5f9586f7d4c78daebc34a541fe05d6777fecb389fe1b16874183c3e99f
- SHA512: 0e5d2ad8518af0321a905eae0ca1d075e87b99c2ac1c226b9791b57be82c38f7aead038218b17a7ac92d89fe7f8a5eb16679674745b41ca6868ae273152e64bc
- SSDEEP: 49152:SnAQqMSPbcBVQej/1INRx+TSqTdX1HkQo6S:+DqPoBhz1aRxcSUDk36S
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.
- Contacts a large (3090) amount of remote hosts (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Executes dropped EXE (3 IoCs)
  Processes (pid, process):
    1128  mssecsvc.exe
    992   mssecsvc.exe
    4856  tasksche.exe
- Creates a large amount of network flows (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Drops file in Windows directory (2 IoCs)
  Processes (description, ioc, process):
    File created  C:\WINDOWS\mssecsvc.exe  rundll32.exe
    File created  C:\WINDOWS\tasksche.exe  mssecsvc.exe
- Modifies data under HKEY_USERS (5 IoCs)
  Processes (description, ioc, process):
    Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\  mssecsvc.exe
    Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"  mssecsvc.exe
    Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"  mssecsvc.exe
    Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"  mssecsvc.exe
    Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"  mssecsvc.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes (description, pid, process, target process):
    PID 860 wrote to memory of 4388   860   rundll32.exe  rundll32.exe
    PID 860 wrote to memory of 4388   860   rundll32.exe  rundll32.exe
    PID 860 wrote to memory of 4388   860   rundll32.exe  rundll32.exe
    PID 4388 wrote to memory of 1128  4388  rundll32.exe  mssecsvc.exe
    PID 4388 wrote to memory of 1128  4388  rundll32.exe  mssecsvc.exe
    PID 4388 wrote to memory of 1128  4388  rundll32.exe  mssecsvc.exe
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\1f07ba6cd1e615b4db669c37e636a5e7_JaffaCakes118.dll,#1
  - Suspicious use of WriteProcessMemory
  PID: 860
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\1f07ba6cd1e615b4db669c37e636a5e7_JaffaCakes118.dll,#1
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    PID: 4388
    - C:\WINDOWS\mssecsvc.exe
      Command line: C:\WINDOWS\mssecsvc.exe
      - Executes dropped EXE
      - Drops file in Windows directory
      PID: 1128
      - C:\WINDOWS\tasksche.exe
        Command line: C:\WINDOWS\tasksche.exe /i
        - Executes dropped EXE
        PID: 4856
- C:\WINDOWS\mssecsvc.exe
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  PID: 992
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Windows\mssecsvc.exe
  Filesize: 3.6MB
  MD5: 5bcb3ac0bd827c0336dc10e02c89009d
  SHA1: 2c5fc51b0e5e927783b059b4b509a827ec7f8874
  SHA256: 9d9d27aa15122f626ef58a94f2a9a4529a3c5a49e1efbf0df6d9b1e1cba8c9e5
  SHA512: d335761ac4582659451a20bea4a35f8a2331a7a07b2e3d275b83de26f21b6011f35d116f42ed71c18b377b83a7210f09256362bbe672b907f7e72c4cfa4c7c3f
- C:\Windows\tasksche.exe
  Filesize: 3.4MB
  MD5: db73e31441cfcb4e3df4f90abf93be58
  SHA1: cec5b1d186ac29e9de354232e7ced75cfaa7dbcc
  SHA256: ec7921ced5b4b6e1a2466938f5bbbcb37bdbe3e18231bfe474829619427a46a2
  SHA512: 9469b87f95b82afc2b17843cc120585dd4e915bb560fa69e40a54cb752392a339181bfa6923783c63e418ffcef6ed661ff7fc7689828a13732a540c788642861