Analysis
max time kernel: 150s
max time network: 156s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 08-05-2024 22:19
Static task: static1
Behavioral task: behavioral1
  Sample: 26ff9a0d6e9b947b5c476286f2306850_JaffaCakes118.dll
  Resource: win7-20240220-en
Behavioral task: behavioral2
  Sample: 26ff9a0d6e9b947b5c476286f2306850_JaffaCakes118.dll
  Resource: win10v2004-20240508-en
General
Target: 26ff9a0d6e9b947b5c476286f2306850_JaffaCakes118.dll
Size: 5.0MB
MD5: 26ff9a0d6e9b947b5c476286f2306850
SHA1: 5cc5f9f10e24dc87edd2046cbf07d2c4c78ecba3
SHA256: 6404a8df234f2da6f6ebf9196f1e746fd22a04c5ff2794faeecacf93794883e8
SHA512: 5d922ef9921660a4186a1224e07215943204d88bac1fe34e26fbd75930755a80ea6840cc5dba524b37e977d3388d07f783d65713054574fd21809baedd09413f
SSDEEP: 24576:SbLgddQhfdmMSirYbcMNgef0zpcL7nEaut/8uME7A4BGccEAHYkRGra8oQPe:SnAQqMSPbcBVzaEau3R8ZZROAx
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.
- Contacts a large (3308) amount of remote hosts (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Executes dropped EXE (3 IoCs)
  Processes: mssecsvc.exe, mssecsvc.exe, tasksche.exe
    pid   process
    3152  mssecsvc.exe
    1596  mssecsvc.exe
    228   tasksche.exe
- Creates a large amount of network flows (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Drops file in Windows directory (2 IoCs)
  Processes: rundll32.exe, mssecsvc.exe
    description   ioc                       process
    File created  C:\WINDOWS\mssecsvc.exe   rundll32.exe
    File created  C:\WINDOWS\tasksche.exe   mssecsvc.exe
- Modifies data under HKEY_USERS (5 IoCs)
  Processes: mssecsvc.exe
    description      ioc                                                                                                   process
    Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"  mssecsvc.exe
    Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"     mssecsvc.exe
    Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\                     mssecsvc.exe
    Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"    mssecsvc.exe
    Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"   mssecsvc.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes: rundll32.exe, rundll32.exe
    description                       pid   process       target process
    PID 3044 wrote to memory of 2236  3044  rundll32.exe  rundll32.exe
    PID 3044 wrote to memory of 2236  3044  rundll32.exe  rundll32.exe
    PID 3044 wrote to memory of 2236  3044  rundll32.exe  rundll32.exe
    PID 2236 wrote to memory of 3152  2236  rundll32.exe  mssecsvc.exe
    PID 2236 wrote to memory of 3152  2236  rundll32.exe  mssecsvc.exe
    PID 2236 wrote to memory of 3152  2236  rundll32.exe  mssecsvc.exe
Processes
- C:\Windows\system32\rundll32.exe
  Command: rundll32.exe C:\Users\Admin\AppData\Local\Temp\26ff9a0d6e9b947b5c476286f2306850_JaffaCakes118.dll,#1
  PID: 3044
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    Command: rundll32.exe C:\Users\Admin\AppData\Local\Temp\26ff9a0d6e9b947b5c476286f2306850_JaffaCakes118.dll,#1
    PID: 2236
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    - C:\WINDOWS\mssecsvc.exe
      Command: C:\WINDOWS\mssecsvc.exe
      PID: 3152
      - Executes dropped EXE
      - Drops file in Windows directory
      - C:\WINDOWS\tasksche.exe
        Command: C:\WINDOWS\tasksche.exe /i
        PID: 228
        - Executes dropped EXE
- C:\WINDOWS\mssecsvc.exe
  Command: C:\WINDOWS\mssecsvc.exe -m security
  PID: 1596
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Windows\mssecsvc.exe
  Filesize: 3.6MB
  MD5: 80ae678346ca878eb852b1417cede4b9
  SHA1: b45c51308a8f50bdc12b549a8a230654ae6aee33
  SHA256: 58066735988212568a4b5b557b124e2bd5a801962d8b70a1db4812a9bfd2d5b4
  SHA512: 181b23000caaa36d702a23dd06719c37e5d0b9e3c4b8f693139e3e45594deb27f6c5463da3cc61a6526836d0c9ac7c48896c4d265a20bb66a3da9f23340886c2
- C:\Windows\tasksche.exe
  Filesize: 3.4MB
  MD5: ebafaed3b3f761bf8f4b4babd9abbc24
  SHA1: d6de46221231a0bcf8049233efa0d46bc5a603e3
  SHA256: f1ec161e18d514d574e7c066c97eb5bd702c56408085e91319b33d2075f6adf7
  SHA512: c2852b375c60caf73f96ec91a69a40f63d970d0363b559d70bc6816c934e169dae175e4b007df12077d41cd51a9987fd27d6c863aaaa5101454a5ebbee0eac5a