Analysis

max time kernel: 150s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 09-05-2024 18:45
Static task: static1

Behavioral task: behavioral1
Sample: 2b5e4a20e51f0f7bed2565c010ab1dee_JaffaCakes118.dll
Resource: win7-20240221-en

Behavioral task: behavioral2
Sample: 2b5e4a20e51f0f7bed2565c010ab1dee_JaffaCakes118.dll
Resource: win10v2004-20240508-en

(The results below are from behavioral2, the win10v2004-20240508-en run named in the Analysis block.)
General

Target: 2b5e4a20e51f0f7bed2565c010ab1dee_JaffaCakes118.dll
Size: 5.0MB
MD5: 2b5e4a20e51f0f7bed2565c010ab1dee
SHA1: c5304256094a518eaaae1fbedc38043a0ce220e2
SHA256: b92b23cfa7f789dd39d433b719e7dc35b9951572f89683b605eb7c89605f50b2
SHA512: 3a87958db4fc1f27869c0dbf8f61ced5afb6de98aa6c7c6801bdb04518712a1225859b371b3900518662c94985ca4d110715c1bb0138793128d6ea8d7f8907af
SSDEEP: 49152:SnAQqMSPbcBVQej/1INRx+TSqTdX1HkQo6SAARdhnvxJM0H9:+DqPoBhz1aRxcSUDk36SAEdhvxWa9
Malware Config
Signatures
Wannacry
WannaCry is a ransomware cryptoworm.

Contacts a large number (3312) of remote hosts (1 TTP)
This may indicate a network scan to discover remotely running services. For WannaCry this is the worm component probing other hosts for SMB so it can spread.

Executes dropped EXE (3 IoCs)
  PID   Process
  4440  mssecsvc.exe
  2964  mssecsvc.exe
  4444  tasksche.exe

Creates a large number of network flows (1 TTP)
This may indicate a network scan to discover remotely running services.

Drops file in Windows directory (2 IoCs)
  Description   IoC                       Process
  File created  C:\WINDOWS\mssecsvc.exe   rundll32.exe
  File created  C:\WINDOWS\tasksche.exe   mssecsvc.exe

Modifies data under HKEY_USERS (5 IoCs)
  Description      IoC                                                                                                              Process
  Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\                      mssecsvc.exe
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"     mssecsvc.exe
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"    mssecsvc.exe
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"   mssecsvc.exe
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"      mssecsvc.exe
The writes land in the .DEFAULT hive, the profile used by the LocalSystem account, which fits the writing process (PID 2964, mssecsvc.exe -m security) running as a service rather than in the user's session.

Suspicious use of WriteProcessMemory (6 IoCs)
  Source PID  Source process  Target PID  Target process  Events
  3280        rundll32.exe    3584        rundll32.exe    3
  3584        rundll32.exe    4440        mssecsvc.exe    3
Each row is a parent writing into a child it has just created; a few WriteProcessMemory calls from parent to new child are also made by ordinary process creation, so on their own these rows show the spawn chain rather than proving code injection.
Processes

C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\2b5e4a20e51f0f7bed2565c010ab1dee_JaffaCakes118.dll,#1
  PID: 3280
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\2b5e4a20e51f0f7bed2565c010ab1dee_JaffaCakes118.dll,#1
    PID: 3584
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    C:\WINDOWS\mssecsvc.exe
      Command line: C:\WINDOWS\mssecsvc.exe
      PID: 4440
      - Executes dropped EXE
      - Drops file in Windows directory
      C:\WINDOWS\tasksche.exe
        Command line: C:\WINDOWS\tasksche.exe /i
        PID: 4444
        - Executes dropped EXE

C:\WINDOWS\mssecsvc.exe
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  PID: 2964
  - Executes dropped EXE
  - Modifies data under HKEY_USERS

Reading the tree: the sandbox invokes the DLL's export by ordinal (",#1"); the 64-bit rundll32.exe in system32 hands off to the 32-bit copy in SysWOW64, as it does for a 32-bit DLL. The 32-bit rundll32 drops C:\WINDOWS\mssecsvc.exe and runs it, and that process drops and runs C:\WINDOWS\tasksche.exe /i. The second, parentless tree (mssecsvc.exe -m security, PID 2964) is consistent with the dropped binary being started again as a service.
Network
MITRE ATT&CK Enterprise v15
Downloads

C:\Windows\mssecsvc.exe
  Filesize: 3.6MB
  MD5: 977621394af98d1f8662c2bc70b0cf35
  SHA1: 5747817e856b91b88b5a95109c42e2f90a732208
  SHA256: fee9b88cad1cc384803a94f00fd14a42cf2dedfd0fcbafe6b015ba5cb6869477
  SHA512: 70b3bd576eaa1fac3ecedf3f47f54e20c9e9b360e94fb2de555e55396659fc6fa38f97380f9224a71a6d7505ab4973f900dc01ddf115f84c9bee72f511ec753e

C:\Windows\tasksche.exe
  Filesize: 3.4MB
  MD5: 8418e859695aa3b3d1065d45ab6c04c0
  SHA1: e042ff2399094fd6900f3d742a61bb79a70cd574
  SHA256: 9063ef121d0e2aa30b0c3139238efd74349f929faa989f6137c42fa0fb2aa2bb
  SHA512: 061d34ee7651ed030c17995ec5ad64deeec552c129660eee6846d5a948e29d26832f0743abc279aa9ec0e13e402a3b3e429c4487095a6d33bbe27717b1d76b92
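The Signatures and Processes sections above and the dropped-file hashes in this section can be turned into detection logic. The following Python is an added example and is not part of the sandbox report: the event dictionaries, their keys (type, pid, ppid, image, cmd, target, sha256) and the parent PIDs 1000 and 700 are constructed to mirror the report's process tree and are not real Sysmon output; the paths and SHA256 values are copied from the report.

```python
# Added example, not part of the sandbox report: turn the behaviour and IoCs
# listed on this page into detection logic and run it over constructed,
# Sysmon-style events. The event shape (type/pid/ppid/image/cmd/target/sha256)
# is an assumption of this example, not real Sysmon output.
import re

# SHA256 of the two dropped files, from the report's Downloads section.
DROPPED_SHA256 = {
    "fee9b88cad1cc384803a94f00fd14a42cf2dedfd0fcbafe6b015ba5cb6869477": "mssecsvc.exe",
    "9063ef121d0e2aa30b0c3139238efd74349f929faa989f6137c42fa0fb2aa2bb": "tasksche.exe",
}

# rundll32 invoking an export by ordinal (",#1") from a DLL in a user's Temp directory.
ORDINAL_TEMP_DLL = re.compile(r"\\AppData\\Local\\Temp\\[^\s,]+\.dll,#\d+", re.IGNORECASE)
# An .exe written directly into the Windows directory root, not into a sub-directory.
WINDOWS_ROOT_EXE = re.compile(r"^[A-Z]:\\WINDOWS\\[^\\]+\.exe$", re.IGNORECASE)
# The ZoneMap key the report shows mssecsvc.exe modifying under the .DEFAULT hive.
ZONEMAP_DEFAULT = r"\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap".lower()

# Constructed events mirroring the report's process tree. In real Sysmon these
# would be event IDs 1 (ProcessCreate), 11 (FileCreate) and 13 (RegistryValueSet).
DLL = r"C:\Users\Admin\AppData\Local\Temp\2b5e4a20e51f0f7bed2565c010ab1dee_JaffaCakes118.dll"
EVENTS = [
    {"type": "process_create", "pid": 3280, "ppid": 1000, "image": r"C:\Windows\system32\rundll32.exe",
     "cmd": f"rundll32.exe {DLL},#1"},
    {"type": "process_create", "pid": 3584, "ppid": 3280, "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "cmd": f"rundll32.exe {DLL},#1"},
    {"type": "file_create", "pid": 3584, "target": r"C:\WINDOWS\mssecsvc.exe"},
    {"type": "process_create", "pid": 4440, "ppid": 3584, "image": r"C:\WINDOWS\mssecsvc.exe",
     "cmd": r"C:\WINDOWS\mssecsvc.exe",
     "sha256": "fee9b88cad1cc384803a94f00fd14a42cf2dedfd0fcbafe6b015ba5cb6869477"},
    {"type": "file_create", "pid": 4440, "target": r"C:\WINDOWS\tasksche.exe"},
    {"type": "process_create", "pid": 4444, "ppid": 4440, "image": r"C:\WINDOWS\tasksche.exe",
     "cmd": r"C:\WINDOWS\tasksche.exe /i",
     "sha256": "9063ef121d0e2aa30b0c3139238efd74349f929faa989f6137c42fa0fb2aa2bb"},
    {"type": "process_create", "pid": 2964, "ppid": 700, "image": r"C:\WINDOWS\mssecsvc.exe",
     "cmd": r"C:\WINDOWS\mssecsvc.exe -m security"},
    {"type": "registry_set", "pid": 2964, "value": "1",
     "target": r"\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass"},
    # Benign noise: a legitimate rundll32 call that must not trigger anything.
    {"type": "process_create", "pid": 5000, "ppid": 1000, "image": r"C:\Windows\system32\rundll32.exe",
     "cmd": "rundll32.exe shell32.dll,Control_RunDLL"},
]


def analyze(events):
    """Return (findings, parent, image): findings is a list of (rule, pid) pairs;
    parent maps pid -> ppid and image maps pid -> image path for chain reconstruction."""
    findings, dropped, parent, image = [], set(), {}, {}
    for ev in events:
        pid, kind = ev["pid"], ev["type"]
        if kind == "process_create":
            parent[pid], image[pid] = ev["ppid"], ev["image"]
            if ORDINAL_TEMP_DLL.search(ev["cmd"]):
                findings.append(("rundll32_temp_dll_ordinal", pid))
            if ev["image"].lower() in dropped:          # the report's "Executes dropped EXE"
                findings.append(("executes_dropped_exe", pid))
            if ev.get("sha256") in DROPPED_SHA256:
                findings.append(("known_hash_" + DROPPED_SHA256[ev["sha256"]], pid))
        elif kind == "file_create" and WINDOWS_ROOT_EXE.match(ev["target"]):
            dropped.add(ev["target"].lower())           # remember it for later executions
            findings.append(("exe_dropped_in_windows_root", pid))
        elif kind == "registry_set" and ZONEMAP_DEFAULT in ev["target"].lower():
            findings.append(("zonemap_hku_default_modified", pid))
    return findings, parent, image


def ancestry(pid, parent, image):
    """Walk pid's parents back to the first process not in the event set; returns
    image basenames root-first, e.g. rundll32 > rundll32 > mssecsvc > tasksche."""
    chain, seen = [], set()
    while pid in image and pid not in seen:
        seen.add(pid)
        chain.append(image[pid].rsplit("\\", 1)[-1].lower())
        pid = parent[pid]
    return chain[::-1]


if __name__ == "__main__":
    found, par, img = analyze(EVENTS)
    for rule, pid in found:
        print(f"{rule:30} pid={pid}  chain={' > '.join(ancestry(pid, par, img))}")
```

The hash rule only catches this exact build; the behavioural rules (ordinal export call from a DLL in Temp, an executable written straight into the Windows root, a ZoneMap change under HKU\.DEFAULT by a non-browser process) are what survive a recompile, and the parent-chain walk is what lets an analyst tie the service-started mssecsvc.exe back to the rundll32 that dropped it when the events are stitched together with file-create data.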