Analysis
max time kernel: 150s
max time network: 154s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 09-05-2024 01:36
Static task: static1
Behavioral task: behavioral1
  Sample: 27ace7fc9afc3b8dbaa5dae64f372ba8_JaffaCakes118.dll
  Resource: win7-20231129-en
Behavioral task: behavioral2
  Sample: 27ace7fc9afc3b8dbaa5dae64f372ba8_JaffaCakes118.dll
  Resource: win10v2004-20240508-en
General
Target: 27ace7fc9afc3b8dbaa5dae64f372ba8_JaffaCakes118.dll
Size: 5.0MB
MD5: 27ace7fc9afc3b8dbaa5dae64f372ba8
SHA1: 9ec99cd92eb2fe5513d9b8eb4f76fb22586f68dd
SHA256: cba172a00f392dcc0774dba22d714884e2cd898e83066f46e8c89f4bf96a4a00
SHA512: 0bc8081c15fd2f034aa94addc0392a442b997e6eae41cad5c874f87be71027f0049df53dc286329b7a5b533896a5a1ab614abbf2d83f69503c4335a66fe9c1d9
SSDEEP: 98304:+DqPoBhz1aRxcSUDk36SAEdhvxWa9P5xdWNp2H:+DqPe1Cxcxk3ZAEUadPdQ4H
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.
- Contacts a large (3316) amount of remote hosts (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Executes dropped EXE (3 IoCs)
  Processes:
    PID 4456  mssecsvc.exe
    PID 2920  mssecsvc.exe
    PID 2132  tasksche.exe
- Creates a large amount of network flows (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Drops file in Windows directory (2 IoCs)
  Processes (description / ioc / process):
    File created  C:\WINDOWS\tasksche.exe  mssecsvc.exe
    File created  C:\WINDOWS\mssecsvc.exe  rundll32.exe
- Modifies data under HKEY_USERS (5 IoCs)
  Processes (description / ioc / process):
    Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\  mssecsvc.exe
    Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"  mssecsvc.exe
    Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"  mssecsvc.exe
    Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"  mssecsvc.exe
    Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"  mssecsvc.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes (description / pid / process / target process):
    PID 4960 wrote to memory of 5100  4960 rundll32.exe  rundll32.exe
    PID 4960 wrote to memory of 5100  4960 rundll32.exe  rundll32.exe
    PID 4960 wrote to memory of 5100  4960 rundll32.exe  rundll32.exe
    PID 5100 wrote to memory of 4456  5100 rundll32.exe  mssecsvc.exe
    PID 5100 wrote to memory of 4456  5100 rundll32.exe  mssecsvc.exe
    PID 5100 wrote to memory of 4456  5100 rundll32.exe  mssecsvc.exe
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\27ace7fc9afc3b8dbaa5dae64f372ba8_JaffaCakes118.dll,#1
  Signatures: Suspicious use of WriteProcessMemory
  PID: 4960
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\27ace7fc9afc3b8dbaa5dae64f372ba8_JaffaCakes118.dll,#1
    Signatures: Drops file in Windows directory; Suspicious use of WriteProcessMemory
    PID: 5100
    - C:\WINDOWS\mssecsvc.exe
      Command line: C:\WINDOWS\mssecsvc.exe
      Signatures: Executes dropped EXE; Drops file in Windows directory
      PID: 4456
      - C:\WINDOWS\tasksche.exe
        Command line: C:\WINDOWS\tasksche.exe /i
        Signatures: Executes dropped EXE
        PID: 2132
- C:\WINDOWS\mssecsvc.exe
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  Signatures: Executes dropped EXE; Modifies data under HKEY_USERS
  PID: 2920
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Windows\mssecsvc.exe
  Filesize: 3.6MB
  MD5: 0d93f1767928a396702d48d07f0f5dfc
  SHA1: 75447c3b6898034879892527dd6ec78c69a2360b
  SHA256: cb8b368c8bd75ef51b5a72c74042de8f23d15658256e503042d214630f5bc02e
  SHA512: 872a33b16ea79788a4cfaddde16024160d653e71284097e473b76042fbee721bd6ac1077b19d72d682696d3f62102a42e573c0b21639b4b61a0b8d457590918d
- C:\Windows\tasksche.exe
  Filesize: 3.4MB
  MD5: c06c9fa6f83b8aee9f29e9e7e44f66f3
  SHA1: d1a506d93ad085609cd330db72028ccaac7fd045
  SHA256: e5df4290422fe76ce7d01e5d54fd7a19f47fa0d2c415018187ebc33f7503ac81
  SHA512: cdc0c3f6aec5ce088d3cde333bc4cc4b3cf088a7ff12566f490d05409ef72ea532405fb2ace5cc370143335436e1b37584f265c8dc69c3af68ef070f8a523b1f