Analysis
max time kernel: 142s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
submitted: 09-05-2024 01:42
Static task: static1
Behavioral task: behavioral1
  Sample: 27b1909032fd61c8538946b80e1196d7_JaffaCakes118.dll
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 27b1909032fd61c8538946b80e1196d7_JaffaCakes118.dll
  Resource: win10v2004-20240426-en
General
Target: 27b1909032fd61c8538946b80e1196d7_JaffaCakes118.dll
Size: 5.0MB
MD5: 27b1909032fd61c8538946b80e1196d7
SHA1: 068db3c25da3037222a410cdbfa4582daaff7187
SHA256: 462083a9b81e8eec6f13754f3d0029cd219a595b320240d2eb8f30d9e5337ed1
SHA512: f22324929c57c480d1d854962f49e74fb03ab8d676fb3b4e2ea674cdaa4f97580251ba6d7eace1c814fdf4e9665ef45fe5c8d24c8c6ff937c67decd54e90a700
SSDEEP: 49152:SnAQqMSPbcBVlvxJM0H9PAMEcaEau3R8yAH1plAH:+DqPoBDxWa9P593R8yAVp2H
Malware Config
Signatures
Wannacry
  WannaCry is a ransomware cryptoworm.
Contacts a large (3136) amount of remote hosts (1 TTPs)
  This may indicate a network scan to discover remotely running services.
Executes dropped EXE (3 IoCs)
  Processes:
    pid   process
    3068  mssecsvc.exe
    4640  mssecsvc.exe
    2968  tasksche.exe
Creates a large amount of network flows (1 TTPs)
  This may indicate a network scan to discover remotely running services.
Drops file in Windows directory (2 IoCs)
  Processes:
    description   ioc                      process
    File created  C:\WINDOWS\mssecsvc.exe  rundll32.exe
    File created  C:\WINDOWS\tasksche.exe  mssecsvc.exe
Modifies data under HKEY_USERS (5 IoCs)
  Processes:
    description      ioc                                                                                                            process
    Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"   mssecsvc.exe
    Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"  mssecsvc.exe
    Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"     mssecsvc.exe
    Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\                     mssecsvc.exe
    Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"    mssecsvc.exe
Suspicious use of WriteProcessMemory (6 IoCs)
  Processes:
    description                        pid   process       target process
    PID 1368 wrote to memory of 1520   1368  rundll32.exe  rundll32.exe
    PID 1368 wrote to memory of 1520   1368  rundll32.exe  rundll32.exe
    PID 1368 wrote to memory of 1520   1368  rundll32.exe  rundll32.exe
    PID 1520 wrote to memory of 3068   1520  rundll32.exe  mssecsvc.exe
    PID 1520 wrote to memory of 3068   1520  rundll32.exe  mssecsvc.exe
    PID 1520 wrote to memory of 3068   1520  rundll32.exe  mssecsvc.exe
Processes
C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\27b1909032fd61c8538946b80e1196d7_JaffaCakes118.dll,#1
  PID: 1368
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\27b1909032fd61c8538946b80e1196d7_JaffaCakes118.dll,#1
    PID: 1520
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    C:\WINDOWS\mssecsvc.exe
      Command line: C:\WINDOWS\mssecsvc.exe
      PID: 3068
      - Executes dropped EXE
      - Drops file in Windows directory
      C:\WINDOWS\tasksche.exe
        Command line: C:\WINDOWS\tasksche.exe /i
        PID: 2968
        - Executes dropped EXE
C:\WINDOWS\mssecsvc.exe
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  PID: 4640
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
Network
MITRE ATT&CK Enterprise v15
Downloads
C:\Windows\mssecsvc.exe
  Filesize: 3.6MB
  MD5: 59e8cc0c47218b4a075e1b2160be005b
  SHA1: ad69fdc23c8cb78bb510f2a81249c1d44de3a444
  SHA256: d3b8f9a918475a0df82ec293bc6abd316361c974f52b6f41a8fa0bc5beca4f2f
  SHA512: 9aa2278d118cc621d87cadaa2520b8d1642569b212bb5ec4ebcd931accfbf019a491eefd92154b2a01d14591a2768dd35202edf574107f8ce2fecde7101f411b
C:\Windows\tasksche.exe
  Filesize: 3.4MB
  MD5: d7977f48fb94d0bdf4cf2345275b3e8b
  SHA1: 62bb02a791cd17e3caec26daed70a5bda1564c78
  SHA256: 886a4559dc242d64ebd97faaadfbd31b8c448d7d84a686fa3e5ff208fa93c0c4
  SHA512: af4b9ba90ec4c81e414343b99ca7beaba398d3f9b98f705b30432c0a5ecdf28c8d194a95c4168a7781162ccc142f127d3e0ed7fd5f0f01ed276e81b9d9643472