Analysis
- max time kernel: 150s
- max time network: 156s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 08-05-2024 23:16
Static task: static1
Behavioral task: behavioral1
- Sample: 272c2091af2a86707aad37c311833152_JaffaCakes118.dll
- Resource: win7-20240508-en
Behavioral task: behavioral2
- Sample: 272c2091af2a86707aad37c311833152_JaffaCakes118.dll
- Resource: win10v2004-20240508-en
General
- Target: 272c2091af2a86707aad37c311833152_JaffaCakes118.dll
- Size: 5.0MB
- MD5: 272c2091af2a86707aad37c311833152
- SHA1: 24dc6608fcda83c32386154231c5f317442bf054
- SHA256: 61fb253b656b4ec88782baaf9e8e741e32789dce3ced825e65edafc0a060cc09
- SHA512: ab87f2093012314d4d17fcd70bec10ab1b7d1651917651dca6949aa0b40c97395f86a6353a126e4dd0e6f972dcd3411295c560ebb7414fb9772b5889dd014b95
- SSDEEP: 12288:yebLgPlu+QhMbaIMu7L5NVEr7CgNt1F0vnwqYYcIOzidenqEAqb:zbLgddQhfdmMKkqYYLZW
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.
- Contacts a large (3248) amount of remote hosts (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Executes dropped EXE (3 IoCs)
  Processes:
  pid   process
  4928  mssecsvc.exe
  944   mssecsvc.exe
  3784  tasksche.exe
- Creates a large amount of network flows (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Drops file in Windows directory (2 IoCs)
  Processes:
  description   ioc                      process
  File created  C:\WINDOWS\mssecsvc.exe  rundll32.exe
  File created  C:\WINDOWS\tasksche.exe  mssecsvc.exe
- Modifies data under HKEY_USERS (5 IoCs)
  Processes (all by mssecsvc.exe):
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"
  Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes:
  description                       pid   process       target process
  PID 4548 wrote to memory of 1768  4548  rundll32.exe  rundll32.exe
  PID 4548 wrote to memory of 1768  4548  rundll32.exe  rundll32.exe
  PID 4548 wrote to memory of 1768  4548  rundll32.exe  rundll32.exe
  PID 1768 wrote to memory of 4928  1768  rundll32.exe  mssecsvc.exe
  PID 1768 wrote to memory of 4928  1768  rundll32.exe  mssecsvc.exe
  PID 1768 wrote to memory of 4928  1768  rundll32.exe  mssecsvc.exe
Processes
- C:\Windows\system32\rundll32.exe (PID 4548)
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\272c2091af2a86707aad37c311833152_JaffaCakes118.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (PID 1768)
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\272c2091af2a86707aad37c311833152_JaffaCakes118.dll,#1
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    - C:\WINDOWS\mssecsvc.exe (PID 4928)
      Command line: C:\WINDOWS\mssecsvc.exe
      - Executes dropped EXE
      - Drops file in Windows directory
      - C:\WINDOWS\tasksche.exe (PID 3784)
        Command line: C:\WINDOWS\tasksche.exe /i
        - Executes dropped EXE
- C:\WINDOWS\mssecsvc.exe (PID 944)
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Windows\mssecsvc.exe
  Filesize: 3.6MB
  MD5: a14940982d106793db3fe9ff40ce8715
  SHA1: 838065abf69b9227f1439da90e70fbcea80f8c72
  SHA256: 52bd0d456735ce4f4e54e219e28717061fefc18ec25df16d1b267ce64a1c1bf9
  SHA512: f6442e0317b691e35e8d27772b614595f1b28a5f7e3256a9c001c186e6a408f5eacc7f78c5d0a7d6e326038f296cdf7bbcefb924ad8b83941374e45510282734
- C:\Windows\tasksche.exe
  Filesize: 3.4MB
  MD5: e3ebe4b64382f80797bb8acfde1dd60e
  SHA1: e4d63cc604e6b917c4f337e5def6e192b4251a39
  SHA256: cc70de3779ee5c15815f7d8a47eedae8acf61d63b72576fae707da658d6859d0
  SHA512: 2641b36546170cd308c279ce94da99dfec425641fd2c8d3fcbc29f8a9256bb8b021ad18d4245661c5b69cc8ff4f488772d9d2a942dea6fbc038a5572f6670630