Analysis
- max time kernel: 150s
- max time network: 153s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 09-05-2024 23:05
Static task: static1
Behavioral task: behavioral1
  Sample: 2c2619f19a487324e0d8a771b660e2d5_JaffaCakes118.dll
  Resource: win7-20240215-en
Behavioral task: behavioral2
  Sample: 2c2619f19a487324e0d8a771b660e2d5_JaffaCakes118.dll
  Resource: win10v2004-20240508-en
General
- Target: 2c2619f19a487324e0d8a771b660e2d5_JaffaCakes118.dll
- Size: 5.0MB
- MD5: 2c2619f19a487324e0d8a771b660e2d5
- SHA1: 0767faa743ed4700df19d9862b9049496946c205
- SHA256: ff74642f90c3b465f9cbf420e97a75b08af9a06eaa44ffd84023661aaf965ac6
- SHA512: 615065c9e6c0bed1079f59f7be43b5398128e0b08c833f6eddf0636965297b97c3083773719eabb120ebcd76ee0a93fda58779377e51f31ab3ecbfbb8416cc9b
- SSDEEP: 98304:+2NPoBhz1aRxcSUDk36SAEdhvxWa9P593Ry2H:+2NPe1Cxcxk3ZAEUadzRxH
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.
- Contacts a large (2158) amount of remote hosts (1 TTPs)
  This may indicate a network scan to discover remotely running services.
-
- Executes dropped EXE (3 IoCs)
  Processes:
    pid   process
    4460  mssecsvc.exe
    3664  mssecsvc.exe
    4732  tasksche.exe
- Drops file in Windows directory (2 IoCs)
  Processes:
    description   ioc                        process
    File created  C:\WINDOWS\mssecsvc.exe    rundll32.exe
    File created  C:\WINDOWS\tasksche.exe    mssecsvc.exe
- Modifies data under HKEY_USERS (5 IoCs)
  Processes:
    description      ioc                                                                                                          process
    Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\                mssecsvc.exe
    Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"    mssecsvc.exe
    Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"   mssecsvc.exe
    Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"  mssecsvc.exe
    Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"     mssecsvc.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes:
    description                          pid   process       target process
    PID 3580 wrote to memory of 4724     3580  rundll32.exe  rundll32.exe
    PID 3580 wrote to memory of 4724     3580  rundll32.exe  rundll32.exe
    PID 3580 wrote to memory of 4724     3580  rundll32.exe  rundll32.exe
    PID 4724 wrote to memory of 4460     4724  rundll32.exe  mssecsvc.exe
    PID 4724 wrote to memory of 4460     4724  rundll32.exe  mssecsvc.exe
    PID 4724 wrote to memory of 4460     4724  rundll32.exe  mssecsvc.exe
Processes
1. C:\Windows\system32\rundll32.exe (PID 3580)
   Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\2c2619f19a487324e0d8a771b660e2d5_JaffaCakes118.dll,#1
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\rundll32.exe (PID 4724)
      Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\2c2619f19a487324e0d8a771b660e2d5_JaffaCakes118.dll,#1
      - Drops file in Windows directory
      - Suspicious use of WriteProcessMemory
      3. C:\WINDOWS\mssecsvc.exe (PID 4460)
         Command line: C:\WINDOWS\mssecsvc.exe
         - Executes dropped EXE
         - Drops file in Windows directory
         4. C:\WINDOWS\tasksche.exe (PID 4732)
            Command line: C:\WINDOWS\tasksche.exe /i
            - Executes dropped EXE
1. C:\WINDOWS\mssecsvc.exe (PID 3664)
   Command line: C:\WINDOWS\mssecsvc.exe -m security
   - Executes dropped EXE
   - Modifies data under HKEY_USERS
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Windows\mssecsvc.exe
  Filesize: 3.6MB
  MD5: fafa048771a311fb2dcb96fd7f30b9c2
  SHA1: f7bb4f6a82bb5e616a574c41b60cd3029a5b9f04
  SHA256: cc2561122111e0252c2050d91fea69445c996b336e7b2dfe09a082a46b4e54ff
  SHA512: ed8f4b2262221fc96a18f3b7b860baf9408c3aac4825781655af9a4e85dd0fe2b14c516ebcb734a95273c757fa15f690960df09f48550043838f47e0f1616b7f
- C:\Windows\tasksche.exe
  Filesize: 3.4MB
  MD5: b37d5af62499cd8f31269fcb141a3c24
  SHA1: 5fd44fe4e95b4dec2e85e896110c833165edd14a
  SHA256: accce946b284fd8ec10dbf389fd8ab122d81801550551c08a0264343f82164ad
  SHA512: 5313dd5880ab10365de0e179bf4a0cd50d64c9e2e51e00a4bcf73e4947133c466f57aae89c64ca7a650021c5149983973c52fb5ec6daa7d46c5f7b2fedf40c1f