Analysis
- max time kernel: 150s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20240419-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240419-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 08-05-2024 07:08
Static task: static1

Behavioral task: behavioral1
  Sample: 23bf1b61c93c034a3c70831b6e8a4d70_JaffaCakes118.dll
  Resource: win7-20240221-en

Behavioral task: behavioral2
  Sample: 23bf1b61c93c034a3c70831b6e8a4d70_JaffaCakes118.dll
  Resource: win10v2004-20240419-en
General
- Target: 23bf1b61c93c034a3c70831b6e8a4d70_JaffaCakes118.dll
- Size: 5.0MB
- MD5: 23bf1b61c93c034a3c70831b6e8a4d70
- SHA1: 93169ea4673c1ae96a419af53bb0d8f78f0f3036
- SHA256: a6d9d43e0cdb001b30bb74e5a3ae6522283f1ec7390ec6d44ff0ed68d04756f4
- SHA512: 65c25fa577fa9962a94615c6f6057f710e3d41ca6a887f4419cfec3262602c8148d52e5793639fc2f3de7b2e844f74b5f2d58c6b53a312ed5c98fa3ab65dcbae
- SSDEEP: 24576:SbLgddQhfdmMSirYbcMNgef0QeQjG/D8kIqRYoAdNLKz6626M+vbOSSqTPVXmiF2:SnAQqMSPbcBVQej/1INRx+TSqTdX1Z
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.

- Contacts a large (3238) amount of remote hosts (1 TTPs)
  This may indicate a network scan to discover remotely running services.

- Executes dropped EXE (3 IoCs)
  Processes:
  pid   process
  1120  mssecsvc.exe
  3776  mssecsvc.exe
  4412  tasksche.exe

- Creates a large amount of network flows (1 TTPs)
  This may indicate a network scan to discover remotely running services.

- Drops file in Windows directory (2 IoCs)
  Processes:
  description   ioc                       process
  File created  C:\WINDOWS\mssecsvc.exe   rundll32.exe
  File created  C:\WINDOWS\tasksche.exe   mssecsvc.exe

- Modifies data under HKEY_USERS (5 IoCs)
  Processes:
  description      ioc                                                                                                        process
  Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\                 mssecsvc.exe
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"    mssecsvc.exe
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"   mssecsvc.exe
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"  mssecsvc.exe
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"     mssecsvc.exe

- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes:
  description                          pid   process       target process
  PID 1200 wrote to memory of 4748     1200  rundll32.exe  rundll32.exe
  PID 1200 wrote to memory of 4748     1200  rundll32.exe  rundll32.exe
  PID 1200 wrote to memory of 4748     1200  rundll32.exe  rundll32.exe
  PID 4748 wrote to memory of 1120     4748  rundll32.exe  mssecsvc.exe
  PID 4748 wrote to memory of 1120     4748  rundll32.exe  mssecsvc.exe
  PID 4748 wrote to memory of 1120     4748  rundll32.exe  mssecsvc.exe
Processes
- C:\Windows\system32\rundll32.exe (PID 1200)
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\23bf1b61c93c034a3c70831b6e8a4d70_JaffaCakes118.dll,#1
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (PID 4748)
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\23bf1b61c93c034a3c70831b6e8a4d70_JaffaCakes118.dll,#1
    Signatures: Drops file in Windows directory; Suspicious use of WriteProcessMemory
    - C:\WINDOWS\mssecsvc.exe (PID 1120)
      Command line: C:\WINDOWS\mssecsvc.exe
      Signatures: Executes dropped EXE; Drops file in Windows directory
      - C:\WINDOWS\tasksche.exe (PID 4412)
        Command line: C:\WINDOWS\tasksche.exe /i
        Signatures: Executes dropped EXE

- C:\WINDOWS\mssecsvc.exe (PID 3776)
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  Signatures: Executes dropped EXE; Modifies data under HKEY_USERS
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Windows\mssecsvc.exe
  Filesize: 3.6MB
  MD5: 316630ad6353535d7fe76672084c999d
  SHA1: c687aa75e9b8fb423b97594798dfe695d59e77ad
  SHA256: 6e1bf8d9364d1c960333b94dad18f495a3102dcd7e331cc812b86cc618c11001
  SHA512: a8f8963906bcbf5270154e6c8f79460b57bd46c93eee89a7159e050751973ebbc29266ecb59e845cc43c5cf8809b0960cc2dc574400d0b97951910072ac56bdc

- C:\Windows\tasksche.exe
  Filesize: 3.4MB
  MD5: a8a5648c965e7cc33834649945b0ada1
  SHA1: 6832ac6ca58fb0df0e62d468f05f40384ed2e6cc
  SHA256: b77418da3c992bb912c45edc099401e016cd0b0e4037cec3558d663cc8562619
  SHA512: a51bf34b6bee544d0034bfedc41336da54c3f6c90bdab8cd6b637b00932b6863e1adb59556a5a8464c567176f8fc1c7c1d354492ce7d971def793d7f7e8b553d