Analysis
max time kernel: 150s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 09-05-2024 09:05
Static task: static1
Behavioral task: behavioral1
  Sample: 293dad9bb59b93e223dcfc260aa824d9_JaffaCakes118.dll
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 293dad9bb59b93e223dcfc260aa824d9_JaffaCakes118.dll
  Resource: win10v2004-20240508-en
General
Target: 293dad9bb59b93e223dcfc260aa824d9_JaffaCakes118.dll
Size: 5.0MB
MD5: 293dad9bb59b93e223dcfc260aa824d9
SHA1: f85b522b9108b1a6c9cf7e754d4f74994170c973
SHA256: 8a09b786eadcc876bb3251b38f96248fec296615337329459a76c7bd3337ba0f
SHA512: 24bec12450524db99b4d971cab42e9445f7994d43381ae77d994ba5635be99928ff136c76335ec01252a881e4fb7d71426d7b64c05008ecbb82f4e61e113292c
SSDEEP: 24576:SbLgddQhfdmMSirYbcMNgef0QeQeuZtk6Qo+:SnAQqMSPbcBVQesi
Malware Config
Signatures
Wannacry
WannaCry is a ransomware cryptoworm.

Contacts a large (3055) amount of remote hosts (1 TTPs)
This may indicate a network scan to discover remotely running services.

Executes dropped EXE (3 IoCs)
Processes:
  pid   process
  3400  mssecsvc.exe
  3828  mssecsvc.exe
  3364  tasksche.exe

Creates a large amount of network flows (1 TTPs)
This may indicate a network scan to discover remotely running services.

Drops file in Windows directory (2 IoCs)
Processes:
  description   ioc                       process
  File created  C:\WINDOWS\mssecsvc.exe   rundll32.exe
  File created  C:\WINDOWS\tasksche.exe   mssecsvc.exe

Modifies data under HKEY_USERS (5 IoCs)
Processes (all by mssecsvc.exe):
  description      ioc
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"
  Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"

Suspicious use of WriteProcessMemory (6 IoCs)
Processes:
  description                       pid   process       target process
  PID 4968 wrote to memory of 1552  4968  rundll32.exe  rundll32.exe
  PID 4968 wrote to memory of 1552  4968  rundll32.exe  rundll32.exe
  PID 4968 wrote to memory of 1552  4968  rundll32.exe  rundll32.exe
  PID 1552 wrote to memory of 3400  1552  rundll32.exe  mssecsvc.exe
  PID 1552 wrote to memory of 3400  1552  rundll32.exe  mssecsvc.exe
  PID 1552 wrote to memory of 3400  1552  rundll32.exe  mssecsvc.exe
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\293dad9bb59b93e223dcfc260aa824d9_JaffaCakes118.dll,#1
  - Suspicious use of WriteProcessMemory
  PID: 4968
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\293dad9bb59b93e223dcfc260aa824d9_JaffaCakes118.dll,#1
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    PID: 1552
    - C:\WINDOWS\mssecsvc.exe
      Command line: C:\WINDOWS\mssecsvc.exe
      - Executes dropped EXE
      - Drops file in Windows directory
      PID: 3400
      - C:\WINDOWS\tasksche.exe
        Command line: C:\WINDOWS\tasksche.exe /i
        - Executes dropped EXE
        PID: 3364
- C:\WINDOWS\mssecsvc.exe
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  PID: 3828
Network
MITRE ATT&CK Enterprise v15
Downloads
C:\Windows\mssecsvc.exe
  Filesize: 3.6MB
  MD5: 68de9ead67aedc561050fcc0f8e6c138
  SHA1: f0f8f29cad1a915c43e308091d7b03a6d9b354a6
  SHA256: fce9d0f745ed503ca1f4366daab401a37bf272ece6d1e936994ac57738e68869
  SHA512: 5a8241c462574be544eda2e8ae1540866a07b9fae8885061091c082025652debeab7b8e03b91f9cf21e252bcb7394c62c09cdfe0024bd3745426184db8f0bb24

C:\Windows\tasksche.exe
  Filesize: 3.4MB
  MD5: 498f716dd84ff34aeeab0247df4fe5e4
  SHA1: dd446a7dd504cbc861d6131bb4ef1f07540051ae
  SHA256: 57bbdac9b814d93aecbb92ebcbc654f1230687d8df473db5d08266b3e5cc0c52
  SHA512: eb2b9bcdd776a68487e888a1948884ad067125bacaa471dfcec83e2332e9b8eb8d44fa73d7110671bdbee26ac2983a8b74543c82ca1510b7d14f0fcdfce79146